Re: Spectre/Meltdown bug affecting Python ?
On 06/01/2018 at 21:49, J.O. Aho wrote:
> Not just Linux, but all other OS:es, Microsoft and Apple have been patching
> in secret as they have a closed source approach, but ms-windows needs at
> least one more patch before it can breathe out, which will be released on
> Tuesday.

As a matter of fact, Apple kernel, xnu, is not closed source,
https://opensource.apple.com/source/xnu/

--
https://mail.python.org/mailman/listinfo/python-list
Re: Spectre/Meltdown bug affecting Python ?
On 2018-01-06, Ian Kelly wrote:
>
>> > Furthermore, I'd like to know if Python can mitigate hardware-specific
>> > timing attacks.
>>
>> For CPython, probably not. Anything that CPython tried to do could be
>> trivially defeated by using something like ctypes to make calls to
>> arbitrary machine code that was written to a file.
>>
>
> It sounds like you're talking about the case where the malicious code is
> hosted by Python. I agree that's probably not realistic to do anything
> about -- if you can run malicious code then you're probably not restricted
> to Python (and without knowing a lot about the attacks, I'm doubtful that
> it's possible to implement them in pure Python anyway).

Yes, that's what I was talking about.

> I think the OP was talking about protecting the data of Python programs
> from other malicious processes, however. The mitigation seems to be like it
> could reasonably be accomplished (at least for core Python -- extension
> code would be on its own).

Ah, yes. Eventually it seems that just compiling CPython with a compiler
that uses something like Google's "retpoline" should help:

https://support.google.com/faqs/answer/7625886

Though I think I understand what the retpoline _is_, I don't really
understand enough about the Spectre vulnerability to say much else.

--
Grant Edwards    grant.b.edwards at gmail.com    Yow! I'm having an emotional outburst!!
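[Added example, not part of the original message or of CPython itself.] The message above suggests building CPython with a retpoline-capable compiler. One way to check what a given interpreter was built with, and what a Linux 4.15+ kernel reports about the CPU, assuming GCC's -mindirect-branch=thunk* and Clang's -mretpoline* spellings and the kernel's sysfs status files (all function names here are illustrative):

```python
import os
import sysconfig

# Linux 4.15+ exposes per-issue status files in this directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def retpoline_flags(flag_string):
    """Return retpoline-related compiler options found in a flag string.

    Recognises Clang's -mretpoline* and GCC's -mindirect-branch=thunk*.
    """
    found = []
    for tok in (flag_string or "").split():
        if tok.startswith("-mretpoline"):
            found.append(tok)
        elif tok.startswith("-mindirect-branch=thunk"):
            found.append(tok)
    return found


def interpreter_cflags():
    """Flags recorded when the running CPython was built (empty on Windows)."""
    names = ("CFLAGS", "CONFIGURE_CFLAGS")
    return " ".join(sysconfig.get_config_var(n) or "" for n in names)


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    text = status.strip()
    for prefix, verdict in (("Not affected", "not_affected"),
                            ("Mitigation", "mitigated"),
                            ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return verdict
    return "unknown"


def kernel_report(directory=SYSFS_DIR):
    """Read the kernel's own verdict per issue; 'unknown' if not exposed."""
    report = {}
    for name in ISSUES:
        try:
            with open(os.path.join(directory, name)) as fh:
                report[name] = classify(fh.read())
        except OSError:
            report[name] = "unknown"
    return report


if __name__ == "__main__":
    print("retpoline build flags:", retpoline_flags(interpreter_cflags()) or "none")
    print("kernel report:", kernel_report())
```

The recorded flags describe the interpreter core only; extension modules are compiled separately and have to be checked against their own build flags.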
Re: Spectre/Meltdown bug affecting Python ?
On Sat, Jan 6, 2018, 4:45 PM Grant Edwards wrote:

> On 2018-01-06, Etienne Robillard wrote:
> >
> >
> > On 2018-01-06 at 15:49, J.O. Aho wrote:
> >> On 01/06/18 13:43, Etienne Robillard wrote:
> >>> My understanding of this vulnerability is that speculative indirect
> >>> calls in Linux kernel can be used to extract/filter memory content via
> >>> side-channels.
> >> Not just Linux, but all other OS:es, Microsoft and Apple have been patching
> >> in secret as they have a closed source approach, but ms-windows needs at
> >> least one more patch before it can breathe out, which will be released on
> >> Tuesday.
> >
> > It's unclear to me whether AMD CPUs are affected by these design flaws.
>
> Everybody seems to agree that AMD CPUs are not affected by Meltdown.
> The consensus is that AMD CPUs are probably affected by 2 of the 3
> Spectre variants.
>
> > Furthermore, I'd like to know if Python can mitigate hardware-specific
> > timing attacks.
>
> For CPython, probably not. Anything that CPython tried to do could be
> trivially defeated by using something like ctypes to make calls to
> arbitrary machine code that was written to a file.
>

It sounds like you're talking about the case where the malicious code is
hosted by Python. I agree that's probably not realistic to do anything
about -- if you can run malicious code then you're probably not restricted
to Python (and without knowing a lot about the attacks, I'm doubtful that
it's possible to implement them in pure Python anyway).

I think the OP was talking about protecting the data of Python programs
from other malicious processes, however. The mitigation seems to be like it
could reasonably be accomplished (at least for core Python -- extension
code would be on its own).
Re: Spectre/Meltdown bug affecting Python ?
On 2018-01-06, Etienne Robillard wrote:
>
>
> On 2018-01-06 at 15:49, J.O. Aho wrote:
>> On 01/06/18 13:43, Etienne Robillard wrote:
>>> My understanding of this vulnerability is that speculative indirect
>>> calls in Linux kernel can be used to extract/filter memory content via
>>> side-channels.
>> Not just Linux, but all other OS:es, Microsoft and Apple have been patching
>> in secret as they have a closed source approach, but ms-windows needs at
>> least one more patch before it can breathe out, which will be released on
>> Tuesday.
>
> It's unclear to me whether AMD CPUs are affected by these design flaws.

Everybody seems to agree that AMD CPUs are not affected by Meltdown.
The consensus is that AMD CPUs are probably affected by 2 of the 3
Spectre variants.

> Furthermore, I'd like to know if Python can mitigate hardware-specific
> timing attacks.

For CPython, probably not. Anything that CPython tried to do could be
trivially defeated by using something like ctypes to make calls to
arbitrary machine code that was written to a file.

--
Grant Edwards    grant.b.edwards at gmail.com    Yow! Do I have a lifestyle yet?
Re: Spectre/Meltdown bug affecting Python ?
On 01/06/2018 10:23 PM, Etienne Robillard wrote:
> It's unclear to me whether AMD CPUs are affected by these design flaws.

As far as I understand, AMD (and possibly ARM) is unaffected by Meltdown
(except for possibly some very new processors). It seems like basically
all modern out of order processors are affected by Spectre.

Obviously there are many details/caveats. Here is a starting point:

Quoted from: https://spectreattack.com/

-

Which systems are affected by Meltdown?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More
technically, every Intel processor which implements out-of-order execution
is potentially affected, which is effectively every processor since 1995
(except Intel Itanium and Intel Atom before 2013). We successfully tested
Meltdown on Intel processor generations released as early as 2011.
Currently, we have only verified Meltdown on Intel processors. At the
moment, it is unclear whether ARM and AMD processors are also affected by
Meltdown.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud
Servers, as well as Smartphones. More specifically, all modern processors
capable of keeping many instructions in flight are potentially vulnerable.
In particular, we have verified Spectre on Intel, AMD, and ARM processors.

-

Cheers,
Thomas
Re: Spectre/Meltdown bug affecting Python ?
On 2018-01-06 at 15:49, J.O. Aho wrote:
> On 01/06/18 13:43, Etienne Robillard wrote:
>> My understanding of this vulnerability is that speculative indirect
>> calls in Linux kernel can be used to extract/filter memory content via
>> side-channels.
> Not just Linux, but all other OS:es, Microsoft and Apple have been patching
> in secret as they have a closed source approach, but ms-windows needs at
> least one more patch before it can breathe out, which will be released on
> Tuesday.

It's unclear to me whether AMD CPUs are affected by these design flaws.

Furthermore, I'd like to know if Python can mitigate hardware-specific
timing attacks.

Best regards,

Etienne

--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/
Re: Spectre/Meltdown bug affecting Python ?
On 01/06/18 13:43, Etienne Robillard wrote:
> My understanding of this vulnerability is that speculative indirect
> calls in Linux kernel can be used to extract/filter memory content via
> side-channels.

Not just Linux, but all other OS:es, Microsoft and Apple have been patching
in secret as they have a closed source approach, but ms-windows needs at
least one more patch before it can breathe out, which will be released on
Tuesday.
Re: Spectre/Meltdown bug affecting Python ?
My understanding of this vulnerability is that speculative indirect calls
in Linux kernel can be used to extract/filter memory content via
side-channels.

So, is it time to implement --enable-retpoline to CPython ? [1]

Etienne

1. https://www.bleepingcomputer.com/news/google/google-unveils-new-retpoline-coding-technique-for-mitigating-spectre-attacks/

On 2018-01-06 at 05:42, Etienne Robillard wrote:
> Hi all,
>
> What do you think about the latest Spectre/Meltdown security flaw found in
> Intel processors and Apple smartphones?
>
> Are Python 2.7 and 3.6 affected by speculative execution side-channel
> attacks when using the Linux kernel and Intel CPUs?
>
> Best regards,
>
> Etienne

--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/
Spectre/Meltdown bug affecting Python ?
Hi all,

What do you think about the latest Spectre/Meltdown security flaw found in
Intel processors and Apple smartphones?

Are Python 2.7 and 3.6 affected by speculative execution side-channel
attacks when using the Linux kernel and Intel CPUs?

Best regards,

Etienne

--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/