A spectacular security flaw has emerged which affects pretty much every computer made in the last 10 years.
All eyes were on Intel as it recently became clear that the processing architecture of Intel Core CPUs made it susceptible to data stealing. AMD initially stated that its CPUs were unaffected; unfortunately for them, that turns out to be not entirely true. Intel says it’s working with both AMD and ARM to resolve the problem. So this also means that your phone, TV and artificially intelligent fridge may also be affected. According to media reports, Intel say the CPU hit for an OS workaround is 2% at most. Others have put that hit at between 5-30%. That would be seriously bad news for music makers. Oh, and everyone else, too.
What’s the problem?
With Meltdown, the problem is one of speculative execution. Instead of performing every task sequentially the CPU predicts which calculations it might need to do subsequently. It then processes those ones first, in parallel. It’s a clever way of grouping processes together which results in much faster performance than doing them one at a time. However, the way this is implemented means that they don’t check permissions correctly and can leak information about speculative commands that don’t end up being run. It essentially breaks the fundamental isolation between user applications and the operating system. So a malicious program could access the kernel memory and steal data from other programs.
Spectre is ever-so-slightly different, in that it tricks other applications into leaking data and then exploits the same loss of isolation.
All of this means that it would be possible for someone to steal data from pretty much any computing device, and this, of course, potentially means passwords or personal data.
It is primarily a problem with Intel CPUs due to the architecture. Both AMD and ARM are more likely to be affected by Spectre. ARM says that there could be a problem with Cortex-A processors but would require a certain type of malicious code already running on the device and could, at worst, access small pieces of data from privileged memory. Maybe the easiest way to visualise it is on a phone where apps often run in the background. It could be possible to build an app and get it installed on a phone where it could glimpse tiny packets of data in memory and potentially witness the entering of a password into another app. But there are a lot of steps that have to come together to make that happen.
What’s the fix?
Unfortunately, it’s not something that can be fixed with some kind of hardware firmware update. It has to be worked around in the operating system. This means some kind of patch which, according to some reports, could result in a 5-30% performance hit. What? That’s huge! And this is only for the Meltdown issue. Apparently, there is no solution for Spectre at the moment. That flaw, however, is also much harder to exploit.
As with all these computer Armageddon scenarios, it’s helpful to try to get a grip on what’s going on. Intel has already refuted the performance impact saying that the vast majority of users won’t notice a thing. In fact, Microsoft has already patched Windows 10. Have you got an up-to-date system and noticed a plug-ins worth of difference? Apple has apparently issued an initial fix to MacOS in version 10.13.2 released in December.
The performance impact is more likely to be felt by high-end servers and processor farms, the sort of systems running the Cloud, rather than desktop PCs. But Intel believes any impact will be mitigated over time.
Perhaps the most telling statement is that this is only a potential vulnerability – it’s not something that has ever been achieved. The concept has been proven by researchers but what could actually be done by a hacker is up for debate.
Of course, it’s all a bit rubbish, but it’s also unlikely to affect us regular people making music on our computers and devices. A performance hit is never welcome but it sounds like we’re not going to notice and are probably past it already. Security is a bigger issue but it’s a leaky boat we’re all sailing in.
This is a developing story and I’m not an expert in processor architecture or security. These are my thoughts on the information I’ve gathered from the various sources around the net. What’s your view? Is this 2018’s Millenium Bug non-event? Or a serious problem affecting musicians, at least potentially? Let us know in the comments section below.