Memory management bug in Intel CPUs threatens massive performance hits.

[paulca]

To be honest I'm not all that concerned.  I mostly live in Linux.  Linux is vunerable of course, but it is far less likely to be running malicious code than your average home Windows box.  About 99% of my Linux software is open source and compiled from source.  Therefore if it has malware in it it would be spotted and removed.

There is still a risk, but it's much less than your average Windows box which are metaphorically like a Saigon hooker.  So much nasty stuff in it you can see them crawling down the desktop's legs!  (sorry you got that image).

I do have a Windows laptop and a gaming machine which will now be put on quarantine, so no online banking, no sensitive stuff etc.

Your hubris might be expensive. You browse the web, I presume? Javascript is seen as a major possible vector and will run just as happily on your box as it does on Windows. You can compile from source until the cows come home and still have your passwords taken from under your nose. Security through obscurity never works.

Fanboy stances on this OS or that also don't help. The problem almost always is the user and rarely ever the OS. If it really were the OS, Windows wouldn't be so dominant in the very security concious enterprise market.

I'll update my browsers, but on that front I'm angry.  I have warned people for years to keep the damn script kiddies at bay.  Now we even have Javascript on servers (NodeJS) FFS and Javascript with memory access.  WTF?  Idiots.  One of the worst, most annoying languages ever written.  It should have remained a junk interrupted, sandboxed, mickey mouse script tool for making text flash and modifying HTML. </rant>

Compiling from source.  It's not obscurity, that's not the point of compiling from source.  In fact it's the polar opposite.

Windows is popular in the security conscious enterprise market because of the centralized management AD et al, because of "single vendor", because of support, because of... on and on and on.  None of them are to do with it being secure.  Secure enterprises can afford the teams of people required to keep a windows network lock down enough to keep it secure.  I'm sitting in one right now.

[Mr. Scram]

I'll update my browsers, but on that front I'm angry.  I have warned people for years to keep the damn script kiddies at bay.  Now we even have Javascript on servers (NodeJS) FFS and Javascript with memory access.  WTF?  Idiots.  One of the worst, most annoying languages ever written.  It should have remained a junk interrupted, sandboxed, mickey mouse script tool for making text flash and modifying HTML. </rant>

Compiling from source.  It's not obscurity, that's not the point of compiling from source.  In fact it's the polar opposite.

Windows is popular in the security conscious enterprise market because of the centralized management AD et al, because of "single vendor", because of support, because of... on and on and on.  None of them are to do with it being secure.  Secure enterprises can afford the teams of people required to keep a windows network lock down enough to keep it secure.  I'm sitting in one right now.

My remark about obscurity wasn't related to self compiling code, though I doubt it helps much.

The truth is all OSs are unsafe and very leaky. Windows, macOS or Linux, it's all the same. The main difference is that Windows is much more popular, and is therefore targeted more. Any modern OS is such a huge pile of code that it's inevitable to be full of errors and vulnerabilities. No OS escapes this.

Besides, this isn't an OS vulnerability. This is a hardware vulnerabilty. OS updates can mitigate it, but won't solve it. We're in this together.

[nfmax]

The problem with Javascript in the browser is that nowadays, to get better performance, it is downloaded as (minified) source and then compiled to native machine code instead of bytecode (like Java) or interpreted from source. Since the process 'sandbox' is now broken, thanks to Meltdown & Spectre, it is unsafe to download, compile and run ANY language, be it Javascript, Erlang, Snobol or CORAL66. At least with Java you only have to worry about the security of the JVM, not the actual code you may download. We will have to wait and see what these forthcoming browser 'fixes' amount to.

Server-side Javascript is no more or less dangerous than any other compiled language. The 'good parts' of Javascript, in its latest versions, are quite a pleasant programming language.

[paulca]

The truth is all OSs are unsafe and very leaky. Windows, macOS or Linux, it's all the same. The main difference is that Windows is much more popular, and is therefore targeted more. Any modern OS is such a huge pile of code that it's inevitable to be full of errors and vulnerabilities. No OS escapes this.

