Meltdown, Spectre and MDS: Links compilation

Having recently come to light, meltdown and spectre are names given to a set of high impact security issues exploiting CPU instructions to read system memory. Provided below is a collection of links that relate to different aspects of these vulnerabilities.

Initial Disclosure

• https://googleprojectzero.blogspot.in/2018/01/reading-privileged-memory-with-side.html

Updates from Vendors

• https://blog.google/topics/google-cloud/answering-your-questions-about-meltdown-and-spectre/
• https://access.redhat.com/security/vulnerabilities/speculativeexecution
• https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/
• https://techcrunch.com/2018/01/03/cloud-infrastructure-vendors-begin-responding-to-chip-kernel-vulnerability/
• https://support.microsoft.com/en-in/help/4073757/protect-your-windows-devices-against-spectre-meltdown
• https://support.apple.com/en-us/HT208394
• https://newsroom.intel.com/press-kits/security-exploits-intel-products/
• https://www.amd.com/en/corporate/speculative-execution

Mitigations

Against meltdown

• KPTI: https://lwn.net/Articles/741878/
• PCID (to lessen the performance impact of KPTI): http://archive.is/ma8Iw

Against spectre

• Retpoline: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
• Intel Microcode update: https://news.ycombinator.com/item?id=16111433

Performance / Benchmarks

• https://access.redhat.com/node/3307751
• https://www.phoronix.com/scan.php?page=news_item&px=KPTI-Retpoline-Combined-Ubuntu

Bits from the web

• http://kroah.com/log/blog/2018/01/06/meltdown-status/
• https://lwn.net/Articles/743363/
• http://www.zdnet.com/article/security-flaws-affect-every-intel-chip-since-1995-arm-processors-vulnerable/
• https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/
• http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
• https://twitter.com/aionescu/status/930412525111296000
• https://www.reddit.com/r/Amd/comments/7ojf47/spectre_fix_for_linux_to_impact_amd_retpoline_for/
• https://www.phoronix.com/forums/forum/software/bsd-mac-os-x-hurd-others/999876-dragonflybsd-s-meltdown-fix-causing-more-slowdowns-than-linux?p=1000112#post1000112
• https://xenbits.xen.org/gitweb/?p=people/andrewcoop/xen.git;a=blob;f=xen/arch/x86/spec_ctrl.c;h=79aedf774a390293dfd564ce978500085344e305;hb=refs/heads/sp2-mitigations-v6.5#l122
• https://github.com/marcan/speculation-bugs/blob/master/README.md

 

Edit 2019-11-12

New vulnerability variety of MDS  revealed, reported to be serious

• Website: https://mdsattacks.com/#ridl-ng
• Wired article: https://www.wired.com/story/intel-mds-attack-taa/
• LWN article: https://lwn.net/Articles/804462/

It can be mitigated by updating the kernel and microcode. Will add more details as they become available.

Advertisement