Director – Power Systems
If you’re in IT, the recognition and concerns about the Meltdown and Spectre vulnerabilities from the past couple of days are well known to you. At a high level, Meltdown is the vulnerability that allows applications, which are running in one address space, to access memory in another application’s memory space. Spectre is related, but different, in that it identifies an “opening” where a single application can have its memory hacked, due to a microprocessor architecture that enables “speculative computing.” In Power Systems, this is also called “out of order execution and branch prediction.” The Spectre vulnerability is where the memory associated with the multiple compute paths being executed before the condition is determined can be accessed via a “flaw” in the processor design in concert with the associated operating system. The Intel x86 microprocessors are of major focus with Windows and Linux effecting Cloud, since that is a multi-tenant environment and vulnerable in Meltdown. However, the information also says most microprocessor architectures are potentially vulnerable (AMD, ARM, Power, Z, etc.).
IBM has released this statement regarding the OS and processor patches for Power Systems:
Jan 4, 2018 10:05 pm EST
Share this post:
On Wednesday, January 3, researchers from Google announced a security vulnerability impacting all microprocessors, including processors in the IBM POWER family.
This vulnerability doesn’t allow an external unauthorized party to gain access to a machine, but it could allow a party that has access to the system to access unauthorized data.
If this vulnerability poses a risk to your environment, the first line of defense is the firewalls and security tools that most organizations already have in place. Complete mitigation of this vulnerability for Power Systems clients involves installing patches to both system firmware and operating systems. The firmware patch provides partial remediation to this vulnerability, and is a pre-requisite for the OS patch to be effective.
These will be available as follows:
- Firmware patches for POWER7+, POWER8 and POWER9 platforms will be available on January 9. We will provide further communication on supported generations prior to POWER7+, including firmware patches and availability.
- Linux operating system patches will start to become available on January 9. AIX and i operating system patches will start to become available February 12. Information will be available via PSIRT.
- Clients should review these patches, in the context of their datacenter environment and standard evaluation practices, to determine if they should be applied.
In my opinion, this is serious and needs to be addressed. However, we should also recognize that we have had many vulnerabilities before, and if history repeats, there will be vulnerabilities in the future. Please note that this is a vulnerability and not malware. This becomes an issue if malware/virus exploit this vulnerability. In-house servers are not PCs, nor public cloud implementations, which have “openings” to allow malware to be installed if they are not protected. In Power Systems, there are several “protections” to address intrusion prevention. Within AIX, there is trusted execution and aixpert which add to firewall protection, to prevent unauthorize code from intrusion and execution (eg the virus or malware). There is also BigFix and Power Security and Compliance (PowerSC), which both have a wide range of protection tools to prevent, shield, and alert if the system has been hacked. For IBM i, there is an IBM Lab Services extension to the features in IBM i to provide this same protection.
In a recent survey, however, a very low percentage of Power Systems are using the tools available to provide protection, and most of these tools are free or very low cost. I think the best path for Power customers is to implement the fixes that are coming from IBM, per the posting above, but also to implement the security features available to secure the future.
Mainline has a security practice that will help you review your environment and assist in the selection of tooling along with its implementation.
Please contact your Mainline Account Executive directly, or click here to contact us with any questions.