January 22, 2018
Recently, fears have been heightened that two new vulnerabilities, Meltdown and Spectre, found in modern processors such as those made by Intel, AMD and ARM, will allow hackers to steal secret data from the unprotected cache memory of CPUs running on computers or even in the cloud, including at cloud-based cybersecurity vendors.
What are Spectre and Meltdown?
Spectre and Meltdown are two names given to different variants of the same fundamental underlying vulnerability that affects nearly every computer chip made over the past two decades. If exploited, they could give hackers access to data previously “trashed” by the “speculative execution” process, an optimization mechanism that allows the computer processors to work ahead of time by predicting and performing future tasks down the line. But the rise of shared networks and cloud computing has unexpectedly turned it into a new security vulnerability.
What is “Speculative Execution”?
To understand what “speculative execution” is in plain language, imagine that you patronize a café every morning at 8 a.m. For the whole past month, you ordered Latte every single morning. The coffee barista knows you so well that he brews the coffee in advance and has it ready just in time when you come in. On one particular morning, you change your mind and order an Americano instead.
Now the barista scrambles to brew your new order and throws the pre-brewed Latte into a bucket, the equivalent of the unprotected cache memory where data that was processed but eventually discarded is temporarily stored. Hackers can use a “side channel” to steal or hijack the cached data, which may contain passwords or account information.
In cloud environments where resources are shared among many clients, hackers could exploit the vulnerability to sneak into the underlying host’s physical memory and gather the private data of other clients.
The industry has long followed a best practice of publicly disclosing a new vulnerability only after a fair period of time, creating a buffer for the vulnerability to be patched before it is widely known. However, the untimely disclosure of this discovery has prompted cloud vendors to speed up their patching process in order to safeguard their clients’ data security.
The fundamental vulnerability stems from the hardware and cannot be completely eliminated until a new generation of chips is released. Until then, patches can only mitigate the vulnerabilities by altering or disabling speculative execution and caching features.
Implications for Nexusguard
Unlike cloud environments providing infrastructure or platform as a service, where resources are shared, Nexusguard’s cybersecurity platform is safe from the vulnerabilities as we continue to update our infrastructure. One measure we implement to minimize exposure to the Meltdown vulnerability is isolating user-space and kernel-space memory, thereby compartmentalizing sensitive data. At the same time, Nexusguard’s platform does not allow our clients and end-users to execute malicious code, which closes that avenue of exploitation.
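As an added example (not Nexusguard’s code), the following POSIX shell check reads the Linux kernel’s own report of Meltdown and Spectre mitigation status, which is where the user/kernel memory isolation described above shows up on a patched host (Meltdown reported as “Mitigation: PTI”). It assumes a Linux 4.15 or later kernel that exposes these sysfs files; the VULN_DIR variable is an assumption of this script so the parser can be run against constructed files.

```shell
#!/bin/sh
# Added example: report how the running Linux kernel classifies each CPU
# side-channel issue. Each file under the sysfs directory holds one line:
# "Not affected", "Mitigation: <what>" or "Vulnerable[: <detail>]".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_STRING -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vuln_dir DIR -> prints one line per issue; returns 1 if the kernel
# reports any issue as Vulnerable, 2 if the directory is missing, else 0,
# so the function can gate a hardening or compliance check.
check_vuln_dir() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no $dir (kernel too old or not Linux)"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify_status "$status")
        printf '%-20s %-10s %s\n' "$(basename "$f")" "$verdict" "$status"
        [ "$verdict" = vulnerable ] && rc=1
    done
    return $rc
}

check_vuln_dir "$VULN_DIR" || printf 'check finished with status %s\n' "$?"
```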
Nexusguard is confident that the impact of these vulnerabilities on our clients and on data confidentiality is minimal. In the meantime, Nexusguard will continue to monitor the situation, follow stringent security compliance rules and work with our vendors to identify and deploy the required updates, further hardening our platform and services to ensure the confidentiality of our customers’ data.