Virtual security could be a pipe dream

RK RAGHAVAN | Updated on January 11, 2018 Published on January 11, 2018

The discovery that bugs, Meltdown and Spectre, have been in computer chips for 20 years now, has shaken up cyberspace

There is likely to be a fresh debate across the world over the wisdom of individuals and corporations investing so much time and money on strengthening cyber security. Optimism over the efficacy of well-conceived security measures is likely to yield place to resignation and regretful cynicism because of certain recent happenings.

Totally bugged

The immediate context is the claimed chance discovery of two bugs in computer chips designed by eminent leaders in the field such as Intel, Advanced Micro Devices (AMD) and ARM (Advanced Risk Machines). These bugs are suspected to have holes in them, which have the potential of compromising vital data by allowing access to total strangers.

It all started with news trickling in that some reputed chip manufacturers were busy fixing patches for their products used by machines all over the world. What surprised many observers was that such patches, normally used for taking care of vulnerabilities in applications, were now being used for mending defects in computer chips. This was perhaps one of few occasions when repair work seemed to be shifting from application shortcomings to hardware vulnerabilities.

After some initial guesswork, the big picture started emerging. It became known that the villain was the faulty design of chips by manufacturers, who were hitherto known for their unerring skill and professionalism.

The preliminary finding of those who were tasked to probe reported shortcomings was that chip designers had possibly slipped up sacrificing security for speed. The complaint was that designers, either on instructions from corporate bosses or otherwise, began concentrating more on satisfying the customers’ craving for speed of execution of their commands, even if this meant a slight compromise of security.

I am reminded here of the never-ending debate in statecraft with regard to the efficiency of intelligence organisations. The question is: Do you want your intelligence apparatus (Intelligence Bureau, the CIA and the UK’s MI5) to be fast in purveying information, or would you like them to be dead accurate in preparing analyses, even if it means a loss of speed?

It is the common belief of professionals that an intelligence agency cannot all the time be both swift and correct. This is because field operatives, if they want to be useful to their consumers, cannot lose time verifying the credibility of a piece of vital information collected by them, before actually passing it on to higher formations. This perhaps was the dilemma that confronted computer chip designers and those who paid them for their work.

Old news

The two bugs we are talking about here have been named ‘Meltdown’ and ‘Spectre’. It has been admitted that these bugs were were not a wholly new phenomenon. One estimate (wired.com) puts it as twenty years old. Interestingly, four groups of researchers (including those from Graz University of Technology in Austria) are said to have independently stumbled on this within a short span of time, opening up a flood of speculations and theories. Was this accidental or was it an earlier cover-up that could not be hidden any longer?

Each of the three researchers from Graz University wrote proof-of-concept codes, and, much to their consternation, found their worst fears confirmed. They could see that sensitive personal data, including their browsing history, private email conversations, etc, started appearing on their codes. When alerted by the Graz team, the principal chipmaker, Intel, gave no impression of being surprised or agitated.

After a week-long silence, they admitted they were aware of the problem and were working on plugging the hole.

According to security experts, Meltdown enables hackers to steal information by breaking the hardware barrier between applications and a computer’s core memory. On the other hand, Spectre could trick even error-free applications to surrender information. The belief is that the vulnerability of Meltdown could be fixed with some intelligent effort. Spectre is relatively more difficult to use, and is more complicated to fix. It is expected to pose a long-term problem.

A slowdown of computers is a distinct possibility. This is because many operating systems require assiduous separation of application and kernel memory. This perhaps is a lesser evil than the labour and cost involved in changing a whole set of hardware.

The basic point is that there is no room for complacency, just because there are no known reports as yet that Meltdown and Spectre have caused any major damage. However, the large-scale publicity they have received can give an idea or two to those looking for opportunity. Hopefully, they won’t!

The writer was CBI director and a former security adviser to TCS Ltd

Published on January 11, 2018
This article is closed for comments.
Please Email the Editor