Security researchers shook the industry to its core back in 2018 when they disclosed Meltdown and Spectre, two serious vulnerabilities found in virtually every computer processor. Pandora’s box of processor security vulnerabilities had just been opened. One of the scariest parts is that these types of vulnerabilities are far more dangerous and effective when attackers use them in virtual environments, rather than non-virtual or desktop settings.
In his latest column for Dark Reading, WatchGuard’s senior security analyst, Marc Laliberte, explains how the processor speed race gave birth to attacks that abuse speculative execution processes, and ultimately why this issue is likely to cause industry leaders to develop separate lines of processors designed specifically to protect cloud applications from Meltdown, Spectre and the like. Here’s a brief excerpt from the article:
“Since Meltdown and Spectre’s disclosure, researchers have found several variants and other vulnerabilities that abuse speculative execution to access restricted memory. Intel and AMD, the two largest processor manufacturers, have been playing a cat-and-mouse game of patching these flaws, usually at the cost of processor performance. The performance loss has been up to 30% in extreme cases. This has led many desktop users, who are less impacted by Spectre, Meltdown, and the like, to disable the security options to retain more processing power.
Mitigating this type of vulnerability in a cloud environment where security is paramount ranges from difficult to impossible. Patching these vulnerabilities requires difficult microcode updates to the processor itself. Because of these challenges, we’re likely heading towards a future where Intel and AMD manufacture different classes of processors that focus on either security or speed.”
Read the complete article on Dark Reading for more insights on the perils of speculative execution vulnerabilities in the cloud and how the industry will likely adjust to meet demands for both performance and security. And don’t forget to subscribe to Secplicity to receive the latest security news, analysis and best practices directly to your inbox.