[svlug] Intel CPUs' Kernel Page Table Isolation (KPTI) fix

Alex Keller axkeller at stanford.edu
Thu Jan 4 13:17:57 PST 2018

Jann Horn's (Google Project Zero) superb write-up is here:

These flaws were apparently discovered independently by multiple teams at roughly the same time. 


-----Original Message-----
From: svlug-bounces+axkeller=stanford.edu at lists.svlug.org [mailto:svlug-bounces+axkeller=stanford.edu at lists.svlug.org] On Behalf Of Rick Moen
Sent: Thursday, January 4, 2018 12:57 PM
To: svlug at lists.svlug.org
Subject: Re: [svlug] Intel CPUs' Kernel Page Table Isolation (KPTI) fix

Quoting Sarah Newman (newmans at sonic.net):

> There are actually 3 different classes of vulnerabilities. It's not 
> just intel. https://developer.arm.com/support/security-update

Good point.  Google's Security Blog has a very general rundown about these findings from the Project Zero researcher:
It's pretty woefully deficient on specifics.  
https://meltdownattack.com/ (from the researchers) is better, and the ARM page at least outlines the three attacks and gives their CVEs:

Variant 1: bounds check bypass (CVE-2017-5753)    [RM: Spectre]
Variant 2: branch target injection (CVE-2017-5715) [RM: Spectre]
Variant 3: rogue data cache load (CVE-2017-5754)   [RM: Meltdown - Intel-specific]

Which ARM cores are and aren't affected by Spectre is shown on the ARM page.  In general terms, _some_ 64-bit Intel, AMD, and ARM processors are affected by Spectre, specifically those with 'speculative execution'.  https://developer.arm.com/support/security-update

C code to test for the Spectre vulnerability:

As to Meltdown and Intel CPUs, the researchers' claim is that 'every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013)'.
They say it's not been confirmed yet on anything but Intel CPUs, e.g., not yet on ARM, AMD, MIPS, SPARC64, etc.

The patches for Linux, MS-Windows, and OS X address Meltdown; fixing Spectre is a work in progress, i.e., there are experimental Linux patches for one of the two Spectre attacks, Variant 2:

Here's part of the work on Variant 1:

I have to say that 'Don't worry and just run Javascript from arbitrary locations on the Web' is looking like an even worse idea than before, given these side-channel exploits against system RAM.

I think _way_ more people other than VPS vendors need to be worried.
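Since the thread's practical question is whether the Meltdown (KPTI) and Spectre patches are actually active on a given Linux box, here is an added example (not from the list posters) that reads the per-variant status files the 4.15+ kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and maps each to the CVE named above. VULN_DIR is overridable so it can be pointed at a constructed directory for testing.

```shell
#!/bin/sh
# Added example: summarise the kernel's reported mitigation status for the three
# variants discussed in the thread. Linux 4.15+ exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2);
# each holds "Not affected", "Vulnerable", "Vulnerable: ..." or "Mitigation: ...".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints "ok" (mitigated or not affected),
# "vulnerable", or "unknown" (kernel too old to report, or unparsable text)
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_variant NAME CVE: reads the sysfs file for NAME (if present), prints
# "NAME CVE <classification> <raw text>", and returns 1 if it is vulnerable
report_variant() {
    name=$1; cve=$2
    f="$VULN_DIR/$name"
    if [ -r "$f" ]; then
        raw=$(cat "$f")
    else
        raw="(no sysfs entry; kernel predates vulnerability reporting)"
    fi
    status=$(classify_status "$raw")
    printf '%-10s %s  %-10s %s\n' "$name" "$cve" "$status" "$raw"
    [ "$status" != vulnerable ]
}

# check_all: walks the three variants from the thread; exit status is the
# number of variants the kernel reports as still vulnerable (0 = all clear)
check_all() {
    bad=0
    report_variant spectre_v1 CVE-2017-5753 || bad=$((bad + 1))
    report_variant spectre_v2 CVE-2017-5715 || bad=$((bad + 1))
    report_variant meltdown   CVE-2017-5754 || bad=$((bad + 1))
    return $bad
}

check_all
```

Note that "unknown" (missing files) means the kernel is too old to report at all, which on the timeline of this thread usually means unpatched, not safe.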
