Spectre and Meltdown vulnerabilities can’t be corrected with software implementations

Google experts consider these vulnerabilities to be inherent in modern processors design

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the vulnerabilities Spectre and Meltdown were reported for the first time about a year ago; since then, countless teams of independent specialists and researchers have tried multiple methods to mitigate the risk of exploiting these flaws, expecting to be able to completely eradicate it in the future. 

Unfortunately, for Google network security specialists these vulnerabilities seem to be an inherent feature of modern processors. In other words, software-based correction and mitigation techniques are not enough to overcome these vulnerabilities.

It is worth noting that Meltdown and Spectre attacks take advantage of the speculative execution, a feature of the currently used processors. This means that a processor may assume that a condition can be true or false. If it turns out to be true, the speculative results are maintained; if the condition turns out to be false, the results will be discarded.

Initially, network security specialists assumed that speculative execution was invisible to running programs, as it is a feature of implementations. However, evidence was later discovered that some traces of false speculation were not completely eliminated.

A malicious user could take control of this data through a side channel. In addition, attackers can trick computers into loading sensitive data, such as administrators’ information, passwords, etc. To mitigate the risks posed by these vulnerabilities, developers have resorted to using software-based techniques, such as using sandbox environments, or preventing the processor from running sensitive information.

While these software techniques are quite functional, Google experts claim that this is just a shallow solution. A test made in the Chrome browser showed that, in trying to implement a comprehensive solution against a Spectre attack, the administrators generated a considerable drop in the performance of their developments.

In conclusion, it is not possible to solve Spectre-type vulnerabilities with software deployments only. Speculative execution is a fundamental part of a modern processor; so many specialists consider that Spectre and Meltdown will keep bringing problems for a long time.