attacks

CS Table 10/9/18: The Big Hack

We will discuss a recent report from Bloomberg about a security breach in the hardware supply chain for servers used by almost 30 major US-based companies. Bloomberg’s reporting suggests that a group within the Chinese government’s intelligence agency was able to add a small chip to motherboards manufactured for SuperMicro, a major server hardware supplier in the US. These chips apparently inject malicious code into the server’s operating system, allowing hackers to remotely access compromised servers and bypass security controls within the operating system. We will discuss the mechanisms used to carry out these attacks and the differences between hardware- and software-based exploits, consider the impacts of such an attack, and discuss possible ways to mitigate attacks like this one in the future.

Readings include Bloomberg's original reporting (The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies, J. Robertson and M. Riley, Bloomberg Businessweek, 4 Oct 2018) and two articles providing some additional perspective on this story, which has not yet been independently confirmed (The China SuperMicro Hack: About That Bloomberg Report, N. Weaver, Lawfare, 4 Oct 2018, and Decoding the Chinese SuperMicro super spy-chip scandal: What do we know – and who is telling the truth?, K. McCarthy, The Register, 4 Oct 2018).

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–12:45pm in JRC 224C (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the Marketplace front desk).

CS Table 1/30/18: Security Vulnerabilities

At the January 30 CS Table we will discuss the recently announced Spectre and Meltdown security vulnerabilities. These are complex security vulnerabilities that rely on two important features of modern processors: speculation and out-of-order execution. In addition to a technical discussion of these specific vulnerabilities, we’ll discuss the ways in which vulnerabilities are disclosed and fixed.

There are two assigned readings for Tuesday. The first gives a non-technical analogy for both vulnerabilities, and should be helpful for getting a handle on how these vulnerabilities work. The second looks at the implications for end users and the tech industry.

If you are feeling adventurous, you may want to read the original Spectre and Meltdown papers at https://meltdownattack.com/. These are relatively accessible and include quite a bit of background information.

Computer science table (CS Table) is a weekly meeting of Grinnell College community members (students, faculty, staff, etc.) interested in discussing topics related to computing and computer science. CS Table meets Tuesdays from 12:00–1:00pm in JRC 224A (inside the Marketplace). Contact the CS faculty for the weekly reading. Students on meal plans, faculty, and staff are expected to cover the cost of their meals. Visitors to the College and students not on meal plans can charge their meals to the department (sign in at the JRC front desk).

CS Table/CSC 295: DNS & Denial of Service Attacks

Also worth reading, not required: J. Davis, Secret Geek A-Team Hacks Back, Defends Worldwide Web, Wired 16.12, November 24, 2008.
Presenters: Martin & Max
