
A critical security flaw affecting computers the world over is here to stay, and there isn’t any software that can properly safeguard against it. That is the conclusion of engineers trying to fix a vulnerability in processing chips known as Spectre – and it is leading to a rethink of the way that computers are designed.
For at least one variant of the flaw, no software exists that can prevent this, Ben Titzer and his colleagues at Google have found.
Spectre, which was first discovered a year ago, affects processors built by Intel, AMD and ARM, which are used in almost every computer and smartphone. It leaves your device vulnerable to programs that steal data being processed, including passwords and emails. Websites could also use Spectre to steal sensitive information from other pages open in the same browser.
Advertisement
Following its discovery, companies including Apple and Microsoft scrambled to release security patches for some variants of the flaw, which were reported to slow down certain computer functions by between 5 and 30 per cent. Google introduced a feature that isolates information on each Chrome web page from others.
But these security patches only mitigate the risk for some of the Spectre variants found so far, and don’t solve the underlying issue.
A fundamental flaw
For one type known as Speculative Store Bypass, the Google team has now concluded that there is no software fix that works – leaving all existing computers vulnerable.
The problem stems from a fundamental flaw in how computer chips have been designed, says Titzer. “The entire field of computing missed this.”
Spectre takes advantage of a feature of computer chips known as speculative execution. To speed up processing, chips make guesses about future calculations, which are then discarded if incorrect.
We still don’t know exactly what information can and can’t be stolen, so while software fixes have seemed to work well so far, it is impossible to know whether they are actually effective, says Paul Kocher,Ěýa cybersecurity researcher who initially helped find Spectre.
The only permanent defence against Spectre is to build new machines with physically separate processors for security, he says.
So far, the risk hasn’t translated into reality. Ian Batten of the University of Birmingham, UK, says the vulnerability hasn’t caused as much damage as experts first envisaged – no Spectre attacks using malware have yet been detected. He believes it will be a flaw exploited only by sophisticated attackers, such as nation-state hackers.
“We will be living with the consequences of it for a long time,” he says.
¸é±đ´Ú±đ°ů±đ˛Ôł¦±đ:ĚýarXiv,Ěý