Vulnerability defines the coding or design flaw in the system that causes the security flaw at the end point of the system or the network (Lipp et al. 2018). Vulnerability enables the chances for the unauthorized users to access the memory or hardware of the system and manipulate the functions of the system. It also increases the chance of hacking the system which includes overrun of buffer and the code injection (Simakov et al. 2018). Many organizations appoint the cyber expert to find out the vulnerability in their system. This practice helps them to detect the flaw in the system and based o those flaws they can upgrade their system to a more secured one. Spectra and meltdown are two types of computer security vulnerabilities (Simakov et al. 2018). These are hardware vulnerabilities. Spectra and meltdown can access the information from the memory in the system and can get access of the important information like password of the system (Lipp et al. 2018). These vulnerabilities can be active in personal desktop, mobile and cloud. In a recent research it has been found out that nearly every system that has been manufacturing since last 20 years contains those vulnerabilities. The main cause of the flaw is the chips which are used in the system. The chips are designed to run faster and this mechanism has created these vulnerabilities. It has not been found yet that exploitation of those flaws has happened in a large scale but there are chances that these vulnerabilities can become a threat to the security of the system (Baker 2018). Spectra and meltdown are the vulnerabilities which are known as the catastrophic to the security experts as the impacts and presence of these two meltdowns are much whispered. There are some similarities between the spectra and meltdown but these two are the different types of vulnerabilities. The presence of these two security flaws has been discovered by the experts in the end of 2017 and the articles are publishing in 2018. Technically there are three vulnerabilities, categorized based on the CVE number. The first two types of vulnerabilities are specified as the spectra and the last one is categorized as meltdown.
Vulnerabilities in computer security:
Vulnerabilities are the way that leads the system prone to the security threats like hacking and stealing of confidential information from the system. In late 2017 it has been found out that there are three kind of vulnerabilities present in almost all the systems, which has been manufacturing since 2000.The three kinds of vulnerabilities are-
The first two kinds of vulnerabilities are categorized as spectra and the last is called meltdown.
Spectra:
Modern CPU has the facility called branch prediction. Using the branch prediction the CPU can execute a set of instructions at that particular location, where CPU believes the set belongs to. This feature of CPU increases the execution time as well as it ensures the utilization of CPU storage in a proper way and it minimizes the waiting time. This feature of the modern CPU helps the system to perform well. Spectra attack exploits the using of this branch prediction technology. The successful prediction of a branch will be followed by the retired of the code and after that memory read will be happened. In case, if the branch predication by the CPU is not successful the whole function will discard and the functions of those instructions will become ineffective (Kocher et al. 2018). During the discard of the function, some indirect effects of the processing of discard branch prediction remains the same – like change in cache in CPU. Extracting values from the speculatively executed code can be done from the cache by measuring the memory latency access.
It also abuse the use of speculative execution chip the CPU can search the possible branches to which a set of instruction is involved, before the execution of the instructions (Kocher et al. 2018). This helps the CPU not to repeat the execution of same logical branch and this helps to reduce the CPU time cycle. . In speculative execution the Spectra leaks the data through cache lines (processer covert channels). This vulnerability can only steal data from the current process. However, it cannot get data from physical parts of the devices like kernel.
The main feature of the spectra vulnerability is that it does not allow an unprivileged process to read the value or access the privileged process (Pieters, Hadžiosmanovi? and Dechesne 2016). It allows the execution of the victim’s process to access the data from the malicious program or execution.
Spectra misguide the user application to present the data in the wrong platform. This kind of attacks mostly happen the browsers where one tab can contain the sensitive information and another tab can contain the malicious code from the attackers. In this case the isolation of the two tabs can lessen the chances of attack.
In case of spectra variant 1 the conditional branch instruction is executed according to the prediction of the malicious code or predictions. In case of spectra variant 2, execution of instructions by the CPU happens in the location which is determined by the mispredicted branch.
In case of attack caused by both the variant of spectra, there is a chance that the sensitive data in the system can be leaked in another process, which is not desirable. It also allows a part of the application to access the other part of the memory location of the same process which may not be permitted.
The access of spectra attack can not affect the kernel of the system. However, depending on the configuration of the user system, it can be possible for the spectra attack to access the kernel memory using user application.
