Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.
Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM-based processors (mobile devices, smart TVs and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, although companies responsible for software correction of the exploit are reporting minimal impact from general benchmark testing.
Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load, in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some, but not all, characteristics. The Meltdown and Spectre vulnerabilities are considered “catastrophic” by security analysts. The vulnerabilities are so severe that, initially, security researchers believed them to be false.
Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. Meltdown patches may produce performance loss. Spectre patches have been reported to significantly reduce performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured. On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. Nonetheless, according to DELL computers: “No ‘real-world’ exploits of these vulnerabilities [ie, Meltdown and Spectre] have been reported to date [January 26, 2018], though researchers have produced proof-of-concepts.” Further, recommended preventions include: “promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources … following secure password protocols … [using] security software to help protect against malware (advanced threat prevention software or anti-virus).”
On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.
Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. Linux kernel developers have referred to this measure as kernel page-table isolation (KPTI). KPTI patches have been developed for Linux kernel 4.15, and have been released as a backport in kernels 4.14.11 and 4.9.75. Red Hat released kernel updates to their Red Hat Enterprise Linux distributions version 6 and version 7. CentOS has also already released kernel updates for CentOS 6 and CentOS 7.
Apple included mitigations in macOS 10.13.2, iOS 11.2, and tvOS 11.2. These were released a month before the vulnerabilities were made public. Apple has stated that watchOS and the Apple Watch are not affected. Additional mitigations were included in a Safari update as well as a supplemental update to macOS 10.13, and iOS 11.2.2.
Microsoft released an emergency update to Windows 10, 8.1, and 7 SP1 to address the vulnerability on January 3, 2018, as well as Windows Server (including Server 2008 R2, Server 2012 R2, and Server 2016) and Windows Embedded Industry. These patches are incompatible with third-party antivirus software that uses unsupported kernel calls; systems running incompatible antivirus software will not receive this or any future Windows security updates until it is patched, and the software adds a special registry key affirming its compatibility. The update was found to have caused issues on systems running certain AMD CPUs, with some users reporting that their Windows installations did not boot at all after installation. On January 9, 2018, Microsoft paused the distribution of the update to systems with affected CPUs while it investigates and addresses this bug.
It was reported that implementation of KPTI may lead to a reduction in CPU performance, with some researchers claiming up to 30% loss in performance, depending on usage, though Intel considered this to be an exaggeration. It was reported that Intel processor generations that support process-context identifiers (PCID), a feature introduced with Westmere and available on all chips from the Haswell architecture onward, were not as susceptible to performance losses under KPTI as older generations that lack it. This is because the selective translation lookaside buffer (TLB) flushing enabled by PCID (also called address space number or ASN under the Alpha architecture) enables the shared TLB behavior crucial to the exploit to be isolated across processes, without constantly flushing the entire cache – the primary reason for the cost of mitigation.
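The KPTI and PCID points above can be checked on a Linux host. The following is an added example, not code from the original page: it interprets the kernel's Meltdown status file together with the `pcid` and `pti` CPU flags. The sysfs path and the `/proc/cpuinfo` field names are Linux kernel interfaces not named on this page, and the sample inputs are constructed.

```python
import re
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")
CPUINFO = Path("/proc/cpuinfo")

# Constructed samples (not captured from a real host).
SAMPLE_PATCHED = ("Mitigation: PTI\n",
                  "flags\t\t: fpu vme pcid invpcid pti\n"
                  "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n")
SAMPLE_UNPATCHED = ("Vulnerable\n",
                    "flags\t\t: fpu vme sse2\nbugs\t\t: cpu_meltdown\n")

def cpuinfo_tokens(cpuinfo, field):
    """Tokens of the first '<field> : ...' line in /proc/cpuinfo text."""
    m = re.search(rf"^{re.escape(field)}[ \t]*:[ \t]*(.*)$", cpuinfo, re.M)
    return set(m.group(1).split()) if m else set()

def assess(status, cpuinfo):
    """Combine the kernel's Meltdown verdict with the CPU's PCID support."""
    status = status.strip()
    if status.startswith("Not affected"):
        verdict = "not-affected"
    elif status.startswith("Mitigation:"):
        verdict = "mitigated"
    elif status.startswith("Vulnerable"):
        verdict = "vulnerable"
    else:
        verdict = "unknown"  # e.g. kernel too old to expose the file
    flags = cpuinfo_tokens(cpuinfo, "flags")
    return {
        "verdict": verdict,
        # The kernel lists cpu_meltdown under "bugs" on affected CPUs.
        "cpu_affected": "cpu_meltdown" in cpuinfo_tokens(cpuinfo, "bugs"),
        "kpti_active": "pti" in flags,
        # PCID lets KPTI avoid a full TLB flush on each transition.
        "pcid": "pcid" in flags,
    }

def read_host():
    """Read the live files; fall back to the constructed patched sample."""
    if SYSFS.exists() and CPUINFO.exists():
        return SYSFS.read_text(), CPUINFO.read_text()
    return SAMPLE_PATCHED

if __name__ == "__main__":
    for key, value in assess(*read_host()).items():
        print(f"{key}: {value}")
```

A host that reports `mitigated` with `pcid: False` is one where the KPTI overhead described above is likely to be most visible.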
A statement by Intel said that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time”. Phoronix benchmarked several popular PC games on a Linux system with Intel’s Coffee Lake Core i7-8700K CPU and KPTI patches installed, and found that any performance impact was little to non-existent. In other tests, including synthetic I/O benchmarks and databases such as PostgreSQL and Redis, a measurable impact in performance was found.