You can't just bundle all operating systems together.  They are all susceptible to bugs and exploits yes, but there are fundamental differences.

The one that is relevant is the ability to install software.  In Windows software is "live" out of the box.  On most domestic systems it can install itself and run itself, anything with a .exe is fair game and fully trusted software.  The stupid notifications you get are just ignored by 90% of people who invariably click "OK".  You just can't do that on Linux, for one you have to be root, second you have to actually mark it executable, thirdly, outside of a distribution Linux is not binary compatible, so one size doesn't fit all.  This is why Linux viruses are incredibly rare and don't propagate anywhere near as easily.   There are dozens of other examples between the two OSes to compare security, but it's safe to say that it is a lot easier to sneak mal-code onto a windows machine than a Linux one.  More recent versions of Windows are improving, but the basic architecture remains insecure as a multi-user system, it can be tamed, but it takes a LOT of effort to lock it down.  But lets not delve into that rabbit hole of this OS verus that (though granted I started it).

To exploit these hardware vulnerabilities you need to execute malicious code.  That was my point.  This is harder to do on Linux, historically and architecturally.

[paulca]

Server-side Javascript is no more or less dangerous than any other compiled language. The 'good parts' of Javascript, in its latest versions, are quite a pleasant programming language.

I just hate it.  I hate it's history, I hate it ethos, I hate it's structure.

It's got nothing to do with Java, that was just because someone invited the marketing team to the naming meeting and Java was a new buzz word.   It was never meant to be a language in the first place just a browser automation engine.  If anything it's more like Clojure which was a clunky, bizarre 1970s recursive language that still survive today in places.  Everything is a function that takes a function which returns a function with takes a function. <shudder>

Newer Javascript with modern frameworks like Angular is 'tolerable', but only just and if you look under the hood of Angular or NodeJS you find it jumping through all the hundreds of hoops and work arounds to make the thing work.  I spent a number of years writing enterprise front ends in Angular.

It's just a personal opinion, but Javascript is a botch that should have remained consigned to making text marques and flashing banners.  A browser automation framework.  Pampering the it's proponents and allowing it to develop into a compiled application language with raw memory, file, network access was a mistake, IMHO.  But maybe I'm just being bitchy.

https://www.destroyallsoftware.com/talks/wat

[Mr. Scram]

You can't just bundle all operating systems together.  They are all susceptible to bugs and exploits yes, but there are fundamental differences.

The one that is relevant is the ability to install software.  In Windows software is "live" out of the box.  On most domestic systems it can install itself and run itself, anything with a .exe is fair game and fully trusted software.  The stupid notifications you get are just ignored by 90% of people who invariably click "OK".  You just can't do that on Linux, for one you have to be root, second you have to actually mark it executable, thirdly, outside of a distribution Linux is not binary compatible, so one size doesn't fit all.  This is why Linux viruses are incredibly rare and don't propagate anywhere near as easily.   There are dozens of other examples between the two OSes to compare security, but it's safe to say that it is a lot easier to sneak mal-code onto a windows machine than a Linux one.  More recent versions of Windows are improving, but the basic architecture remains insecure as a multi-user system, it can be tamed, but it takes a LOT of effort to lock it down.  But lets not delve into that rabbit hole of this OS verus that (though granted I started it).

To exploit these hardware vulnerabilities you need to execute malicious code.  That was my point.  This is harder to do on Linux, historically and architecturally.

I have absolutely no desire to start another war about OSs. Linux has been traditionally been less targeted because it's both less popular on the desktop and much more fragmented, as you state correctly. That's not the same as it being inherently secure, but whatever is the case, that's not a discussion suitable for this thread and not one I desire to pursue. Everyone can consider an OS of choice to be superior for whatever reasons he desires. I don't care.

It's also of no relevance to the current problem. Most Linux distributions have a browser in it out of the box and are therefore as susceptible to the kind of code execution that's needed for this vulnerability as any other OS. Linux, Windows, macOS, AMD, Intel - they're all at risk.

We really need to focus on solving this problem the best we can without getting sidetracked by irrelevant squabbles.

