Jack Winter wrote:Spectre is arguably the bigger problem...
Yes and No.
It's main attack vector is malicious javascript from compromised websites, and all the main browsers are rapidly pushing out patches to deal with it by both reducing the timer resolution available and also randomising it - the exploit relies on being able to accurately time cpu context switching actions.
Ultimately it needs to be sorted out in hardware, but this will take some time of course.
Jack Winter wrote:Spectre is arguably the bigger problem...
Yes and No.
It's main attack vector is malicious javascript from compromised websites, and all the main browsers are rapidly pushing out patches to deal with it by both reducing the timer resolution available and also randomising it - the exploit relies on being able to accurately time cpu context switching actions.
Ultimately it needs to be sorted out in hardware, but this will take some time of course.
Any other app running presents the same issue as a JS in a browser, it's just a question of how it gets on the computer. Granted us linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install). IMO a huge problem for the other OSs, but still a potential issue for us as far as binary plugins, steam games, etc are concerned.
Reaper/KDE/Archlinux. i7-2600k/16GB + i7-4700HQ/16GB, RME Multiface/Babyface, Behringer X32, WA273-EQ, 2 x WA-412, ADL-600, Tegeler TRC, etc For REAPER on Linux information: https://wiki.cockos.com/wiki/index.php/REAPER_for_Linux
Jack Winter wrote:Any other app running presents the same issue as a JS in a browser, it's just a question of how it gets on the computer. Granted us linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install).
That malicious code can be also in source code. Hiding something to what ever experimental code, and you will compile it yourself. Here is example spectre code, it is not perfect and will not work on all CPUs but on most of them, works: https://gist.github.com/ErikAugust/724d ... 2a9e3d4bb6
Jack Winter wrote:Any other app running presents the same issue as a JS in a browser, it's just a question of how it gets on the computer. Granted us linux users are less prone to running binary blobs (disregarding the packaged binaries most of us install).
That malicious code can be also in source code. Hiding something to what ever experimental code, and you will compile it yourself. Here is example spectre code, it is not perfect and will not work on all CPUs but on most of them, works: https://gist.github.com/ErikAugust/724d ... 2a9e3d4bb6
I think you missed my point which was the following: At the moment software needs to be compiled specifically to protect against spectre, something we can do with opensource. Hopefully this will be taken care of in the kernel thus protecting against all programs attempting a spectre style exploit.
Reaper/KDE/Archlinux. i7-2600k/16GB + i7-4700HQ/16GB, RME Multiface/Babyface, Behringer X32, WA273-EQ, 2 x WA-412, ADL-600, Tegeler TRC, etc For REAPER on Linux information: https://wiki.cockos.com/wiki/index.php/REAPER_for_Linux
We've tested spectre code on low-level developer's forum.
No one got it fully working.
Personally I tried to reproduce it on 4 linux machines:
AMD FX(tm)-4100 Quad-Core Processor - doesn't work even with changes from comments below.
AMD FX(tm)-8350 Eight-Core Processor - doesn't work.
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ - doesn't work.
Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz - rare unstable matches of symbols, generally fail.
So people who tested the PoC, made a conclusion that even this works, this works sometimes under some special circumstances that are currently not well-known.
sadko4u wrote:We've tested spectre code on low-level developer's forum.
No one got it fully working.
Personally I tried to reproduce it on 4 linux machines:
AMD FX(tm)-4100 Quad-Core Processor - doesn't work even with changes from comments below.
AMD FX(tm)-8350 Eight-Core Processor - doesn't work.
AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ - doesn't work.
Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz - rare unstable matches of symbols, generally fail.
So people who tested the PoC, made a conclusion that even this works, this works sometimes under some special circumstances that are currently not well-known.
Me and my friends tested that, and there was AMD FX processors and old Intels where that PoC code did not work. On all Intel cpu's made after Core2Duo worked. Assumption is that this PoC code is just quick scratch, which does not work on all processors, but it is just matter of more careful engineering to get it working on those also.
42low wrote:You don't have to do anything if you update, incl kernel-updating.
With the updates FF is fixed for this. The kernel is fixed. And the microcode is fixed (to open source). All checked.
At the end my computer is fixed for this bug and i didn't have to do anything for it. And my computers didn't loose any speed.
1) Spectre is such vulnerability, that it won't get 100% fixed with microcode, firmware and all OS fixes together.
2) Those fixes do have speed penalty, but amount depends what you run.