Spectre, Meltdown made industry collaborate: Red Hat

By on
Spectre, Meltdown made industry collaborate: Red Hat

Open source giant Red Hat has suggested the Meltdown and Spectre vulnerabilities helped to solve a major industry issue of "polarisation" between software and hardware developers, two groups that were required to work together to release fixes.

Red Hat's chief ARM architect John Masters said that the security industry suffered from a lack of communication between software and hardware companies, and that vulnerabilities exposed earlier this year forced the industry to reassess how new products are developed.

"A problem we had in the industry, in particular, was that hardware and software people don't mix. There's a big polarisation," said Masters, speaking to members of the press at Red Hat's annual Summit in San Francisco this week. "To me, that's the silver lining."

"We've really had to do bootstrapping – a lot of early work with silicon teams – the kind of stuff that we didn't traditionally have to do because it all just worked. That's built a lot of relationships," he added.

The Spectre and Meltdown exploits were disclosed by the security industry in January after a general agreement to develop fixes to the issues before they were made public.

The vulnerabilities, known as side-channel attacks, target flaws in the speculative processing feature found in the majority of modern processors, something considered to have been innovative when first developed.

The idea is that a processor will speculatively process an action that it expects the user to perform, something that hackers could exploit to access personal history

The severity of the problem was exacerbated by the fact that it couldn't be patched through a software update, and would instead require restrictive software updates or a hardware refresh to fully squash.

Masters explained that Red Hat had been informed of the exploits a few months prior to the embargo lifting and was aware that a performance hit would be necessary as part of a patch.

"What we can do with software is very creatively mitigate it. We can take a performance hit, which we aim to make as minimal as possible, and in the process we can mitigate – we can remove those conditions required to exploit the vulnerabilities.

"The moment the embargo lifted, we had mitigations ready to ship. We made sure we had mitigations ready to go. We ship that, and then over time we improve the performance," said Masters.

Red Hat admits that the initial fix was its "best effort" given the short time it had to develop a fix, yet by working closely with industry hardware partners it has managed to reduce the performance hit.

"At the beginning you saw a performance impact there of between 5% and 20%, and then you've seen that go down to below 10%. We're not done, we're going to continue to optimise the mitigations.

Chris Robinson, manager of Red Hat's product security assurance team, said that the vulnerabilities highlighted the issue that major vendors have different practices when it comes to security.

"We have much closer ties with our peers in the industry [as a result]," added Robinson. "We're now able to share information and comments back and forth with each other."

"Hardware and software companies work very differently, and [Meltdown and Spectre] has helped us all understand that this is a shared ecosystem – an issue that affects one of us potentially can affect all of us. This was really one of the first issues that truly touched on most every hardware and software around."

This article originally appeared at itpro.co.uk

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © ITPro, Dennis Publishing
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

The channel is a juicy hacking target - are you improving security?
YES - recent attacks on MSPs spurred us to action
YES - we're ALWAYS improving our security stance
YES - we've noticed new forms of attack
NO - we're confident our past efforts are enough, but are always vigilant
NO - we don't see the need for change at this time
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?