Linux Kernel Gets Another Option To Disable Spectre Mitigations

Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack. Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections. A report adds: Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations. The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations.

[...] The latest effort to have mitigations turned off -- and stay down -- is the addition of the PR_SPEC_DISABLE_NOEXEC control bit to the Linux kernel. This bit will prevent child processes from starting in a state where the protections for Spectre v4 are still activated, despite being deactivated in the parent process.

Lobby hard, Intel

Intel chips cheated the most on security, and therefore got burned the hardest by this. Of course they pushed hard to add options to disable the mitigations so that their benchmarks could still look good.

Re:Lobby hard, Intel

[Z00L00K]

I see that there's a difference between the problem and if that is actually a case where it would be a problem in your specific use of the server.

Re: Lobby hard, Intel

I manage approximately 10,000 servers which run some clustered processing software. Only about 100 of them can talk to anything outside the cluster, they just crunch data. There is zero reason for me to take a huge performance hit because they never run foreign workloads or untrusted code.

Never exploited?

That comment is a total red flag. Seems a little bit presumptuous.

Never exploited on a honeypot maybe, or never with with a exe.

The option should be at least available, but the claim it's never been used may be bs

Re:Never exploited?

That comment is a total red flag.

Reminds me of the NSA leaks a few years back where it came out that they influenced companies and projects to adopt weaker security.

Re:Never exploited?

[thegarbz]

but the claim it's never been used may be bs

It may be BS, but it suits Occams Razor quite well. It's a complicated attack requiring knowledge of the target so intimate that many countless easier attacks are available which could achieve a similar goal.

Re:Never exploited?

It's a complicated attack requiring knowledge of the target so intimate that many countless easier attacks are available which could achieve a similar goal.

That's what they said when it first came out. Then someone made a proof of concept that could read kernel memory via javascript from your web browser. The only thing standing between the internet accessing your kernel memory is web browsers all reduced the reported precision of timing.

This is pretty stupid

First you find out your CPU fucks up by the numbers.
Then you mitigate.
Then you need multiple options to turn the mitigations off again.

What the fsck are you silly fscks on about?

I want a decent CPU. And a decent OS, while at it. Thanks.

Re: This is pretty stupid

Sure, but at this scale we are talking about hundreds of thousands of U.S. Dollars to replace the processor, and associated components (new processor means a new motherboard, and maybe even new RAM, etc.).

Your home computer you bought in 2016 might be up for a replacement/upgrade by now, just spend $900 on a new computer/new parts.

Definately overblown risk

Were talking well over a year since this made news, and yet we haven't seen anything remotely a threat in the wild that would cause most of us concern. Yet we were told the sky would fall upon us if we didn't patch. Not only was the threat over inflated, but in my opinion the negative effects of the fixes were also inflated to make news. Obviously the sky did not fall, and the internet never came to a crashing halt.

Sounds like a good idea.

[serviscope_minor]

Spectre etc are dreadful if you're running a server with secrets on. Things that turn remote exploits into local ones are bad.

I don't want the slowdowns on compute machines though. It's not like there's remote access from anything untrusted anyway so the security holes aren't an issue.

Re:Sounds like a good idea.

This. It's that case of "not every X needs Y".
Many machines don't need networking, or any security systems that spawn from such a feature.
Likewise if a compute machine is running purely controlled code, having something that is mainly meant for uncontrolled code is utterly pointless.
Or a Point-of-sale machine only needing bare-bones UI systems and services since it is going to be wrapped over with a clients own UI, be it touchscreens, payment systems and such.

I am very glad they are doing this.
These bugs are a potential disaster waiting to happen, but it won't affect everyone equally if it does even come to pass.
Some simply do not need these protections as a precaution when all it does is royally destroy throughput of certain heavy tasks.

Re:Sounds like a good idea.

[drinkypoo]

I don't want the slowdowns on compute machines though. It's not like there's remote access from anything untrusted anyway so the security holes aren't an issue.