Meltdown:
Meltdown uses the programs to read the information, which is only accessible to the operating system. It exploits the memory cache and speculative execution in order to do leak the data. In case of meltdown vulnerability, the attackers use a user program to gain access of data from the other parts of the system and sometimes data from the other system. Meltdown allows a program to gain access of the information from the other programs, which is not desirable and permitted. Meltdown does not require much knowledge of how the attackers work on the user program. It is a severe problem and this bug is present in some Intel chips.
The mapping of physical memory and virtual memory is contained in the page table. In order to increase the performance of the operating system, the address of kernel is mapped into user space. Generally, a kernel memory cannot read data from the user space (Kawakami, Dahab and Nascimento 2015). User space reads a byte from the kernel address, it can create an exception and the leak of data can happen from the other side of the channel before the involvement of exception handler and generate an out of order execution (Park, Park and Kim 2014). This data is used to manipulate the array list which is accessible to the user space. The array is dependent on the value of the data (Di Pietro, Lombardi and Signorini 2016). In this case if an exception is generated the data cannot access the array list from the user space. The unpredicted process is accessed through the array list in the user space. The confidential data of the victim’s process get reveled to the other location as the element of the cache returns the value much faster.
The main mechanism of meltdown vulnerability is to create a race condition between out of order instruction and rising of exceptions (MUGARZA, PARRA and JACOB 2018). Meltdown captures the memory value of kernel, which raise an exception as the user space cannot access the kernel space memory. However, out-of-order instruction along with the faulting instruction may execute. Some out-of-order exception is executed by the time when exception is raised. The raising exception causes the CPU to roll back the instructions but the cache state does not change
To mitigate the effect of the meltdown some patches are used. One of the important patches is KAISER which is Linux kernel mitigation (MUGARZA, PARRA and JACOB 2018). The aim of this patch is to separate the kernel memory and the user space memory.
Meltdown breaks the system, which allows the application to access the arbitrary memory. The applications, can access the system memory.
It has been said that most Intel chips are affected by these vulnerabilities. Meltdown affects almost all Intel micro processors from 2010 (Mangelsdorf 2017). It has been noted that some AMD microprocessors are also affected by the meltdown vulnerability. Spectra works on non- Intel processor like ARM and AMD.
ARM and Intel provide details about the affected chips. However, AMD did not share any details about the products affected by these vulnerabilities.
Difference between meltdown and spectra:
|
Factors |
Meltdown |
Spectra |
|
Triggering of CPU mechanism |
Out-of-order execution |
Speculative execution using branch prediction. |
|
Platforms affected |
Allows memory read in out-of-order execution. |
Performs the speculative execution. |
|
Difficulty to generate the attack |
Difficulty is low here because accessing kernel and modify the code can be done easily |
Highly difficult as it is required to know the environment of the software at the user’s system. |
|
Effects |
Data from kernel memory get disclosed to the user space memory |
Disclosure of data from inter-process memory |
|
Patches used |
Kernel –page table isolation |
Indirect branch restricted speculation |
The impact of these security flaws can affect on various fields like business, network. The main concern about spectra and meltdown is that these two security flaws are software and hardware independent. This indicates they can become a way of reveling data from any system.
Impact on business performance:
The systems those are involved in maintain the business information of the organization and handling the data of customer can be exposed to the security threats if these types of vulnerabilities are present in the system (Tatourian et al. 2017). In case of spectra o meltdown leads the attackers to get access of data from the system used in the business purpose; all the data regarding the consumers of the organization along with the sensitive information of the organization can be disclosed to the unauthorized source (Ferraiuolo et al. 2017). This can become a security threat for both the organization and the consumers.
Impact on the system:
Spectra and meltdown can make the violation of security through hardware to become more frequent like violation of the security through software (Devendorf, Zeliff and Jabbour 2016). There are some patches available in the market o fix these vulnerabilities but the best way in order to fix this problem permanently is to replace the CPU (Campbell 2016). This kind of flaws can develop in a large scale in future. The chances to get the access of the system through these flaws will make the hackers to exploit the opportunity. In this case, in order to get secured from hardware based attack, installing new hardware every time will not be a convenient option.
Impact on compatibility issue:
Installing the patching in different machines needs the perfect synchronization between the machine and the software (Abomhara 2015). The cause of vulnerabilities starts from microprocessor of the system. Microprocessors are the fundamental component of the system (Burleson, Mutlu and Tiwari 2016). There are many companies, who are inventing security patches in order to mitigate the security threat. The challenge is that if those patches are compatible with those machines and the versions of the software (Devendorf, Zeliff and Jabbour 2016). In this situation the application vendors are needed to customize those patches to make those compatible with the machines. During this course of customization the security patches cannot be kept secret. Unveiling the patch makes the malicious users and the hackers to get the opportunity to break the patch and access the system.
