[svlug] Intel CPUs' Kernel Page Table Isolation (KPTI) fix

Rick Moen rick at linuxmafia.com
Thu Jan 4 12:56:31 PST 2018


Quoting Sarah Newman (newmans at sonic.net):

> There are actually 3 different classes of vulnerabilities. It's not just Intel. https://developer.arm.com/support/security-update

Good point.  Google's Security Blog has a very general rundown about
these findings from the Project Zero researcher:
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
It's pretty woefully deficient on specifics.  
https://meltdownattack.com/ (from the researchers) is better, and 
the ARM page at least outlines the three attacks and gives their CVEs:

Variant 1: bounds check bypass (CVE-2017-5753)     [RM: Spectre]
Variant 2: branch target injection (CVE-2017-5715) [RM: Spectre]
Variant 3: rogue data cache load (CVE-2017-5754)   [RM: Meltdown - Intel-specific]

Which ARM cores are and aren't affected by Spectre is shown on the
ARM page.  In general terms, _some_ 64-bit Intel, AMD, and ARM
processors are affected by Spectre, specifically those with 'speculative
execution'.  https://developer.arm.com/support/security-update

C code to test for the Spectre vulnerability:
https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6

As to Meltdown and Intel CPUs, researchers' claim is that 'every Intel
processor which implements out-of-order execution is potentially
affected, which is effectively every processor since 1995 (except Intel
Itanium and Intel Atom before 2013)'.
https://meltdownattack.com/#faq-systems-meltdown
They say it's not been confirmed yet on anything but Intel CPUs, e.g.,
not yet on ARM, AMD, MIPS, SPARC64, etc.

The patches for Linux, MS-Windows, and OS X address Meltdown; fixing
Spectre is a work in progress, i.e., there are experimental Linux
patches for one of the two Spectre attacks, Variant 2:
http://lists.llvm.org/pipermail/llvm-commits/Week-of-Mon-20180101/513630.html
https://lwn.net/Articles/743019/

Here's part of the work on Variant 1:
https://lwn.net/Articles/742754/


I have to say that 'Don't worry and just run JavaScript from arbitrary
locations on the Web' is looking like an even worse idea than before,
given these side-channel exploits against system RAM.

I think _way_ more people other than VPS vendors need to be worried.
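
An added example, not from Rick's message or the svlug archive: a POSIX shell check of what the running Linux kernel reports for the three variants listed above, using the per-variant files under /sys/devices/system/cpu/vulnerabilities that kernels from 4.15 on provide (the optional directory argument and the file contents used for testing are my assumptions).

```shell
#!/bin/sh
# Added example: report what the running Linux kernel says about the three
# variants above. Linux 4.15+ exposes one file per variant under
# /sys/devices/system/cpu/vulnerabilities; another directory may be passed
# as $1 (assumption, used with constructed files for testing).
VULN_DIR="${1:-/sys/devices/system/cpu/vulnerabilities}"

# Map sysfs file names to the variant numbers and CVEs from the ARM page.
describe_variant() {
    case "$1" in
        spectre_v1) echo "Variant 1, bounds check bypass (CVE-2017-5753)" ;;
        spectre_v2) echo "Variant 2, branch target injection (CVE-2017-5715)" ;;
        meltdown)   echo "Variant 3, rogue data cache load (CVE-2017-5754)" ;;
        *)          echo "unknown variant ($1)" ;;
    esac
}

# Classify one status line. The kernel writes "Not affected",
# "Vulnerable..." or "Mitigation: <name>", e.g. "Mitigation: PTI" once
# the KPTI fix discussed in this thread is active for Meltdown.
classify_status() {
    case "$1" in
        "Not affected") echo "ok" ;;
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "VULNERABLE" ;;
        *)              echo "unknown" ;;
    esac
}

# Print one line per variant; the return value is the number of variants
# that are not mitigated, so a non-zero exit means the host is still exposed.
check_mitigations() {
    dir="$1"; exposed=0
    for name in spectre_v1 spectre_v2 meltdown; do
        if [ ! -r "$dir/$name" ]; then
            # No entry: pre-4.15 or unpatched kernel. Unknown is not safe.
            printf '%-52s %s\n' "$(describe_variant "$name")" "no sysfs entry"
            exposed=$((exposed + 1)); continue
        fi
        status=$(cat "$dir/$name")
        state=$(classify_status "$status")
        printf '%-52s %-10s %s\n' "$(describe_variant "$name")" "$state" "$status"
        case "$state" in ok|mitigated) ;; *) exposed=$((exposed + 1)) ;; esac
    done
    return "$exposed"
}

rc=0; check_mitigations "$VULN_DIR" || rc=$?
echo "$rc variant(s) unmitigated or unknown on this host"
```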
