practice

How to Live in a Post-Meltdown and -Spectre World

DOI: 10.1145/3267116
Article development led by queue.acm.org

Learn from the past to prepare for the next battle.

BY RICH BENNETT, CRAIG CALLAHAN, STACY JONES, MATT LEVINE, MERRILL MILLER, AND ANDY OZMENT

THE WORLD OF vulnerability management is rapidly changing to keep pace with the complexity of potential threats requiring remediation. What will it look like to live in this world for the next 10 to 15 years?

In 1996, Aleph One published “Smashing the Stack for Fun and Profit.”1 For the next decade, stack smashing was a common form of exploitation, and the security community expended significant effort on finding defenses against it. The Spectre and Meltdown vulnerabilities may constitute an equally seminal moment, ushering in a decade or more of chronic risk-management issues. Indeed, two variants were recently released: SpectrePrime and MeltdownPrime, as detailed in a recent paper by Caroline Trippel, Daniel Lustig, and Margaret Martonosi.3 Expect these to be the first of many.

Spectre and Meltdown create a risk landscape that has more questions than answers. This article addresses how these vulnerabilities were triaged when they were announced and the practical defenses that are available. Ultimately, these vulnerabilities present a unique set of circumstances, but