You’ve probably already heard about Meltdown and Spectre – two of the worst vulnerabilities ever discovered. But what do they mean for developers?
If you’re just tuning in, independent security researchers made a disturbing discovery earlier this month. Cybersecurity is broken – and it has been for decades. A group of security researchers discovered a pair of horribly complex vulnerabilities, which they’ve coined Meltdown and Spectre.
The problem with both flaws is that they’re tied to hardware. They’re deep-seated flaws in how we design, manufacture, and distribute computer chips and processors. And, unfortunately, even though we’ve already started rolling out patches for them, fixing them won’t be easy, not by any means.
But how exactly can we address them? And more importantly, how will they impact the development industry? The first step in answering those questions lies in understanding how these flaws work.
They’re tied to a bug in Intel chips that allows low-privilege processes to access memory stored in a system’s kernel. Because Intel has implemented multiple (sloppy) adjustments meant to enable faster processing, there are multiple quirks that an attacker could exploit to gain information on processes and data stored on a system. This could theoretically even be used by attackers to break sandboxing in multi-user systems.
So yeah. It’s pretty bad. And it’s going to get worse.
The issue with fixing Meltdown and Spectre is that it means throwing out many of the performance improvements we’ve developed for our processors over the years. It means routing data less efficiently, as many of our existing efficiencies put entire systems at risk. While the average user likely won’t see any difference, developers will, especially those who work with web applications and platforms that have intensive data requirements.
Thanks to the fixes for Meltdown and Spectre, a performance hit has already been keenly felt by large cloud providers. Google, for example, recently released a patch called Retpoline in an effort to mitigate the slowdown. More patches are likely incoming.
Ultimately, what it comes down to is whether or not your applications and platforms make heavy use of the system kernel. Those that rely heavily on kernel functions are going to see a significant performance overhead, and it’s going to fall to you to deal with that.
At the same time, many smaller manufacturers and software vendors are still lagging behind in applying patches to address the issue. As a developer, it may well fall to you to ensure that the tools and systems your organization uses are kept secure – and that they’re protected against these exploits. Worse still, you may have to deal with half-cocked fixes that might introduce new vulnerabilities and bugs.
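One concrete way to confirm whether a Linux host actually has Meltdown and Spectre mitigations active is to read the kernel’s sysfs reporting interface under /sys/devices/system/cpu/vulnerabilities/ (present on 4.15 and later kernels, and backported to many distribution kernels). The script below is an added example, not code from the original post; it takes the directory as an argument so it can be exercised against a constructed sample tree, and the sample status strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check Linux kernel Meltdown/Spectre mitigation status via sysfs.
# Each file in the vulnerabilities directory holds one of:
#   "Not affected", "Mitigation: <name>", or "Vulnerable[: <detail>]".

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print "<vulnerability>: <status>" for every file in the directory.
report_mitigations() {
    dir="${1:-$SYSFS_VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 when nothing reports "Vulnerable", 1 when at least one entry does.
# Prints each unmitigated entry so the output can be fed to a ticket or alert.
check_mitigated() {
    dir="${1:-$SYSFS_VULN_DIR}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status="$(cat "$f")"
        case "$status" in
            Vulnerable*) echo "UNMITIGATED: $(basename "$f"): $status"; rc=1 ;;
        esac
    done
    return $rc
}

# Build a constructed sample tree (not values from a real host) showing a machine
# with page-table isolation for Meltdown but no Spectre v2 mitigation. Prints the path.
make_sample_tree() {
    d="$(mktemp -d)"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}
```

Source the file and call `check_mitigated` with no argument to inspect the live host; the non-zero exit code makes it usable as a gate in a build or fleet-audit job.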
The good news in all of this is that these vulnerabilities will be fixed, and that we will eventually find a way around the challenges those fixes introduce. And while developers may need to find some tricks and tactics to deal with the performance hits their applications take, such fixes will come about in due time.
Editor’s Note: This blog article was written by an outside contributor – a guest blogger – for the purpose of offering a wider variety of content for our readers. However, the opinions and recommendations expressed in this guest blog are solely those of the contributor, and do not necessarily reflect those of The Security Awareness Company, LLC. If you are interested in writing something for us, please do not hesitate to contact us: firstname.lastname@example.org.
By Max Emelianov
- What Do Meltdown and Spectre Mean For Web Development? – March 5, 2018