From owner-freebsd-questions@freebsd.org Mon Jan 8 12:37:35 2018
From: Aryeh Friedman
Date: Mon, 8 Jan 2018 07:37:34 -0500
Subject: Re: Meltdown – Spectre
To: Baho Utot
Cc: FreeBSD Mailing List
In-Reply-To: <48211515-cc6b-522b-ccd2-4d0c1f6a2072@columbus.rr.com>
References: <3AECDC7F-8838-4C09-AC7F-117DFBAA326C@sigsegv.be> <20180108085756.GA3001@c720-r314251> <48211515-cc6b-522b-ccd2-4d0c1f6a2072@columbus.rr.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On Mon, Jan 8, 2018 at 7:28 AM, Baho Utot wrote:
>
> On 1/8/2018 4:15 AM, Aryeh Friedman wrote:
>
>> On Mon, Jan 8, 2018 at 3:57 AM, Matthias Apitz wrote:
>>
>>> As a side note, and not related to FreeBSD: My Internet server is run by
>>> some webhosting company (www.1blu.de), they use Ubuntu servers and since
>>> yesterday they have shut down SSH access to the servers, arguing that
>>> they want to protect my (all's) servers against attacks of Meltdown and
>>> Spectre.
>>>
>>> Imagine, next time we have to shut down all IoT gadgets...
>>
>> Not always possible for things like medical test equipment/devices. For
>> example I maintain a specialized EMR for interacting with Dr. prescribed
>> remote cardiac monitors. Having those offline is not an option since
>> they are used to detect if the patient needs something more serious like
>> pacemaker (also almost always an IoT device these days) surgery.
>>
>> The actual monitoring is done on Windows and was attacked by some
>> ransomware via a bitcoin miner that somehow installed itself. Since
>> all the users claim that they don't read email/upload/download executables
>> or any other of the known attack vectors, this leaves something like
>> Meltdown or Spectre. We have also detected issues on the CentOS that has
>> the non-medical corporate site on it. The only machine left untouched on
>> the physical server (running some bare metal virtualization tool) is the
>> FreeBSD machine that runs the actual EMR we wrote.
>>
>> TL;DR -- It seems Linux and Windows already have issues with these holes
>> but I have seen little to no evidence that FreeBSD (when run as a host).
>> In general whenever any virtualization issue (like the bleed-through on
>> Qemu last year) comes up FreeBSD is the one OS that seems to be immune
>> (thanks to good design of the OS and bhyve). This is the main reason why
>> I chose FreeBSD over Linux as the reference host for PetiteCloud.
>
> This is not operating system specific, read the papers on these two. It
> attacks the CPU, usually through a JIT.

Please learn a little OS design theory before making insane claims.
Specifically it *ONLY* affects OSes that rely on the specific CPU
architecture (vs. a generic one). Namely if you strictly partition the
page table between userland and kernel space (which xxxBSD has always done
and Linux has not) and don't use any CPU specific instructions to do so
(except for protected vs. unprotected mode in the original 386 design;
FreeBSD does not do this while yet again microslut and linux do). For more
info go read the more technical thread than here in -hackers@ and -current@.