Meltdown and Spectre vulnerabilities

I know! I know! I am so active these days in blogging! That’s because of important international and domestic events! In my 2 previous posts, I have covered 2 important things that happened to me at work during these 2 days.

I’ve read more about the Meltdown and Spectre vulnerabilities these days. In recent years, we have had a bunch of vulnerabilities in the computer software industry, like Shellshock, Heartbleed, the GRUB 2 authentication bypass by pressing backspace 28 times, and last but not least and probably the most important one, a critical bug in the Microsoft Windows SMB server which finally caused WannaCry. Now, it’s time to find a critical vulnerability in CPU hardware!

Unlike the bugs mentioned earlier, the Spectre and Meltdown vulnerabilities are hardware-related ones. These kinds of bugs are very, very hard to find and very, very hard to fix. As people cannot change all their affected hardware, we need to address these bugs in the operating system’s kernel. Patching the kernel to address such bugs will complicate OS kernels further and will move bugs from hardware into software/kernel bugs.

Almost all computer guys are talking about these hot bugs and I do not want to repeat them. I am just here to conclude three things from these vulnerabilities:

  1. I’ve studied Computer Organization and Design by David A. Patterson and John L. Hennessy and Modern Operating Systems by Andrew S. Tanenbaum during the last 2 years. Thanks to these scientists and my prior studies in electronic engineering technology, I can understand how such a thing is possible. I also know how hard it is to discover such a bug in hardware, and this cannot be done by a single person, but by a group of security researchers spending years on study and research. I suggest you take a look at these books. You will love them. I promise.
  2. I made sure that independent people can participate and have a great effect on such important papers. Paul Kocher did great work on Spectre and was a great help in finding and addressing Meltdown. He is cited in those papers as an independent researcher. Also, for-profit corporations like Cyberus Technology GmbH and Rambus, Cryptography Research Division could have an effect on the papers.
  3. This is the first time that I see great co-operation from a German company in a very important affair in computer science.