Solving Spectre and Meltdown may ultimately require an entirely new type of processor

Are Meltdown and Spectre too fundamental to patch? One expert suggests they may be.

How to identify and fix execution bugs like Spectre and Meltdown has been a burning topic among microprocessor buffs this year. At Hot Chips, one of the industry’s premier academic conferences on microprocessors, experts agreed that the ultimate solution to solving them may require, yes, a lot more talk.

At a panel Monday at the Cupertino, California event, Professor Mark Hill of the University of Wisconsin, Madison, was asked to think about the implications of side-channel, speculative execution attacks on modern microprocessors like those made by ARM, Intel, and others. His solutions included specialized cores, flushing caches on context switches, and business ideas like charging more for exclusive virtual machines.

But the real answer, he and several other panelists said, is more collaboration between hardware and software designers—and maybe a complete redesign of today’s microprocessors.

How the entire chip industry was blindsided

Meltdown and Spectre were revealed unexpectedly in late 2017, shortly before the vulnerabilities were due to be formally, quietly, disclosed during CES in January, 2018. Originally discovered by Google’s “zero-day” investigative team, Google Project Zero, the attacks take advantage of a modern property of microprocessors, speculative execution, where the processor essentially “guesses” which instruction branch to take and execute. (Paul Turner, an engineer and lead on Google’s kernel team who was on the panel, said that Project Zero didn’t give the others at Google a heads-up; they found out just like everyone else.)

What microprocessor designers thought for 20 years was that a bad “guess” simply retired the data without any security risks. They were wrong, as the side-channel attacks proved. 

In practical terms, it means one browser tab could view the contents of another, or one virtual machine could peer into another. That prompted CPU vendors like Intel, along with Microsoft, to issue software “mitigations,” or patches. It’s the most effective way to protect your PC from Spectre, Meltdown, or any of the followup attacks, like Foreshadow

Fortunately, teasing that information out takes time—in some cases, a lot of it. NetSpectre, which can exploit one of the Spectre vulnerabilities remotely, can be used to break in via the cloud or a remote machine. On one hand, the resulting data leak can be as slow as 1 bit per minute, according to panelist John Hennessy, the famous microprocessor designer and now chairman of Alphabet. On the other, the average time between when a server is remotely penetrated and when that intrusion is discovered is 100 days, he added—giving a vulnerability like Spectre lots of time to work.

Intel’s next-generation processors probably won’t totally fix the first Spectre variant, Hennessy said, even though Intel’s planned hardware mitigations will start being designed in this fall with Cascade Lake, a new Xeon processor.

intel cascade lake mitigations Intel

A list of the hardware mitigations against side-channel attacks like Spectre and Meltdown that Intel is including in its next Xeon microprocessor, Cascade Lake.

Patch, or do-over?

ARM, Intel, AMD, and others in the industry can fix the problem through mitigations in the short term, Hill added. But more fundamental changes may need to be made to eliminate the problem altogether, he said.

“The long-run question is how do we define this right so that we potentially eliminate the problem,” Hill said. “Or are we forced to make it like a crime thing that we’re always mitigating.”

Speculative execution was one of the ways that the microprocessor, and by extension, the PC industry, achieved record sales, noted panelist Jon Masters, a computer architect at Red Hat. But speculation was treated as a “magic black box,” he said, without proper questioning by users or customers. That genie’s out of the box, too. Removing speculation and the processor caches that they leverage would lower performance by twenty-fold, Hill said.

hill spectre meltdown Mark Hill

Some of Professor Hill’s suggestions for short-term fixes for speculative-execution attacks.

Hill’s suggested solutions included isolating the branch prediction element, adding randomization, and implementing better hardware protections. Adding slower, safer execution modes by turning off speculation could be one solution; another would be to split an execution engine between “fast cores” and “safe cores.” He also suggested business solutions including charging more for virtual machines—instead of sharing hardware resources with more than one VM, a cloud provider could provide exclusive access.

The fundamental solution to the problem,  though, would be a ground-up reworking of the architectural definition, Hill said. A computer architecture is the way in which a processor executes the software instruction set, with arithmetic units, floating-point units, and more—and today’s chips were designed to conform to the needs of the original model. But if the basic architectural model is fundamentally flawed, he said, it may be time for a new one. In other words, Spectre and Meltdown aren’t bugs—just flaws in the design of all modern chips—and a new model may be needed.

What the panel ultimately decided upon, though, was the simple truth that hardware needs to be designed with software in mind, and vice versa—and both sides need to become more versed in security.

“What often happens is that hardware designers go and build some great hardware, and then we stop talking about it, or software folks say, ah, that’s hardware—I don’t care about it. We have to stop doing that,” Masters said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?