A collection of Meltdown/Spectre postings
- Alan
Cox's advice for people wondering what they should be doing.
"
If your provider does not have a fix then now is a good time to practice that recovery plan you should have for what to do when your cloud provider goes down.
" - A summary of performance impacts from the mitigations, posted by Red Hat.
- Google's What you need to know posting.
- Red Hat's What you need to know posting. The CPU as a barista.
- Various cloud providers have provided updates: Amazon, Azure, Linode, and Open Telekom Cloud.
- A vague
statement from Intel that fixes are on the way. "
Intel has already issued updates for the majority of processor products introduced within the past five years. By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years.
" - Intel has published a white paper [PDF] on the vulnerabilities.
- AMD's update and ARM's update on which processors are vulnerable.
- General distributor/project updates (other than specific package alerts): Chromium, Mozilla, FreeBSD, OpenBSD, Qubes, Red Hat, SUSE, Ubuntu, WebKit, Xen, Fedora, Xen FAQ, Gentoo, CoreOS, and QEMU.
- Kernel patches: retpoline, IBRS control (for indirect branch speculation), speculative read inhibition. We'll be looking at these in detail soon.
- Why Raspberry Pi isn't vulnerable.
- XKCD
Posted Jan 4, 2018 19:46 UTC (Thu)
by sasha (guest, #16070)
[Link] (18 responses)
Posted Jan 4, 2018 19:50 UTC (Thu)
by jake (editor, #205)
[Link] (8 responses)
hmm, strange ... it works for me and I don't have a RHEL subscription ... maybe some other problem?
jake
Posted Jan 4, 2018 20:10 UTC (Thu)
by Frogging101 (guest, #113180)
[Link]
Posted Jan 4, 2018 20:10 UTC (Thu)
by armijn (subscriber, #3653)
[Link] (5 responses)
Posted Jan 4, 2018 20:23 UTC (Thu)
by jake (editor, #205)
[Link] (4 responses)
Even weirder. I just tried it in an icognito window and a browser I never use and had no trouble. Not sure what to suggest ... region-locked for only North American consumption? or some other misconfiguration? ... there's nothing in it that would appear to be any kind of company secret or bestow an advantage for competitors ...
jake
Posted Jan 4, 2018 20:31 UTC (Thu)
by atal (subscriber, #98720)
[Link]
Posted Jan 4, 2018 20:58 UTC (Thu)
by Anssi (subscriber, #52242)
[Link] (2 responses)
I.e. this one says "SUBSCRIBER EXCLUSIVE CONTENT": https://access.redhat.com/articles/3307751
Posted Jan 4, 2018 21:53 UTC (Thu)
by jake (editor, #205)
[Link] (1 responses)
Ah yes, now I see. I had forgotten about that link since I successfully looked at it earlier, which means that it was open access for a while, with luck, perhaps Red Hat will restore access soon.
jake
Posted Jan 5, 2018 0:06 UTC (Fri)
by Anssi (subscriber, #52242)
[Link]
Posted Jan 4, 2018 21:58 UTC (Thu)
by lwnwl (guest, #118220)
[Link]
Posted Jan 4, 2018 20:47 UTC (Thu)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
Posted Jan 5, 2018 2:58 UTC (Fri)
by sasha (guest, #16070)
[Link]
Posted Jan 4, 2018 23:13 UTC (Thu)
by jcm (subscriber, #18262)
[Link]
Jon (who wrote much of the technical summary)
Posted Jan 5, 2018 1:55 UTC (Fri)
by brooksmoses (guest, #88422)
[Link] (5 responses)
Posted Jan 5, 2018 3:48 UTC (Fri)
by jcm (subscriber, #18262)
[Link] (1 responses)
Posted Jan 5, 2018 21:02 UTC (Fri)
by brooksmoses (guest, #88422)
[Link]
Posted Jan 5, 2018 7:36 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link] (2 responses)
Posted Jan 5, 2018 16:34 UTC (Fri)
by jcm (subscriber, #18262)
[Link]
Posted Jan 6, 2018 9:26 UTC (Sat)
by roblucid (guest, #48964)
[Link]
Posted Jan 4, 2018 20:06 UTC (Thu)
by giggls (subscriber, #48434)
[Link] (9 responses)
I already found this:
https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b...
It gives me a "vulnerable" on two machines and "Illegal instruction" on another.
All three of them are Debian 9.x and some of them use custom kernels.