[paulca]

We really need to focus on solving this problem the best we can without getting sidetracked by irrelevant squabbles.

True but I really don't think the desktop is the issue we have right now.  Why hack one person when you can hack a million people?

[metrologist]

What is the exposure really? If I go home and watch youtube all night, my yt password might be exposed? Assuming MS and Google don't just automatically load up all my passwords in memory. They probably do...

[Monkeh]

We really need to focus on solving this problem the best we can without getting sidetracked by irrelevant squabbles.

True but I really don't think the desktop is the issue we have right now.  Why hack one person when you can hack a million people?

Because the admins running the server with a million people to hack are paying attention, and the million people at home are burying their heads in the sand.

[Mr. Scram]

True but I really don't think the desktop is the issue we have right now.  Why hack one person when you can hack a million people?

The biggest threat by far is indeed the server space, where many servers often share the same hardware. This allows code execution on or from a server completely separated from yours, outside of your control. Obviously, most servers are maintained well and will therefore be patched properly. It's likely that malicious people will then target individual users, like ransomware has been doing lately. Code running from a website that's able to recover your administrator or sudo password or encryption passwords or keys from the computer's memory is an absolute nightmare, though websites aren't the only vector imaginable. There are many ways of running scrips in userspace, mainly because we have always counted on the separation doing its job. There is very little mitigation, because we never counted on it being a possibility. Even worse, some forms of mitigation in other areas make a system more vulnerable to this problem.

[Mr. Scram]

What is the exposure really? If I go home and watch youtube all night, my yt password might be exposed? Assuming MS and Google don't just automatically load up all my passwords in memory. They probably do...

Anything that's in memory can be read if someone manages to run code in userspace, the latter typically not being considered high risk. When you visit a website, this happens all the time. This vulnerability means malicious people can intercept any password, like your administrator password, encryption passwords and keys, SSL keys, you name it. In fact, they can intercept anything they want, but it makes more sense to go for short snippets of valuable data that give access to the other data. They can help themselves to everything that keeps the internet, your data and your money safe. You use encryption all the time without even realizing it, like when you browse this website. Our modern world is literally built on the protection this grants us and that protection is potentially gone. Obviously, with your passwords being exposed, you can then completely own a system and all the data on it.

At the same time, we shouldn't overstate the reach of this vulnerability. It doesn't mean attackers can take over your system without executing code on your side and it also doesn't mean they can just alter data or take over a system directly. That can be a consequence of what they learn, but the primary issue is that data that is supposed to be inaccessible and secret can be recovered and funnelled away.

When you know this, you might also understand why people are so worried about enterprise and cloud environments, where many customers often share the same underlying hardware thanks to virtualization. It means that a fully patched and completely up to date server can be attacked by code run on another virtual server sharing the same hardware, recovering passwords, databases, encryption keys and more. This is the primary worry everyone has, as it's how almost the whole internet is constructed. Only after that there are worries about individual systems. When criminals can't attack well maintained servers, they might very well attack much less well maintained computers at home.

However, with the flaw being in the hardware and not in the software it seems we might be able to mitigate the risk, but experts aren't sure it can actually be made safe without changing the hardware. Obviously, changing all the hardware in the world isn't done overnight, and isn't very economically and logistically feasible. We're still learning about the vulnerabilities, so it may turn out to be workable in the end or we may discover that we really do need to replace everything eventually to be completely safe.

If this were just about your Youtube password being exposed, we wouldn't have heard about it.

[paulca]

It's also not that easy to exploit to full potential, if I understand it correctly.  A lot of it is poking around randomly in the dark.

To get a full targeted exploit of something like a browser the attacker needs to be very specific about memory addresses and vectors so needs an understanding of the running programs memory in addition to a good understanding the kernel address space routines that will yield the details they need.   Such as the TLB maps and process descriptors.

Not saying because it's difficult it won't be done, but it's not like every script kiddy malware writer out there will do it either.

