How to avoid Meltdown, and why you shouldn't be that worried about it

Recently, a big vulnerability was discovered in Intel, AMD and some ARM CPUs. Meltdown allows the attacker to get data from memory because of a hardware bug in superscalar processors. A superscalar processor tries to execute more than one instruction at a time to get more work done in a smaller amount of time, instead of just having a higher clock speed. To keep my explanation short, let's just say that the attacker can trick the branch predictor into arranging instructions in a way that would allow any program to read kernel memory. Of course, I'm simplifying the process to make it easier to understand. If you want to know more, read this blog post from the Raspberry Pi Foundation or watch the video from Computerphile below.


One thing on which I can't agree with most people who talk about Meltdown and Spectre is the "You HAVE to patch yourself to stay secure" claim. You SHOULD, but sometimes it's not possible, as the fix may not be released by the manufacturer: look at old Android phones or Core 2 Duo and earlier CPUs.

AFAIK, the patch consists of code that disables/overrides the speculation procedure, which usually saves a lot of CPU time by assuming that some instruction will return a specific value. This would obviously slow down the CPUs by anywhere from 10% to 30%, but there's another fix (which will also require a lot of self-consciousness when using a computer) that can have no negative impact on performance.

NoScript, or how to avoid running malicious code

NoScript is a simple browser addon that disables JavaScript in your browser. The well-known solution for Meltdown is to assume that code is evil, and lose performance by disabling the way it can read all system memory. My awful (mainly because it's not transparent to the user, and it doesn't even try to be) solution is to assume that code is evil, and just not run it. Of course, today's web is built on JavaScript, and disabling it entirely may have a bad influence on your browsing experience, but the speed tradeoff may be worth it. If you ever need to turn on JS on a page you trust, NoScript supports whitelists, where you can add pages that need JS and are trusted by you, such as Google or YouTube.

About that self-consciousness part... NoScript only prevents running malicious code in your browser. Outside of it, you have to be careful to run only programs from safe sources, but that should be common sense to most advanced computer users.

Not a solid, future-proof fix...

... but still a good enough one as a temporary fix, or something for devices that won't get the fix. If you have an Android phone that's more than a year old and/or doesn't have big, bold text on the cover stating that it was produced by a giant company like Samsung or LG, it's more than likely that you won't get an update. The same applies to end-of-life processors in personal computers, as manufacturers won't care enough to release patches for them.

The fix is terrible, but for some cases, it will have to do.
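
To tell whether a Linux machine is one of the unpatched cases above, you can read the status line the kernel publishes for Meltdown. This is an added example, not code from the original post; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the kernel exposes its Meltdown status at the sysfs path below.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/meltdown

# Map the kernel's status line to one of:
#   not-affected | mitigated | vulnerable | unknown
classify_meltdown_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;  # CPU is not affected
        "Mitigation:"*)  echo "mitigated" ;;     # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo "vulnerable" ;;    # affected, no mitigation active
        *)               echo "unknown" ;;       # empty or unrecognised text
    esac
}

# Read a status file and classify its first line. A missing or unreadable
# file is treated as unknown: the kernel does not report a status at all.
meltdown_class_from_file() {
    mc_line=""
    if [ -r "$1" ]; then
        read -r mc_line < "$1" || true
    fi
    classify_meltdown_status "$mc_line"
}

# Succeeds (exit 0) when the class means no mitigation can be confirmed,
# i.e. the "don't run untrusted code" workaround is the remaining defence.
needs_workaround() {
    case "$1" in
        vulnerable|unknown) return 0 ;;
        *) return 1 ;;
    esac
}

mc_class=$(meltdown_class_from_file "$VULN_FILE")
echo "Meltdown status: $mc_class"
if needs_workaround "$mc_class"; then
    echo "No kernel mitigation confirmed: restrict untrusted code (e.g. NoScript)."
else
    echo "Kernel reports the CPU as mitigated or not affected."
fi
```

An `unknown` result is deliberately grouped with `vulnerable`, so a kernel that reports nothing is treated the same as one that reports no mitigation.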

