[sf-lug] DON'T PANIC! :-) Re: Two new variants of Spectre vulnerability
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Thu May 31 07:48:02 PDT 2018
"DON'T PANIC!" - is generally a very good starting point.
Heck, even in the midst of some major ongoing incident,
panic will generally only make things worse (e.g. lots of mistakes
and stupid decisions/reactions often occur in panic situations).
So ...
> From: aaronco36 <aaronco36 at SDF.ORG>
> Subject: [sf-lug] Two new variants of Spectre vulnerability
> Date: Wed, 23 May 2018 01:36:43 +0000 (UTC)
> Two new variants of the Spectre CPU vulnerability were revealed yesterday.
>
> Quoting from CERT's Alert (TA18-141A) 'Side-Channel Vulnerability
> Variants 3a and 4' in ref [1]
>
> Further thoughts or suggestions regarding these new Spectre variants
> from Rick M, Michael P, and/or anyone else reading this?
>
> [1] https://www.us-cert.gov/ncas/alerts/TA18-141A
In a bit more detail/specifics ...
What makes these (Spectre/Meltdown) attacks somewhat unique, is they are
*hardware* exploits - or at least mostly or entirely so, as to where the
fundamental underlying weakness exists. However(!!!) ...
There's *nothing* in these attacks/vulnerability that makes them
particularly high risk/vulnerability compared to most/many typical
Linux operating system security vulnerabilities. Probably most notably,
the Spectre/Meltdown are rather to quite difficult to exploit ... and
rather to perhaps even quite more so with the most recently announced
variants.
So, perhaps by way of (likely poor) analogy ...
Let's say we're talkin' latest Spectre variants, that'd be like, oh ...
3m square slab of hardened plate steel, 10cm thick. But ... there's a
microscopic fissure/hole in it ... it doesn't run straight through, but
it's enough for some Hydrogen ... maybe even Helium to make it
through ... at least slowly, and given a very large pressure
differential. Perhaps even H2O vapor might possibly be able to get
through, but significantly larger gas molecules ... probably not, but
still being investigated.
And, ... let's say we're talking our typical fairly reasonably secured
Linux installation ... probably fairly caught up on patches, updates,
but not entirely so, and maybe some other bits not fully up-to-snuff,
but pretty well maintained, and not riddled with unaddressed known flaws.
That'd be like ... Swiss cheese, 3m square, 10cm thick. Okay, if it
was like 1mm thick, the holes and passage through would be highly
obvious, but at 10cm ... whether or not there are actually any holes,
and more significantly any holes that actually go all the way through,
well, that's not so immediately obvious. Definitely not as strong as
steel armor plate of same thickness, so sure, maybe the "right" poking,
prodding, or sufficiently forceful implements, can probably go through
it ... but just looking at it, can't easily tell if it's 10cm thick, or if
that Swiss cheese is 3cm thick, 10cm thick, or 100m thick, ... if it's
100m, that would be pretty dang hard to get all the way through, and
without knowing how thick, difficult to predict how difficult it would be
to make it all the way through.
So, anyway, if both are 10cm thick ... Swiss cheese, or almost perfectly
solid and almost devoid of the smallest of fissures in armored steel plate,
well, which one are you going to want to focus your security efforts on?
So ... *maybe* if you've got a whole lot of steel plate or other
reinforcement added around your Swiss cheese, ... then *maybe* you want to
look at further hardening your 10cm thick armored steel, but in the meantime
probably mostly want to focus security attention/efforts on the much more
probable to be exploited and/or where there's much higher risk.
And it doesn't hurt to stay reasonably current - notably what is being
actively exploited - or even attempted and probabilities of successful
exploit thereof. Sometimes things change. But be reasonably careful
to not overreact ... a.k.a. "DON'T PANIC!"
And the (of course imperfect) analogy might be a fair bit of
exaggeration - notably to illustrate the point, but one needs to
look reasonably objectively at relative risks, and hardware security
risks do also occur - not all that uncommonly really. And evaluating
and responding to them ought be part of a general over-all security
plan and approach (including also physical security, etc.).
Why do I now want Swiss cheese on my sandwich? ;-)
references:
http://linuxmafia.com/pipermail/sf-lug/2018q2/013244.html