Note that the original 'authors' of the exploit determined they could read out kernel memory at something like 500Kbps.  So to dump the whole kernel would take quite a while.  Then they have to analyse that and find various offsets to the programs running, then know specifics about those programs to re-run the exploit and try and access the correct physical memory locations via the cached out-of-order executions access those locations.

As I understand it anyway. 

There are a lot of moving parts to a successful exploit and making it generic enough to run in Javascript in a browser and target any PC or any random application will not be easy or potentially even possible.   I expect attacks will need to be much more targetted.

Password managers have been mentioned and might probably be a primary target.  As will browser password auto-complete stores etc. 

One good thing is it's read only.  So they can't hack bits of memory to hijack things directly.

[nfmax]

One good thing is it's read only.  So they can't hack bits of memory to hijack things directly.

Of course, if they can find and read the root/administrator password somewhere in kernel memory, then they can easily leverage that into total ownership of the system...

[nctnico]

And ofcourse only Windows7 & 8 get slower 

[bd139]

On Unixes, passwords never exist in kernel memory. The kernel is only aware of UID and GID which it keeps in the kernel data structure. It has no idea what a password even is.

Only passwd and login handle passwords and they are user mode programs. passwd is setuid and login is only executable by root.

At best if there are stale pipes in memory then those could be revealed but that’s it. Even ssh is a user mode process and the kernel will only handle encrypted streams.

If they unmap the kernel and only the process and any libraries it talks to are loaded into the address space then this is total isolation. The process can’t see the kernel nor read any other processes. All it does is put some shit in some registers, pray to the kernel and it falls entirely out of existence when god (Linux) answers the prayer. If you get the prayer wrong or poke around the wrong bits of the universe,  behold for you are killed, unless you’re slightly attached to the universe still at which point you are a zombie. I don’t like zombies.  Zombies eat your brains.

Windows: fuck knows. Between COM, bits of msgina, lsass, bits of kernel OM, some sticky tape, string and some dead rodents, your guess is as good as mine. This is the company that managed to put LSASS in a little Hyper-V sponsored pit of despair, declare security victory and only the next day end up with a CVE. MSFT can’t outrun some crap kicked out by some hippies from the 1970s on way too much green that hasn’t changed a whole lot.

Psss idiots.

Disclaimer: slightly too much wine this evening.

[Mr. Scram]

And ofcourse only Windows7 & 8 get slower 

Is that speculation on your part or based on numbers?

[Mr. Scram]

On Unixes, passwords never exist in kernel memory. The kernel is only aware of UID and GID which it keeps in the kernel data structure. It has no idea what a password even is.

Only passwd and login handle passwords and they are user mode programs. passwd is setuid and login is only executable by root.

At best if there are stale pipes in memory then those could be revealed but that’s it. Even ssh is a user mode process and the kernel will only handle encrypted streams.

If they unmap the kernel and only the process and any libraries it talks to are loaded into the address space then this is total isolation. The process can’t see the kernel nor read any other processes. All it does is put some shit in some registers, pray to the kernel and it falls entirely out of existence when god (Linux) answers the prayer. If you get the prayer wrong or poke around the wrong bits of the universe,  behold for you are killed, unless you’re slightly attached to the universe still at which point you are a zombie. I don’t like zombies.  Zombies eat your brains.

Windows: fuck knows. Between COM, bits of msgina, lsass, bits of kernel OM, some sticky tape, string and some dead rodents, your guess is as good as mine. This is the company that managed to put LSASS in a little Hyper-V sponsored pit of despair, declare security victory and only the next day end up with a CVE. MSFT can’t outrun some crap kicked out by some hippies from the 1970s on way too much green that hasn’t changed a whole lot.

Psss idiots.

Disclaimer: slightly too much wine this evening.

All OSs are vulnerable. The traditional flame wars can be omitted, this one hits everyone.

[bd139]

The mitigation strategies are different and the surface area is smaller on Unixes. Way smaller.

Also there is secondary mitigation with MAC (SELinux) which kills off a huge portion of entry vectors. Bar timing attacks via browsers, which are now pretty much mitigated by reducing timer resolution, the main attack vector is system access because you need to run arbitrary code on the target.

