Based on Green Hills Software’s analysis of the Spectre and Meltdown side-channel mechanisms and its assessment of their potential exposure in a system design, a product is not at risk if any of these conditions apply:
Explanation: These vulnerabilities can expose protected data only through crafted code sequences that must be inserted and executed on a computer system. By themselves, exploits for these vulnerabilities do not allow the insertion or execution of malicious code.
Explanation: Only certain processors are vulnerable to Spectre and Meltdown variants. Please consult the silicon provider to find out if the product’s processor is affected.
Explanation: Spectre and Meltdown can only be used to read data in a way that bypasses system privilege levels.
Explanation: Green Hills can provide updates to INTEGRITY and the toolchain that contain mitigations for Spectre and Meltdown. Please coordinate with your Green Hills sales team to discuss options for mitigations prior to the release of the product.
Green Hills Software’s security experts are available to help clients perform a risk-based analysis of their products and recommend the best approach for mitigation of these vulnerabilities. Please contact a Green Hills sales representative for further assistance.
Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) are processor design flaws: weaknesses in speculative execution (present in many modern CPU cores) can be exploited to break isolation between user applications and the operating system. These are processor flaws that need system-level analysis and potentially require software remediation. They are not bugs in Green Hills Software products.
Additional speculative-execution-related vulnerabilities have been discovered since the release of Spectre and Meltdown. Green Hills Software continues to work closely with its silicon partner ecosystem to evaluate the impact and implement the recommended mitigations for each affected silicon platform.