Industry collaboration was the "silver lining" of Meltdown and Spectre

Red Hat says the flaws forced software and hardware developers to talk to each other

Open source giant Red Hat has suggested the Meltdown and Spectre vulnerabilities present in processors dating back at least a decade helped to solve a major industry issue of "polarisation" between software and hardware developers, two groups that were required to work together to release fixes.

Red Hat's chief ARM architect John Masters said that the security industry suffered from a lack of communication between software and hardware companies, but that vulnerabilities exposed earlier this year forced the industry to reassess how new products are developed.

"A problem we had in the industry, in particular, was that hardware and software people don't mix. There's a big polarisation," said Masters at Red Hat's annual summit in San Francisco this week, in response to IT Pro's question about how the vulnerabilities have changed the industry. "To me, that's the silver lining."

"We've really had to do bootstrapping a lot of early work with silicon teams the kind of stuff that we didn't traditionally have to do because it all just worked. That's built a lot of relationships," he added.

"I was able to call on a lot of people I've met in the industry over the past seven years in the time since we've actually been able to formalise some of these engagements, and go from happening to know the right people to building a formal framework."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The Spectre and Meltdown exploits were disclosed by the security industry in January after a general agreement to develop fixes for the issues before they were made public.

These vulnerabilities, known as side-channel attacks, target flaws in the speculative processing feature found in the majority of modern processors, something considered to have been innovative when first developed.

Spectre allows hackers to exploit a processor's ability to speculatively process an action that it expects the user to perform, something that hackers could exploit to access personal history - to predict a user's actions, the processor leaks information that usually sits in a separate location on the chip.

Meltdown, on the other hand, breaks down the hardware-level barriers between the different parts of a chip, allowing hackers to access information they normally wouldn't be able to.

The severity of the problem was exacerbated by the fact that neither flaw could be patched through a software update, and would instead require restrictive software updates or a hardware refresh to fully squash.

Advertisement - Article continues below

Masters explained that Red Hat had been informed of the exploits a few months prior to the news spilling, and was aware that a performance hit would be necessary as part of a patch.

"What we can do with software is very creatively mitigate it. We can take a performance hit, which we aim to make as minimal as possible, and in the process we can mitigate we can remove those conditions required to exploit the vulnerabilities," he said.

"The moment the embargo lifted, we had mitigations ready to ship. We made sure we had mitigations ready to go. We ship that, and then over time we improve the performance."

Red Hat admits that the initial fix was its "best effort" given the short time it had to develop a fix, yet by working closely with industry hardware partners it has managed to reduce the initial performance hit.

"At the beginning you saw a performance impact there of between 5% and 20%, and then you've seen that go down to below 10%. We're not done, we're going to continue to optimise the mitigations."

Advertisement
Advertisement - Article continues below

Chris Robinson, manager of Red Hat's product security assurance team, said that the vulnerabilities highlighted the issue that major vendors have different practices when it comes to security.

Advertisement - Article continues below

"We have much closer ties with our peers in the industry [as a result]," he added. "We're now able to share information and comments back and forth with each other.

"Hardware and software companies work very differently, and [Meltdown and Spectre] has helped us all understand that this is a shared ecosystem an issue that affects one of us potentially can affect all of us. This was really one of the first issues that truly touched on most every hardware and software around."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019