[CRTech] Christian Radio Tech [MSG 81658]
Re: CPU security vulnerability
To: CRTech <crtech@crtech.org>
Subject: Re: CPU security vulnerability
From: Fred Gleason <fredg@paravelsystems.com>
Date: Mon, 8 Jan 2018 14:45:25 -0500
On Jan 8, 2018, at 13:20, Jon Foreman <Jon@ksgn.com> wrote:

> Am I correct in saying that for Meltdown or Spectre to run on one of my systems and do their damaging work, the Meltdown or Spectre code must first get into my system? So should the anti-malware software be keeping me relatively safe from these?

It’s all rather theoretical at this point. There are no known exploits of Meltdown or Spectre outside of the lab. The vulnerabilities were stumbled upon by security researchers in the course of other work. Given the difficulties of performing an actual exploit, there may never be a ‘real world’ exploit, but the patches are being pushed on the policy of ‘better safe than sorry’.

> The chip makers should have figured this out long before now, but in the meantime our systems need to keep running.

I'm finding that the more I learn about these vulnerabilities, the less I’m inclined to blame the chipmakers. These really are exotic phenomena that rely on strange side-effects of doing certain uncommon things in the code (hence the ‘side-chain attack’ moniker in the formal names of the vulnerabilities). It’s rather amazing that the researchers were able to make this work even in the lab. It’s entirely possible (although not guaranteed of course) that a practical ‘real world’ exploit may turn out to be impossible.

Cheers!


|----------------------------------------------------------------------|
| Frederick F. Gleason, Jr. |              Chief Developer             |
|                           |              Paravel Systems             |
|----------------------------------------------------------------------|
|          A room without books is like a body without a soul.         |
|                                         -- Cicero                    |
|----------------------------------------------------------------------|
