Fri, Jan 12, 2018 - Page 9

Inside the chip industry’s meltdown

Tech titans worked in secrecy for months to fix key flaws, after researchers uncovered security holes they thought were too big to be true

By Ian King, Jeremy Kahn, Alex Webb and Giles Turner  /  Bloomberg

“That made it a bit suspicious,” Schwarz said.

Developers submitting specific Linux updates usually say why they’re proposing changes, “and on some of the things they didn’t explain. We wondered why these people were investing so much time and were working on it so hard to integrate it into Linux at any cost,” he said.

To Schwarz and his fellow researchers, there was only one explanation: a potentially much bigger attack method that could blow open these vulnerabilities, and the tech giants were scrambling to fix it secretly before every malicious hacker on Earth found out.

Unbeknownst to the Graz team and Fogh, 22-year-old wunderkind Horn had independently discovered Spectre and Meltdown in April last year. He is part of Google’s Project Zero, a team of crack security researchers tasked with finding “zero-day” security holes — vulnerabilities that trigger attacks on the first day they become known.

On June 1, Horn told Intel and other chip companies Advanced Micro Devices Inc and ARM Holdings what he had found. Intel informed Microsoft soon after. That is when the big tech companies began working on fixes, including Graz’s KAISER patch, in private.

By November, Microsoft, Amazon, Google, ARM and Oracle Corp were submitting so many of their own Linux updates to the community that more cybersecurity researchers began to realize something big — and strange — was happening.

Tests on the patches these tech giants were advocating showed serious implications for the performance of key computer systems. In one case, Amazon found that a patch increased the time it took to run certain operations by about 400 percent, and yet the cloud leader was still lobbying that every Linux user ought to take the fix, according to Gruss.

He said this made no sense for their original KAISER patch, which would only ever impact a small sub-section of users.

Gruss and other researchers became more suspicious that these companies were not being completely honest about the rationale for their proposals.

Intel said it is standard practice not to disclose vulnerabilities until a full remedy has been put in place. The chipmaker and other tech companies have also said their tests show minimal or no impact on performance, although certain unusual workloads might be slowed by as much as 30 percent.

In late November, another team of researchers at IT firm Cyberus Technology became convinced that Intel had been telling its main clients, such as Amazon and Microsoft, all about the issue, while keeping the full scale of the crisis hidden from Linux development groups.

Prescher was part of the Cyberus team. After his late-night discovery in Dresden, he told Cyberus chief technology officer Werner Haas what he had found.

Before their next in-person meeting, Haas made sure to wear a Stetson, so he could say to Prescher: “I take my hat off to you.”

On Dec. 3, a quiet Sunday afternoon, the Graz researchers ran similar tests, proving Meltdown attacks worked.

“We said: ‘Oh God, that can’t be possible. We must have a mistake. There shouldn’t be this sort of mistake in processors,’” Schwarz said.