Posted Jan 5, 2018 0:02 UTC (Fri)
by ras (subscriber, #33059)
[Link] (8 responses)
This is the most terrifying thing I've ever seen. Doubly so because from the straightforward bugs it contains it was written by a person who doesn't know C too well, and still managed to pull it off.
As the comments on the gist say, be sure to compile with -O0.
Posted Jan 5, 2018 0:06 UTC (Fri)
by excors (subscriber, #95769)
[Link] (7 responses)
(Not that that makes it any less terrifying.)
Posted Jan 5, 2018 2:19 UTC (Fri)
by ras (subscriber, #33059)
[Link] (6 responses)
Thanks. None of the obvious C errors are in the original paper.
It's looking a lot less terrifying now I've tried to get it to read the memory of a different process, and failed so far.
Posted Jan 5, 2018 16:39 UTC (Fri)
by jcm (subscriber, #18262)
[Link]
Posted Jan 5, 2018 16:52 UTC (Fri)
by ken (subscriber, #625)
[Link] (4 responses)
you need to do a lot more work if you intend to "weaponize it".
Posted Jan 6, 2018 12:07 UTC (Sat)
by ras (subscriber, #33059)
[Link] (3 responses)
I don't think so. My problem is more in understanding of what is going on.
Confusingly, there are two closely related issues, which have named Spectre and Meltdown. Spectre boils down to this: if you can make a process execute a very specific sequence of instructions another process can "read" it's memory using a cache timing. The demo program tries to show it in action, but since forcing a program to execute a series of instructions it didn't intend to is a tad difficult it a demonstrates a process reading it's own memory without, err, actually reading it. It's the reading memory without asking the CPU to execute any instructions that actually read it that's generating the ooooh's and aaah's here, as obviously reading your own memory by asking the CPU to do it for you is rather common place. Nonetheless it does causes problems for programs like web browsers that assume a JavaScript code can only access memory the browser allows it to read. Now it's come to light random JavaScript can bypass those control's and access anything in the browsers memory it damned well pleases, I'm sure there is much hair pulling going on. That aside, if you can make a program execute arbitrary code, you've got much bigger problems that cache timing attacks. Which is good, because (a) every CPU that speculatively executes more than a couple of instructions is vulnerable to this and (b) there is no hardware fix.
The second issue is called Meltdown. This is the one that apparently caused the Intel CEO to sell as much of his Intel stock as the company allowed. It appears that rather than first checking if you are allowed to access memory then fetching it only if you are allowed to do so, Intel CPU's execute the two operations in parallel to speed things up. So the fetch always happens and the data ends up in cache - it is only the final step of passing the data to the program that fails. This means you could then probe what the data was by doing memory fetches, and using timing to detect whether it came from cache or not. Or you could if it weren't for that fact that a program doing an invalid memory access fails in a fairly spectacular way, a way that destroys the cache foot print you are look for. I thought you could bypass that by ensuring the instructions were executed speculatively, which means the Spectre demo program would have been able to read kernel memory - but apparently not. The paper says they use a more convoluted method involving side effects of transactional memory, however they also imply that just a speeds things up. I'm not sure what the exact trigger is, but whatever it is, only Intel has it. I find that remarkable given I was reading papers 20 years ago on the speed ups that could be obtained by doing memory fetches and permission checks in parallel. Fortunately there is a simple software fix: don't put the kernel in the user processes page table. Sadly this slows things down a little, because now the kernel has give itself access on every syscall.
Posted Jan 6, 2018 13:45 UTC (Sat)
by excors (subscriber, #95769)
[Link] (1 responses)
That sounds like underplaying it. I think you don't have to run arbitrary code in the target process - Project Zero's "variant 1" only needs to run very tightly restricted code in the target process, in the form of eBPF (either JITted or not), but anything that can be manipulated to perform a similar sequence of operations (safely bounds-checked memory read then a dependent read) should be similarly vulnerable, which could include lots of APIs that don't involve code-like input at all. "variant 2" doesn't even need the target to willingly run attacker-influenced operations, because it tricks the CPU into running code at an arbitrary address in target process's context.
Posted Jan 6, 2018 23:28 UTC (Sat)
by ras (subscriber, #33059)
[Link]
eBPF is same situation has JavaScript, and the latter is far worse IMO. They can restrict eBPF as much as necessary to mitigate the problem, right up to insisting only trusted users can load it so it is no longer "untrusted code". Browsers don't have that option with JavaScript.
