News
Patches to mitigate the vulnerabilities are coming thick and fast, but there are still ongoing problems to deal with…
Dealing with Spectre and Meltdown doesn’t get easier, we’re a little closer to the Librem 5 smartphone, and Mozilla donates to FOSS projects.
The Spectre and Meltdown vulnerabilities, which affect a huge range of processors and the machines that run on them, have been known for a while now, and the technology world is still reeling from the ramifications.
Since last issue, where we delved into the vulnerabilities, a number of patches have been released by both hardware and software makers to help mitigate these issues. Some of these fixes have been more successful than others. Intel had to ask people not to download its initial update when it was discovered that it was causing machines to crash. It’s since released a working fix, as described in a blog post (https://newsroom.intel.com/news/security-issue-update-progress-continues-firmware-updates) that outlines the progress the chipmaker has made in addressing these issues.
There were also warnings that many – if not all – of the mitigations for Spectre and Meltdown would result in reduced performance on affected machines, and it looks like that has come to pass. In a blog post (which can be read at http://www.brendangregg.com/blog/2018-02-09/kpti-kaiser-meltdown-performance.html), Brendan Gregg, an industry expert in computing performance and cloud computing, noted that “the patches that workaround Meltdown introduce the largest kernel performance regressions I’ve ever seen”, and looked at the Linux kernel page table isolation (KPTI) patches and KAISER patches for Meltdown, and what kind of performance impact they introduce. His post is well worth reading, as it gives you an excellent idea of what the performance impact is, why it happens and what can be done to help reduce that impact. In some areas, Brendan noted that the patches could increase overheads by up to 800 per cent, though with thorough system tuning these levels will be reduced.
Meanwhile, white hat hackers have been looking into Meltdown and Spectre to see what sort of exploits malicious users could utilise, and rather worryingly, they’ve already discovered plenty of potential exploits. Recently, security experts from Nvidia and Princeton University have authored a new research paper (read it at https://arxiv.org/pdf/1802.03802.pdf), which details MeltdownPrime and SpectrePrime, exploits that leverage these flaws in modern processors via side-channel timing attacks.
The SpectrePrime proof-of-concept exploit has already been successfully used on a MacBook with an Intel Core i7 processor. There is concern that it’ll be only a matter of time before we see malicious code exploiting these vulnerabilities in the wild, so it’s worth getting those patches even with their impacts on performance.
Meanwhile, Linus Torvalds blew off more steam about the vulnerabilities with the release of Linux 4.15 (http://lkml.iu.edu/hypermail/linux/kernel/1801.3/02794.html), saying “This obviously was not a pleasant release cycle, with the whole Meltdown/Spectre thing coming in the middle of the cycle and not gelling with our normal release cycle… There’s more work pending (arm, spectre-v1, misc details), and equally importantly, to get the biggest fix for the indirect branch mitigations, you need not just the kernel updates, you need to have a compiler with support for the “retpoline” indirect branch model.”