This isn’t an OS war, it’s a mitigation architecture war now.

Plus it looks like we can get some performance back now in a few months, looking at Linux 4.14. PCID is coming in. Incidentally OSX already uses thisnas does Hyper-V but not windows server (wtf)

This has been my life since it dropped for ref.

[Mr. Scram]

The mitigation strategies are different and the surface area is smaller on Unixes. Way smaller.

Also there is secondary mitigation with MAC (SELinux) which kills off a huge portion of entry vectors. Bar timing attacks via browsers, which are now pretty much mitigated by reducing timer resolution, the main attack vector is system access because you need to run arbitrary code on the target.

This isn’t an OS war, it’s a mitigation architecture war now.

Plus it looks like we can get some performance back now in a few months, looking at Linux 4.14. PCID is coming in. Incidentally OSX already uses thisnas does Hyper-V but not windows server (wtf)

This has been my life since it dropped for ref.

Please note that this paragraph is a generic rant, not aimed at you. I'm so sick of the petty pissing contests that break out whenever an OS is mentioned. "My OS better because..." Nobody cares. Every OS has merits the others don't. Every OS has some serious problems the others don't. They all sorta kinda work. Nobody cares that you compile from source [Linux], or have the biggest software library [Windows], or have a market share too small to make malware viable [macOS]. Shoo, go call your mother. She'll be happy to hear from you, as opposed to the rest of the world.

I don't believe reducing the resolution solves the problem. So far it only seems to make the attack noisier, but we all know that's just a matter of integrating a bigger dataset. But sure, maybe all the little bits add up and make an attack impractical.

Besides, it doesn't matter what the size of the hole is if the ship is sunk. We're all boned, and working as hard as we can to get unboned. That's all we can do right now.

[bd139]

Indeed. Couldn’t agree more.

I’ve actually got about 500 machines on all platforms to save from this mess. There are no winners really. Everything is fucked, slow or on fire. Also some vendors who have patched their appliances have patched too quickly and botched it. Total nightmare.

Reducing resolution is adding a work factor yes. Is it enough, we don’t know yet. A good point.

So back in about 1995 I should have taken the the other coloured pill at this moment in time. Any one want to hire an EE. Will solder for pennies.

[Mr. Scram]

Indeed. Couldn’t agree more.

I’ve actually got about 500 machines on all platforms to save from this mess. There are no winners really. Everything is fucked, slow or on fire. Also some vendors who have patched their appliances have patched too quickly and botched it. Total nightmare.

Reducing resolution is adding a work factor yes. Is it enough, we don’t know yet. A good point.

So back in about 1995 I should have taken the the other coloured pill at this moment in time. Any one want to hire an EE. Will solder for pennies.

"There are no winners really. Everything is fucked, slow or on fire. Also some vendors who have patched their appliances have patched too quickly and botched it. Total nightmare."

Yeah. Companies are just throwing out updates, which are obviously not thoroughly tested, will probably not fix the whole problem and likely cause other issues. We've seen a number of those already. Everyone is running around confused and making it up as they go along.

As it happens, I have some CCTV footage from actual IT departments. It's fairly grim stuff:

[BravoV]

And ofcourse only Windows7 & 8 get slower 

Is that speculation on your part or based on numbers?

Claim made by Microsoft and obviously it is a golden opportunity to cripple kill Win 7 & 8 and forcing users to upgrade to Win 10.

Quote :
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.

Straight from Microsoft's Executive Vice President, Windows and Devices Group ...

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/

[nctnico]

And ofcourse only Windows7 & 8 get slower 

Is that speculation on your part or based on numbers?

Dutch news article.

[nfmax]

On Unixes, passwords never exist in kernel memory.

They are never left hanging around for their sentimental value, naturally, but they do exist transiently in the buffers of the HID input driver or console serial driver.

Disclaimer: slightly too much wine this evening.

Entirely understandable, given the circumstances

[DimitriP]

And ofcourse only Windows7 & 8 get slower 

All those years most people thought "Intel inside" meant something different

It was just like the warning on every windows machine "Starting Windows"...