Posted on 01/03/2018 8:32:08 PM PST by BenLurkin
Here’s what you need to know about Meltdown and Spectre, the two huge bugs that affect practically every computer and device out there.
What are these flaws?
Short answer: Bugs at a fundamental level that allow critical information stored deep inside computer systems to be exposed.
Security researchers released official documentation — complete with nicknames and logos — of two major flaws found in nearly all modern central processing units, or CPUs.
It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.
In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.
Meltdown and Spectre are two techniques researchers have discovered that circumvent those protections, exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications.
(Excerpt) Read more at techcrunch.com ...
While there are POC exploits, it would be difficult to actually use them effectively against a target computer.
Difficult, but not impossible.
We need someone from the NSA to post here.....
I think I know what an operating system is. But what’s a kernel?
Local access could happen by way of an installed virus, BTW—something already installed on most popular commercial operating systems.
The kernel is the core of an operating system. It does low-level work. Oops. It’s loaded early during boot.
I should have simply mentioned updating the operating system. Do that, when the update is available. :-)
Relatively non-techie, here, thanks in advance if anyone feels like addressing the following:
I have a Dell laptop, with the following processor:
Intel(R) Core(TM) i5-6200U CPU @ 2.30 GHz
running Windows 10 with automatic updates.
Anyone know if I should be particularly concerned by the problems announced with Intel processors, etc.??
or should I be ok? thanks to anyone!!
I meant oops, I should have kept it simple. Trying to do two things at once here.
Wow, for meltdown, the Intel FUD machine is in overdrive. Not sure about Spectre, though. My discussion below is focused on Meltdown.
As I understand, Intel was doing speculative execution without memory protections in place on the instructions being speculatively executed (this is deep in Comp Eng, but if interested, it can be explained).
So for years they have dominated AMD in benchmarks, but turns out their method of perf extraction is a bit iffy!
I am not a AMD fan boy, but can’t really prove it here.
But needless to say I have been cheap for years and refused to pay the Intel tax for consumer grade hardware, so I lucked out. Not even my ten year old amd64 laptops will be impacted, unless MS insists upon subjecting AMD to the same WARs that Intel processors will be forced to execute.
It’s going to play hell with Amazon, etc. who export cloud compute services, and more than likely are exclusive Intel shops. You don’t take the fix, and you could compromise customer security.
Microsoft says January 9th according to this. Don’t know how dependable the following news source is.
https://www.dailydot.com/debug/intel-kernel-bug-spectre-meltdown/
I don’t use Microsoft. Linux and *BSD core teams are working on updates now and have made some progress.
I just read up on Spectre - it exploits natural architectural features of modern processors (speculative execution) to snoop around outside of the scope of a given piece of code.
I could think of ways to fix this, but they are pretty heavy handed. I would think the best way is to enhance IPC, and force sandboxes into true sandboxes (not sandboxes sitting in a bigger process).
The hw changes needed to clean up this vulnerability across the board, would be onerous. For example you would have to have cache history, and when invalidating speculative execution results, if access was legal, you would need to be able to back out every memory action (down to the RAM chips, through the cache, etc.).
I would assume best practice will be to spin a new process for any untrusted code module, and talk across process boundaries.
I guess we will see what the big players do...
Here’s some news. Cloud services should be updated today.
Hopefully, seeing the big vendors operating just fine will calm the stock market herds. Linux is already partially patched and will complete that shortly (re. large scale Internet services).
Meltdown paper describes working exploit demo against live Amazon cloud server returning 500 Kb/sec from protected address space. To be good cloud citizens they did not breech other tenants’ memory but could have. This is NOT just proof-of-concept!
Here’s some info. Links to company security advisories for companies at the bottom.
On Linux (November...heh)...
KAISER: hiding the kernel from user space
https://lwn.net/Articles/738975/
Something from Linus on Linux performance (small hit with good array setup).
https://lkml.org/lkml/2018/1/2/703
Too much BS for Me.
All I want to know is does it have real butter, S&P and come on the Cob.
Yeah, but is it non-GMO!?
Knowing My luck, No!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.