Thursday, January 04, 2018

(in)security: CPU vulnerabilities: Meltdown, Spectre

From being a main concern to overcome when considering "move to cloud"
security is now becoming a prominent reason to do such move.

While there will always be computer security issues
cloud service providers are in the best position to respond quickly,
and handle such serious situations before such issues become a big problem.
Recently discovered CPU security issues are an excellent example.

Having learned details how CPUs work and are designed,
as well as OS, virtualization etc, I could appreciate complexity of this.

Meltdown (security vulnerability) - Wikipedia

Spectre (security vulnerability) - Wikipedia

Meltdown and Spectre

The Azure Podcast : Episode 210 - CPU Vulnerability

Securing Azure customers from CPU vulnerability | Blog | Microsoft Azure

Google Online Security Blog: Today's CPU vulnerability: what you need to know

"Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance....

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them."

Project Zero: Reading privileged memory with a side-channel

"CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts."

Spectre (variants 1 and 2)
  • "Update your operating system
  • Check for firmware updates
  • Update your browser
  • Keep your antivirus active
Microsoft pushed out an emergency Windows patch late in the day on January 3"

No comments: