Academics Publish New Software-Level Protections Against Spectre and Rowhammer Attacks (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.
The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.
[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.
These are researchers in academia, where you're judged largely on your publications. While releasing a patch to the Linux kernel might be a useful synergistic activity, it simply doesn't have the impact of publications. As a researcher, I like releasing source code and, when feasible, my data sets. However, those simply don't have the same impact as publications. Publishing a paper isn't mutually exclusive from releasing the source code. Don't blame the researchers. Blame the system that disproportionately rewards publications over other contributions.
The one exception here might be if lots of other researchers use your software or data set in their research. In that case, your data or software could get a DOI and be highly cited in its own right. I doubt a patch to the Linux kernel would get cited much if at all, so the publication is probably the one thing that matters in academia.