Your Guide to Secure Software Development Practices, Products & Projects
Your Guide to Secure Software Development Practices, Products & Projects
Credit: Atif Arshad, The Noun Project
January 26, 2018
Dear Steemians:
We’re excited to be a part of this fascinating community! This social media publishing platform is a great example of the ingenuity that comes from people who are inspired to iterate on the Status Quo.
Many of us love to consume and share content. Steemit rewards consumers/readers, as well as creators, curators and investors for their dedication and support for sharing their time, knowledge and experiences. This is rare with today’s digital domains in which Old School advertising keeps these sites alive.
We hope the information in BugHeist Beacon gives you helpful information about the secure software development world and the cybersecurity community.
Best regards,
Sean & Tara
Source: Natascha Eibl
Chip Manufacturers Have Known about Design Flaws that Created Spectre and Meltdown for Years Experts Say
Spectre and Meltdown, the vulnerabilities that give hackers access to Intel, AMD and ARM microprocessors and their kernels or operating systems, were a revelation to many of us when they were officially disclosed in early January 2018.
Ed Maste, director of project development for the Free BSD Foundation and a FreeBSD Security Team member; Matt Joyce, an employee with a security company who worked at NASA; Ike, a sysadmin/DevOps individual who “runs several thousand computers” and a FreeBSD, OpenBSD, NetBSD and DragonFly BSD contributor; and Phillip Koblence, coo and co-founder of NYI, a data and cloud services center in New York City and New Jersey, say these vulnerabilities have been known in academic and certain technology circles for over 20 years.
They talked about these flaws and their impact during an OWASP New York City Roundtable discussion moderated by Tom Brennan, former OWASP board member and founder of Proactive Risk, on January 16, 2018.
Following are the highlights from this virtual event. Click here if you would like to listen to the almost 60 minute conversation.
What the H%ll are Spectre and Meltdown?
“In an effort to expedite processing times, chips employ speculative execution,” says Sean Auriti, who did not participate in the roundtable but has researched hardware and software bugs for more than 15 years and studied electrical engineering at NYIT.
“This method allows microprocessors to execute commands to specific locations in computers’ kernels or operating systems without initially checking to see if they are secure or the accurate paths.
This gap of time that it takes the processors to realize they chose the wrong paths and then choose the correct ones gives attackers access to computer systems. This is essentially the smoking gun or culprit that lead to the Spectre and Meltdown exploits.”
CPU Vulnerability Can Allow Attackers to Read Privileged Kernel Memory and Leak Data by Limor Kessem on IBM’s Security Intelligence blog explains Spectre’s 2 variants and Meltdown.
Eric Sharret, vice president of business development at TELEGRID Technologies, maps out a simple speculative execution scenario in his video.
People Knew about Spectre and Meltdown for Years
The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems, a white paper published in 1995, outlined risks with Intel’s chip design, says Matt.
“It’s an obviously known risk, so I don’t think Intel or ARM or any of those guys have the option to say that this isn’t something they expected to run into if it had been outlined in 1995.
But we all know how academic research papers are. They get written, three guys read them, and it doesn’t generally get widely circulated, especially in 1995. We all know the state of information security in 1995. It’s interesting that this was a known issue—at least in some circles—how pervasively known that was in the chip design community. I couldn’t begin to guess. Obviously, chip designers are not known for focusing heavily on security,” states Matt.
“Ostensibly, this is not just some obscure thing from 1995. People working on operating systems have known about these flaws in Intel systems and have called them out for decades now,” says Ike.
“In my opinion, they’re not just bugs having to do with performance. They’re also features as general purpose computing as a commodity continues to try to reinvent itself and become still a specialized product and introduce management features,” continues Ike.
How Can Businesses Protect Themselves?
“For the small to medium business owners, just patch your stuff,” says Matt.
"For end-users, the most important advice here is to make sure you keep everything patched and up to date. There’s not an awful lot that an end-user should do differently or follow this one simple tip to be safe from Meltdown or Spectre,” states Ed.
"For medium to large businesses, a lot of companies don’t do a very good job of tracking where and what individual groups bring in software. One of the big ones I know is audit and compliance teams will generally farm out the audit and compliance logs to third parties…What are they hosted on? Your security team locally should be getting a list of every service you use,” Matt adds.
Where Do We Go From Here?
“There’s certainly a renewed interest in some circles in micro-architectural kinds of work on improving security from an ISA design perspective and things like that. It’s fair to say that—that work is happening, it’s just that the visibility in the broader tech community is not very high,” states Ed.
…."I’m thinking specifically of a project that Free BSD has been instrumental in. That’s the CHERI CPU work at the University of Cambridge. Very interesting work, that’s happening there that is a little more forward-looking,” continues Ed.
“As an industry at large, we’re not succeeding. If our security work is all going against papers and basically mitigating and following behind and pointing out what’s broken as opposed to fixing or providing an environment (where) we’re able to prevent these kinds of problems from hitting the street then we’re all failing...We need to actually start making some serious shift in the way we’re operating or else we’re just going to be following all of these bugs for the next two decades and I’m not interested in that. I’m interested in computing,” Ike says.
Ed: “We are going to be dealing with this for years to come. There’s certainly some blame to send to Intel in that Meltdown specifically—the specific flaw is being exploited is unique to Intel. The broader issue of speculative execution side channels applies to CPUs from a whole bunch of different vendors. And I think, it’s the case that we will have mitigations committed to Free BSDs, Linux and Windows and what not for Meltdown and 2 variants of Spectre...10 years from now, we’ll probably look back from now and realize this is an inflection point in our understanding of speculative execution vulnerabilities just like buffer overflows were all that time ago.”
