Ross Mcilroy et al. (via Hacker News):
This paper examines speculative side channel attacks and their programming language implications. These attacks leak information through micro-architectural side channels that we display are not only wrong, but actually based on optimization. […] As a result of our work, we now believe that speculative vulnerabilities in today's hardware are fighting all language-enforced confidentiality without known extensive software reductions, as we have discovered that non-credible code can construct a universal read gadget to read all memory in same address space via side channels. In light of this reality, we have changed the security model to the Chrome browser and V8 to process isolation.
Liam Tung (via Reddit):
Large deceleration caused by the new Linux 4.20 kernel is tracked to a limitation for Specter variant 2 that Linux founder Linus Torvalds now wants limited.
It's hard to believe that it has been more than a year since the disclosure of Meltdown and Specter. There was so much frenzy in the early days and weeks that it may have hidden the fact that some of the solutions we currently have are temporary, barely secure, spackle-everywhere, stop resistance reductions, and now that the dust has settled on it, I thought that I would look at which scientists and other contributors have emerged in the past year to provide secure processors – without demanding that we all rewrite our entire software from scratch.
Apple (via Benjamin Mayo):
Intel has revealed vulnerabilities called Microarchitectural Data Sampling (MDS) for desktop and laptop computers with Intel processors, including all modern Macs.
Although there are no known exploits that affect customers at the time of writing, customers who believe in their computer At increased attack risk, you can use the Terminal app to activate an extra CPU instruction and disable processing technology that provides full protection against these security systems
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public references.
It is good that there are no known exploits using these techniques, but even if it were, the overwhelming majority of Mac users – almost all – would not need to activate this limitation. These MDS vulnerabilities cause malicious software on your computer to do bad things. However, these vulnerabilities are not ways of malicious software to enter your computer.
However, it sounds like the fix is finally a way to work around with hyper-threading bug that can cause data corruption on my iMac, including Macs.
Stay updated by subscribing to the RSS feed for this post.