Meltdown & Spectre Information and Discussion

[Ottawagrant]

Happy New Year Everyone:
What better way to ring in 2018 than to scramble and fix a ten-year-old security flaw in the processor.
There is a kernel memory leak in Intel processors design that now put Windows and Linux users in harms ways as programmers rush to apply patches as quickly as possible.

https://www.onmsft.com/news/intels-kernel-memory-leak-flaw-forces-microsoft-others-to-apply-performance-slowing-patch

But wait!
As for Linux users, there are patches for the Linux kernel available now.

[newtusmaximus]

Which means?
Just  keep loading LL updates and all will be solved??

[Jerry]

A good, simple breakdown:

[Jerry]

[Coastie]

@Jerry, watched video but it was beyond my understanding.  Glad my main computer is AMD based on the recommendations of the ghost formerly know as Spatry. 

[TMG1961]

The video lost me about 10 seconds after it started. I have no idea what he is talking about.

[ian_r_h]

Thanks for this.  Though I'm not sure how well I understand some parts.

In essence, and from technical news posts, my understanding is that (anyone has better knowledge may correct me):-

• Intel processors since the 1990s are vulnerable to this because of using the "speculative" approach.  But cancelling this approach can greatly slow processing in processor-intensive tasks.
• AMD prcoessors are technically unknown according to some reports, and unaffected by others; and possibly affected in their own right by others (I don't have the sources to hand).  My take is that it is unknown/thought unlikely to affect AMD processors.
• My take is also that it requires local access to exploit (as known at the moment), but whether that will continue the case isn't reported on in the items I've read.
• This has been known about for some time.
• The problem requires fixing at the OS level.

I'm presuming that using Intel processors with the current kernel 4.4.x series in Linux Lite leaves it theoretically vulnerable; though I understand that at present there is no malware exploiting the problem?

[JmaCWQ]

This may or may not help explain things......https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html

[ian_r_h]

OK.

I've had a few minutes to research this further, since coming to it myself first time first thing this morning.

There are two bugs reported:  MELTDOWN and SPECTRE.  According to Wikipedia:-

"The Meltdown vulnerability can be thought of as a particularly easy and efficient-to-implement special case of Spectre."  Note that there is no citation and it is reported as needing one; indeed citation is lacking in the Spectre entry at this time.

"Two Common Vulnerabilities and Exposures IDs related to Spectre, CVE-2017-5753 and CVE-2017-5715, have been issued."

Spectre affects Intel, AMD and ARM processors.

"[Meltdown] was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754."

Meltdown affects Intel processors and "does not seem to affect AMD microprocessors".

The Wikipedia entries are at:-

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

There is a website for Meltdown and Spectre (which both Wikipedia articles label as the "official website") at:

https://meltdownattack.com/

Hope this helps, though I'm still reading up on it at the moment.

[trinidad]

I have two Windows 10 machines that have been already patched (both originally developer/insider mode) and have had no problems so far, and no noticeable performance issues though there are reports of some VM complications elsewhere. In the case of Linux this is another OEM hardware nuisance which like all such nuisances diffuses down to ordinary users with some over-reaction. Spectre is a threat to ordinary users but only on multi-user boxes i/e - do you trust your wife? I played around with this issue some years back on a Suse Linux system I administrated. It has been known in some form or another for quite a while, but developers never looked at it as particularly threatening. It's the nature of CPUs themselves to not be secure, and again this problem lies within the the whole idea of low level proprietary code. It should be a legal issue with tart recourse to the courts, but who's big enough to sue, maybe Google, or Amazon. Big business is a strangely esoteric political beast here in the US - The government bails out GM but upholds a billion dollar penalty against Ford for bad tires. I can't think of a company in recent history that deserved a class action suit against them more than Intel. As far as civil disobedience perhaps a well organized boycott of Google and Amazon would do the trick but in a lot of ways consumerism is an addiction so that would be awfully hard to organize. Buying a computer for your kids to use is a lot like taking your kids to the doctor. The difference is that most doctors live by a code of ethics, while OEM hardware is produced with an eye to insulating the developers from any liability. Intel developers don't need malpractice insurance. Intel is so big and internationalized that the US government must cast a wary eye on their hardware to protect itself. I have often thought that the first line of recourse for the government is to use the SEC to suspend trading of Intel, and then go from there.