Effect on the performance of the system:
Installing of these patches can reduce the performance and the speed of the system .However; it does not happen in many cases (Xiao, Nahiyan and Tehranipoor 2016). It has been that the speed of most of the computers has not decreased much after installing the patches. However, in some cloud architecture the installing of the patches can slow down the speed of the computing (Arnbak et al. 2014). The main concern is that in future there may develop this kind of hardware vulnerability, in that case using more patches in the system may slow down the speed and it can hamper the performance.
The discovery of spectra and meltdown has given a certain impact on the security issues of the computer (Burleson, Mutlu and Tiwari 2016). Researches and the experts are focusing on the threats those come from hardware, which can allow the stealing of data from the system (More 2018). Stolen data can be password of the system and user’s data which can be sensitive and confidential. In this context of the vulnerability it has been found all the systems which have been manufacturing since 1995 are having these kinds of security flaws.
Since the discovery of these security flaws, many papers have been published in order to explain and prevent the situation (Balakrishnan 2015). The current situate implies to use certain patches which will be partially effective in order to mitigate the impact if the attack (Rob et al. 2014). However, there is no permanent solution of this problem has been found yet and the patches are not full proof solution- as for example- the patch to mitigate meltdown will not work to prevent the spectra attack.
In order to get the full proof solution to the problem of this situation, it has been recommended by the experts that a long term solution is required and updated guidance about the security is needed o be formed.
The impacts of these vulnerabilities can be-
There is no fixed solution or code to prevent this security flaw (Balik et al. 2015). However, there are some patches provided by the both microprocessor manufacturing companies and the application vendors (Campbell 2016). These patches can mitigate the effect of spectra and meltdown attack. However, there is no permanent solutions has been discovered yet for this problem.
Recommendations for the home users:
Recommendations for business organizations:
Conclusion
It can be concluded from the above discussion that discovery of spectra and meltdown has a notable impact on the security of the system. The attack on the system through hardware was not much familiar before these two categories of vulnerabilities has come into the notice. The discovery of spectra and meltdown and spectra has increased the chances of violation of security through the hardware interface. There are patches available for different chips to mitigate the effects of the vulnerabilities. However, there is no permanent and convenient solutions to this problem .It can be assumed from the above discussion that these kind of hardware implantation flaws will lead to the various problems and concerns in the near future but, on the other hand it can be assumed that these types of security threats will help to develop the technology to protect the security of the system. The flaw in the design of hardware will help the hardware manufacturing companies to develop more advanced and flawless system which attributes towards an advancement of the technology. The awareness among the users about the identification and impacts of vulnerabilities and invention of long term mechanism in order to detect and prevent these kinds of security flaws can help the system to be secured from the attacks caused by the flaws in hardware mechanism.
References
Abomhara, M., 2015. Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), pp.65-88.
Arnbak, A., Asghari, H., Van Eeten, M. and Van Eijk, N., 2014. Security collapse in the HTTPS market. Communications of the ACM, 57(10), pp.47-55.
Baker, M., 2018. Real, Unreal, and Hacked. IEEE Pervasive Computing, 17(1), pp.104-112.
Balakrishnan, N., 2015. The Principles of Dependability. In Dependability in Medicine and Neurology (pp. 1-31). Springer, Cham.
Balik, L., Horalek, J., Hornig, O., Sobeslav, V., Dolezal, R. and Kuca, K., 2015. Endpoint Firewall for Local Security Hardening in Academic Research Environment. In Computational Collective Intelligence (pp. 246-255). Springer, Cham.
Burleson, W., Mutlu, O. and Tiwari, M., 2016, June. Who is the major threat to tomorrow’s security? You, the hardware designer. In Design Automation Conference (DAC), 2016 53nd ACM/EDAC/IEEE (pp. 1-5). IEEE.
Burleson, W., Mutlu, O. and Tiwari, M., 2016, June. Who is the major threat to tomorrow’s security? You, the hardware designer. In Design Automation Conference (DAC), 2016 53nd ACM/EDAC/IEEE (pp. 1-5). IEEE.
Campbell, T., 2016. Threats and Vulnerabilities. In Practical Information Security Management (pp. 15-29). Apress, Berkeley, CA.
