Date: Mon, 8 Jan 2018 18:43:05 +0100 From: =?UTF-8?Q?Fernando_Apestegu=C3=ADa?= <fernando.apesteguia@gmail.com> To: Baho Utot <baho-utot@columbus.rr.com> Cc: Aryeh Friedman <aryeh.friedman@gmail.com>, User Questions <freebsd-questions@freebsd.org> Subject: =?UTF-8?B?UmU6IE1lbHRkb3duIOKAkyBTcGVjdHJl?= Message-ID: <CAGwOe2a_bUDx2rxyTGpeRJdJpQ_jxS3rQWCGY2dR0DCFCBzd=w@mail.gmail.com> In-Reply-To: <a5d48efc-7f83-527f-ba51-1edac3d112da@columbus.rr.com> References: <f9cc484e-be92-7aff-52fe-38655e85dbaa@columbus.rr.com> <CAH78cDqPnOUGoU=6x-BiugnpjmjYcd=CZS3fSNaX5tq-Uvma7g@mail.gmail.com> <bc9ad15b-a718-b901-76fa-bc43ce0c1f1a@columbus.rr.com> <3AECDC7F-8838-4C09-AC7F-117DFBAA326C@sigsegv.be> <20180108085756.GA3001@c720-r314251> <CAGBxaXnSRwtS=mbdsePyKvyZjTpu1tvo2O61SW60yQfdDJH4gA@mail.gmail.com> <48211515-cc6b-522b-ccd2-4d0c1f6a2072@columbus.rr.com> <CAGBxaXm=6NbZ%2Bcz6WGB7YY7NT_%2BxOhdxb17ORTsQs5e7RvqKaQ@mail.gmail.com> <44279dcb-7b15-865a-ca71-938b3832d0e7@columbus.rr.com> <CAGwOe2aZr5==KFdKb9SHLh9YRy5VCpxPN3d5AY1bLed5o5EV2w@mail.gmail.com> <a5d48efc-7f83-527f-ba51-1edac3d112da@columbus.rr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 8, 2018 at 6:36 PM, Baho Utot <baho-utot@columbus.rr.com> wrote= : > > > On 1/8/2018 12:15 PM, Fernando Apestegu=C3=ADa wrote: >> >> >> >> On Mon, Jan 8, 2018 at 1:53 PM, Baho Utot <baho-utot@columbus.rr.com >> <mailto:baho-utot@columbus.rr.com>> wrote: >> > >> > >> > On 1/8/2018 7:37 AM, Aryeh Friedman wrote: >> >> >> >> >> >> >> >> On Mon, Jan 8, 2018 at 7:28 AM, Baho Utot <baho-utot@columbus.rr.com >> <mailto:baho-utot@columbus.rr.com> >> >> <mailto:baho-utot@columbus.rr.com <mailto:baho-utot@columbus.rr.com>= >> >> wrote: >> >> >> >> >> >> >> >> On 1/8/2018 4:15 AM, Aryeh Friedman wrote: >> >> >> >> On Mon, Jan 8, 2018 at 3:57 AM, Matthias Apitz <guru@unixarea.de >> <mailto:guru@unixarea.de> >> >> <mailto:guru@unixarea.de <mailto:guru@unixarea.de>>> wrote: >> >> >> >> As I side note, and not related to FreeBSD: My Internet >> >> server is run by >> >> some webhosting company (www.1blu.de <http://www.1blu.de>; >> <http://www.1blu.de>), >> >> >> >> >> they use Ubuntu servers and since >> >> yesterday they have shutdown SSH access to the servers >> >> argumenting that >> >> they want >> >> protect my (all's) servers against attacks of Meltdown and >> >> Spectre. >> >> >> >> Imagine, next time we have to shutdown all IOT gadgets... >> >> >> >> >> >> >> >> Not always possible for things like medical test >> >> equipment/devices. For >> >> example I maintain a specialized EMR for interacting with Dr. >> >> prescribed >> >> remote cardiac monitors. Having those off line is not an >> >> option since >> >> they are used to detect if the patient needs something more >> >> serious like a >> >> pace maker (also almost always a IoT device these days) surgery. >> >> >> >> The actual monitoring is done on Windows and was attacked by some >> >> ransomeware via a bit coin miner that somehow installed it >> >> self. Since >> >> all the users claim that they don't read email/upload/download >> >> executables >> >> or any other of the known attack vectors this leaves something >> >> like >> >> Meltdown or Spectre. We have also detected issues on the >> >> CentOS that has >> >> the non-medical corporate site on it. The only machine left on >> >> touched on >> >> the physical server (running some bare metal virtualization >> >> tool) is the >> >> FreeBSD machine that runs the actual EMR we wrote. >> >> >> >> TL;DR -- It seems Linux and Windows already have issues with >> >> these holes >> >> but I have seen little to no evidence that FreeBSD (when run as >> >> a host). >> >> In general when ever any virtualization issue (like the bleed >> >> through on >> >> Qemu last year) comes up FreeBSD is the one OS that seems to be >> >> immune >> >> (thanks to good design of the OS and bhyve). This is the main >> >> reason why >> >> I chose FreeBSD over Linux as the reference host for PetiteCloud. >> >> >> >> >> >> This is not operating system specific, read the papers on theses >> >> two. it attacks the cpu, usally through a JIT >> >> >> >> >> >> Please learn a little OS design theory before making insane claims. >> >> Specifically it *ONLY* effects OS's that rely on the specific CPU >> >> architecture (vs. a generic one). Namely if you strictly partition t= he >> page >> >> table between userland and kernel space (which xxxBSD has always don= e >> and >> >> Linux has not) and don't use any CPU specific instructions to do so >> (except >> >> for protected vs. unprotected mode in the original 386 design FreeBS= D >> does >> >> not do this while yet again microslut and linux do). >> >> >> >> For more info go read the more technical thread then here in -hacker= s@ >> and >> >> -current@. >> > >> > >> > >> > Go read the papers Spectre and Meltdown. >> > This attacks Intel and Arm processors, AMD processors seems to not ha= ve >> the >> > issue. Intel is issuing new firmware for their processors. >> > Why is does then Apple have the problem as well? >> >> About AMD, they seem to be affected by at least two variants of these >> attacks: >> >> https://www.amd.com/en/corporate/speculative-execution >> > > Variant One Bounds Check Bypass Resolved by software / OS > updates to be made available by > system vendors and > manufacturers. Negligible > performance impact expected. > > Variant Two Branch Target Injection Differences in AMD > architecture mean there > is a near zero risk of > exploitation of this > variant. Vulnerability > to Variant 2 has not > been demonstrated on AMD > processors to date. > > Variant Three Rogue Data Cache Load Zero AMD vulnerability due to > AMD architecture differences. > > For Variant 1 OS fix > > For Variant 2 and 3 ZERO to near ZERO risk > > So yes my statement stands Sorry, I might have misunderstood. The statement was "AMD processors seems to not have the issue". But they acknowledge the issue. In variant 1 it exists and it is fixed by OS (so if it is fixed, it means it affects AMD's processors), in variant 2 exists (nearly zero is not zero), and in variant 3, yes, it is not affected. So it is kind of a 2/3 affected for AMD. Cheers. > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGwOe2a_bUDx2rxyTGpeRJdJpQ_jxS3rQWCGY2dR0DCFCBzd=w>