Meltdown, Spectre and Smartsheet

Published on 05 January 2018

The Intel CPU bugs “Meltdown” and “Spectre” are generating angst in the IT industry. While details are still emerging, what we’ve learned to date leads us to believe that the Smartsheet app is protected against these bugs being exploited. We are constantly evaluating the new technical details as they become available, and given our current understanding, we believe that our data center architecture mitigates the risk of these bugs being exploited.

To understand why we feel confident in saying this, it’s important to understand two things: the nature of the bugs/exploits, and a brief high-level picture of our data architecture.

Exploiting the CPU

While the technical details of how one exploits these bugs (described in more detail here) are deep in the architecture of Intel, AMD and ARM CPUs, the exploit requires an attacker to execute code on the physical machine they wish to attack. By taking advantage of the bug in the CPU, the attacker’s code could then “peek” across process boundaries at the machine/kernel level, essentially bypassing any operating system restrictions in place. Thus, the attacker can access data they would normally not be allowed to see.

For the cloud vendors that allow for multi-tenancy (multiple customers running virtual machines on the same servers), this would — in theory — permit an attacker to spin up a process or virtual machine running on the same hardware as another application, “look around” at what other processes are executing, and access data in those other processes. A particularly stark demo is referenced by this tweet, showing an arbitrary native process “reaching across” process boundaries to see the data being typed into the other process’ window. (It is important to note that researchers have not found any evidence that hackers are currently making use of this in the wild.)

It is also important to note that the “Big Three” public cloud vendors (Amazon, Microsoft, and Google) have already rolled out, or are in the process of rolling out, patches to their banks of hardware to mitigate the bug.

The key thing to remember about all of this, however, is that the exploit requires the ability to execute code on the target machine.

Smartsheet Data Storage

When a Smartsheet user saves data to a sheet (or makes an API call), that data is transmitted through the client to a Smartsheet web server running at a data center operated by Smartsheet.

In addition, for some attachment storage and some ancillary services, Smartsheet does make use of public cloud services including Amazon EC2, S3, and Heroku, all of which run in Amazon Web Services (AWS). Amazon has confirmed the patched status of their products here.

Another thing that does deserve mention, however, is that there is one machine over which Smartsheet has no control, and that is the client from which user data is being entered or viewed — that is to say, the customer’s PC or mobile device. While “in the wild” attacks making use of this exploit have not been found, Smartsheet would like to remind all of its customers that data is only as safe as the least-secure computer on which it is found, and strongly recommends that all users keep current with the latest operating system patches and updates to protect against exploits like Meltdown and Spectre. Since the bug can be exploited by JavaScript malware, users are especially encouraged to keep their browsers up to date.

Ongoing

The revelation of these flaws diminishes consumers’ trust in computers to keep their data safe and secure, and at Smartsheet, we take that trust very seriously. We will continue to monitor the discussions and bulletins issued by the various principals, and take every action we can to keep your data safe.

For more information on the two vulnerabilities, we recommend readers look at https://spectreattack.com/, which contains a number of links to the details of the exploits, as well as links to the responses by various companies involved. Google’s Project Zero page is one of the canonical sources of information on Meltdown and Spectre and has links to the academic papers that describe each, as well as deep, detailed technical analysis of how they work.

For any questions, please use http://www.smartsheet.com/gethelp.