> but anything that can be manipulated to perform a similar sequence of
The required code is a speculative read of the form:
array[*target_byte << 4096]
at best. This requires the external program to not only somehow arrange for the speculative read to be executed, but also into inject target_byte somehow. In the paper they say they looked at lots of programs to find one that happened to execute the right sequence occasionally, but unsurprising didn't find any.
All the variants are like this.
Timing attacks have been well known for a while, to the point that white hat guys I've mentioned Spectre to dismiss it as very old news. I too remember seeing stuff a couple of years ago about KVM instances using cache timing to communicate, and in one setup doing what Spectre does - one KVM instance reading the others memory. But that like Spectre it was proof of concept code. In reality getting the conditions required to pull it off in real life has proved impossible so far.
Posted Jan 7, 2018 22:53 UTC (Sun)
by sampablokuper (guest, #53150)
[Link]
The stock sale was covered here a few weeks after it occurred: https://www.fool.com/investing/2017/12/19/intels-ceo-just...
AFAIK, no-one has been able to definitively confirm that Brian Krzanich sold the stock due to insider knowledge about Meltdown or Spectre.
Even so, it doesn't look good that Krzanich sold *as much stock as was contractually allowable* after being (presumably) briefed on these serious, not-yet-publicly-known flaws in Intel products.
Perhaps he was getting investment advice from John Gamble? https://www.bloomberg.com/news/articles/2017-09-07/three-...
Posted Jan 4, 2018 20:59 UTC (Thu)
by clugstj (subscriber, #4020)
[Link]
Posted Jan 4, 2018 21:46 UTC (Thu)
by sytoka (guest, #38525)
[Link] (2 responses)
https://blog.xenproject.org/2018/01/04/xen-project-spectr...
Please note I just report the URL, I am not a Xen expert !
Posted Jan 6, 2018 20:52 UTC (Sat)
by sampablokuper (guest, #53150)
[Link] (1 responses)
> "SP2 can be mitigated in two ways, both of which essentially prevent speculative execution of indirect branches. The first is to flush the branch prediction logic on entry into the hypervisor. This requires microcode updates, which Intel and AMD are in the process of preparing, as well as patches to the hypervisor which are also in process and should be available soon."
Given the Spectre, Meltdown, ME and PSP vulnerabilities, it is clear that Intel, AMD and ARM cannot be trusted to create secure systems, or even to adequately accept responsibility when their systems are shown to contain gross vulnerabilities.
As such, no-one should trust these forthcoming microcode updates not to make their host systems *less* secure.
Unless, that is, Intel and AMD break with recent traditions and make the microcode updates' contents open for public scrutiny and security auditing.
I'm not holding my breath.
Posted Feb 2, 2018 13:14 UTC (Fri)
by sampablokuper (guest, #53150)
[Link]
> no-one should trust these forthcoming microcode updates not to make their host systems *less* secure. > Unless, that is, Intel and AMD break with recent traditions and make the microcode updates' contents open for public scrutiny and security auditing. > I'm not holding my breath. Bunnie Huang (as is so often the case) puts it well: Sounds good to me.
Posted Jan 4, 2018 22:11 UTC (Thu)
by ms (subscriber, #41272)
[Link] (2 responses)
Posted Jan 4, 2018 23:16 UTC (Thu)
by jcm (subscriber, #18262)
[Link] (1 responses)
Posted Jan 5, 2018 12:36 UTC (Fri)
by ms (subscriber, #41272)
[Link]
Posted Jan 4, 2018 22:46 UTC (Thu)
by mbanck (subscriber, #9035)
[Link]
Posted Jan 4, 2018 23:20 UTC (Thu)
by brooksmoses (guest, #88422)
[Link] (3 responses)
LLVM (and LLD linker) patch to add "retpolines" for mitigating indirect-call attacks ("variant 2" in the Project Zero description): https://reviews.llvm.org/D41723]
Gold linker patch adding retpolines to the PLT: https://sourceware.org/ml/binutils/2018-01/msg00030.html
GCC patch to add support for intrinsics to limit speculation past bounds-checked memory access ("variant 1" in the Project Zero description): https://gcc.gnu.org/ml/gcc-patches/2018-01/msg00205.html
Posted Jan 6, 2018 15:43 UTC (Sat)
by nix (subscriber, #2304)
[Link] (2 responses)
This just gets worse and worse. I guess the only programs that need to use this are programs that are likely to be Spectre-impacted significantly (so it'll slow our web browsers down but probably not our desktops -- the desktops run JS these days but not hostile JS).
