Thread: Notice and thinkin.. R.Brown.

  1. #1
    Join Date: Oct 2009 | Location: Sweden | Posts: 1,010

    Notice and thinkin.. R.Brown.

    Hi!
    Richard B has punch about mem exploit. Boot on AMD and Intel

    Strange; AMD and kernel dev have a different opinion. Have to reboot on my desktop. .. Spectre.

    Regards.

  2. #2
    Join Date: Feb 2010 | Location: Germany | Posts: 1,536

    Re: Notice and thinkin.. R.Brown.

    My view from 30 000 feet (10 000 metres):
    • Some CPUs have a feature which has been marketed as being a performance booster for **some** CPU intensive tasks.
    • Catch-22: this feature allows the strict separation between kernel-space and user-space to be violated.
    • The Linux world jumped the gun on the 'within the industry agreed' 9th January 2018 press release date.
    • To (almost but, not quite) quote "Woody on Windows":

    Buy a very large bucket of popcorn and a crate of beer; settle down into your favourite armchair and watch the game.

    IMHO, this may be simply a "Super Bowl" preview.

  3. #3
    Join Date: Jun 2008 | Location: Groningen, Netherlands | Posts: 17,384 | Blog Entries: 13

    Re: Notice and thinkin.. R.Brown.

    In short: Meltdown hits only Intel, Spectre hits 'em (almost) all.

    BTW This is not a request for help, I will move this to Chit-Chat in 10 minutes. Closed for now.
    Last edited by Knurpht; 05-Jan-2018 at 03:16.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  4. #4
    Join Date: Sep 2012 | Posts: 4,358

    Re: Notice and thinkin.. R.Brown.

    Originally posted by Knurpht:
    > in short: Meltdown hits only Intel

    ARM Cortex A75 is also affected.

  5. #5
    Join Date: Jun 2008 | Location: San Diego, Ca, USA | Posts: 8,698 | Blog Entries: 1

    Re: Notice and thinkin.. R.Brown.

    Originally posted by dcurtisfra:
    > My view from 30 000 feet (10 000 metres):
    > • Some CPUs have a feature which has been marketed as being a performance booster for **some** CPU intensive tasks.
    > • Catch-22: this feature allows the strict separation between kernel-space and user-space to be violated.
    > • The Linux world jumped the gun on the 'within the industry agreed' 9th January 2018 press release date.
    > • To (almost but, not quite) quote "Woody on Windows":
    >
    > IMHO, this may be simply a "Super Bowl" preview.

    It's my understanding that there aren't many CPUs today (except maybe low capability, embedded processors) that don't do "speculative execution." You shouldn't need to enable, should be enabled by default. And, I'm pretty sure there is no option to enable/disable, if that were the case then addressing the vulnerabilities wouldn't be so big a deal (just disable the feature).

    From what I've read, "Meltdown" is likely considered addressed... at a price. Early comment is that the penalty is much higher on MSWindows (20-30%) compared to published Linux benchmarks (17-23%), but of course YMMV and those numbers may not reflect real world experiences.

    Problem from what I've read is that Spectre
    - Is not addressed by the Meltdown patch although the vulnerability is similar
    - Exploit code has already been published
    - Is exploitable over a network.
    - Affects all CPU architectures, although as I've noted above some very low capacity "mobile" CPUs might not be affected if they don't have that feature (I'll have to look at lesser known CPUs like MIPS for verification). But, at least x86/x64 and ARM CPUs have been identified as affected.

    So, Spectre is literally the worst computing flaw that can ever be imagined.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6
    Join Date: Feb 2010 | Location: Germany | Posts: 1,536

    Re: Notice and thinkin.. R.Brown.

    This Raspberry Pi statement (issued a few minutes ago) may help to understand the issues being discussed in this thread: <https://www.raspberrypi.org/blog/why...e-or-meltdown/>.

  7. #7
    Join Date: Nov 2013 | Location: Kamloops, BC, Canada | Posts: 3,104

    Re: Notice and thinkin.. R.Brown.

    So far, any information I have found about this problem states only that "a local attacker" can take advantage of this serious flaw.

    Can anyone confirm that? Has anyone seen any official or authoritative mention that it can be used by a remote attacker?

    If not, that certainly mitigates the problem for a lot of us whose computers are not accessed by "a local attacker".
    -Gerry Makaro
    Fraser-Bell Info Tech
    Solving Tech Mysteries since the Olden Days!
    ~~
    If I helped you, consider clicking the Star at the bottom left of my post.

  8. #8

    Re: Notice and thinkin.. R.Brown.

    Likely not going to get a response from Mr Brown for a bit, he's on vacation.

  9. #9
    Join Date: Sep 2012 | Posts: 4,358

    Re: Notice and thinkin.. R.Brown.

    Originally posted by Fraser_Bell:
    > Has anyone seen any official or authoritative mention that it can be used by a remote attacker?

    JavaScript PoCs are available. Any language can be used to write it, the only prerequisite is to have a high-resolution time source (you need to distinguish between cache hit and cache miss), so e.g. Firefox disabled access to the high-resolution timer recently.

    So yes, remote attack is certainly technically possible.
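
An added example, not part of the original posts: the timer-resolution point from post #9, shown as a simulation of how a coarsened clock hides a short timing difference. The 40 ns and 200 ns durations and the 5 ns, 1 µs and 20 µs resolutions are constructed values, and no real cache timing is performed.

```javascript
// Added example: simulates clock coarsening only; nothing here touches the CPU cache.
// All durations are constructed sample values, in nanoseconds.

// Round a timestamp down to the clock's resolution, as a coarsened timer would.
function coarsen(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// Duration an observer reads when both endpoints come from the coarsened clock.
function observedDuration(startNs, durationNs, resolutionNs) {
  return coarsen(startNs + durationNs, resolutionNs) - coarsen(startNs, resolutionNs);
}

// Fraction of start offsets (across one full clock tick) at which a fast and a
// slow operation yield different readings. 1 means always distinguishable.
function distinguishableFraction(fastNs, slowNs, resolutionNs, stepNs = 1) {
  let differ = 0;
  let total = 0;
  for (let start = 0; start < resolutionNs; start += stepNs) {
    const fast = observedDuration(start, fastNs, resolutionNs);
    const slow = observedDuration(start, slowNs, resolutionNs);
    if (fast !== slow) differ++;
    total++;
  }
  return differ / total;
}

const FAST_NS = 40;  // constructed: stands in for a cache hit
const SLOW_NS = 200; // constructed: stands in for a cache miss

// Compare a fine clock with two coarsened ones (assumed resolutions).
function report() {
  return [5, 1000, 20000].map((resolutionNs) => ({
    resolutionNs,
    distinguishable: distinguishableFraction(FAST_NS, SLOW_NS, resolutionNs),
  }));
}

console.log(report());
```

At the coarsest resolution the two operations still read differently for a small fraction of start offsets, so coarsening narrows the signal rather than removing it.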

  10. #10
    Join Date: Jun 2008 | Location: Groningen, Netherlands | Posts: 17,384 | Blog Entries: 13

    Re: Notice and thinkin.. R.Brown.

    Originally posted by DorianDS:
    > Likely not going to get a response from Mr Brown for a bit, he's on vacation.

    And, just for anybody's information: Richard is the Chairman of the Board, not some kind of master-dev or -packager.
    @jonte1 Please stop addressing individuals.