Call us at 507.319.5206 or This email address is being protected from spambots. You need JavaScript enabled to view it.
Follow us on LinkedIn and Twitter

Spectre and Meltdown: More Patches to Come for IBM i

Spectre & Meltdown— Take Steps to Protect Your Systems Until Then —

The ubiquitous, hardware-related Spectre and Meltdown security flaws surprised many in the IBM i community. Who would have thought that the IBM i platform is just as susceptible to these bugs as nearly every other platform?!?!

Not so surprising is IBM’s lack of transparency regarding these flaws.  This has left most customers wondering whether their IBM i systems are affected and when they’ll be fixed.

It’s easy to imagine that the lack of communication from IBM is being driven by lawyers’ concerns about being sued – whether the suit has merit or not.

But I think the concerns go far beyond that. The thorny nature of the flaws, the complexity of the fixes, the number of system components impacted, and the difficulty of providing a generic estimate of the potential performance impacts of the fixes — these all probably contribute to IBM’s reluctance to provide more than minimal details about the plan for addressing the Spectre and Meltdown security flaws.

IBM has already released two sets of patches for the IBM i. The first patches were for firmware, and the second were operating system changes. Given the fundamental nature of these flaws (hardware), I think we should expect to see more patches rolled out over time; perhaps many more over a long period of time.
[3/7/2018 Update: IBM i 6.1.1 and 7.1 (pre-Tech Refresh 5) boot issue following Power Firmware update/upgrade.]

My guess is that we’ll see general patches as well as patches for individual OS components (e.g., database.)

However, expect IBM and its lawyers to be very careful about providing much information in advance. It will take a relatively long time to gather the data necessary to understand the impacts of the required fixes. For example, there will be performance impacts, and it will be a tricky and difficult job to predict and describe the types of workloads that will be affected, as well as the magnitude of the impact. This will slow the rollout of those patches.

Strict control over what is installed/restored and by whom will greatly reduce risk from these flaws. However, because of their nature, perfectly legal programs can exploit them. This means it is virtually impossible for users to create mechanisms that can detect/prevent a program which exploits Spectre/Meltdown – programs exploiting these flaws aren’t doing anything illegal. Microcode changes can probably fix Meltdown, but microcode and probably hardware changes will be needed to eradicate Spectre.

Spectre, in particular, has important ramifications for those who host production and development partitions on the same hardware and who have less restrictive security policies for the development partition. This scenario allows a malicious insider to create and run code on the development partition that could theoretically access memory from processes running in the production partition!

There are a few things you can do to protect your system until IBM has rolled out all patches required to address the security issues.

  1. Follow recommended practices for managing your system. This is a must. If you’re not sure what I mean by this, contact me!
  2. Pay close attention to the code you allow into your production environment.  Employ a robust software and release management strategy that gives management and administrators control over code that is integrated.
  3. Don’t rely on library lists to separate production and development on the same partition. It provides no protection.
  4. Don’t host development and production partitions on the same hardware. If you don’t have a second system, check out an IBM i cloud IaaS provider (e.g., Lightedge Solutions, etc.) who can fairly quickly spin up a hosted development partition for you. Of course, if you take this route, remember not to use any production data, passwords, certificates, etc., in your development partition. Cloud-based partitions are cheaper because you share the hardware with other customers of your cloud-provider!

Spectre and Meltdown are quite tricky to fix and protect against. While IBM has already released at least two sets of fixes, there are likely to be several more rolled out over time. And because of the nature of these flaws, it is likely that IBM will provide only a minimum amount of information about additional fixes and when they will be available.

If you would like to learn more about the Spectre and Meltdown flaws and how they may apply to your system, let’s talk.

 

Facebooktwittergoogle_pluspinterestlinkedinmail
This entry was posted in IBM i Security, Security Breach and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>