Meltdown and Spectre attack

5 Antworten [Letzter Beitrag]
Piriponzolo
Offline
Beigetreten: 02/19/2016

Hi to everyone!
I did notice with Hardinfo that my cpu is affected by a Meltdown and Spectre attack, see picture. What is possible doing in order to face this problem? Thanks for the attention. Regards

AnhangGröße
IMG_HardwareInfos.jpg1.68 MB
andyprough
Offline
Beigetreten: 02/12/2015

Aren't all meltdown and spectre attacks merely theoretical? I don't think I've ever heard of an actual exploit in the wild that can take advantage of those theoretical vulnerabilities.

jxself
Offline
Beigetreten: 09/13/2010
quidam

I am a member!

I am a translator!

Offline
Beigetreten: 12/22/2004

That article makes for dangerous advice. Any unmitigated vulnerability allows other vulnerabilities to compound, and even the most careful of computer users is exposed to some vectors of attack. Every data file parsed and loaded into memory can exploit vulnerabilities in the program doing the parsing. Every server receives requests that must be parsed and some execution must be done to provide an answer to the client. There are countless examples of exploits that have affected key free programs, and meltdown/spectre provides ways to escalate them towards full-on control of the attacked machine.

"We have no reason to fear Spectre, Meltdown or similar side channels when we do our computing using only trustworthy Free Software[...]"

How do you know which of your free software is trustworthy in terms of security? Just because the licensing is trustworthy does not mean that you don't need to secure your systems. Advocating for disabling the free software mitigations because they reduce performance is reckless. Pointing out that all of our software can be audited only dismisses the problem.

--

To answer the initial question (What is possible doing in order to face this problem?), all existing free software mitigations are included in Trisquel, here is some information from upstream sources:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown/
https://wiki.debian.org/DebianSecurity/SpectreMeltdown

Some key takeaways:
* There is no mitigation for Meltdown on i386.
* Complete mitigation of SpectreV2 at userspace level requires each package to be compiled with retpolines or apply mitigations specific to that software. This is the case for some key components like Abrowser.
* You can see the list of active kernel mitigations at /sys/devices/system/cpu/vulnerabilities/ I'm not sure what program is displayed in the screenshot from the first post, but it seems to be listing applied mitigations.
* You can use online checkers to test web browsers, like https://xlab.tencent.com/special/spectre/spectre_check.html

andyprough
Offline
Beigetreten: 02/12/2015

jxself's AMD chips are immune to the theoretical Meltdown vulnerability.

Piriponzolo
Offline
Beigetreten: 02/19/2016

Based on reading even this article https://www.techrepublic.com/article/spectre-and-meltdown-explained-a-comprehensive-guide-for-professionals/

I understand that Spectre and Meltdown are wide-ranging hardware flaws that affect the vast majority of devices currently available for sale, devices currently deployed, and legacy devices dating back to the 2000s. I hope I haven't done something stupid in the past using Windows XP e Windows Vista on my old machines where Trisquel is now.