Anterovium - Fotolia

Meltdown and Spectre target cloud computing environments

Hackers could target cloud computing environments to exploit the Meltdown and Spectre vulnerabilities, but AWS, Microsoft and Google say their fixes are enough to bar the doors.

The biggest tech security glitch in recent memory could especially darken the skies for cloud computing platforms.

The Meltdown and Spectre security flaws  reported this week that affect Intel, AMD and ARM chips expose just about every server, desktop system and smartphone. But the biggest target figures to be servers in large data centers that host cloud computing environments.

The two vulnerabilities have existed for over 20 years in modern architectures based on Intel, AMD and ARM processors, ubiquitous in servers, desktops and mobile devices. But, realistically, hackers probably won't hunt for individual devices or even corporate IT setups, said Jack Gold, president and principal analyst of J. Gold Associates LLC in Northborough, Mass.

"Will it be your PC? No. But going after the information in your data center could be well worth their while," he said.

The Meltdown and Spectre vulnerabilities exploit computer architectures that use pre-fetch capabilities to anticipate code or features users will request next, and load data and instructions into memory, Gold said. Bypassing pre-fetch and going out to the disk to retrieve data avoids that vulnerability, but that extra work will affect performance. It's not a technically difficult problem to solve, but an effective fix might prove tricky, given the performance tradeoffs.

An academic research paper suggested the Meltdown vulnerability most seriously affects cloud providers, particularly if guests on the platform are not fully virtualized. Many hosting and cloud providers lack an abstraction layer for virtual memory, the report indicated, and they utilize containers, such as Docker, where the kernel is shared by all the guests. This means Meltdown can circumvent the isolation between guests and thereby expose the data of all other guests on the same physical host.

Cloud providers circle the wagons

Going after the information in your data center could be well worth [hackers'] while.
Jack Goldpresident and principal analyst, J. Gold Associates LLC

The major cloud providers, including Amazon Web Services (AWS) and Microsoft Azure, raced to release statements in an attempt to reassure users that many of them are already protected and the rest will soon be.

AWS officials said in a statement that all but a small, single-digit percentage of instances across the Amazon Elastic Compute Cloud fleet were already protected, and remaining ones would be completed within hours.

Microsoft similarly said it has worked "closely with chip manufacturers to develop and test mitigations to cloud services" and will release security updates to protect Windows-based users that have deployed Intel, AMD and ARM chips. Like AWS, the company said the majority of its Azure cloud customers should not see a noticeable performance effect after applying the fix, which addressed the vulnerabilities at the hypervisor level.

Google officials have come up with a mitigation called Retpoline, which protects against branch target injection attacks and has had negligible impact on server performance, according to the company.

This mitigation involves kernel page-table isolation (KPTI), described as a general technique to protect information residing in memory from other software that runs simultaneously. Google officials said tests of KPTI on most of its own workloads, including cloud infrastructure, resulted in negligible performance impact, contrary to widespread speculation that the software caused significant performance slowdowns.

IBM, meanwhile, stated that its engineering teams are working to determine "any potential impact" and resolutions, as its services and security organizations work with users to plan and update potentially affected systems.

Big Blue advised users to first protect themselves from the Meltdown and Spectre flaws by stopping the execution of unauthorized software on any system responsible for handling sensitive data, including adjacent virtual machines.

Ed Scannell is a senior executive editor with TechTarget. Contact him at [email protected].

Dig Deeper on Cloud app development and management