TC

Additionally: "News" of this is hardly new. Only the exploit news part of it, which was held back by Google in agreement with Intel. I highly doubt that AMD is not vulnerable with a modified version. Any 64bit multt-core cached cpu is vulnerable. This has always been known of speculative processes. The bigger the processor the greater the possibility of stealing information. That is the only reason this has suddenly become important. CPUs are finally big enough to cough up and spew considerable information via the hack. Hilariously the hack will still work even with the patch by simply falling back to the old kernel address system. It is not a permanent solution. The permanent solutuion is full and complete free access to CPU microcode.

   

[rokytnji]

Meh,

Code: [Select]

~$ inxi -f
CPU:       Single core AMD Athlon 64 3800+ (-UP-) cache: 512 KB
           speed/max: 1000/2400 MHz
           CPU Flags: 3dnow 3dnowext 3dnowprefetch apic clflush cmov
           cr8_legacy cx16 cx8 de extapic extd_apicid fpu fxsr fxsr_opt
           lahf_lm lm mca mce mmx mmxext msr mtrr nopl nx pae pat pge pni pse
           pse36 rdtscp rep_good sep sse sse2 svm syscall tsc vme vmmcall

$ inxi -S
System:    Host: biker Kernel: 4.4.0-104-generic x86_64 (64 bit)
           Desktop: Xfce 4.12.3 Distro: Ubuntu 16.04 xenial
$ cat /etc/llver
Linux Lite 3.6


Edit: Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.

[Jerry]

Just to explain myself. In my area. I am more likely to have have my car stereo stolen stolen than this exploit to take hold on my computers.
I care more about the stereo.

Indeed. Are hackers going to target Joe Nothing living at 123 Who Cares Street or do they have juicer targets?

Sent from my Mobile phone using Tapatalk

[Jerry]

Ubuntu plan to release Kernel updates early next week, in or around the 9th.

Sent from my Mobile phone using Tapatalk

[ian_r_h]

An update on (hopefully) reputable and authoritative information sources this morning regarding Meltdown and Spectre.

Personally I agree with Jerry:  Don't panic - there is no known malware exploiting these yet.  Meltdown looks specific to Intel, and is the "easier" both to exploit and to patch; Spectre affects many more processors (including ARM and AMD as well as Intel), and is both harder to exploit and patch.  At least according to these websites.

BBC News has two articles which may be of interest (the second if you are also an Apple user):
http://www.bbc.co.uk/news/technology-42562303
http://www.bbc.co.uk/news/technology-42575033

Leading cryptography expert Bruce Schneier says he plans to write more soon on his blog, and has a brief summary of the technical issue that is easy to read:
https://www.schneier.com/

4.4.x series updated in Kernel 4.4.109 (among other versions):
https://fullcirclemagazine.org/2018/01/04/linux-kernels-4-14-11-4-9-74-4-4-109-3-16-52-and-3-2-97-patch-meltdown-flaw/

The Department of Homeland Security (USA) website contains additional information on the general problem, as well as links to vendor-specific information:
https://www.us-cert.gov/ncas/alerts/TA18-004A

Threatpost has details on ARM and AMD chips not affected by Spectre (according to the manufacturers) among other things:
https://threatpost.com/vendors-share-patch-updates-on-spectre-and-meltdown-mitigation-efforts/129307/

Happy Computing!

[rokytnji]

If you wanna do a quick check on your own. Just for piece of mind I guess.

Code: [Select]

dd if=/dev/zero of=/tmp/testfile bs=512 count=5000000

<use sudo in Linux Lite>

Linus Torvalds thoughts on all of this hoopla.

https://lkml.org/lkml/2018/1/3/797



[color=inherit ! important][size=13px ! important][/size][/color]