Date: Mon, 8 Jan 2018 12:36:59 -0500
From: Baho Utot <baho-utot@columbus.rr.com>
To: Fernando Apesteguía <fernando.apesteguia@gmail.com>
Cc: Aryeh Friedman <aryeh.friedman@gmail.com>, User Questions <freebsd-questions@freebsd.org>
Subject: Re: Meltdown – Spectre
Message-ID: <a5d48efc-7f83-527f-ba51-1edac3d112da@columbus.rr.com>
In-Reply-To: <CAGwOe2aZr5==KFdKb9SHLh9YRy5VCpxPN3d5AY1bLed5o5EV2w@mail.gmail.com>
References: <f9cc484e-be92-7aff-52fe-38655e85dbaa@columbus.rr.com>
 <CAH78cDqPnOUGoU=6x-BiugnpjmjYcd=CZS3fSNaX5tq-Uvma7g@mail.gmail.com>
 <bc9ad15b-a718-b901-76fa-bc43ce0c1f1a@columbus.rr.com>
 <3AECDC7F-8838-4C09-AC7F-117DFBAA326C@sigsegv.be>
 <20180108085756.GA3001@c720-r314251>
 <CAGBxaXnSRwtS=mbdsePyKvyZjTpu1tvo2O61SW60yQfdDJH4gA@mail.gmail.com>
 <48211515-cc6b-522b-ccd2-4d0c1f6a2072@columbus.rr.com>
 <CAGBxaXm=6NbZ+cz6WGB7YY7NT_+xOhdxb17ORTsQs5e7RvqKaQ@mail.gmail.com>
 <44279dcb-7b15-865a-ca71-938b3832d0e7@columbus.rr.com>
 <CAGwOe2aZr5==KFdKb9SHLh9YRy5VCpxPN3d5AY1bLed5o5EV2w@mail.gmail.com>
On 1/8/2018 12:15 PM, Fernando Apesteguía wrote:
>
> On Mon, Jan 8, 2018 at 1:53 PM, Baho Utot <baho-utot@columbus.rr.com> wrote:
> >
> > On 1/8/2018 7:37 AM, Aryeh Friedman wrote:
> >>
> >> On Mon, Jan 8, 2018 at 7:28 AM, Baho Utot <baho-utot@columbus.rr.com> wrote:
> >>>
> >>> On 1/8/2018 4:15 AM, Aryeh Friedman wrote:
> >>>>
> >>>> On Mon, Jan 8, 2018 at 3:57 AM, Matthias Apitz <guru@unixarea.de> wrote:
> >>>>>
> >>>>> As a side note, and not related to FreeBSD: my Internet server is run by
> >>>>> some webhosting company (www.1blu.de); they use Ubuntu servers and since
> >>>>> yesterday they have shut down SSH access to the servers, arguing that they
> >>>>> want to protect my (everyone's) servers against attacks of Meltdown and
> >>>>> Spectre.
> >>>>>
> >>>>> Imagine, next time we have to shut down all IoT gadgets...
> >>>>
> >>>> Not always possible for things like medical test equipment/devices. For
> >>>> example I maintain a specialized EMR for interacting with Dr.-prescribed
> >>>> remote cardiac monitors. Having those offline is not an option since they
> >>>> are used to detect if the patient needs something more serious like a
> >>>> pacemaker (also almost always an IoT device these days) surgery.
> >>>>
> >>>> The actual monitoring is done on Windows and was attacked by some
> >>>> ransomware via a bitcoin miner that somehow installed itself. Since all
> >>>> the users claim that they don't read email/upload/download executables or
> >>>> any other of the known attack vectors, this leaves something like Meltdown
> >>>> or Spectre. We have also detected issues on the CentOS that has the
> >>>> non-medical corporate site on it. The only machine left untouched on the
> >>>> physical server (running some bare metal virtualization tool) is the
> >>>> FreeBSD machine that runs the actual EMR we wrote.
> >>>>
> >>>> TL;DR -- It seems Linux and Windows already have issues with these holes,
> >>>> but I have seen little to no evidence that FreeBSD (when run as a host).
> >>>> In general whenever any virtualization issue (like the bleed through on
> >>>> Qemu last year) comes up, FreeBSD is the one OS that seems to be immune
> >>>> (thanks to good design of the OS and bhyve). This is the main reason why
> >>>> I chose FreeBSD over Linux as the reference host for PetiteCloud.
> >>>
> >>> This is not operating system specific; read the papers on these two. It
> >>> attacks the CPU, usually through a JIT.
> >>
> >> Please learn a little OS design theory before making insane claims.
> >> Specifically it *ONLY* affects OSes that rely on the specific CPU
> >> architecture (vs. a generic one). Namely, if you strictly partition the
> >> page table between userland and kernel space (which xxxBSD has always done
> >> and Linux has not) and don't use any CPU specific instructions to do so
> >> (except for protected vs. unprotected mode in the original 386 design;
> >> FreeBSD does not do this while yet again microslut and Linux do).
> >>
> >> For more info go read the more technical thread than here in -hackers@ and
> >> -current@.
> >
> > Go read the papers Spectre and Meltdown.
> > This attacks Intel and ARM processors; AMD processors seem not to have the
> > issue. Intel is issuing new firmware for their processors.
>
> Why then does Apple have the problem as well?
>
> About AMD, they seem to be affected by at least two variants of these
> attacks:
>
> https://www.amd.com/en/corporate/speculative-execution
>

Variant One - Bounds Check Bypass: Resolved by software / OS updates to be
made available by system vendors and manufacturers. Negligible performance
impact expected.

Variant Two - Branch Target Injection: Differences in AMD architecture mean
there is a near zero risk of exploitation of this variant. Vulnerability to
Variant 2 has not been demonstrated on AMD processors to date.

Variant Three - Rogue Data Cache Load: Zero AMD vulnerability due to AMD
architecture differences.

For Variant 1: OS fix
For Variant 2 and 3: ZERO to near ZERO risk

So yes, my statement stands.
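Added example, not part of this thread and not AMD's, FreeBSD's or Linux's code: the "software / OS updates" that the table lists as the fix for Variant 1 (bounds check bypass) amount to hardening bounds-checked table reads so that an out-of-range index cannot be used even on a mispredicted path. The C below contrasts a plain bounds-checked read with one that clamps the index using a branchless mask built the same way as Linux's generic array_index_mask_nospec(); the lookup table, its contents and the function names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample data: a small lookup table guarded by a length check. */
static const uint8_t table[16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
};
#define TABLE_LEN (sizeof(table) / sizeof(table[0]))

/* Variant 1 shape: architecturally correct, but the load may be executed
 * speculatively before the comparison resolves, so the branch by itself
 * is not a speculation barrier. */
uint8_t read_unhardened(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Branchless mask, same construction as Linux's generic
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * Unsigned arithmetic only, so every step is well-defined C. Assumes idx
 * and size are below SIZE_MAX/2, which holds for any real array. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    /* size - 1 - idx wraps (top bit set) exactly when idx >= size; the OR
     * also catches an idx whose own top bit is set. */
    size_t x = idx | (size - 1 - idx);
    /* top bit 1 -> 1 - 1 = 0 ; top bit 0 -> 0 - 1 = SIZE_MAX */
    return (x >> (sizeof(size_t) * CHAR_BIT - 1)) - 1;
}

/* Hardened read: if the branch is mispredicted, the masked index becomes 0,
 * so the speculative load can only ever touch table[0]. */
uint8_t read_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
#if defined(__GNUC__)
        /* Stop the compiler from concluding that the mask is redundant
         * inside the branch (same purpose as OPTIMIZER_HIDE_VAR in Linux). */
        __asm__ __volatile__("" : "+r"(idx));
#endif
        idx &= index_mask_nospec(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    /* Both readers agree architecturally; only the hardened one also
     * bounds the speculative path. */
    return (read_hardened(3) == read_unhardened(3)
            && read_hardened(16) == 0) ? 0 : 1;
}
```

On x86 a serializing lfence after the check is the other common form of the same fix; the Linux kernel documents the mask form as its default because it avoids the cost of a serializing instruction on every checked access. Either way the mitigation lives in the OS and application code, which is what "resolved by software / OS updates" in the table refers to.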