On 1/12/18, mozilla-lists.mbou...@spamgourmet.com wrote:
> Lee wrote:
>> I've got a dell, so I started here:
>> https://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities--cve-2017-5715--cve-2017-5753--cve-2017-5754---impact-on-dell-products?lang=en
>>
>> Apply the update, do the powershell bit:
>> PS C:\temp\2do\SpeculationControl> Get-SpeculationControlSettings
>> Speculation control settings for CVE-2017-5715 [branch target injection]
>>
>> Hardware support for branch target injection mitigation is present: True
>> Windows OS support for branch target injection mitigation is present: True
>> Windows OS support for branch target injection mitigation is enabled: True
>>
>> Speculation control settings for CVE-2017-5754 [rogue data cache load]
>>
>> Hardware requires kernel VA shadowing: True
>> Windows OS support for kernel VA shadow is present: True
>> Windows OS support for kernel VA shadow is enabled: True
>> Windows OS support for PCID performance optimization is enabled: True [not required for security]
>>
>>
>> BTIHardwarePresent : True
>> BTIWindowsSupportPresent : True
>> BTIWindowsSupportEnabled : True
>> BTIDisabledBySystemPolicy : False
>> BTIDisabledByNoHardwareSupport : False
>> KVAShadowRequired : True
>> KVAShadowWindowsSupportPresent : True
>> KVAShadowWindowsSupportEnabled : True
>> KVAShadowPcidEnabled : True
>>
>> everything looks good .. except the POC still works :(
>> C:\cygwin\home\Lee\t>spectre.exe
>> Reading 40 bytes:
>> Reading at malicious_x = 0FE4... Success: 0x54='T' score=2
>> Reading at malicious_x = 0FE5... Success: 0x68='h' score=2
>> Reading at malicious_x = 0FE6... Success: 0x65='e' score=7 (second best: 0x01 score=1)
>> Reading at malicious_x = 0FE7... Success: 0x20=' ' score=2
>> <.. snip ..>
>> Reading at malicious_x = 1008... Success: 0x61='a' score=2
>> Reading at malicious_x = 1009... Success: 0x67='g' score=2
>> Reading at malicious_x = 100A... Success: 0x65='e' score=2
>> Reading at malicious_x = 100B... Success: 0x2E='.' score=2
>>
>> *sigh* latest OS update + latest BIOS update + latest CPU microcode
>> and the proof of concept exploit still works.
>
> Don't the OS kernel / BIOS / CPU updates just mitigate against Meltdown,
> preventing applications (executing in ring3) from inferring content of
> kernel memory (in ring0)?
There were also a few other items in the BIOS update for my PC that
sounded good, but yes -- it seems like most of the frenzy was about
Meltdown. Which is a big deal for cloud providers but probably
doesn't matter all that much to me. On the other hand, the PowerShell
Get-SpeculationControlSettings shows I've got [dunno what] mitigation
enabled for both categories:
Speculation control settings for CVE-2017-5715
Speculation control settings for CVE-2017-5754
and, like the song, two out of three ain't bad (although this one's
better: https://www.youtube.com/watch?v=GMR3Hy3yrbw )
> As I understand it, I think Spectre requires workarounds in each
> application (or a fundamental change to CPU hardware to do something
> like somehow roll back the cache content along with other processor
> state when discarding speculatively executed instructions). Unless you
> patch the PoC code to mitigate Spectre, it will still demonstrate a
> successful attack.
Exactly. And how does a user end up with attacker-controlled programs
running on their computer? I'm guessing far and away the biggest vector
is JavaScript running in the browser.
So people should at least be thinking about blocking JavaScript, and
thinking about what kind of exposure they have with their add-ons (like
a password/form-fill manager that might not be safe against Spectre
attacks).
Regards,
Lee
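
An added example, not code from the thread and not the spectre.c proof of
concept Lee ran: the bounds-check-bypass gadget (CVE-2017-5753) in the shape
the public PoC attacks, next to the kind of per-application workaround the
reply above says each program needs before the PoC stops working. The array
sizes, the "secret" string and the probe indices are constructed for
illustration; the branch-free mask follows the idea of the Linux kernel's
generic array_index_mask_nospec(), and the OPTIMIZER_HIDE_VAR-style asm
barrier is GCC/Clang-specific. Both versions return the same values
architecturally; the difference is only what the CPU touches while
speculating past the check.

```c
/*
 * Added example (not from the thread or from the original spectre.c PoC):
 * a Spectre variant 1 gadget in the shape the public PoC attacks, beside
 * the per-application workaround. All data below is constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16};
/* Constructed "secret" living somewhere near array1 (exact layout is up to
 * the linker). An out-of-range x in the gadget below would speculatively
 * read from whatever follows array1, which is what the PoC exploits. */
const char secret[] = "constructed secret, never meant to be read";
/* One cache line (512 bytes apart) per possible byte value: the side channel. */
static uint8_t array2[256 * 512];

/*
 * VULNERABLE (the PoC's gadget shape): the bounds check is a branch. While
 * the CPU mispredicts it, array1[x] for x >= ARRAY1_SIZE is read and the
 * matching array2 line is pulled into cache. Nothing here is visible
 * architecturally, which is why OS/BIOS/microcode updates leave it intact.
 */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * 512];
    return 0;
}

/*
 * Branch-free mask: SIZE_MAX when idx < size, 0 otherwise, with no
 * conditional branch for the predictor to skip. Same idea as Linux's
 * generic array_index_mask_nospec(); assumes idx and size are both below
 * SIZE_MAX / 2, which holds for any real in-memory array.
 */
size_t index_mask_nospec(size_t idx, size_t size)
{
    /* top == 1 exactly when idx >= size (the subtraction wraps around). */
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;   /* 0 - 1 wraps to all ones; 1 - 1 is 0 */
}

/* Clamp idx into [0, size): unchanged when in range, 0 otherwise. */
size_t index_nospec(size_t idx, size_t size)
{
#if defined(__GNUC__)
    /* Stop the compiler from proving idx < size from the enclosing branch
     * and deleting the mask; the CPU ignores that proof under speculation.
     * Linux wraps this in OPTIMIZER_HIDE_VAR(). */
    __asm__ __volatile__("" : "+r"(idx));
#endif
    return idx & index_mask_nospec(idx, size);
}

/*
 * HARDENED: identical architectural behaviour, but on the speculative
 * out-of-bounds path the index feeding the dependent loads is forced to 0,
 * so no byte of `secret` ever selects a cache line. An LFENCE right after
 * the check (what MSVC's /Qspectre inserts) is the other common form of the
 * same per-application fix.
 */
uint8_t victim_hardened(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x = index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void)
{
    /* Constructed probes, including an index like the PoC's malicious_x. */
    size_t probe[] = {0, 5, ARRAY1_SIZE - 1, ARRAY1_SIZE, 0x0FE4, SIZE_MAX};
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("x=%#zx  vulnerable=%u hardened=%u  masked index=%zu\n",
               probe[i], victim_vulnerable(probe[i]),
               victim_hardened(probe[i]),
               index_nospec(probe[i], ARRAY1_SIZE));
    return 0;
}
```

The point of the mask is that it is data, not control flow: a mispredicted
branch can be skipped, but an AND with a value computed from x cannot be,
so the speculative load is forced onto a harmless index. Compile with
optimisation on and inspect the assembly; if the mask is gone, the compiler
folded it away and the asm barrier is doing nothing on your toolchain.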
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey