UM Labs

2018 started badly with announcements of two chip-level security issues, Spectre and Meltdown. These are serious issues; their potential impact has reached the level where each has its own logo.

Both problems arise from design flaws in Intel, AMD and ARM processors. The flaws potentially allow one application to read the memory used by another application or, in the case of Meltdown, allow a user-level application to read memory used by the operating system. This could expose passwords or even encryption keys to a malicious application.

Meltdown is exclusive to Intel CPUs. The flaw has existed since 1995. Exploits for this flaw have been published. In response, Intel issued a press release stating that their processors worked as designed, but this attracted a highly critical response from Linus Torvalds, creator of the Linux operating system. In an email on 3rd January, Linus wrote:

I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed. .. and that really means that all these mitigation patches should be written with “not all CPU’s are crap” in mind. Or is Intel basically saying “we are committed to selling you shit forever and ever, and never fixing anything”? 

Spectre affects Intel, AMD and ARM processors. It is much harder to exploit than Meltdown. At the time of writing, only limited attacks have been demonstrated.

Exploiting Meltdown or Spectre requires that malicious code be introduced onto the target. This is a problem for users' PCs, laptops, tablets and smartphones, where malicious JavaScript applications on websites have been identified as a possible attack vector. The risk is reduced for well-designed and protected servers, as they can deploy other defences to block these malicious applications.

The UM Labs R&D RTC Cyber Security OS runs on Intel or AMD processors. We have carefully assessed the impact of both Spectre and Meltdown and can reassure users that none of our systems are vulnerable to an attack based on these flaws. Our systems run hardened and ring-fenced on Linux as a layer in private, public or hybrid cloud implementations. Access to the operating system is restricted and there is no mechanism that would allow malicious code to be introduced onto the system. All patches and updates are protected and validated using a cryptographic checksum.

The Linux community is working on updating the kernel to protect against Meltdown and Spectre. Some experimental patches to protect against Meltdown are already available; however, there have been some reports that these patches can slow down a system by up to 30%. As the layered security in the UM Labs R&D OS prevents any known exploit of Meltdown or Spectre, and as the patches are still experimental, we will not immediately apply these patches. However, we are continuing to review this situation and will issue an update for all supported systems when we are satisfied that the benefits of applying the patches outweigh the risks.