Re: Spectre/Meltdown bug affecting Python ?

2018-01-07 Thread Julien Salort

On 06/01/2018 at 21:49, J.O. Aho wrote:

> Not just Linux, but all other OSes; Microsoft and Apple have been patching
> in secret as they have a closed source approach, but ms-windows needs at
> least one more patch before it can breathe out, which will be released on
> Tuesday.


As a matter of fact, Apple's kernel, xnu, is not closed source:
https://opensource.apple.com/source/xnu/

--
https://mail.python.org/mailman/listinfo/python-list


Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Grant Edwards
On 2018-01-06, Ian Kelly  wrote:
>
>> > Furthermore, I'd like to know if Python can mitigate hardware-specific
>> > timing attacks.
>>
>> For CPython, probably not.  Anything that CPython tried to do could be
>> trivially defeated by using something like ctypes to make calls to
>> arbitrary machine code that was written to a file.
>>
>
> It sounds like you're talking about the case where the malicious code is
> hosted by Python. I agree that's probably not realistic to do anything
> about -- if you can run malicious code then you're probably not restricted
> to Python (and without knowing a lot about the attacks, I'm doubtful that
> it's possible to implement them in pure Python anyway).

Yes, that's what I was talking about.

> I think the OP was talking about protecting the data of Python programs
> from other malicious processes, however. The mitigation seems to be like it
> could reasonably be accomplished (at least for core Python -- extension
> code would be on its own).

Ah, yes.  Eventually it seems that just compiling CPython with a
compiler that uses something like Google's "retpoline" should help:

  https://support.google.com/faqs/answer/7625886

Though I think I understand what the retpoline _is_, I don't really
understand enough about the Spectre vulnerability to say much else.

-- 
Grant Edwards   grant.b.edwards at gmail.com   Yow! I'm having an emotional outburst!!



Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Ian Kelly
On Sat, Jan 6, 2018, 4:45 PM Grant Edwards wrote:

> On 2018-01-06, Etienne Robillard  wrote:
> >
> >
> > On 2018-01-06 at 15:49, J.O. Aho wrote:
> >> On 01/06/18 13:43, Etienne Robillard wrote:
> >>> My understanding of this vulnerability is that speculative indirect
> >>> calls in Linux kernel can be used to extract/filter memory content via
> >>> side-channels.
> >> Not just Linux, but all other OSes; Microsoft and Apple have been patching
> >> in secret as they have a closed source approach, but ms-windows needs at
> >> least one more patch before it can breathe out, which will be released on
> >> Tuesday.
> >
> > It's unclear to me whether AMD CPUs are affected by these design flaws.
>
> Everybody seems to agree that AMD CPUs are not affected by Meltdown.
> The consensus is that AMD CPUs are probably affected by 2 of the 3
> Spectre variants.
>
> > Furthermore, I'd like to know if Python can mitigate hardware-specific
> > timing attacks.
>
> For CPython, probably not.  Anything that CPython tried to do could be
> trivially defeated by using something like ctypes to make calls to
> arbitrary machine code that was written to a file.
>

It sounds like you're talking about the case where the malicious code is
hosted by Python. I agree that's probably not realistic to do anything
about -- if you can run malicious code then you're probably not restricted
to Python (and without knowing a lot about the attacks, I'm doubtful that
it's possible to implement them in pure Python anyway).

I think the OP was talking about protecting the data of Python programs
from other malicious processes, however. The mitigation seems to be like it
could reasonably be accomplished (at least for core Python -- extension
code would be on its own).



Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Grant Edwards
On 2018-01-06, Etienne Robillard  wrote:
>
>
> On 2018-01-06 at 15:49, J.O. Aho wrote:
>> On 01/06/18 13:43, Etienne Robillard wrote:
>>> My understanding of this vulnerability is that speculative indirect
>>> calls in Linux kernel can be used to extract/filter memory content via
>>> side-channels.
>> Not just Linux, but all other OSes; Microsoft and Apple have been patching
>> in secret as they have a closed source approach, but ms-windows needs at
>> least one more patch before it can breathe out, which will be released on
>> Tuesday.
>
> It's unclear to me whether AMD CPUs are affected by these design flaws.

Everybody seems to agree that AMD CPUs are not affected by Meltdown.
The consensus is that AMD CPUs are probably affected by 2 of the 3
Spectre variants.

> Furthermore, I'd like to know if Python can mitigate hardware-specific 
> timing attacks.

For CPython, probably not.  Anything that CPython tried to do could be
trivially defeated by using something like ctypes to make calls to
arbitrary machine code that was written to a file.

-- 
Grant Edwards   grant.b.edwards at gmail.com   Yow! Do I have a lifestyle yet?



Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Thomas Nyberg
On 01/06/2018 10:23 PM, Etienne Robillard wrote:
> It's unclear to me whether AMD CPUs are affected by these design flaws.

As far as I understand, AMD (and possibly ARM) is unaffected by Meltdown
(except for possibly some very new processors). It seems like basically
all modern out-of-order processors are affected by Spectre. Obviously
there are many details/caveats. Here is a starting point:

Quoted from: https://spectreattack.com/
-
Which systems are affected by Meltdown?
Desktop, Laptop, and Cloud computers may be affected by Meltdown. More
technically, every Intel processor which implements out-of-order
execution is potentially affected, which is effectively every processor
since 1995 (except Intel Itanium and Intel Atom before 2013). We
successfully tested Meltdown on Intel processor generations released as
early as 2011. Currently, we have only verified Meltdown on Intel
processors. At the moment, it is unclear whether ARM and AMD processors
are also affected by Meltdown.

Which systems are affected by Spectre?
Almost every system is affected by Spectre: Desktops, Laptops, Cloud
Servers, as well as Smartphones. More specifically, all modern
processors capable of keeping many instructions in flight are
potentially vulnerable. In particular, we have verified Spectre on
Intel, AMD, and ARM processors.
-

Cheers,
Thomas


Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Etienne Robillard



On 2018-01-06 at 15:49, J.O. Aho wrote:

> On 01/06/18 13:43, Etienne Robillard wrote:
>
>> My understanding of this vulnerability is that speculative indirect
>> calls in Linux kernel can be used to extract/filter memory content via
>> side-channels.
>
> Not just Linux, but all other OSes; Microsoft and Apple have been patching
> in secret as they have a closed source approach, but ms-windows needs at
> least one more patch before it can breathe out, which will be released on
> Tuesday.

It's unclear to me whether AMD CPUs are affected by these design flaws.

Furthermore, I'd like to know if Python can mitigate hardware-specific 
timing attacks.


Best regards,

Etienne

--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/



Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread J.O. Aho
On 01/06/18 13:43, Etienne Robillard wrote:
> My understanding of this vulnerability is that speculative indirect
> calls in Linux kernel can be used to extract/filter memory content via
> side-channels.

Not just Linux, but all other OSes; Microsoft and Apple have been patching
in secret as they have a closed source approach, but ms-windows needs at
least one more patch before it can breathe out, which will be released on
Tuesday.


Re: Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Etienne Robillard
My understanding of this vulnerability is that speculative indirect 
calls in Linux kernel can be used to extract/filter memory content via 
side-channels.


So, is it time to implement --enable-retpoline in CPython? [1]

Etienne

1. 
https://www.bleepingcomputer.com/news/google/google-unveils-new-retpoline-coding-technique-for-mitigating-spectre-attacks/



On 2018-01-06 at 05:42, Etienne Robillard wrote:

> Hi all,
>
> What do you think about the latest Spectre/Meltdown security flaw
> found in Intel processors and Apple smartphones?
>
> Are Python 2.7 and 3.6 affected by speculative execution side-channel
> attacks when using the Linux kernel and Intel CPUs?
>
> Best regards,
>
> Etienne



--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/

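As an added example (not code from this thread or from CPython), a Python check that answers the question raised here and in Grant Edwards' reply about building CPython with a retpoline-aware compiler: it reads the Linux sysfs vulnerability status files (assumed present, i.e. a kernel that publishes /sys/devices/system/cpu/vulnerabilities) and inspects the interpreter's recorded build flags for the GCC (-mindirect-branch=thunk) and clang (-mretpoline) retpoline options.

```python
"""Added check: report kernel Spectre/Meltdown mitigation status and whether
this CPython build recorded retpoline compiler flags."""
import re
import sysconfig
from pathlib import Path

# sysfs directory where Linux publishes one status file per vulnerability
# (meltdown, spectre_v1, spectre_v2, ...); assumed to exist on the host.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Compiler flags that request retpoline-style indirect-branch thunks:
# GCC: -mindirect-branch=thunk[-extern|-inline]; clang: -mretpoline
RETPOLINE_FLAGS = re.compile(
    r"(?<!\S)(-mindirect-branch=thunk(?:-extern|-inline)?|-mretpoline)(?!\S)")


def parse_status(text):
    """Classify one sysfs status string as 'not affected', 'mitigated',
    'vulnerable' or 'unknown' (the kernel's own prefixes are used)."""
    t = text.strip()
    if t.startswith("Not affected"):
        return "not affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def kernel_status(vuln_dir=VULN_DIR):
    """Map each vulnerability file name to its classification; empty dict
    on hosts (non-Linux, older kernels) that do not publish the directory."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: parse_status(p.read_text()) for p in sorted(vuln_dir.iterdir())}


def has_retpoline_flag(cflags):
    """True when a compiler flag string requests retpoline thunks."""
    return RETPOLINE_FLAGS.search(cflags or "") is not None


def interpreter_retpoline():
    """True when this CPython build recorded a retpoline flag in any of the
    flag variables that configure stores in the build's sysconfig data."""
    cfg = sysconfig.get_config_vars()
    keys = ("CFLAGS", "CONFIGURE_CFLAGS", "PY_CFLAGS", "PY_CORE_CFLAGS")
    return any(has_retpoline_flag(cfg.get(k)) for k in keys)


if __name__ == "__main__":
    for name, state in kernel_status().items():
        print(f"{name:24} {state}")
    print("CPython built with retpoline flags:", interpreter_retpoline())
```

Note that a retpoline-built interpreter only covers the core; C extension modules compiled without the flag remain on their own, as Ian Kelly points out above.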


Spectre/Meltdown bug affecting Python ?

2018-01-06 Thread Etienne Robillard

Hi all,

What do you think about the latest Spectre/Meltdown security flaw found 
in Intel processors and Apple smartphones?


Are Python 2.7 and 3.6 affected by speculative execution side-channel 
attacks when using the Linux kernel and Intel CPUs?



Best regards,

Etienne

--
Etienne Robillard
tkad...@yandex.com
https://www.isotopesoftware.ca/