Devendorf, E., Zeliff, K. and Jabbour, K., 2016, August. Characterization of Antifragility in Cyber Systems Using a Susceptibility Metric. In ASME 2016 International Design Engineering Technical Conferences and Computers and Information in Engineering Conference (pp. V01BT02A014-V01BT02A014). American Society of Mechanical Engineers.
Di Pietro, R., Lombardi, F. and Signorini, M., 2016. Secure Management of Virtualized Resources. Security in the Private Cloud, p.193.
Ferraiuolo, A., Xu, R., Zhang, D., Myers, A.C. and Suh, G.E., 2017, April. Verification of a practical hardware security architecture through static information flow analysis. In Proceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 555-568). ACM.
Kawakami, H., Gallo, R., Dahab, R. and Nascimento, E., 2015, August. Hardware security evaluation using assurance case models. In Availability, Reliability and Security (ARES), 2015 10th International Conference on (pp. 193-198). IEEE.
Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M. and Yarom, Y., 2018. Spectre Attacks: Exploiting Speculative Execution. arXiv preprint arXiv:1801.01203.
Lipp, M., Schwarz, M., Gruss, D., Prescher, T., Haas, W., Mangard, S., Kocher, P., Genkin, D., Yarom, Y. and Hamburg, M., 2018. Meltdown. arXiv preprint arXiv:1801.01207.
Mangelsdorf, M.E., 2017. What Executives Get Wrong About Cybersecurity. MIT Sloan Management Review, 58(2), p.22.
More, A.C.Y., 2018. Security Alert!.
MUGARZA, I., PARRA, J. and JACOB, E., 2018. Analysis Of Existing Dynamic Software Updating Techniques For Safe And Secure Industrial Control Systems. International Journal of Safety and Security Engineering, 8(1), pp.121-131.
Park, J., Park, J. and Kim, Y., 2014. System lifecycle processes for cyber security in a research reactor facility. Science China Information Sciences, 57(7), pp.1-12.
Pieters, W., Hadžiosmanovi?, D. and Dechesne, F., 2016. Security-by-experiment: Lessons from responsible deployment in cyberspace. Science and engineering ethics, 22(3), pp.831-850.
Rob, R., Tural, T., McLorn, G.W., Sheikh, A. and Hassan, A., 2014, September. Addressing cyber security for the oil, gas and energy sector. In North American Power Symposium (NAPS), 2014 (pp. 1-8). IEEE.
Simakov, N.A., Innus, M.D., Jones, M.D., White, J.P., Gallo, S.M., DeLeon, R.L. and Furlani, T.R., 2018. Effect of Meltdown and Spectre Patches on the Performance of HPC Applications. arXiv preprint arXiv:1801.04329.
Tatourian, I.A., Nayshtut, A., Pogorelik, O. and Hunt, S., McAfee LLC, 2017. Cognitive protection of critical industrial solutions using IoT sensor fusion. U.S. Patent 9,817,676.
Watson, R.N., Woodruff, J., Roe, M., Moore, S.W. and Neumann, P.G., 2018. Capability Hardware Enhanced RISC Instructions (CHERI): Notes on the Meltdown and Spectre Attacks (No. UCAM-CL-TR-916). University of Cambridge, Computer Laboratory.
Xiao, K., Nahiyan, A. and Tehranipoor, M., 2016. Security rule checking in IC design. Computer, 49(8), pp.54-61.
Essay Writing Service Features
Our Experience
No matter how complex your assignment is, we can find the right professional for your specific task. Contact Essay is an essay writing company that hires only the smartest minds to help you with your projects. Our expertise allows us to provide students with high-quality academic writing, editing & proofreading services.
Free Features
Free revision policy
$10Free bibliography & reference
$8Free title page
$8Free formatting
$8How Our Essay Writing Service Works
First, you will need to complete an order form. It's not difficult but, in case there is anything you find not to be clear, you may always call us so that we can guide you through it. On the order form, you will need to include some basic information concerning your order: subject, topic, number of pages, etc. We also encourage our clients to upload any relevant information or sources that will help.
Complete the order form
Once we have all the information and instructions that we need, we select the most suitable writer for your assignment. While everything seems to be clear, the writer, who has complete knowledge of the subject, may need clarification from you. It is at that point that you would receive a call or email from us.
Writer’s assignment
As soon as the writer has finished, it will be delivered both to the website and to your email address so that you will not miss it. If your deadline is close at hand, we will place a call to you to make sure that you receive the paper on time.
Completing the order and download