29-06-2018 | By Christian Cawley
Do the challenges presented by the disclosure of the Meltdown and Spectre exploits remain locked into the usual bug-patch-repeat dynamic? Do businesses have a choice beyond putting up with PCs slowed by patching the bugs?
It turns out that there could be a hardware solution that doesn't demand a massive increase to the hardware budget: ARM-based thin clients on every desktop.
The Threat Posed By Meltdown and Spectre
Publicly disclosed in January 2018, Meltdown is the name given to a hardware-level vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. Accompanying this news was the revelation that switching to AMD-based systems isn't a solution; while AMD state that "AMD processors are not susceptible due to our use of privilege level protections within paging architecture," the Spectre vulnerability does impact AMD microprocessors.
While Meltdown allows rogue processes to access memory without permission, Spectre subverts speculative execution, a common time-saving function. Both could have terrible consequences for business users in particular, which is why patches were rolled out for all operating systems.
Latterly, the now-patched Lazy FPU exploit has been discovered to permit the copying of supposedly encrypted data from older Intel Core and Xeon processors. Current-generation operating systems are not impacted.
Security guru Bruce Schneier suggests that these vulnerabilities represent "the future of security - and it doesn't look good for the defenders... attacks against hardware, as opposed to software, will become more common."
Using hardware less susceptible to attack seems a better solution than patching mistakes.
Inadequate Solutions Call for New Approaches
Now widely rolled out, these patches have so far been successful in mitigating the risks of both the Spectre and Meltdown vulnerabilities. In short, patched systems should now be protected from exploitation. But the solution comes with a cost: speed.
Tightening up the security holes in the affected CPUs has slowed operating systems down. In some cases (especially on older CPUs) this reduction in server and PC performance has had frustrating results.
Not all hardware is affected by these vulnerabilities, however. While much of the technology that has avoided Meltdown and Spectre is somewhat archaic by modern standards, there is hope for any IT department or agency looking for a patch-free solution.
Of course, reverting to older hardware and operating systems opens up a whole host of further exploits for hackers, and these require less effort than the current issues. However, many current Intel Atom laptops and tablets are immune to the Meltdown and Spectre bugs. But are they the best solution?
ARM Computers with Thin Client Support
Although some ARM-based systems are affected by Meltdown and Spectre, others are not. Many Android smartphones, for instance, require patching. Some models of the Raspberry Pi, on the other hand, do not.
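Whether a particular Linux machine is unaffected in hardware, patched, or still exposed can be read from the kernel's own status files. The sketch below is an added example, not part of the original article: it assumes a kernel recent enough to expose `/sys/devices/system/cpu/vulnerabilities/`, and the status files written in `demo()` are constructed sample data.

```python
import tempfile
from pathlib import Path

# Linux reports the status of each CPU bug here, one file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map the kernel's status string to one of four buckets."""
    if status is None:
        return "unknown"          # file missing: old kernel or non-Linux host
    if status.startswith("Not affected"):
        return "not_affected"     # hardware is not susceptible
    if status.startswith("Mitigation"):
        return "mitigated"        # susceptible, patch active (may cost speed)
    if status.startswith("Vulnerable"):
        return "vulnerable"       # susceptible, no effective mitigation
    return "unknown"


def audit(base=SYSFS_DIR):
    """Return {issue: (bucket, raw status)} for the machine rooted at base."""
    report = {}
    for issue in ISSUES:
        path = Path(base) / issue
        raw = path.read_text().strip() if path.is_file() else None
        report[issue] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Issues that are neither absent in hardware nor mitigated."""
    return sorted(issue for issue, (bucket, _) in report.items()
                  if bucket in ("vulnerable", "unknown"))


def demo():
    """Constructed sample: a patched desktop with one gap and one missing file."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "meltdown").write_text("Mitigation: PTI\n")
        (Path(d) / "spectre_v1").write_text("Vulnerable\n")
        return audit(d)           # spectre_v2 deliberately left absent


if __name__ == "__main__":
    for issue, (bucket, raw) in audit().items():
        print(f"{issue:12} {bucket:13} {raw or '(not reported)'}")
```

A machine reporting "Not affected" for all three needs no mitigation and pays no patch-related slowdown, which is the property the article attributes to some ARM boards.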
Back in 2016, desktop virtualization publisher Citrix discussed how the Raspberry Pi 2 could be used as a thin client, noting that "Typical business users don’t care if they have a PC with a 2.0 GHz CPU, or 3.0 or 4.0 as long as it works well and looks good." Although there is a case for dedicated hardware for video processing, CAD, and intensive development, these are specialist uses. Most office-based users can get by with a virtualized environment providing their email, word processor, spreadsheet, etc.
Significantly, both the Raspberry Pi 2 and 3 models are unaffected by Meltdown and Spectre. Could these devices prove the necessary jumping-off point for a new generation of office-ready hardware that doesn't have the weaknesses of its predecessors?
At this point, it's probably worth revisiting Bruce Schneier's words concerning computer security of the future: "attacks against hardware, as opposed to software, will become more common." Sooner or later, there will be a new threat, one that hits ARM-based systems as hard as Meltdown and Spectre have hit Intel and AMD. ARM-based thin clients may simply be nothing more than an affordable Band-Aid.