[Arm-netbook] Meltdown and Spectre

Discussion:

Louis Pearson

2018-01-04 21:25:15 UTC

Has anybody else seen the recently published exploits Meltdown and Spectre?
Here's a link: https://meltdownattack.com/

I'm wondering if this will increase in Risc-V processors, as most will not
be vulnerable to this exploit. It relies on speculative and out-of-order
execution which most current Risc-V processors do not have.
_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to

Adam Van Ymeren

2018-01-04 23:13:45 UTC

Permalink

Post by Louis Pearson
Has anybody else seen the recently published exploits Meltdown and Spectre?
Here's a link: https://meltdownattack.com/

The thing about Meltdown/Spectre is that they're really only problems if
you rely on sandboxing to run untrusted code.

This should be more incentive to run on fully free software. If the
only code you run on your machine is free software, then there's
essentially zero risk of Meltdown/Spectre being an issue. An important
point to highlight is that this includes JavaScript that most people run
in the browser. The JavaScript Trap [1] as Stallman explained a few
years ago.

If people can take back control of their computing but running free
software and moving off virtual servers to dedicated serveres or their
own product like FreedomBox [2] then issues like meltdown/spectre don't
matter.

[1] - https://www.gnu.org/philosophy/po/javascript-trap.ja-en.html
[2] - https://freedomboxfoundation.org/

_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm-***@files.phcomp.co.u

Hendrik Boom

2018-01-05 01:18:21 UTC

Permalink

Post by Adam Van Ymeren

Post by Louis Pearson
Has anybody else seen the recently published exploits Meltdown and Spectre?
Here's a link: https://meltdownattack.com/

The thing about Meltdown/Spectre is that they're really only problems if
you rely on sandboxing to run untrusted code.

It doesn't care whether you sandbox. It makes a privilege escalation
possible. If untrustworthy code runs with few privileges, it can
exfiltrate enough information to accomplish a privilege escalation. The
point of mentioneing the sandbox is simply that the sandbox doesn't
help.

Of courses it doesn't matter if you trust the code. It matters if it is
trustworthy.

-- hendrik

_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm-***@files.phco

Adam Van Ymeren

2018-01-05 02:32:42 UTC

Permalink

Post by Hendrik Boom

Post by Adam Van Ymeren

Post by Louis Pearson
Has anybody else seen the recently published exploits Meltdown and Spectre?
Here's a link: https://meltdownattack.com/

The thing about Meltdown/Spectre is that they're really only problems if
you rely on sandboxing to run untrusted code.

Yeah I didn't phrase that quite right. I meant that these vulnerabilites
make it impossible to sandbox malicious code.

Post by Hendrik Boom
Of courses it doesn't matter if you trust the code. It matters if it is
trustworthy.

Indeed.

_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to ar

Jack Hill

2018-01-05 04:09:33 UTC

Permalink

Post by Adam Van Ymeren
The thing about Meltdown/Spectre is that they're really only problems if
you rely on sandboxing to run untrusted code.

I'm not convinced that sandboxing is only useful for untrusted code.
Sometimes my trusted code has bugs (e.g. I would like to be able to look
at random images or documents or expose my webapp to the world), and
I would really like for it to not be able to be tricked into doing
something it shouldn't. I would also like to be able to compute in shared
environments.

Best,
Jack

_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm-

Jack Hill

2018-01-05 04:55:49 UTC

Permalink

Post by Jack Hill

Post by Adam Van Ymeren
The thing about Meltdown/Spectre is that they're really only problems if
you rely on sandboxing to run untrusted code.

Oh, I guess it might be helpful to explain a little bit more why I would
like to be able to continue to use shared computing environments. I've
been increasing amazed and intimidated by what it takes to understand
modern computing. One of my outlets for these emotions is Hcoöp [0], which
is an internet service hosting coöperative. We run services such as email,
web, and file collaboratively, which saves any one person for having to do
all that work on their own. I appreciate the work of projects like
Freedombox, but why stop the collaborating after writing the code? I want
to be able to collaborate on running it as well!

In addition, some things just don't make sense for all of us to own on our
own. I might not often need a large memory or hundreds of core compute
cluster, but when I do, it is nice to be able to use a shared resource
rather than purchasing my own.

Best,
Jack

[0] https://hcoop.net
_______________________________________________
arm-netbook mailing list arm-***@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm