11 Replies - 396 Views - Last Post: 28 January 2018 - 05:27 AM

#1 Skydiver (Code herder)

Spectre/Meltdown: Is the threat over-inflated?

Posted 24 January 2018 - 07:02 AM

My understanding of the spectre/meltdown is that to successfully be able to exploit the flaws, I need to have malicious code running on the machine. In a past life, my security training had always stated that if the bad guy successfully gets physical access to the machine or can get malicious code running on the machine, it's considered game over -- bad guys won.

So what am I missing here? Has the definition of "game over" changed? Now it's okay to have malware running on the machine as long as it can't elevate its privilege or break out of its sandbox?

Is the major concern here that a bad guy can legitimately buy some space on AWS, Azure, or Google Cloud, and then from his VM be able to steal secrets from other VMs? If so, then shouldn't the home user be allowed to opt-in/opt-out of getting the patches?


#2 no2pencil (Professor Snuggly Pants)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 24 January 2018 - 07:52 AM

Skydiver, on 24 January 2018 - 09:02 AM, said:

Now it's okay to have malware running on the machine as long as it can't elevate its privilege or break out of its sandbox?

stuxnet ...

Skydiver, on 24 January 2018 - 09:02 AM, said:

Is the major concern here that a bad guy can legitimately buy some space on AWS, Azure, or Google Cloud, and then from his VM be able to steal secrets from other VMs? If so, then shouldn't the home user be allowed to opt-in/opt-out of getting the patches?

I think Microsoft did more damage than the malware did.

#3 modi123_1 (Suitor #2)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 24 January 2018 - 07:59 AM

From what I read I believe it is a legitimate concern.

Yes, folks have created malicious ads that get served up and could be used as a vector for it.

I am not sure if a regular plain old user has the foresight of being able to know if they should opt in or not.

#4 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 24 January 2018 - 01:00 PM

So if only Javascript were to go back to being interpreted instead of just-in-time compiled, then the Spectre exploit using Javascript would not be an issue. Of course, now everybody expects Javascript to run as fast as it is now, so there is no going back.

This post has been edited by jon.kiparsky: 25 January 2018 - 09:37 AM
Reason for edit:: removed double-posted content


#5 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 09:27 AM

Slightly off topic: what about a Javascript co-processor? Compile Javascript to assembly only for execution on the co-processor. Any information leaking across will be from other Javascript running on the machine.

Back on topic: All of the variants, whether exploitable from Javascript or not, require malware to be running on the machine. Why is this a must-fix issue, but the flaws in Intel's remote management suite, which can also go in at a low level, not a must-fix?

#6 modi123_1 (Suitor #2)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 09:33 AM

Coprocessor like an actual chip? Something inherently vile about that. Like it should be a quick-hit Shadowrun campaign. In, out, geek some goons at a lab with a pair of wired-up street samurai, have the troll street mage burn the lab while the elven decker burns all traces from the matrix to save the meta world from that abomination.

#7 jon.kiparsky (Beginner)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 09:43 AM

I'm actually curious about the Meltdown exposure on cloud services. It seems to me, naive as I am, that if AWS (to pick a cloud service at random) has updated the OS on the hosting machine, then Evil Igor can't exploit Meltdown to get from his instance to someone else's instance on that machine, right?
I ask because apparently AWS had a patch on their machines before the story broke, or at least soon after, but my team still lost a lot of time making sure that the OSes on our instances all got updates when they became available - which now seems like a waste of time and effort.
Or am I misunderstanding?

#8 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 11:36 AM

modi123_1, on 25 January 2018 - 11:33 AM, said:

Coprocessor like an actual chip?

Separate chip or same chip, but different instruction set. Something like the way Jazelle was built to run Java bytecodes directly in ARM hardware, come up with a standard instruction set for Javascript and then execute on (isolated) hardware.

#9 Martyr2 (Programming Theoretician)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 12:21 PM

I guess the latest version of Chrome out now (version 64) also has additional mitigation mechanisms against Meltdown/Spectre. So might be something to consider upgrading if you are really worried about it. :)

#10 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 12:48 PM

jon.kiparsky, on 25 January 2018 - 11:43 AM, said:

I'm actually curious about the Meltdown exposure on cloud services. It seems to me, naive as I am, that if AWS (to pick a cloud service at random) has updated the OS on the hosting machine, then Evil Igor can't exploit Meltdown to get from his instance to someone else's instance on that machine, right?
I ask because apparently AWS had a patch on their machines before the story broke, or at least soon after, but my team still lost a lot of time making sure that the OSes on our instances all got updates when they became available - which now seems like a waste of time and effort.
Or am I misunderstanding?

For Meltdown, my understanding was all that was needed was an OS level software patch so that the OS stops using an optimization of keeping a table in memory when transitioning from kernel mode to user mode. With the patch, the OS clears the in kernel side memory table, goes into user mode. On return from user mode, the kernel repopulates the table that it needs.

So the OS level patching at the host level is to protect their host from the guests as well as any malicious code that may end up running on their host. The OS level patching in your instances is to protect your VM from any malicious code that may end up running within your VM.
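A check that follows from the host-versus-guest point above, added here as an example and not code from the thread: a Linux kernel reports its own Meltdown/Spectre mitigation state in /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15 and later), and a guest kernel reports only its own state, so running this inside each VM shows whether that VM's kernel carries the page-table patch, independently of whatever the host has applied. The function names are my own; the sysfs paths and the "Mitigation:" / "Vulnerable" / "Not affected" line formats are the kernel's.

```c
#include <stdio.h>
#include <string.h>

/* Status classes for the Linux sysfs vulnerability files
 * (/sys/devices/system/cpu/vulnerabilities/<name>, kernel 4.15+). */
enum mitigation_status { STATUS_UNKNOWN, STATUS_NOT_AFFECTED,
                         STATUS_MITIGATED, STATUS_VULNERABLE };

/* Classify one line in the format the kernel writes to those files,
 * e.g. "Mitigation: PTI" for meltdown once the page-table patch is in. */
enum mitigation_status classify_line(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return STATUS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return STATUS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return STATUS_VULNERABLE;
    return STATUS_UNKNOWN;
}

/* Read and classify the file for one vulnerability name; a missing file
 * (kernel predates the reporting) yields STATUS_UNKNOWN. */
enum mitigation_status read_status(const char *name) {
    char path[256], line[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return STATUS_UNKNOWN;
    int ok = fgets(line, sizeof line, f) != NULL;
    fclose(f);
    return ok ? classify_line(line) : STATUS_UNKNOWN;
}

/* Returns 1 only if every listed vulnerability is mitigated or not
 * applicable; "unknown" counts as a failure because the kernel cannot
 * tell you either way. */
int all_mitigated(const char *const *names, size_t count) {
    static const char *const labels[] =
        { "unknown", "not affected", "mitigated", "vulnerable" };
    int result = 1;
    for (size_t i = 0; i < count; i++) {
        enum mitigation_status s = read_status(names[i]);
        printf("%-12s %s\n", names[i], labels[s]);
        if (s != STATUS_MITIGATED && s != STATUS_NOT_AFFECTED) result = 0;
    }
    return result;
}

int main(void) {
    const char *const names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    return all_mitigated(names, 3) ? 0 : 1;
}
```

Run it on the host (where you can) and inside each guest; the guest's "meltdown" line answers the question of whether patching the instance OS was wasted effort.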

#11 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 25 January 2018 - 02:28 PM

Martyr2, on 25 January 2018 - 02:21 PM, said:

I guess the latest version of Chrome out now (version 64) also has additional mitigation mechanisms against Meltdown/Spectre. So might be something to consider upgrading if you are really worried about it. :)

The price for peace of mind: visual distraction of the descenders breaking underlines:
[image: underline rendering comparison]
(Left part of image is Chrome 63. Right part of image is Chrome 64.)

#12 Skydiver (Code herder)

Re: Spectre/Meltdown: Is the threat over-inflated?

Posted 28 January 2018 - 05:27 AM

I just realized something. Good security programming practice dictates that one keep secrets in memory in unencrypted form only long enough for use, and then it should be overwritten 3 times before freeing the memory. Are people simply ignoring this practice and thereby magnifying the risk presented by Spectre?

On another tangent, what is the difference between the malware peeking at memory that does not belong to it via Spectre and malware forcing a core dump and reading the core dump?
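The wipe-before-free practice the post refers to, as an added example (not code from the thread): the detail it adds is that a plain memset() right before free() is a dead store that an optimizing compiler may delete, so the wipe has to be written in a form the compiler must keep. secure_wipe, handle_secret and the stand-in consumer count_chars are hypothetical names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Naive wipe: a memset() on a buffer that is freed right afterwards is
 * a dead store, and an optimizing compiler may delete it entirely. */
void naive_wipe(void *buf, size_t len) {
    memset(buf, 0, len);
}

/* Hardened wipe: calling memset through a volatile function pointer
 * means the compiler cannot assume what is called, so the store stays. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *buf, size_t len) {
    memset_ptr(buf, 0, len);
}

/* Returns 1 if every byte of buf is zero; walks the whole buffer
 * regardless of content so the loop length does not leak anything. */
int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Holds a copy of the secret in plaintext only while use_secret() runs,
 * then wipes it before the allocation is released. Returns use_secret's
 * result, or -1 if the copy could not be allocated. */
int handle_secret(const char *secret, int (*use_secret)(const char *)) {
    size_t len = strlen(secret) + 1;
    char *plain = malloc(len);
    if (!plain) return -1;
    memcpy(plain, secret, len);
    int rc = use_secret(plain);
    secure_wipe(plain, len);   /* survives optimization, unlike naive_wipe */
    free(plain);
    return rc;
}

/* Constructed stand-in for whatever consumes the secret. */
int count_chars(const char *s) {
    return (int)strlen(s);
}
```

Wiping shortens the exposure window but does not close it: a transient-execution read while use_secret() is running still sees the plaintext, so the practice reduces rather than removes the risk the post asks about.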
