Skip to content. | Skip to navigation

Personal tools
Log in
Sections
You are here: Home Notes on the meltdown and spectre exploits

Notes on the meltdown and spectre exploits

published Jan 05, 2018 12:30   by admin ( last modified Jan 05, 2018 12:44 )

These are my notes for personal use on 2018-01-05, check authoritative sources and do not rely on what is written here.

As of today, here is a good source:

https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/

General strategy

Run sensitive stuff on dedicated computers

Google Chrome

Enable site isolation

chrome://flags/#enable-site-per-process

Firefox

Firefox 57 and onwards has a kind of timing resolution mitigation, which should help a bit.

Linux

Linux distros may have patched some already in December. Unclear right now how much it helps.

Brutally honest notes from the Xen project on these exploits, worth reading


https://xenbits.xen.org/xsa/advisory-254.html

Excerpts:

SP1, "Bounds-check bypass": Poison the branch predictor, such that
operating system or hypervisor code is speculatively executed past
boundary and security checks.  This would allow an attacker to, for
instance, cause speculative code in the normal hypercall / emulation
path to execute with wild array indexes.

SP2, "Branch Target Injection": Poison the branch predictor.
Well-abstracted code often involves calling function pointers via
indirect branches; reading these function pointers may involve a
(slow) memory access, so the CPU attempts to guess where indirect
branches will lead.  Poisoning this enables an attacker to
speculatively branch to any code that exists in the hypervisor.

SP3, "Rogue Data Load": On some processors, certain pagetable
permission checks only happen when the instruction is retired;
effectively meaning that speculative execution is not subject to
pagetable permission checks.  On such processors, an attacker can
speculatively execute arbitrary code in userspace with, effectively,
the highest privilege level.

MITIGATION
==========

There is no mitigation for SP1 and SP2.

SP3 can be mitigated by running guests in HVM or PVH mode.
….

RESOLUTION
==========

There is no available resolution for SP1 or SP3.

We are working on patches which mitigate SP2 but these are not
currently available.