The Meltdown and Spectre vulnerabilities disclosed in early 2018 dominated much of the infosec discussions and news coverage last year, including those at RSA Conference 2018. But at this year’s event, speculative execution threats are virtually non-existent.
RSA Conference 2019 has a single item on its agenda for speculative execution threats: a classroom session on Foreshadow, a set of L1TF vulnerabilities, by Raoul Strackx, a security researcher at Belgian university KU Leuven who was part of the Foreshadow discovery team.
Last year was a different story. Meltdown and Spectre were the primary focus of at least six RSAC panels and sessions, and the flaws were discussed at length in many more. One session offered an in-depth review of the Spectre flaws by security researcher Paul Kocher, who is credited with discovering Spectre along with Jann Horn of Google’s Project Zero. Other sessions focused on response and mitigation efforts for the flaws.
But reading through the RSAC 2019 agenda, you’d have no idea that Meltdown and Spectre were even a concern, let alone a potential four-alarm fire for both the infosec and microprocessor industries.
To be sure, there’s no evidence Meltdown and Spectre – or any other speculative execution attack discovered over the last year – has been successfully exploited in the wild; the closest we’ve come is the discovery of malware samples built on proof-of-concept exploits published by security researchers.
That’s the good news. The bad news is, as the original research teams behind Meltdown and Spectre noted, there may be no reliable way to determine whether the flaws have been exploited or not because the attacks wouldn’t leave any traditional log data behind. A number of cybersecurity vendors have introduced detection tools that in theory could spot an exploitation of the flaws in progress, but even these tools, as Trend Micro noted, aren’t silver bullets and require considerable effort.
There’s more bad news, too, as Meltdown and Spectre were just the beginning. Several other side-channel vulnerabilities and speculative execution attacks were discovered in major microprocessors, including multiple new Spectre variants. And while some of these attacks, such as NetSpectre, aren’t entirely practical for threat actors to exploit, they’ve continued to reveal cracks in modern microprocessor architectures.
Then there are the mitigation problems. Meltdown and Spectre patches could cause significant performance impacts on affected chips, and some of the microcode updates and software patches have led to more problems. Plus, the “patches” only stop known exploit methods and don’t fix the underlying problems with speculative execution. All of these issues, combined with the lack of known attacks in the wild, could lessen the chances of organizations actually deploying the patches.
And finally, just last week a group of Google researchers published a paper titled “Spectre is here to stay: An analysis of side-channels and speculative execution,” which argued that software fixes alone cannot fully mitigate Spectre vulnerabilities. “It is now a painful irony that today, defense requires even more complexity with software mitigations, most of which we know to be incomplete,” the authors wrote. “And complexity makes these three open problems all that much harder. Spectre is perhaps, too appropriately named, as it seems destined to haunt us for a long time.”
It’s entirely possible the infosec community is feeling a little hungover from Meltdown and Spectre, given the vast amounts of ink spilled about, and anxiety caused by, the two flaws. That’s understandable, especially when the vulnerabilities earned dual Pwnie Awards at Black Hat 2018 for Most Innovative Research and Most Overhyped Bug.
Still, it seems odd that chip vulnerabilities which sparked not only a rethinking of speculative execution but significant design changes as well would be essentially absent from this year’s RSA Conference. That raises several questions: Has the collective response effort from the chip makers and the infosec community been that successful? Did the industry as a whole overreact to Meltdown and Spectre?
Or are speculative execution threats and side channel attacks here to stay?