Re: Intel CPU security flaw

Posted: Sun Jan 07, 2018 2:02 pm
by folderol
Jack Winter wrote:Spectre is arguably the bigger problem...
Yes and No.
Its main attack vector is malicious JavaScript from compromised websites, and all the main browsers are rapidly pushing out patches to deal with it by both reducing the timer resolution available and also randomising it - the exploit relies on being able to accurately time CPU context switching actions.

Ultimately it needs to be sorted out in hardware, but this will take some time of course.

Re: Intel CPU security flaw

Posted: Sun Jan 07, 2018 3:18 pm
by Jack Winter
folderol wrote:
Jack Winter wrote:Spectre is arguably the bigger problem...
Yes and No.
Its main attack vector is malicious JavaScript from compromised websites, and all the main browsers are rapidly pushing out patches to deal with it by both reducing the timer resolution available and also randomising it - the exploit relies on being able to accurately time CPU context switching actions.

Ultimately it needs to be sorted out in hardware, but this will take some time of course.
Any other app running presents the same issue as JS in a browser; it's just a question of how it gets on the computer. Granted, us Linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install). IMO a huge problem for the other OSs, but still a potential issue for us as far as binary plugins, Steam games, etc. are concerned.

Re: Intel CPU security flaw

Posted: Sun Jan 07, 2018 11:56 pm
by Lyberta
Jack Winter wrote:but still a potential issue for us as far as binary plugins, Steam games, etc. are concerned.
Oh lol. Steam asset flips made for the purposes of money laundering will now be stealing passwords, nice.

Re: Intel CPU security flaw

Posted: Mon Jan 08, 2018 7:29 am
by tavasti
Jack Winter wrote:Any other app running presents the same issue as JS in a browser; it's just a question of how it gets on the computer. Granted, us Linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install).
That malicious code can also be in source code. Hide something in whatever experimental code, and you will compile it yourself. Here is example Spectre code; it is not perfect and will not work on all CPUs, but on most of them it works: https://gist.github.com/ErikAugust/724d ... 2a9e3d4bb6

Re: Intel CPU security flaw

Posted: Tue Jan 09, 2018 9:52 am
by Jack Winter
tavasti wrote:
Jack Winter wrote:Any other app running presents the same issue as JS in a browser; it's just a question of how it gets on the computer. Granted, us Linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install).
That malicious code can also be in source code. Hide something in whatever experimental code, and you will compile it yourself. Here is example Spectre code; it is not perfect and will not work on all CPUs, but on most of them it works: https://gist.github.com/ErikAugust/724d ... 2a9e3d4bb6
I think you missed my point, which was the following: at the moment software needs to be compiled specifically to protect against Spectre, something we can do with open source. Hopefully this will be taken care of in the kernel, thus protecting against all programs attempting a Spectre-style exploit.

Re: Intel CPU security flaw

Posted: Tue Jan 09, 2018 10:06 am
by sadko4u
We've tested the Spectre code on a low-level developers' forum.
No one got it fully working.
Personally I tried to reproduce it on 4 Linux machines:
AMD FX(tm)-4100 Quad-Core Processor - doesn't work even with changes from comments below.
AMD FX(tm)-8350 Eight-Core Processor - doesn't work.
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ - doesn't work.
Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz - rare unstable matches of symbols, generally fails.

So people who tested the PoC concluded that even if this works, it works sometimes under some special circumstances that are currently not well known.

Re: Intel CPU security flaw

Posted: Tue Jan 09, 2018 10:14 am
by tavasti
sadko4u wrote:We've tested the Spectre code on a low-level developers' forum.
No one got it fully working.
Personally I tried to reproduce it on 4 Linux machines:
AMD FX(tm)-4100 Quad-Core Processor - doesn't work even with changes from comments below.
AMD FX(tm)-8350 Eight-Core Processor - doesn't work.
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ - doesn't work.
Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz - rare unstable matches of symbols, generally fails.

So people who tested the PoC concluded that even if this works, it works sometimes under some special circumstances that are currently not well known.
My friends and I tested that, and there were AMD FX processors and old Intels where that PoC code did not work. On all Intel CPUs made after Core2Duo it worked. The assumption is that this PoC code is just a quick scratch, which does not work on all processors, but it is just a matter of more careful engineering to get it working on those also.

Re: Intel CPU security flaw

Posted: Wed Jan 10, 2018 3:44 pm
by khz
How to check Linux for Spectre and Meltdown vulnerability
https://www.cyberciti.biz/faq/check-lin ... erability/

Meltdown and Spectre: Security advisories and updates from hardware and software vendors
https://www.heise.de/newsticker/meldung ... 36141.html

Re: Intel CPU security flaw

Posted: Thu Jan 18, 2018 11:23 am
by sadko4u
khz wrote:How to check Linux for Spectre and Meltdown vulnerability
https://www.cyberciti.biz/faq/check-lin ... erability/
This checker does not execute PoC code; all checks are indirect. Are there better solutions?

Re: Intel CPU security flaw

Posted: Tue Jan 23, 2018 7:39 am
by tavasti
42low wrote:You don't have to do anything if you update, incl. kernel updating.
With the updates FF is fixed for this. The kernel is fixed. And the microcode is fixed (to open source). All checked.
At the end my computer is fixed for this bug and I didn't have to do anything for it. And my computers didn't lose any speed.
1) Spectre is such a vulnerability that it won't get 100% fixed with microcode, firmware and all OS fixes together.

2) Those fixes do have a speed penalty, but the amount depends on what you run.

3) Even Intel themselves say that the firmware fix is buggy: https://www.computerworld.com/article/3 ... fixes.html

Re: Intel CPU security flaw

Posted: Tue Jan 23, 2018 5:37 pm
by Lyberta
KPTI has arrived in Debian Testing and is not enabled on AMD CPUs. Just FYI.
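
Added example, not part of the thread and not the checker linked above: an indirect check of the kind discussed in the posts above, reading the mitigation status that patched kernels report themselves (including whether PTI is active or the CPU is listed as not affected). It assumes the kernel exposes `/sys/devices/system/cpu/vulnerabilities`; the function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Map one kernel status line to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Print "<issue> <class> <raw status>" for every file in the directory.
# Returns 0 if nothing is vulnerable, 1 if any entry is vulnerable or
# unknown, 2 if the directory is missing (kernel does not report status).
report_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no report: $dir is missing"
        return 2
    fi
    _rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        class=$(classify_status "$status")
        case "$class" in vulnerable|unknown) _rc=1 ;; esac
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$class" "$status"
    done
    return $_rc
}

# Constructed sample (not captured from a real machine): an AMD-like box
# where Meltdown does not apply and Spectre v2 is not yet mitigated.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Not affected" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
report_vulnerabilities "$sample" || echo "exit status: $?"
rm -rf "$sample"
```

Calling `report_vulnerabilities` with no argument reads the live sysfs directory instead of the sample.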

Re: Intel CPU security flaw

Posted: Thu May 03, 2018 3:56 pm
by khz
Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious
https://www.heise.de/ct/artikel/Exclusi ... 40648.html

Re: Intel CPU security flaw

Posted: Thu May 03, 2018 5:30 pm
by lilith
Image

:mrgreen:

Re: Intel CPU security flaw

Posted: Tue May 14, 2019 6:04 pm
by khz
The show (ongoing for ~20 years) continues.
(German) https://www.heise.de/newsticker/meldung ... 21217.html

Re: Intel CPU security flaw

Posted: Thu May 16, 2019 4:53 am
by khz
Here Intel has published details about the microcode updates: https://www.intel.com/content/dam/www/p ... 132019.pdf