This is what's so great about Linux, or for that matter *BSD. Sane defaults, but you control your computer. That's worth a whole lot of hassle.

Re:Sounds like a good idea.

[arth1]

This is what's so great about Linux, or for that matter *BSD. Sane defaults, but you control your computer. That's worth a whole lot of hassle.

For better and for worse, the reality these days is that most companies are migrating to cloud and devops, where you don't control your own computer, and don't have admins that understand the underlying architectures and the nitty gritty bits of how to configure a kernel or why.
Magic black boxes is the new standard, and control has become a negative word.

Re: Sounds like a good idea.

Point of Sale (PoS) is a bad example.

Point of Sale typically many stores, typically connected over a VPN. There may be servers at the local store, or a single server at the main office, depending on the size of the company.

At any rate, a breach in the network can result in an series of exploits granting access to the entire PoS network.

It gets worse with smaller companies whose PoS computers are more likely multipurpose, and all computers in the company are on a single domain, and a single VPN, and whose servers are not likely to be quarantined from their own internal users by firewalls and dmz zones, and separate hypervisor clusters.

Walmart and Target likely have super secure PoS infrastructure, but they are not the only ones with PoS systems.

There is an old quote "the network is the computer", and this is more true today than it was when it was spoken.

However, there are indeed applications which should not have internet or network access, and as such might never receive any patches for security vulnerabilities. These systems should never be accessed remotely.

Re:Sounds like a good idea.

I don't want the slowdowns on compute machines though. It's not like there's remote access from anything untrusted anyway so the security holes aren't an issue.

This is what's so great about Linux, or for that matter *BSD. Sane defaults, but you control your computer. That's worth a whole lot of hassle.

That's just something ignorant people believe, it's peddling a false sense of security. The hardware (and firmware in that hardware) does a whole lot of low-level functions that you do not control and have no visibility into at all.

Re:Sounds like a good idea.

And what is a "secret"? Does it mean that because I, you, or whoever run computers without "secrets" is OK to leave doors opened? Would you let people stalk you just because you don't have "secrets"?

I hope they implement it as an option (which _already is_), and don't impose it. Otherwise... I'll patch my fucking kernel >:(

Re: Sounds like a good idea.

Bingo. I haven't professionally touched bare metal in nearly a decade.

Do you trust Amazon? A six figure per month aws bill, for example, isn't worth them bending over to pick up. So do you trust them because of that? Trusting Intel has worked out so well, after all.

The good news is everything is cyclical and we're fast heading to the point where cloud madness fucking explodes in disaster.

Re: Sounds like a good idea.

This is why you should always deal with companies your own size.
Then you have a situation where the deal has the same value for both of you.
If you think the it costs a lot then your business have a lot of value to them too and they are willing to work to keep it.

Re: Sounds like a good idea.

[drinkypoo]

Problem is, cloud providers only deliver on their promise when they're big...

no threat actor has ever used these vulnerabilitie

> Meltdown or Spectre vulnerabilities have remained a theoretical
> threat, and no malware strain or threat actor has ever used any in
> a real-world attack.

Really? Has Dr. Xavier been using Cerebro to divine this?

And thus the low IQ have anointed themselves as our prophets through the power of media.

What's the problem?

There's always been kernel command line parameters to disable the mitigations.

While we're at it

[eclectro]

Let's just forego getting vaccinations for any kid because kid's don't get sick from measles or other things any more.

Re:While we're at it

Your analogy is a bit off. It's more like the 'protection' is unnecessary, in fact it's detrimental, if you want to get her pregnant.

Also, a quarantined computer is hardly a threat to gen pop.

Re: While we're at it

I would say the analogy is less like protection to prevent pregnancy as it is more what happens when she starts throwing up and all the other things that happen. Getting pregnant is mostly a non event compared with not getting pregnant because you are protected

Re:While we're at it

[arth1]

(Forego still means precede, even though so many incorrectly use it when meaning forgo.)

