
Spectre and Meltdown Checker Script

The Spectre and Meltdown Checker is a script used to check if a system is potentially vulnerable to transient execution attacks such as bounds check bypass and rogue system register read. The script, developed and maintained by the open source community, supports several open source operating systems (OSes), and looks for vulnerabilities on a variety of platforms from multiple hardware vendors. Cloud service providers, software vendors, and individual developers have been using the Spectre and Meltdown Checker since early 2018 to determine which of their systems have mitigations in place, which systems may have mitigations installed but disabled, and which systems might still be vulnerable to known transient execution attacks. The script can run on-premises, in virtualized environments, and in containers. While Spectre and Meltdown Checker does not itself mitigate any transient execution issues, it is a valuable tool to help you determine your system’s risk exposure.  

Because transient execution attacks target microarchitectural features, the mitigations for these issues in many processors are often found in microcode and/or software. As a diagnostic tool, Spectre and Meltdown Checker does not make any modifications to the system or the kernel. The tool inspects the kernel image, the system hardware, and the installed microcode to determine if the system as it is running is vulnerable to known transient execution attacks. This information can help you determine if further mitigations are required.

Watch a recording of Agata Gruza's presentation on Spectre and Meltdown Checker at Open Source Summit 2020 for further context.

Using Spectre and Meltdown Checker

The first step is to install the script on your system. Some Linux* distros already include this tool in their repositories, so you can first check if you can install it using your distro’s appropriate method (such as by using apt or yum).

If the tool is not distributed by your distro or if you want the most up-to-date version of the script, you can find it at https://meltdown.ovh or in the GitHub repository. In the repository, it is recommended that you review the existing releases and download from them. You can get the most recent version of the script by running one of the following commands from your terminal:

# curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
# wget https://meltdown.ovh -O spectre-meltdown-checker.sh

Next, change the permissions of the file so it can be executed:

# chmod +x spectre-meltdown-checker.sh

Note: We recommend that you check the content of the script before you run it.

The script needs to be executed with administrator privileges. For example, you can run the script with the following command:

# sudo ./spectre-meltdown-checker.sh

The script checks your system processor’s family/model number, stepping, and model specific registers (MSRs) for each enumerated vulnerability that could affect your system. Systems that are affected and do not have updated microcode are listed as vulnerable.

Interpreting the results

The script first checks which known vulnerabilities may affect the current processor. At this point, if the script says that your system is affected by a vulnerability, it does not mean that your system is currently vulnerable. The system could already be mitigated, but initially the script does not check for those mitigations.

Next, for each vulnerability that the system is affected by, the script will check whether mitigations are installed in the system or not. Since different vulnerabilities have different mitigations, the script checks whether appropriate mitigation is in place for each vulnerability. For example, if the vulnerability requires both microcode and software updates, it will check that both updates are in place. If any mitigations are missing, the tool will report which component should be updated.
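The distinction above between "affected" and "currently vulnerable" can also be seen in the status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not code from the Spectre and Meltdown Checker or from this article; the function names are hypothetical and the sample directory is constructed so the script runs on any machine.

```shell
#!/bin/sh
# Added example: sort kernel-reported status strings into the states
# discussed above. classify_status, summarize_dir and make_sample are
# hypothetical helper names, not part of the checker script.

# Map one status string to a state.
classify_status() {
    case "$1" in
        "Not affected"*)               echo "not-affected" ;;
        # A mitigation can be active while part of the system stays exposed,
        # e.g. "Mitigation: Clear CPU buffers; SMT vulnerable".
        "Mitigation:"*[Vv]ulnerable*)  echo "partial" ;;
        "Mitigation:"*)                echo "mitigated" ;;
        "Vulnerable"*)                 echo "vulnerable" ;;
        *)                             echo "unknown" ;;
    esac
}

# Print "<name> <state> <raw status>" for each file in the directory.
# Returns 1 if any entry is not fully mitigated, 0 otherwise.
summarize_dir() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        state=$(classify_status "$status")
        printf '%-18s %-13s %s\n' "$(basename "$f")" "$state" "$status"
        case "$state" in partial|vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample that mirrors the sysfs layout (not real host data).
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$d/spectre_v1"
    echo "Not affected" > "$d/tsx_async_abort"
    echo "Mitigation: Clear CPU buffers; SMT vulnerable" > "$d/mds"
    echo "$d"
}

sample=$(make_sample)
summarize_dir "$sample" || echo "review needed: at least one entry is not fully mitigated"
```

Call summarize_dir with no argument to read the running kernel's own files. This shows only the kernel's view, so it complements the checker's inspection of the kernel image and microcode and does not replace it.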

Taking action

If the script shows that your system is vulnerable to an issue, the first thing to do is check with your OS, application, and hypervisor vendors for system updates that can mitigate the vulnerability. Intel works with industry partners to deploy microcode updates for systems affected by these issues. You can also refer to the guidance on the Intel software security site for details on the microcode update process and guidelines for loading microcode from the OS.

Some mitigation options for transient execution attacks allow you to configure the mitigations for your particular environment and workloads. System administrators can review Intel’s guidance for production systems when deciding how to mitigate and configure vulnerable systems.



Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. Check with your system manufacturer or retailer or learn more at www.intel.com.

All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors.

Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more complete information visit www.intel.com/benchmarks.

Performance results are based on testing as of dates shown in configurations and may not reflect all publicly available updates.

The products and services described may contain defects or errors known as errata which may cause deviations from published specifications. Current characterized errata are available on request.

Intel provides these materials as-is, with no express or implied warranties.

No product or component can be absolutely secure.

Your costs and results may vary.

© Intel Corporation.  Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries.  Other names and brands may be claimed as the property of others.