Academics Publish New Software-Level Protections Against Spectre and Rowhammer Attacks

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

So why should AMD systems slow down to cover Intel

[Joe_Dragon]

So why should AMD systems slow down to cover Intel? or say in a system where I don't need security like this but need speed?

At least with linux I can force it off at the kernel level.

diffs != funding

[WoodstockJeff]

Publicity for an academic paper, on the other hand, can lead to funding.

Re:diffs != funding

[DamonHD]

That's a little harsh. If paying the rent requires getting grants, you'll aim to get grants. What do you call what you do to get money? (Plus let's not insult in passing other groups that you clearly consider beneath contempt...)

not buying it

[iggymanz]

Software can be subverted, these flaws have to be addressed in hardware redesign

Re:Research BS

These are researchers in academia, where you're judged largely on your publications. While releasing a patch to the Linux kernel might be a useful synergistic activity, it simply doesn't have the impact of publications. As a researcher, I like releasing source code and, when feasible, my data sets. However, those simply don't have the same impact as publications. Publishing a paper isn't mutually exclusive from releasing the source code. Don't blame the researchers. Blame the system that disproportionately rewards publications over other contributions.

The one exception here might be if lots of other researchers use your software or data set in their research. In that case, your data or software could get a DOI and be highly cited in its own right. I doubt a patch to the Linux kernel would get cited much if at all, so the publication is probably the one thing that matters in academia.

Re:So why should AMD systems slow down to cover In

[HiThere]

This is Spectre 1, not Meltdown. I believe it also affects AMD. IIRC, it was also expected to be quite difficult to implement, though I didn't hear any follow-up about that.

I also didn't hear that Rowhammer was specific to Intel. Do you have reason to believe differently?

FWIW, and IIUC, while Linux allows you to disable the protection against Spectre (or was it Meltdown), the kernel automatically optimizes it away if the processor is not vulnerable. (IIUC, the original patch submitted by Intel didn't do that, but AMD submitted a revised patch.)