I gladly advocate forgoing vaccinations for endemic and childhood diseases, because the vaccines are so effective. They reduce culling, and long term cause harm to humanity by saving individual children.
New harmful or detrimental mutations in the human genome that in themselves are not enough to kill someone, but in combination with diseases like measles have a statistically significant higher morbidity are allowed to spread undiluted into our gene pool. These saved children have children of their own, where they otherwise would have died. When some ignorant anti-vaxxer says that vaccines cause autism, they may very well be right, but for the wrong reasons. It's not the vaccine itself, but that children who might have died now live to reproduce. If children with autism have any lower survival rate if they catch measles than children without autism do, no matter how small that difference is, by vaccinating against measles, the prevalence of autism will increase. There's a significant correlation between vaccinations against childhood illlnesses and the next generation being sicker from other illnesses like autism, asthma and spectrum disorders.

And we get superbugs. Through vaccination against endemic diseases, we instigate an arms race, where new and worse strains appear, which we have little protection against, unlike the milder versions that outcompeted any bad ones because we didn't wage war on them.

Re:While we're at it

It doesn't matter to the bugs that you survived a measles attack due to you being vaccinated or due to having superior genes. They will mutate into superbugs just as much for both cases so your whole reasoning there is completely illogical. If you survive the you have waged war on them, how you survived is useless information.

Re:While we're at it

[thegarbz]

False equivalency. There are other mitigation available that avoid Spectre and Meltdown, such as not letting people run code on your computer.

Re:While we're at it

[arth1]

It doesn't matter to the bugs that you survived a measles attack due to you being vaccinated or due to having superior genes.

This is incorrect. If you've had measles, your immune system is a lot more hardened than with vaccines. If you've been vaccinated, you need booster vaccines, but if you've had measles, you get a fever instantly if you get a vaccine, as your immune system goes into full attack mode. It won't just attack that one strain either, but anything that's close. The weaker "attack" of the disabled pathogens in a vaccine just triggers the immune system "enough" to protect you - not enough to put it in defcon 1.

The problem superbugs have in a "normal" environment without vaccines is that they're outcompeted by the less lethal strains. The milder versions of diseases will always win in the long run - killing your host is not a good strategy for bugs. Adding vaccines changes that, as you fight the strains that are prevalent, taking them away as competition for other strains.

Re:no threat actor has ever used these vulnerabili

the power of media.

The media has no power. The audience chooses to be gullible. Then they can blame the 'tube' for their own lack of self control and absolve themselves of all responsibility.

"no threat actor has ever used any"

Guys nobody gets measles anymore. That means we don't have to vaccinate against it anymore!

No, he's God. He knows ALL the things. ;)

... no malware strain or threat actor has ever used any in a real-world attack.

He's probably a doctor. They always claim that something is "incurable". In all of the universe forever. When really, they just haven't heard of the cure / read the research paper yet.

It's called having a God complex. (Or being one of the spying industry's professional liars.)

I don't see how the vulnerabilities could be so hard to use in the real world. Especially with things like WebAssembly and in-browser virtualization

Re: No, he's God. He knows ALL the things. ;)

Its not that they are too hard to use, its that any usable application has minimal benefit. There are much more effective exploits still in the wild.

There is a subset of users this might be useful against. Those who run with 30+ tabs in a browser at work, where some of those tabs are sensitive information, and some are pure entertainment.

Slashdot, and other websites with external advertising or plugins should be opened in a separate browser. Internet Explorer for Intranet, Firefox for script blocking or Tech news, Chrome for entertainment and general web browsing. Formerly I would have included Edge with tech news browsing, but with its push for Chrome Compatibility, its place in web browsing is non-existent.

Re:No, he's God. He knows ALL the things. ;)

[arglebargle_xiv]

He's probably a doctor. They always claim that something is "incurable". In all of the universe forever. When really, they just haven't heard of the cure / read the research paper yet.

In that case I'm eagerly awaiting the research paper that contains the cure for stupidity.

Retrospective enforcement

[goombah99]

Here's another possible way to work this in a low risk low hazard environment that makes the most sense to me.

