Meltdown & Spectre

This is for all discussions related to IT and technology. Hardware, software, programming, it all goes here.
Post Reply
User avatar
Valerion
Alpha Wolf
Posts: 2803
Joined: Fri Apr 11, 2008 8:50 pm
Gender: Male
Sexual preference: Gay
Species: Werewolf
Region: Gauteng
Location: ::1
Contact:

Meltdown & Spectre

#1

Post by Valerion »

Two of the most serious vulnerabilities ever have been identified. Meltdown is currently exploitable on all Intel x86_64 CPUs, while Spectre is theoretical and hard to do, but affects Intel, AMD and ARM chips. And perhaps some other RISC-based ones as well.

Less technical details: https://spectreattack.com/
Project Zero: https://googleprojectzero.blogspot.co.z ... -side.html
Wired: https://www.wired.com/story/critical-in ... computers/

This is a hardware issue, that can be fixed in the OS, but at a cost. Due to the nature of it there will be a performance penalty of between 5% and 30%, depending on the exact workload the CPU handles.

And I recommend updating as soon as the patches for this drops. Linux kernel devs, Microsoft and Apple are working on fixes.
ArtyLoop
Posts: 180
Joined: Wed Dec 20, 2017 7:37 pm
Gender: Male
Sexual preference: Straight

Re: Meltdown & Spectre

#2

Post by ArtyLoop »

At this stage, it is apparent this only affects the x86 architecture. The ARM architecture is too different and the instruction set is totally different, as is the whole programmer's model.
We are aware of this issue at the office, we received the advisory, and so far, it appears to be impossible to implement on the ARM platforms we have under our control.
User avatar
Valerion
Alpha Wolf
Posts: 2803
Joined: Fri Apr 11, 2008 8:50 pm
Gender: Male
Sexual preference: Gay
Species: Werewolf
Region: Gauteng
Location: ::1
Contact:

Re: Meltdown & Spectre

#3

Post by Valerion »

Lucky you.

ARM have published a short list of vulnerable CPUs, but it is a really short list. Not "Every 64-bit CPU from at least 2011 and possibly 1995" short, like Intel ...
https://developer.arm.com/support/security-update

I see the ARM Linux Git repo contains all the fixes now, so at least if you run Linux and the absolutely latest kernel in git you should be protected on all platforms. I am confident the Linux vendors will include these in kernel updates soon, and MS will likely drop it this Patch Tuesday. Apple will fix it when Apple releases the latest update, probably soonish.
ArtyLoop
Posts: 180
Joined: Wed Dec 20, 2017 7:37 pm
Gender: Male
Sexual preference: Straight

Re: Meltdown & Spectre

#4

Post by ArtyLoop »

Whatever we find out here I will share with you on the forum. For the moment it seems the patches are what we need to roll out on our Linux boxen, and workstations. Will advise when we start with this.
User avatar
Valerion
Alpha Wolf
Posts: 2803
Joined: Fri Apr 11, 2008 8:50 pm
Gender: Male
Sexual preference: Gay
Species: Werewolf
Region: Gauteng
Location: ::1
Contact:

Re: Meltdown & Spectre

#5

Post by Valerion »

Seems Windows desktop performance won't be much affected. Servers on the other paw ...

ArtyLoop
Posts: 180
Joined: Wed Dec 20, 2017 7:37 pm
Gender: Male
Sexual preference: Straight

Re: Meltdown & Spectre

#6

Post by ArtyLoop »

To be clear:
Spectre: The name for a class of vulns that exploit out-of-order execution on modern microprocessors
Meltdown: A Spectre class exploit specific to the x86 architecture

More names will probably appear as the exploits become proven for other architectures.
So to clarify, the Spectre class vulnerabilities, although mostly theoretical, affect nearly every type of processor architecture and sadly this includes ARM. As of my knowledge the only architecture that might not be affected is the humble SuperH RISC (SEGA consoles and office machines) but that's merely my opinion.
Spectre has the potential thus to even affect residential routers that run Linux, Raspberry Pi, etc, etc.. even network switches.
We will watch it for now, but as I mentioned we received the advisory and my boss and I are on this.
User avatar
Rakuen Growlithe
Fire Puppy
Posts: 6718
Joined: Tue Apr 01, 2008 2:24 pm
Gender: Male
Sexual preference: Bi
Species: Growlithe (pokemon)
Region: Other
Location: Pretoria
Contact:

Re: Meltdown & Spectre

#7

Post by Rakuen Growlithe »

There are even more exploits being found in 2018! The password protection for Xerox Alto disks has been completely bypassed and there are major flaws with the hash algorithm. If you're storing data on password-protected Xerox Alto disks then you need to find a more secure method of storage.
http://www.righto.com/2018/01/xerox-alt ... -disk.html
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

“Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties.”
~John Milton~
User avatar
Rakuen Growlithe
Fire Puppy
Posts: 6718
Joined: Tue Apr 01, 2008 2:24 pm
Gender: Male
Sexual preference: Bi
Species: Growlithe (pokemon)
Region: Other
Location: Pretoria
Contact:

Re: Meltdown & Spectre

#8

Post by Rakuen Growlithe »

I feel worse and worse about getting an Intel processor when I could've got AMD...
http://m.dw.com/en/new-security-flaw-de ... a-42122823
"If all mankind minus one, were of one opinion, and only one person were of the contrary opinion, mankind would be no more justified in silencing that one person, than he, if he had the power, would be justified in silencing mankind."
~John Stuart Mill~

“Give me the liberty to know, to utter, and to argue freely according to conscience, above all liberties.”
~John Milton~
Post Reply