Notes on the meltdown and spectre exploits
These are my notes for personal use on 2018-01-05, check authoritative sources and do not rely on what is written here.
As of today, here is a good source:
General strategy
Run sensitive stuff on dedicated computers
Google Chrome
Enable site isolation
chrome://flags/#enable-site-per-process
Firefox
Firefox 57 and onwards has a kind of timing resolution mitigation, which should help a bit.
Linux
Linux distros may have patched some already in December. Unclear right now how much it helps.
Brutally honest notes from the Xen project on these exploits, worth reading
https://xenbits.xen.org/xsa/advisory-254.html
Excerpts:
SP1, "Bounds-check bypass": Poison the branch predictor, such that
operating system or hypervisor code is speculatively executed past
boundary and security checks. This would allow an attacker to, for
instance, cause speculative code in the normal hypercall / emulation
path to execute with wild array indexes.
SP2, "Branch Target Injection": Poison the branch predictor.
Well-abstracted code often involves calling function pointers via
indirect branches; reading these function pointers may involve a
(slow) memory access, so the CPU attempts to guess where indirect
branches will lead. Poisoning this enables an attacker to
speculatively branch to any code that exists in the hypervisor.
SP3, "Rogue Data Load": On some processors, certain pagetable
permission checks only happen when the instruction is retired;
effectively meaning that speculative execution is not subject to
pagetable permission checks. On such processors, an attacker can
speculatively execute arbitrary code in userspace with, effectively,
the highest privilege level.
…
MITIGATION
==========
There is no mitigation for SP1 and SP2.
SP3 can be mitigated by running guests in HVM or PVH mode.
….
RESOLUTION
==========
There is no available resolution for SP1 or SP3.
We are working on patches which mitigate SP2 but these are not
currently available.