Meltdown and Spectre: How much are ARM and AMD exposed?

As the chip vendors wrestle to get their arms around the Meltdown and Spectre vulnerabilities, we’re slowly determining the exposure of AMD and ARM to the exploit. Intel, unfortunately, is totally vulnerable. With AMD and ARM, though, it gets complicated.

First, let’s go over the Spectre exploit, which is a second class of attacks similar to Meltdown, the one we all know. Like Meltdown, Spectre exploits speculative execution in order to root out information from a CPU’s cache. Spectre is different because of how it runs.

While Meltdown is based on a specific implementation of speculative execution, Spectre exploits a risk to speculative execution that requires more work to exploit but is also considered harder to mitigate. Because it’s more obscure and arcane, it’s not as well understood. That’s why Meltdown is considered the bigger risk.

To reiterate, speculative execution is a form of high-performance execution in modern CPUs by making what is essentially an educated guess on what the CPU will be told to do next, rather than wait for the instruction. Intel has been doing this for decades, but AMD has not. AMD doesn’t do what’s called branch prediction.

It’s important to remember that Meltdown and Spectre don’t allow malicious code into your computer to destroy data or hard drives. It is a read-only vulnerability. Of course, that’s still bad. It means sensitive data in memory can be stolen. But you don’t need to fear your database being trashed, just read.

The risk to AMD processors

AMD issued a statement on Meltdown and said it is potentially vulnerable to only one of the three variants of Meltdown, but no one has demonstrated an AMD vulnerability as yet. This applies to both the new Epyc server processor and older Opteron server chips for the half dozen customers still using them.

The risk to ARM processors

With ARM, it gets complicated. The company has published a list of cores at risk. ARM has three types of cores — Cortex-A, Cortex-M and Cortex-R.

Cortex-M is an embedded microcontroller used in Internet of Things (IoT) devices and a 32-bit processor, so it has no exposure.

Cortex-R is also an embedded controller used in real-time applications, such as cars. Those are used in closed systems and are not prone to attack, although ARM said they are at risk of exposure.

Only the Cortex-A line has exposure, and not all of the chips are at risk. For example, the Cortex-A53, which is the most widely used processor in smartphones and tablets, is not at risk. The A55 is also clear. But, again, it gets complicated. The iPhone, from which the Ax processor line is derived, used the A53. But Apple did a lot of work to improve performance and has pushed out an update to iOS in version 11.2.2.

What about server vendors?

As for the server vendors, it’s a bit hard to determine Qualcomm’s exposure. Centriq is based on the ARMv8 design, but there are a lot of v8 designs, both in 32-bit and 64-bit derivatives. The Centriq core, code-named Falkor, does do branch prediction and out of order execution, so there is a good chance it does have exposure.

“We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available,” the company said.

As for Cavium, its chief competitor in the ARM server market, I’m told the ThunderX processor on the market does not have exposure to Meltdown and Spectre, but the ThunderX2, which is not out yet, is vulnerable. There was quite a change between the first and second version of ThunderX because the ThunderX2 is heavily derived from IP acquired from Broadcom in 2016.

Broadcom had an ARM-based server project, called Vulcan, in the works and on paper looked to be quite competitive. Then Broadcom was bought by Avago, which didn’t want to be in any market it couldn’t dominate or was unproven. So, Vulcan was a victim of the whittling down of Broadcom’s product line, and Cavium lucked out. It picked up Broadcom’s work and got a big jumpstart on its efforts, and Broadcom was quite ambitious, targeting markets such as networking, communications, servers, and big data for Vulcan. So, chances are it did branch prediction, which means, yes, it is vulnerable.

A Cavium spokesman said Cavium processors in production are not susceptible to all three variants of Meltdown. And due to differences in Cavium’s architecture, the company believes there is “a near zero risk to Cavium processors at this time.” To mitigate any potential risks for ThunderX2, Cavium has software patches in place. However, there are no silicon changes planned, nor does it plan to delay the release of ThunderX2 to make changes to the processor.

“The performance impact due to these patches are negligible,” the Cavium spokesman said.