1. Don't prevent it or impede it in any way.
2. Except, periodically poll the system state with a hypervisor that looks for evidence of timing based attacks. it could also scoop up row hammer attacks in the same way.
3. Freeze the processes and report them to the admin, and if you opt-in, report suspect behavior with code snippets or fingerprints to a central database

Re:Retrospective enforcement

[MrKaos]

That implies that the hypervisor doing the monitoring is in the CPU scheduler and running on a core all the time. Wouldn't that introduce exactly the same performance penalty as just disabling the branch prediction in first place?

Re: Retrospective enforcement

No.

Protect your server, not your video encoder

[raymorris]

This is about process-level options. Your workstation or server might have a server process that is network accessible, and another proces that is CPU-intensive. You probably do want to enable protection for your file sharing server process or IMAP; you probably want your ray tracer to run at full speed.

An example I've worked with many times is a web server that has videos in several bitrates or formats. In the background, it transcodes videos from whatever format they are in when they are uploaded. That's CPU intensive. You'd want protections on the web server daemon, probably wouldn't want to slow down the transcoding process by adding protections there.

IBM and Microsoft Will Decide

The people have no say in the matter. Learn to serve the corporate state and its subsidiary corporation like a good goy.

It's poor cybersecurity.

One password of 9 ASCII characters can fit in one 64-bit long register.

Proof: 9 x 7-bit = 63-bit < 64-bit

None in the wild?

I guess that must be news to all the secuirty firms, who have been seeing malware exploiting the spectre vulnerabilities (and adding antivirus definitions for) since the beginning of 2018. Methinks the post author has an axe to grind here with their truthy description.

Claiming no malware uses these bugs is hilarious

[ffkom]

Do people seriously expect malware authors to tout: "Hey look, we just used Spectre successfully and extracted a thousand private keys from software that ran on the same physical cloud servers than our malware!"...?

The thing with Spectre and Meltdown is that there is no need to alter the software on the (virtual) CPU cores the victim uses.

Until the current targeted exploits get hacked

And the specifically precise Meltdown attacks out there now are captured and modified by less intense hackers to bother a wider range of systems. Then it's everybody's problem and the option to disable will not be an issue.

Re:Claiming no malware uses these bugs is hilariou

[thegarbz]

Do people seriously expect malware authors to tout: "Hey look, we just used Spectre successfully and extracted a thousand private keys from software that ran on the same physical cloud servers than our malware!"...?

No, people rely on the large security industry which analyses malware in detail to determine how it works and have identified that no known strains of Malware use this attack.

No surprise really either, it's not like this can be packaged in a general purpose attack. To pull this off in any meaningful way requires knowledge of the target detailed enough that there are easier attack vectors available.

You may be laughing, but no one else is.

Spectre/Meltdown's target is limited

[guruevi]

It is only of interest if you are allowing any user to execute random code. Eg. desktops (JavaScript and the like) and cloud/virtual servers MAY be affected by it. But for the vast majority of servers and environments, if these bugs are exploited, you typically have bigger issues to fix.

Re:Spectre/Meltdown's target is limited

[thegarbz]

I disagree. Due to the actual attack vector executing random code won't get you much joy at all. Issuing *targeted* code for a specific machine which you know a lot about may net you something useful. As a result, the random desktop machine isn't really at risk at all. Virtual servers however are as by their nature you've given a customer a wide scope to execute code within their OS.

Re: Claiming no malware uses these bugs is hilario

Really? It's almost as if a certain chip vendor would like to downplay the seriousness of their shite hardware design or something.

We already have it.

You're just actively fighting getting any of it.

And we're not forcing you. We've tried.

The cure is not fucking up your children. Esp. with crap pseudo-food, toxins in the environment, pedagogically incompetent immature "parents", and a degenerated cancerous "culture" of hailing the money god over literally ALL the things.
The kids are mostly already born super-smart. You're just intentionally ruining them because of clinging to your stupid cancerous cultural mindset.