Seems like a sneaky reporting by Bloomberg - has Intel actually said that "all modern processors can be attacked by ... Meltdown"?
After reading several in-depth analysis of this vulnerability and then trying to explain my non-tech friends what this is all is about (disclaimer: I'm just a developer and don't work with assembly, processors or security), I have to admit that it's a pretty awesome executive summary of the issue for a non-technical reader.
Spectre fools the processor into running speculative operations -- ones that it usually executes "just in case" and then throws the result away if it is not needed -- and then uses information about how long the hardware takes to retrieve the data to infer the details of that information.
Intel was extremely lucky that Spectre was discovered at the same time as Meltdown, otherwise Intel would've been standing alone facing the industry.
The speculative branch predication vulnerability seems to basically depend on finding a specific instruction sequence in the target code and then going to some extraordinary lengths to exploit it via a highly convoluted side-channel.
My first thought when I started to appreciate the technical details were that this was a Bletchley Park level of exploit, or "nation state" as the man in the interview said. And whilst it's completely possible that the exploit could be packaged up for script kiddies, it seems to me unlikely that someone with the necessary skills would do that, because the return would be too low. But states spying on each other: that seems a much more likely scenario for this.
Isn't it usually the case that someone scripts (difficult parts of) the process and then it is a lot easier to exploit?
>I think the exploit would be extremely difficult,
>The idea nagged at Prescher, so when he got home he fired up his desktop computer and set about putting the theory into practice. At 2 a.m., a breakthrough: he’d strung together code that reinforced Fogh’s idea and suggested there was something seriously wrong.
Don't seem to match up. It may be hard, but even a security researcher doesn't bust a hard to exploit hole open in a few hours overnight. I believe that this was an area where no one was looking and now that its out in the open it will be much easier for others to exploit.
Oh, and it works (/worked) on browsers.
Usage is ./meltdown [hexadrr] [size]
Run.sh is first reading the adress where the value of linux_proc_banner is held, with a adequat sed on /proc/kallsyms, then running the meltdown binary to check that this adress has the value stored in /proc/version, which should be the case if the exploit is indeed working (which IS the case with my CPU and current kernel).
Meltdown.c is below 300 lines, the actual exploit being maybe half of that.
From here, it seems to me that you can extrapolate in reading any value anywhere in the memory.
1. Just download the POC, its a C program which reads the kernel memory at a speed of ~2KB/sec.
2. Deploy it to as many AWS instances as possible.
3. save the results somewhere and search it for stuff like CC card numbers or passwords.
Luckily this is not possible because the tech companies were really careful about this issue and deployed a fix very quickly.
These are researchers that see anything that can't stop a TLA in its tracks as fundamentally flawed.
And yes, you will likely find them congregating at defcon, laughing and cheering at the sheeple board, and playing spot the fed.
Host: Who could exploit this vulnerability...?
White: Those that have significant resources, for instance, Google... (mentions nation-states much later)
Nice FUD there.
White: what is important here, there are no known attacks ongoing right now...
Nice argument from ignorance there.
White: there is a lot of things we don't know but it reinforces two things to me, one is that increasingly the software we are operating is quite secure, coz now we are looking at kernel level problems...
Nice false cause fallacy.
The FUD is real though.
They are things that never should have been said in the first place because they're only made to deflect, detract, or support a nonsensical argument.
If you get caught up in trying to defend against these things you've already fallen into their trap.
"If you're explaining, you're losing." -- Lee Atwater
Do you have a link for a good one?
Similarly how there was a long and happy life of flash plugin before it was recognized as a massive vulnerability surface?
Anybody claiming to understand the consequences of adding any new feature to a processor (or software) is implicitly claiming they have solved the equivalent to halting problem. The only solution is to move as many problem as possible back to a simpler domain that is actually decidable.
 halting problem, Gödel’s Incompleteness Theorem
 "math" := ZF set theory
What I want to know is what happens next? Is Linus (or "Mr. Torvolds" to me) silently shocked? Does he go on a LKML-style rant? Immediately whip out his laptop and code up an exploit just to see if it's actually true? All of them?
(Mostly I just want to hear him rant, I love his well-informed, opinionated take-downs of lousy ideas. Although it's probably a toxic environment to work it.)
How many embedded CPU's with speculation might be affected? You may say "none" but there are Cortex CPUs embedded into FPGAs (either directly or form of IP cores). What if enterprise routers have them? What if TVs have them?
I know many Cortex's aren't affected. The point is, anything that needs a "fast enough" CPU to benefit from OoO scheduling is possibly at risk, right? So while most embedded devices use cheaper, less complex CPUs, there are plenty that don't--as more powerful CPUs (which offer speculation) are becoming cheaper and cheaper.
A Raspberry Pi 3 has a Cortex-A53 (because they're cheap). They're luckily not affected, but those CPUs and faster are cheap enough to throw onto a $35 retail price computer. What's running in your $800 internet-connected 4K TV?
Per the Pi 3 explaination page:
>Examples of out-of-order processors include the Intel Pentium 2 (and most subsequent Intel and AMD x86 processors with the exception of some Atom and Quark devices), and many recent ARM cores, including Cortex-A9, -A15, -A17, and -A57.
The A9, 15, 17, and A57 are all affected and used across TONS of devices in the world. They're very popular not just in chip form (as the primary CPU), but also in IP cores (inside an FPGA), as well as "secondary CPU" systems attached to FPGAs or other CPU's.
And that's just one brand of one type of CPU. Who knows what else is out there. PowerPCs are in everything. Even your dust-covered Gamecube has out-of-order speculation!
Here's a link mentioning that PowerPC CPUs are affected:
So there goes all your PowerMacs. (And likely the Gamecube
and Wii too!)
Not my banking website, for one thing. Your point is completely valid, but sadly no-one in the media cares whether your TV or toaster is vulnerable.
Perhaps they should be, because in reality, all these devices could be used in a botnet. But then again, it's so much easier to hack those devices with default admin/password123 than it is using speculative branch predication exploits...