At a recent panel at DesignCon 2018, “Continued Innovation in a World Challenged by the Slowing of Moore's Law,” a group of engineers from Intel, AMD, and ARM weighed in on the Meltdown and Spectre chip hardware bugs and how they could affect the chip industry going forward.
Chipmakers did not begin 2018 on a high note. In early January, reports came flooding in of a pair of hardware vulnerabilities affecting CPUs going back as far as 20 years. The bugs, Meltdown and Spectre, were initially discovered by researchers at Google in June 2017, but information about them leaked to the public before a major fix for either could be implemented. This created a scramble not only by major chipmakers Intel, ARM, and AMD but also among big technology names like Apple, Microsoft, and Google to quickly fix the problems before they could become the latest tricks in malicious hackers' toolboxes. A repository has sprung up on GitHub that features several applications that demonstrate the Meltdown bug. Twitter user Michael Schwarz, who holds a PhD in information security, demonstrated how easy it would be to steal passwords by exploiting Meltdown, in a short enough time to fit in an animated GIF.
What made these particular exploits so thorny is that rather than typical software issues, these were hardware bugs built right into the design of the chips themselves. According to an information site hosted by Graz University of Technology in Austria, Meltdown gets its name because it “basically melts security boundaries which are normally enforced by the hardware” and Spectre, though harder to exploit than Meltdown, gets its name because it is not an easy bug to fix and “it will haunt us for quite some time.”
At DesignCon 2018 (from L-R), Rory McInerney of Intel, Joe Macri of AMD, Rob Aitken of ARM, and moderator Bob O'Donnell of TECHnalysis discuss changes needed in the chip industry in the wake of Meltdown and Spectre. (Image source: Design News)
“When I started designing CPUs in the mid '80s we did speculative execution,” Joe Macri, Corporate Vice President, Product Chief Technology Officer, and Corporate Fellow at AMD, told a DesignCon audience. “Speculative execution isn't going to stop; it's how we move fast. What has to change is our understanding and appreciation of the need for secure systems and end-to-end security.”
Another panelist, Rob Aitken, a Fellow and Director of Technology at ARM, emphasized that it's going to take industry collaboration across all chipmakers to ensure that bugs like these don't emerge in the future. Aitken said that, going forward, engineers will need to think more about designing for resilience against cyberattacks. “Security is and has always been a feature that needs to be included in any design,” he said.
“The industry knows how to collaborate when it's in our best interest,” Rory McInerney, VP of the Platform Engineering Group and Director of the Server Development Group at Intel, added. “This is an exposure that was caught before it was knowingly exploited, so you have to commend the industry on moving quickly on that.”
McInerney also believed that more will need to be done at the education and training level for chip designers and engineers to assist with testing for cyberattacks. “I think there will be a lot more investment in a lot of the tools and methods of how we attack a design from a security perspective,” he said. “We need more tools that allow you to do these attacks at a basic building block level in order to make designs more robust. There needs to be more done to make security assurance more mainstream.”
To McInerney's point that Meltdown and Spectre haven't been exploited yet, reports are already emerging of malware being created based off of the bugs. With chipmakers still rolling out fixes for machines affected by the bugs, it may only be a matter of time before we see the first major Meltdown or Spectre hack. On February 1, AV-Test GmbH, a German IT security firm, reported that it had found 139 examples of malware that looked to be attempts to take advantage of Meltdown or Spectre.
Though patches have been released for operating systems, chips, and web browsers, with 20 years' worth of vulnerable machines out there it seems highly unlikely that every system will ever be fully patched. And it doesn't mean there aren't other, similar chip hardware issues out there waiting to be discovered and possibly exploited.
“What's changed with Spectre and Meltdown is it's a different form of side-channel attack than people were expecting perhaps,” ARM's Aitken said. “But the nature of side-channel attacks is essentially that they're not what you would expect. We can predict without having to use a crystal ball that there will be future side channels. ... The reality is you can't avoid them, they're going to be there; they're going to disrupt things that we thought were less vulnerable than they actually turned out to be.”
Aitken said Meltdown and Spectre in particular should get engineers thinking more about the implications of side-channel attacks – attacks based on computing hardware rather than software – when they are designing chip architecture. “What sorts of things have to change in people's mind when they think about architecture that encompasses side channels?” Aitken asked. “Beyond that, there's the question of what are the metrics. It's ridiculous to say one thing is secure and another is not. It's like if you go look at your own house or your car. Is it secure? That depends. It's not really so much is it secure as it is how much effort does it take to break into it, because somebody somewhere can.”
“We all live in glass houses in this industry and we're all in it together,” AMD's Macri said. “It's not three companies or four companies. It's all companies... It's something that we live with every day and we're striving to do a perfect job in a world that isn't perfect. We'll just keep at it.”
Aitken said, “We not only have to design systems that are secure against the expected challenges of the moment, we have to actually design them so that they're resilient against some kind of attack in the future that we can't predict right this minute, but we know is coming.”
Moving to conclude the discussion on an optimistic note, moderator Bob O'Donnell, President, Founder and Chief Analyst at TECHnalysis Research, offered, “The silver lining is it drives more cooperation. In theory this provides a way for companies to know how to work together to solve this.”
Chris Wiltz is a Senior Editor at Design News, covering emerging technologies including AI, VR/AR, and robotics.