I hope distros don't rebuild *everything* with -z retpolineplt. An extra massive performance hit on top of the other massive performance hits... fairly soon at this rate the machine will be as slow as a 1989 PC (but with software that expects a far faster machine). I'm starting to see why CERT recommended to just throw your existing machines away.
Posted Jan 7, 2018 0:39 UTC (Sun)
by dtlin (subscriber, #36537)
[Link] (1 responses)
Posted Jan 7, 2018 0:44 UTC (Sun)
by dtlin (subscriber, #36537)
[Link]
Posted Jan 5, 2018 0:53 UTC (Fri)
by NightMonkey (subscriber, #23051)
[Link] (2 responses)
Posted Jan 5, 2018 2:16 UTC (Fri)
by brooksmoses (guest, #88422)
[Link]
Posted Jan 5, 2018 5:02 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Jan 5, 2018 4:18 UTC (Fri)
by ms-tg (subscriber, #89231)
[Link] (1 responses)
> Estimates posted on Linux message boards suggested computer performance
Posted Jan 8, 2018 10:09 UTC (Mon)
by rsidd (subscriber, #2582)
[Link]
Posted Jan 5, 2018 7:44 UTC (Fri)
by arekm (guest, #4846)
[Link] (1 responses)
Is microcode from 20171117 being that mentioned "update" ?
https://downloadcenter.intel.com/search?keyword=Linux*+Pr...
Posted Jan 5, 2018 14:24 UTC (Fri)
by xjtuwjp (subscriber, #91330)
[Link]
Posted Jan 5, 2018 9:41 UTC (Fri)
by pabs (subscriber, #43278)
[Link] (3 responses)
Posted Jan 5, 2018 12:59 UTC (Fri)
by joib (subscriber, #8541)
[Link] (2 responses)
Posted Jan 5, 2018 18:03 UTC (Fri)
by gioele (subscriber, #61675)
[Link] (1 responses)
Jacob Bachmeyer has posted a followup proposal: https://groups.google.com/a/groups.riscv.org/d/msg/isa-de...
The privileged ISA is going to change.
I hope the SiFive people and their Freedom U500 will not be affected too much.
Posted Jan 6, 2018 14:16 UTC (Sat)
by joib (subscriber, #8541)
[Link]
Yes, I know, I posted that link myself a week ago: https://lwn.net/Articles/742301/ :) Not that I'm blaming you for missing it, considering the amount of posts left and right about this topic.
That being said, now that we have more information, I don't think that split page tables are strictly necessary. It seems Meltdown is due to a microarchitectural bug (or misfeature, if you will) in Intel CPU's, not an ISA level vulnerability. Split page tables could still be a good idea, in a belt-and-suspenders kind of way.
Spectre, OTOH, while not as serious as Meltdown right away, seems much more difficult to protect against without a significant performance penalty. And even so, I'm not sure there's much that can be specified at the ISA level.
Posted Jan 5, 2018 10:45 UTC (Fri)
by Herve5 (subscriber, #115399)
[Link]
Posted Jan 5, 2018 14:46 UTC (Fri)
by cesarb (subscriber, #6266)
[Link]
> While network-based attacks are conceivable, situations where an attacker can run code on the same CPU as the victim pose the primary risk.
Think of a network service which receives a packet, and does some conditional processing on it. An attacker could send several packets priming the branch predictor to go one way, then send a packet where the branch should go the other way but is speculated wrongly, and finally send a packet where the timing of the response is affected by some microarchitectural state which was changed by the speculated code. This should be really hard to pull off, but I see nothing preventing it, and attacks only get better.
Posted Jan 5, 2018 17:14 UTC (Fri)
by ufa (subscriber, #56005)
[Link]
Posted Jan 5, 2018 21:48 UTC (Fri)
by freemars (subscriber, #4235)
[Link]
Posted Jan 5, 2018 22:32 UTC (Fri)
by garloff (subscriber, #319)
[Link]
Posted Jan 5, 2018 23:24 UTC (Fri)
by cesarb (subscriber, #6266)
[Link]
Posted Jan 6, 2018 2:23 UTC (Sat)
by JoeBuck (subscriber, #2330)
[Link] (1 responses)
The issue is that when an invalid read to memory is speculatively read, the resulting fault has to be deferred until the processor knows that we really branch in that direction, but nevertheless the value that is read is kept in the pipeline and can affect a subsequent read, which can be exploited to find out one bit at a time of an arbitrary location by preparing two memory locations, one of which is in cache and of which is not, and designing code that will read one or the other address based on some bit of the word we should have no access to.
