VANCOUVER, British Columbia – If the standing-room-only crowd was any indication, developers and the open source community are very interested in the recent spate of chip flaws dubbed Spectre, Meltdown, and Foreshadow. Unfortunately, it sounds like they may be standing for a while.
Greg Kroah-Hartman, a fellow at the Linux Foundation, headed up a technical session at this week’s Open Source Summit event in Vancouver, British Columbia, focused on the group’s work in battling the nefarious chip bugs. The quick takeaways for those sitting and standing were that those bugs and their variants are serious and are likely to be an ongoing concern.
Kroah-Hartman explained that while it was common for hardware to have bugs, the recent variants impacting different chips from Intel, AMD, and ARM were “nasty, nasty bugs in the CPU.”
Kroah-Hartman said that the Linux community has been aggressively updating the Linux kernel since the bugs were found last year. This includes dozens of different patches, each fixing and building on previous work. This kernel work is important; as he explained, “the kernel’s job is to fix the bugs.”
But that patching process has also shown that even correct software can be exploited through the hardware. “This is valid code that is somehow shown to be invalid,” he said. Thus the ongoing need for updates. “The kernel can only do so much,” Kroah-Hartman said. “Some things can only be fixed with microcode.”
Microcode is a layer of hardware-level instructions for the chip. Only chipmakers are able to update microcode. Fortunately, they have been.
More to Come
Further complicating the process, Kroah-Hartman said, is that more flaws will be found. Earlier this month, Intel publicly disclosed the Foreshadow variant. However, as with Spectre, Meltdown and the similar bugs that have emerged since January, Intel says researchers haven’t (yet) seen a Foreshadow attack in the wild.
“We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices,” wrote Leslie Culbertson, Intel’s executive vice president and general manager of product assurance and security. “This includes keeping systems up-to-date and taking steps to prevent malware.”
Kroah-Hartman repeatedly echoed this sentiment during his presentation, saying it was critical for developers and the open source community to constantly download the latest updates and patches.