Here is the original story that broke the news:
https://www.theregister.co.uk/2018/0...u_design_flaw/
I don't think that this story has anything to do with the SPECTRE vulnerability though. |
An associate at a company we would all recognize says they have tested their AMD systems for both vulnerabilities (Spectre and Meltdown) and found them vulnerable to both.
This is of course hearsay and I cannot be more specific without violating his trust, so take it with a grain of salt. |
As bad as these vulnerabilities are, I am still more concerned about Rowhammer2. Spectre and Meltdown will be fixed, eventually, in hardware. To the best of my knowledge there are no plans to address Rowhammer.
|
https://www.amd.com/en/corporate/speculative-execution ARM https://developer.arm.com/support/security-update |
https://en.wikipedia.org/wiki/Meltdo...vulnerability) which is a particularity of the speculative execution (out-of-order execution) really only affecting the Intel chips. The general and aggravating vulnerability is Spectre and it's apparently affecting all CPUs that have HW engines for speculative execution. Mitigating Spectre would maybe require some more complex and deeper approach - modifying compilers and recompiling not only the kernel but the entire OS. We'll see, there are armies of paid engineers at these CPU manufacturers that should (hopefully) come up with some solutions.
These two papers should give more technical details about these vulnerabilities:
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf |
Yeah, I don't doubt it was just his words in that statement.
Looks like I have a lot of reading to do to try and get fully in the loop. I'll probably just wait a few days and see what the Wikipedia pages for these cover. I don't have a ton of free time right now :( |
Intel has some patches already available and deploying (I had hoped that there would be only firmware/microcode stuff):
http://nordic.businessinsider.com/in...eltdown-2018-1
https://newsroom.intel.com/news-rele...rity-exploits/
ARM is developing whitepapers: https://developer.arm.com/support/se...the-whitepaper
And AMD is still cooking? |
I just hope this grim outlook won't materialize:
"Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones."
https://www.schneier.com/blog/archiv...and_mel_1.html |
Hi,
Don't be too optimistic. If you knew that some microcontroller manufacturer embeds a backdoor into a chip targeted at avionics, probably nothing would surprise you.
-- Best regards, Andrzej Telszewski |
There is a new kernel with page table isolation (to fix the kernel side of this mess): https://www.kernel.org/pub/linux/ker...ngeLog-4.4.110
|
I just found a page that keeps track of the updates related to Meltdown/Spectre. Although the article is in German, from a well-known IT/Tech related online publication, the list points to links in English (Intel, AMD, ARM, Linux, HW manufacturers, etc.):
https://www.heise.de/newsticker/meld...n-3936141.html
Funny enough, I own an Intel powered Dell laptop, a few years old, that is vulnerable but doesn't appear in Dell's list of affected systems/updates. |
1) The "only admit to the stuff we know others have proven broken" camp (hardware manufacturers)
2) The "shitlist everything until proven safe" camp (Linux kernel developers)
I know which ones I trust :) |
http://www.businessinsider.com/linus...t-intel-2018-1 (original link doesn't work all the time: https://lkml.org/lkml/2018/1/3/797 )
"Why is this all done without any configuration options? A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL."
My speculation, without knowing too much about the complex algorithms that are embedded in this speculative execution, is that the Spectre issue might be mitigated with microcode only, imposing some discipline/configuration on these algorithms so that they cannot be influenced.
There is another question floating around about why all the speculative execution engines are affected, as they were copycat-ing each other; my view on this is that the compiler guys (SW) have dictated this uniformity and the HW guys just complied. |