Re: How are you handling Meltdown and Spectre? - Page 2

Kaity · ‎01-04-2018

Another day, another exploit. Or two. For now. News of Meltdown and Spectre is all around us...

Here are a few articles:

Meltdown and Spectre: How chip hacks work - BBC

A Critical Intel Flaw Breaks Basic Security for Most Computers - WIRED

Meltdown and Spectre CPU Flaws Expose Modern Systems to Risk - eWeek

Critical Microprocessor Flaws Affect Nearly Every Machine - Dark Reading

So what are you - and your organization - doing to respond? Advice to share? Warnings?

Let us know!

Clive · ‎01-05-2018

Opinions are my own and not my employer

Would BIOS lock and Micro segmentation using VMware NSX work to isolate this threat (and future ones)

The National Institute of Standards and Technology (NIST) Special publication on BIOS protection guidelines stated the following:

Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization

NIST 800-17

Badfilemagic · ‎01-05-2018

BIOS locking and microsegmentation address other threats, not these.

These have to do separation of memory protection rings where, due to various performance optimizations in hardware and at the OS level, data can leak between boundaries (userland process gaining state knowledge of kernel-space memory, or one user process able to gain state knowledge of memory in a process running in a different context on the same os instance).

Microsegementation really addresses network traversal and lateral movement issues, particularly inside virtual environments. BIOS locking is important and you should do it, but isn't going to help you here.

Apply your OS patches and any firmware/microcode updates as may be appropriate; newer Intel processors which use PCID in the context switches shouldn't have the major (30%) performance impact that will be caused by KAISER-type mitigations (unmapping user virtual address space from TLB on entry to system call, then unmapping kernel virtual address space when leaving and returning to the userland process's execution context). Allegedly newer Intel processors should only have a 5% hit there, more or less, and depending on workload. AMD processor are allegedly not vulnerable to "Meltdown" because they made the sane choice of actually checking security context before going down the predictive execution rabbit hole.

-- wdf//CISSP, CSSLP

Clive · ‎01-05-2018

WOW Badfilemagic you know your stuff - Thank you

Badfilemagic · ‎01-05-2018

I spent a good bit of time last year digging through FreeBSD kernel code, writing some, and having to get some major refreshers on "how computers work" at the low level, so the pump was primed to follow this issue with great interest 🙂

-- wdf//CISSP, CSSLP

Caute_cautim · ‎01-05-2018

What do you think of this guidance from the University which disclosed the vulnerability to Intel?

https://meltdownattack.com/

Badfilemagic · ‎01-06-2018

The guidance seems to be to apply os patches, update your browser and when llvm updates are in place, rebuild your whole stack with it using the appropriate compiler flag (advice which is of little to no use to the average user or average corporation).

This is bad news for the cloud. Updating browsers and limiting use of Javascript (which is the major attack surface these days anyway) limits end user exposure on PCs and other endpoints, though, but apply patches.

-- wdf//CISSP, CSSLP

Bayshob · ‎01-06-2018

These are 2018 vulnerabilities. Thanks for sharing this. This is a hot topic because it is new, recent and hot. Installing latest patches, using a good security solution, security awareness and avoiding insecure website are among the security tips that I recommend

Tolga · ‎01-06-2018

I have to say this is one of the quite tricky things I've encountered in my career.

On one hand, there is media coverage that hypes this issue to more than it is, on the other hand there is a technical explanation to it, however no one at this point has really been able to quantify the risk (e.g. with CVSS et al).

However, as far as I've been able to digest this issue it would be a great idea in my humble opinion for enterprises to narrow the attack surface, such as by updating their browsers to certain levels that they aren't affected by outside factors on the big world bad wide tangled web.

Then I would pursue going down the hatch, by starting off with VM's, stand-alone servers, clients et al and get to the bottom as quick as possible.

Again, as far as I've heard from other people who have already applied this patch, it seems like there is a loss of approximately 5% to 10% CPU processing power. This would surely lead to some discussion within a few IT Ops-Depts.

And to some extent, unless there is something done on the processor everything sounds to me like an "Workaround-Patch".

Anyway, I'd be delighted to hear and see some of the other ideas, sugesstions on this topic.

Bayshob · ‎01-07-2018

Thanks for sharing

JoePete · ‎01-10-2018

I think the more pressing question is "How are your service providers handling Meltdown and Spectre?" While the vulnerabilities could be exploited by something like a malicious web site (http://www.tomshardware.com/news/meltdown-spectre-exploit-browser-javascript,36221.html), I think the higher risk, higher target exploits will involve cloud based attacks where one malicious cloud users gets access to the data of all users sharing the same physical hardware. Conceivably, this could result in the compromise of a service provider's management plane and with it an entire data center. Really, this shows how one flaw - inspired by the desire to do more, faster - can undermine everything on top of it.