On Wednesday, January 3rd, researchers from Google Project Zero, Cyberus Technology, Graz University of Technology, and other organizations released details about a pair of related vulnerabilities, dubbed Meltdown and Spectre. These vulnerabilities appear to affect all modern processors and enables malicious code to read sensitive portions of memory on nearly all systems, including computers and mobile devices.
Akamai is aware of side-effects of "speculative execution", the core capabilities that enable the Meltdown and Spectre vulnerabilities. We are testing the performance and efficacy of the available patches on our systems. Because of our technical approach to handling data of many customers, we do not believe these vulnerabilities pose a significant threat to the Akamai platform. Akamai does not rely on the capabilities that enable these vulnerabilities. We will continue to update further, as more details become public.
All modern CPU architectures use a technique called "speculative execution", including Intel, AMD, and ARM. This technique takes advantage of times when the CPU is waiting for a slow process, such as reading or writing to main memory, to proactively perform tasks predicted from the current activities. This speeds up overall processing by completing tasks before they're required, and if the task is not needed, the CPU unwinds the work and frees up the resources. Unfortunately, this process is not perfect, and the CPU can be tricked into giving access to read kernel memory.
The vulnerability that speculative execution introduces leads to the paired vulnerabilities called Meltdown and Spectre. Both vulnerabilities grant a user program read access to the kernel memory and to the memory space of other programs and hence all secrets they contain. The impact of these vulnerabilities is especially concerning in the case of shared cloud services, as they can lead to escaping the memory space of the hypervisor to read other sections of virtual memory and potentially access secrets of other virtual hosts.
The difference between Meltdown and Spectre is in the mechanism they use to read memory. Meltdown allows a user program to read any physical memory on the machine directly during speculative execution, leaving "tell-tale" effects that indicate what value has been read. With Spectre, a user program "tricks" the kernel into reading the memory itself during speculative execution and leaving "tell-tale" effects (that the user can see) that indicate what value has been read.
Because these vulnerabilities are at the hardware level, they affect almost all operating systems. Patches for Meltdown are available for the most popular operating systems, with additional patches being released quickly. The Spectre vulnerability is not patchable at this time, and it is projected this will require new hardware to mitigate, meaning a new generation of CPU's. The potential of patching software compilers to disable the exposed features that make Spectre possible exists, but it comes with significant costs.
An additional concern with patching these vulnerabilities is that they cause a significant performance penalty on the CPU. This is a significant impact that many high use systems may not be able to absorb.
Impact to Akamai
Akamai is in the process of evaluating the patches for these vulnerabilities. Our desktop platforms--Macs, Windows, Linux--are as affected as anyone else's. We're rolling out vendor patches and making suggested configuration changes as we receive them. Our production systems are not significantly impacted by it at this time. There are two primary aspects of Akamai's environment that limit exposure to Meltdown and Spectre. First, Akamai's platforms do not rely on CPU-enforced page table isolation for separation of customer data. Second, the platforms do not allow for the execution of arbitrary code by customers or users, severely limiting any potential to exploit this weakness.
Akamai believes there is minimal customer impact from these vulnerabilities, but we will continue to proactively evaluate this problem. Customer secrets and personally identifiable information are not exposed by this vulnerability.
Details about the Meltdown and Spectre vulnerabilities are still evolving, and Akamai is continuing to research their impact on our systems and our customers.
More details can be found in Intel's Newsroom https://newsroom.intel.com/.