
Communications of the ACM

ACM News

‘It Can’t Be True.’ Inside the Semiconductor Industry’s Meltdown


At least 10 researchers and engineers working around the globe, sometimes independently, sometimes together, uncovered Meltdown and Spectre.


It was late November and former Intel Corp. engineer Thomas Prescher was enjoying beers and burgers with friends in Dresden, Germany, when the conversation turned, ominously, to semiconductors. 

Months earlier, cybersecurity researcher Anders Fogh had posted a blog suggesting a possible way to hack into chips powering most of the world's computers, and the friends spent part of the evening trying to make sense of it. The idea nagged at Prescher, so when he got home he fired up his desktop computer and set about putting the theory into practice. At 2 a.m., a breakthrough: he'd strung together code that reinforced Fogh's idea and suggested there was something seriously wrong.

"My immediate reaction was, 'It can't be true, it can't be true,'" Prescher said.

Last week, his worst fears were proved right when Intel, one of the world's largest chipmakers, said all modern processors can be attacked by techniques dubbed Meltdown and Spectre, exposing crucial data, such as passwords and encryption keys. The biggest technology companies, including Microsoft Corp., Apple Inc., Google, and are rushing out fixes for PCs, smartphones and the servers that power the Internet, and some have warned that their solutions may dent performance in some cases.

Prescher was one of at least 10 researchers and engineers working around the globe—sometimes independently, sometimes together—who uncovered Meltdown and Spectre. Interviews with several of these experts reveal a chip industry that, while talking up efforts to secure computers, failed to spot that a common feature of their products had made machines so vulnerable.

"It makes you shudder," said Paul Kocher, who helped find Spectre and started studying trade-offs between security and performance after leaving a full-time job at chip company Rambus Inc. last year. "The processor people were looking at performance and not looking at security." Kocher still works as an adviser to Rambus.


From Bloomberg