But the processor should be able to read the state of protection of a memory word just as quickly as we read that memory word, and logic can do that operation in parallel In the article's example we conditionally read a kernel memory address, and the value of that read is stored in an internal register in the pipeline, even though we have no permission to read it. Instead, the read could be ANDed with a mask that would be all-ones if the data are accessible and all-zeros if not. Information would no longer be leaked: the true value of inaccessible memory could not influence anything else. Perhaps similar approaches could be used to deal with the branch-prediction issues as well. It should be possible to do this by spending a bit of area for the additional logic without slowing things down perceptibly; it might not be possible to fix it just with microcode though.
I guess this is what Linus was ranting about when it appeared Intel wasn't saying anything about real fixes. But the problem is, if Intel admits that this is a serious hardware design fault that they should compensate for with respins, it will cost them billions. Perhaps it's an opening for AMD though.
Posted Jan 6, 2018 7:22 UTC (Sat)
by roc (subscriber, #30627)
[Link]
Posted Jan 10, 2018 14:22 UTC (Wed)
by mariuz (guest, #24892)
[Link]
https://sourceforge.net/p/firebird/mailman/message/36183029/
Posted Jan 11, 2018 12:55 UTC (Thu)
by tcarrez (subscriber, #53314)
[Link]
Posted Jan 12, 2018 2:48 UTC (Fri)
by pabs (subscriber, #43278)
[Link]
Posted Jan 12, 2018 3:22 UTC (Fri)
by pabs (subscriber, #43278)
[Link]
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is public now
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
Red Hat post is for RHEL customers only
A detection tool or even a monitoring plugin would be nice
2. If so which Kernel/patches should I use
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
A detection tool or even a monitoring plugin would be nice
> in the form of eBPF (either JITted or not),
> operations (safely bounds-checked memory read then a dependent read)
> should be similarly vulnerable, which could include lots of APIs that
> don't involve code-like input at all.
A detection tool or even a monitoring plugin would be nice
A collection of Meltdown/Spectre postings
Xen FAQ
Xen FAQ
Xen FAQ
"Instead of suing Intel for money, what if we sue Intel for documentation? If documentation and transparency have real value, then this is a chance to finally put that value in economic terms that Intel shareholders can understand. I propose a bargain somewhere along these lines: if Intel releases comprehensive microarchitectural hardware design specifications, microcode, firmware, and all software source code (e.g. for AMT/ME) so that the community can band together to hammer out any other security bugs hiding in their hardware, then Intel is absolved of any payouts related to the Spectre/Meltdown exploits."
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
Debian Security Update
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
You're assuming that patches only flow from upstream Xen to Amazon. That's likely backwards in this case; it's fair to assume Amazon would be one of the companies Intel would have notified about this in advance, and they're a major contributor to the codebase. My (completely uninformed!) guess is that they have internal Xen patches, and if those haven't been publicly sent to the Xen project yet, the reason would be simply because of last-minute internal i-dotting and t-crossing before they can send them -- note that the planned embargo-release date was the 9th, but it got pushed earlier, so people are scrambling.
And then, of course, the patches will need upstream review, which should be fast but won't be instantaneous.
See also https://news.ycombinator.com/item?id=16065771 for evidence that Amazon was rolling something out a couple of days ago, just before the official news broke.
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
http://money.cnn.com/2018/01/03/technology/computer-chip-...
> could slow down between 5% and 30% once patched, however Intel said
> users will not see significant performance changes.
The link is to an archived LKML post -- not exactly a quote from LWN :)
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
https://tracker.debian.org/news/899110
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
FWIW, mitigations from Firefox
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
Open Tekekom Cloud patching
https://imagefactory.otc.t-systems.com/Blog-Review/SpecEx...
A collection of Meltdown/Spectre postings
The Raspberry PI article is worth reading because it has the most intuitively clear explanation of how Meltdown works and how these attacks arise from speculative execution. It looks to me like this kind of attack could be easily prevented by a minor hardware design change.
Raspberry PI article is worth reading / fixing this in hardware ...
Raspberry PI article is worth reading / fixing this in hardware ...
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings
https://ttx.re/openstack-spectre-meltdown-faq.html
A collection of Meltdown/Spectre postings
A collection of Meltdown/Spectre postings