- LINUX LITE MELTDOWN SPECTRE PATCH
- LINUX LITE MELTDOWN SPECTRE UPGRADE
- LINUX LITE MELTDOWN SPECTRE FULL
Do we still remember those Intel ME vulnerablities not long ago? Intel runs MINIX3-based OS on an old good independent x86 CPU since Skylake( 2015) and it seems doesn’t even have the basic mitigation which exists already in 90s. Tons of money spent on a bunch of fancy “fastfood” shows in some vendorcons each year only make things worse. The majority of security industry may not like to develop the mitigation/prevention( it’s hard, I know!).
LINUX LITE MELTDOWN SPECTRE UPGRADE
What if firmware upgrade failures in an old enough machine doesn’t compliant w/ NIST SP-193? Oh, you can re-flash it by SPI programmer manually but how about hundre thousands of machines error occurs. Assuming that the security experts can tune the system( e.g: L1TF) well but we’re likely to go through the whole process again( and again in the future?).
LINUX LITE MELTDOWN SPECTRE PATCH
Risk assessment, vulnerablity anaylsis, patch review, regression testing for important applications, upgrade failures and other bunch of work to deal w/ both ppl and technical issues. It’s been tough for those security engineering/consultant work w/ data center to deal w/ side channel vulnerablities in past years. How many Spectre variants do we have for now? 7? Ok, the magic number will continue to grow as always. It’s also a challenge for the operations at data center. The core infrastructures( SMM( part of firmware), SGX( supported by microcode, BIOS/UEFI firmware and Intel ME), OS and hypervisor) paid the price for CPU bugs. AWS provides dedicated instance and plz noted that the default policy is shared hardware.
LINUX LITE MELTDOWN SPECTRE FULL
It seems only GCP has done it before the full disclosure according to the public info. Btw, cloud vendors can isolate the vCORE for each VM by utilizing the CPU affinity. OS/SMM/VMM/SGX can utilize it to flush L1 cache only at runtime which avoid the performance hit. The current mitigation is a new MSR( IA32_FLUSH_CMD, 0x10B) introduced by Intel. Malicious user is able to gain the priviledge user’s data or priviledged user is able to gain the data from SMRAMĮnclave is able to launch the attack to the other enclaves Malicious guest OS is able to gain the data( shared L1D) from other guest OS or VMM itself L1TF affects multiple levels of system software, including OS, SMM, Hypervisor/VMM and SGX: Vulnerablity
L1TF is a new beast can perform side channel attack in Intel CPU by triggering unmapped memory resulted in a terminal fault where is L1TF comes into play. The SMAP-enhanced UDREF fixed Meltdown in v4.14.13 and the performance is better than KPTI, while it also provide more security features… PaX’s UDEREF implemented the per-cpu pgd back in 2013, which make it easy to implement the full kernel page isolation.
SMAP-enhanced PaX’s UDEREF made the performance improvement since PaX/Grsecurity v4.12. V3a( CVE-2018-3640 – Rogue System Register Read (RSRE) V3 Meltdown( rogue data cache load (CVE-2017-5754)) More info about v3a and v4, check Google project zero’s bug tracker and INTEL-SA-00115. Google project zero’s write-up explains how the vulnerablities( meltdown, spectre v1/v2) work.
Nightmares( Meltdown/Spectre/L1TF) never goes awayīy Shawn C Meltdown/Spectre
0 kommentar(er)
