Free Republic
Browse · Search
General/Chat
Topics · Post Article


Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?
techcrunch.com ^ | 01/03/2017

Posted on 01/03/2018 8:32:08 PM PST by BenLurkin

Here’s what you need to know about Meltdown and Spectre, the two huge bugs that affect practically every computer and device out there.

What are these flaws?

Short answer: Bugs at a fundamental level that allow critical information stored deep inside computer systems to be exposed.

Security researchers released official documentation — complete with nicknames and logos — of two major flaws found in nearly all modern central processing units, or CPUs.

It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between, at the level of the processors’ “architectures,” the way all the millions of transistors and logic units work together to carry out instructions.

In modern architectures, there are inviolable spaces where data passes through in raw, unencrypted form, such as inside the kernel, the most central software unit in the architecture, or in system memory carefully set aside from other applications. This data has powerful protections to prevent it from being interfered with or even observed by other processes and applications.

Meltdown and Spectre are two techniques researchers have discovered that circumvent those protections, exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications.

(Excerpt) Read more at techcrunch.com ...


TOPICS: Computers/Internet
KEYWORDS: computers; computing; intel; meltdown; spectre

1 posted on 01/03/2018 8:32:08 PM PST by BenLurkin

To: BenLurkin

While there are POC exploits, it would be difficult to actually use them effectively against a target computer.

Difficult, but not impossible.


2 posted on 01/03/2018 8:49:09 PM PST by proxy_user

To: proxy_user

We need someone from the NSA to post here.....


3 posted on 01/03/2018 9:14:43 PM PST by minnesota_bound

To: minnesota_bound; BenLurkin; proxy_user
"We need someone from the NSA to post here....."

Not really. The flaw requires that a cracker have local access. These things are often over-hyped. However, you should update your operating system/kernel, as soon as the update is available.


4 posted on 01/03/2018 10:30:28 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: familyop

I think I know what an operating system is. But what’s a kernel?


5 posted on 01/03/2018 10:31:43 PM PST by BenLurkin (The above is not a statement of fact. It is either satire or opinion. Or both.)

To: minnesota_bound; BenLurkin; proxy_user

Local access could happen by way of an installed virus, BTW—something already installed on most popular commercial operating systems.


6 posted on 01/03/2018 10:35:51 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: BenLurkin

The kernel is the core of an operating system. It does low-level work. Oops. It’s loaded early during boot.

I should have simply mentioned updating the operating system. Do that, when the update is available. :-)


7 posted on 01/03/2018 10:42:07 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: BenLurkin; All

Relatively non-techie, here, thanks in advance if anyone feels like addressing the following:

I have a Dell laptop, with the following processor:

Intel(R) Core(TM) i5-6200U CPU @ 2.30 GHz

running Windows 10 with automatic updates.

Anyone know if I should be particularly concerned by the problems announced with Intel processors, etc.??

or should I be ok? thanks to anyone!!


8 posted on 01/03/2018 10:43:03 PM PST by Enchante (FusionGPS "dirty dossier" scandal links Hillary, FBI, CIA, Dept of Justice... "Deep State" is real)

To: BenLurkin

I meant oops, I should have kept it simple. Trying to do two things at once here.


9 posted on 01/03/2018 10:44:20 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: BenLurkin

Wow, for Meltdown, the Intel FUD machine is in overdrive. Not sure about Spectre, though. My discussion below is focused on Meltdown.

As I understand, Intel was doing speculative execution without memory protections in place on the instructions being speculatively executed (this is deep in Comp Eng, but if interested, it can be explained).

So for years they have dominated AMD in benchmarks, but turns out their method of perf extraction is a bit iffy!

I am not an AMD fan boy, but can’t really prove it here.

But needless to say I have been cheap for years and refused to pay the Intel tax for consumer grade hardware, so I lucked out. Not even my ten year old amd64 laptops will be impacted, unless MS insists upon subjecting AMD to the same WARs that Intel processors will be forced to execute.

It’s going to play hell with Amazon, etc. who export cloud compute services, and more than likely are exclusive Intel shops. You don’t take the fix, and you could compromise customer security.


10 posted on 01/03/2018 10:54:35 PM PST by Aqua225 (Realist)

To: Enchante; minnesota_bound; BenLurkin; proxy_user

Microsoft says January 9th according to this. Don’t know how dependable the following news source is.

https://www.dailydot.com/debug/intel-kernel-bug-spectre-meltdown/

I don’t use Microsoft. Linux and *BSD core teams are working on updates now and have made some progress.


11 posted on 01/03/2018 11:05:26 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: Aqua225

I just read up on Spectre - it exploits natural architectural features of modern processors (speculative execution) to snoop around outside of the scope of a given piece of code.

I could think of ways to fix this, but they are pretty heavy handed. I would think the best way is to enhance IPC, and force sandboxes into true sandboxes (not sandboxes sitting in a bigger process).

The hw changes needed to clean up this vulnerability across the board would be onerous. For example you would have to have cache history, and when invalidating speculative execution results, if access was legal, you would need to be able to back out every memory action (down to the RAM chips, through the cache, etc.).

I would assume best practice will be to spin a new process for any untrusted code module, and talk across process boundaries.

I guess we will see what the big players do...


12 posted on 01/03/2018 11:16:44 PM PST by Aqua225 (Realist)

To: Aqua225; Enchante; minnesota_bound; BenLurkin; proxy_user

Here’s some news. Cloud services should be updated today.

https://www.bleepingcomputer.com/news/security/os-makers-preparing-patches-for-secret-intel-cpu-security-bug/

Hopefully, seeing the big vendors operating just fine will calm the stock market herds. Linux is already partially patched and will complete that shortly (re. large scale Internet services).


13 posted on 01/03/2018 11:38:12 PM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: proxy_user

Meltdown paper describes working exploit demo against live Amazon cloud server returning 500 Kb/sec from protected address space. To be good cloud citizens they did not breach other tenants’ memory but could have. This is NOT just proof-of-concept!


14 posted on 01/03/2018 11:52:28 PM PST by steve86 (Prophecies of Maelmhaedhoc O'Morgair (Latin form: Malachy))

To: Aqua225; Enchante; minnesota_bound; BenLurkin; proxy_user

Here’s some info. Links to company security advisories for companies at the bottom.

https://meltdownattack.com/

On Linux (November...heh)...

KAISER: hiding the kernel from user space
https://lwn.net/Articles/738975/

Something from Linus on Linux performance (small hit with good array setup).

https://lkml.org/lkml/2018/1/2/703


15 posted on 01/04/2018 12:02:17 AM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")
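Added example, not part of any post in this thread: a shell check of whether a Linux kernel reports the KAISER-style page-table isolation fix discussed above. It assumes the `/sys/devices/system/cpu/vulnerabilities` directory that kernels from 4.15 on (and distribution backports) expose; the function names and the sample status strings are constructed for illustration.

```shell
#!/bin/sh
# Classify the kernel's self-reported Meltdown/Spectre status.
# Kernels without the reporting directory are treated as "unknown".

# Map one status line to: patched | vulnerable | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo patched ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<issue>: <class>" for each issue file in directory $1.
# Returns 0 only when nothing is vulnerable or unknown.
report_dir() {
    dir=$1; rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            IFS= read -r line < "$dir/$issue" || true
            class=$(classify_status "$line")
        else
            class=unknown   # file missing: kernel predates this interface
        fi
        echo "$issue: $class"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: page-table isolation present, Spectre v2 not yet fixed.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Use the live directory when it exists, otherwise the constructed sample.
live=/sys/devices/system/cpu/vulnerabilities
if [ -d "$live" ]; then target=$live; else target=$(make_sample); fi
report_dir "$target" || echo "action needed: update the kernel"
```
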

To: Aqua225

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)


16 posted on 01/04/2018 12:45:00 AM PST by familyop ("R-r-r-uff!" --Curly, "The Three Stooges")

To: BenLurkin

Too much BS for Me.

All I want to know is does it have real butter, S&P and come on the Cob.


17 posted on 01/04/2018 12:51:31 AM PST by mabarker1 (Progress- the opposite of congressl)

To: mabarker1
All I want to know is does it have real butter, S&P and come on the Cob.

Yeah, but is it non-GMO!?

18 posted on 01/04/2018 5:11:54 AM PST by Prov1322 (Enjoy my wife's incredible artwork at www.watercolorARTwork.com! (This space no longer for rent))

To: Prov1322

Knowing My luck, No!


19 posted on 01/04/2018 1:09:39 PM PST by mabarker1 (Progress- the opposite of congressl)

To: familyop

https://techcrunch.com/2018/01/04/apple-says-meltdown-and-spectre-flaws-affect-all-mac-systems-and-ios-devices-but-not-for-long/


20 posted on 01/04/2018 6:45:04 PM PST by Enchante (FusionGPS "dirty dossier" scandal links Hillary, FBI, CIA, Dept of Justice... "Deep State" is real)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson