spectre, meltdown, vulnerability,

Overview

Based on Green Hills Software analysis of the Spectre and Meltdown side-channel mechanisms and assessment of their potential exposure in a system design, a product is not at risk if any of these conditions apply:

  • If attackers cannot insert and run malicious code on the product.

    Explanation: These vulnerabilities only have the ability to expose protected data via crafted code sequences that must be inserted and executed on a computer system. By themselves, exploits for these vulnerabilities do not allow the insertion or execution of malicious code.

  • If the product’s processor is not affected by these defects.

    Explanation: Only certain processors are vulnerable to Spectre and Meltdown variants. Please consult the silicon provider to find out if the product’s processor is affected.

  • If the product does not require its data to be protected against breaches in confidentiality.
    (e.g., has no privileged or secret data that must not be exported outside the product such as passwords, keys, etc.).

    Explanation: Spectre and Meltdown are only utilized to read data in a way that bypasses system privilege levels.

  • If the product is a closed system.
    (i.e., does not include any external data interfaces that could be used to transmit confidential data).
  • If the product contains a monitoring function for all its outputs to ensure there is no unintentional leakage of confidential data.
  • If uses of the product include procedural controls to ensure there is no unintentional leakage of confidential data.
  • If the product has not yet been deployed.

    Explanation: Green Hills will include mitigations to Spectre and Meltdown in the next releases of the MULTI toolchain and INTEGRITY operating system. Please coordinate with your Green Hills sales team to discuss options for mitigations prior to the release of the product.

Green Hills Software’s security experts are available to help clients perform a risk-based analysis of their products and recommend the best approach for mitigation of these vulnerabilities. Please contact a Green Hills sales representative for further assistance.

More information:

Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) are processor design flaws that can be exploited to take advantage of weaknesses in speculative execution (present in many modern CPU cores) that break isolation between user applications and the operating system. These are processor flaws that need system-level analysis and potentially require software remediation, these are not bugs in Green Hills Software products. Green Hills Software has been working closely with its silicon partner ecosystem to evaluate the impact and implement the recommended mitigations for each affected silicon platform.

© 1996-2018 Green Hills Software Trademark & Patent Notice