Spectre and Meltdown

(Justin) #1

There’s been a lot in the news over the past couple of days about the Spectre and Meltdown bugs, which apparently affect the majority of mobiles and computers - apparently making it possible to exploit vulnerabilities in the chips to access data stored in memory by other programmes: https://spectreattack.com/

  • Apple have confirmed that the issue affects all iOS devices and Macs - with the exception of Apple Watches. They’ve indicated a fix has already been deployed (though I haven’t yet seen one).

  • Google have confirmed that it affects Android devices. It will likely take some time for all the manufacturers of Android devices to create updates for their own versions of Android

Apparently, the bugs are not yet known to have been exploited. Any thoughts on how this will impact the use of the Monzo app - and other banking apps - and what information will be given to customers?

Links to press covfefe :wink: here:

(Peter Roberts) #2

Meltdown is Intel only and that’s the easiest to exploit so hopefully the impact will be minimal

The crazy thing about it is the technique is so simple / elegant once you see so it’s surprising it’s taken us this long to think of trying it!

(Andy) #3

Have a read of this and you will find its not just Intel

(Peter Roberts) #4

That’s correct, but I believe AMD hardware lacks the memory aliasing support required to make Meltdown practically applicable. There is no PoC for it

I’m pretty sure Spectre applies to it though both variants known are significantly harder to deploy and attack a single user space program rather than the kernel

(Edward) #5

There’s no PoC for Meltdown on AMD CPUs, but it was not ruled out by the researchers at Google (they just did not pursue the alternate exploit method as the one possible on Intel was much faster to generate results). Spectre is as applicable to AMD CPUs as it is every other OoOE CPU with speculative execution, and the ‘fix’ to Meltdown is kind of a ‘step 1’ to mitigating future Spectre-based attacks so the point is rather moot.