Should security issues be disclosed in the following scenario

Discussion in 'other security issues & news' started by chrcol, Mar 30, 2018.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    1 - No active known malware exploiting the vulnerability.
    2 - Not possible to fix on millions of devices.
    3 - Fix is difficult to implement.
    4 - PoC can be used to create malware.
    5 - Fix has heavy performance penalty, setting industry back a decade.

    Ironically all 5 of these apply to spectre/meltdown.

    Spectre cannot be fixed on hardware out in the wild, it can only be partially mitigated. In addition the performance penalty is huge; it only seems low on desktops as Microsoft have implemented the mitigation only on kernel calls, and desktop is mostly userland, however kernel-call-heavy tasks such as loading Chrome are still significantly slower. On servers in some workloads it's a complete disaster.

    Meltdown mitigation has caused compatibility issues; ironically my own laptop is affected, task manager hanging, NOD32 hanging, all because of locked kernel threads getting stuck. This can also have a huge impact on kernel-heavy loads. On my main rig, here is some performance delta for starting Chrome with a set amount of tabs and extensions.

    Haswell no meltdown mitigation - 9 seconds before fully loaded and cpu idle.
    Coffeelake no meltdown mitigation - 3 seconds
    Coffeelake meltdown mitigation - 7 seconds

    All this because people couldn't keep their mouth shut and just keep quiet about an undiscovered vulnerability.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That is a good point but, once one researcher knows about it, what are the chances they won't tell someone else?
    At the same time, if one researcher finds it and decides not to report it, the next guy to find it might be someone who informs their own government about it.
    One US state just made it illegal to do that kind of research in the first place. Of course that means the only people doing it in that state will be criminal hackers who definitely won't be reporting it.
    They would be too busy exploiting it or selling it to the highest bidder.
     
  3. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Thanks for your reply, it's interesting to hear what people think about this. I am on the fence, hence the question. :)

    My personal inclination is that perhaps it should be reported to trusted large organisations like it was originally done in 2017, so patches etc. can be developed, but then held back and not deployed if they have nasty downsides, and especially when they are not a complete mitigation, as is the case with Spectre. So basically a risk assessment should be carried out on the risk of making something public when there is no active malware and there are also serious performance implications.

    My move may be stupid, but being honest I disabled Meltdown mitigation on my desktop, and haven't even bothered to patch my BIOS for Spectre.

    On my laptop the Windows Meltdown patch causes task manager to need 8 seconds to start up the first time after boot, even if I disable it via the registry. This suggests there is some kind of nasty overhead just from the patch alone (with mitigation disabled), or the registry tweak doesn't work on desktop versions of Windows (Microsoft added it for server administrators). I also get weird kernel locking issues on my laptop.

    On my desktop the laptop issues don't occur, but I get stuttering in games, Steam takes noticeably longer to load and Chrome takes noticeably longer to start up. I haven't done extensive testing on my desktop yet though, so I don't know if disabling via the registry brings the performance back or if the entire patch needs to be uninstalled.

    Since Microsoft now do one big security patch in a rollup though, not having the Meltdown patch installed means having no security patches newer than Jan 2018 installed.
     
    Last edited: Apr 1, 2018
  4. guest

    guest Guest

    Assuming really no one knew the vulnerability... I won't bet on it... I'm not even saying the vulnerability could be "implemented".
     
  5. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    Well yeah, it's possible a few individuals and specialists used it in targeted attacks; my comment was more along the lines of malware used on masses of people for automated compromises.
     
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    How else do you expect Intel & Microsoft to increase the slumping numbers of PC sales?

    There's no fix, you must buy new hardware.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    My view is that we've already been kept in the dark about this for a decade or more - I am sure the agencies and the processor companies were well aware of this class of vulnerability, and the TLAs were able to exploit it if required.

    So no, I don't believe it benefits us as consumers in the long term to have defective products sold to us, even if we're now facing mitigation rather than fix.

    The bad guys - sophisticated ones - would also have been able to find this class of thing without any proof of concept. Likely, they didn't need to so much because the overall software/hardware infrastructure is so "terrifically weak", target rich.

    We need - again, as consumers, which means it may well not happen - to insist on the hard work and lowered profit necessary to have trustworthy systems. But we are facing powerful entities that are incentivised in the opposite way, either through profit or the collect-it-all attack mentality.
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    A LOT of these security issues are backdoors for the 3letters that have been leaked or found.
     
  9. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    Yes, it should.
    Security through obscurity is never a good thing.
     
  10. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    reasonablePrivacy, so how does disclosure improve security on devices that cannot be patched?

    Scenario before - no malware using the vulnerability, unpatched.
    Scenario after - malware authors probably trying to write code for it, and devices will be vulnerable for life.

    For reference, it turns out the task manager issues and kernel locks on my laptop go away when NOD32 is uninstalled, so even though NOD32 adds the compatibility registry key indicating it has no issues with the patch, it does have a conflict of sorts on my laptop. My desktop doesn't have NOD32 installed, hence the same issues are not present on it.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    It is not realistic to assume that no one is going to figure out that vulnerability in the near future. By not disclosing, you would only postpone the inevitable, potentially making things even worse.

    In the Meltdown scenario, devices can be secured by a mix of firmware and software updates.
    In potentially harder to mitigate scenarios, devices can be replaced by other devices or can be secured by other new devices.

    Potential buyers of vulnerable devices (those who would buy vulnerable devices after disclosure) are aware of the security bug, so they can make an informed decision about what to buy.
     
  12. guest

    guest Guest

    Analogy: It is not because a few people have bad side effects from the medicine that the disease should be ignored.
     
  13. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I disagree that it's inevitable; there will be many undiscovered, undisclosed vulnerabilities that never get discovered. It took them over a decade to get a PoC.

    I also disagree on the security via obscurity; it's proven to be effective against exploits that are automated and concentrate on low-hanging fruit, e.g. simply changing the port an sshd service listens on stops it being scanned by automated scanners for vulnerabilities. Granted it won't do much if you are the victim of a targeted attack, but the vast majority of individuals won't be.

    Now we come to "security ALWAYS comes first". If that applied in the real world, then every banking branch would have guards posted outside at night, multiple external walls, complicated locks and so on. As an example, on the servers I manage for a living I do not deploy "every single" possible security mitigation; a decision is made on the efficiency of such mitigation, impact on end users, performance, breakage etc. as well as risk. Likewise I don't install 20+ pieces of security software on my computer. It's an unrealistic proposal that there should be no risk analysis on security mitigation.

    Meltdown, which can be mitigated via software patches alone, is clearly the more acceptable one, but Spectre variant 2 has no full mitigation available, and it's possible all existing hardware will never ever be able to mitigate it; for that reason alone, disclosing it to the public is pretty irresponsible. The mitigation deployed by Microsoft has no mitigation for Spectre at all on userland code, simply because the performance hit would cause an internet meltdown. It's also why it's disabled by default on Windows Server OS.

    We then come to the performance penalty of these mitigations; for Meltdown and especially Spectre it is high enough that clearly the end user should be in control of whether the mitigation is applied, as the penalty for the mitigations can be severe. Remember again these are not exploits that just ignore all other security barriers, easily remotely exploitable and out in the wild in huge numbers; they are simply proof of concept.

    I suppose it depends on how you look at it; some always look at it as a "what if" scenario, peace of mind. This is why I said maybe disclosing it to the large companies so they can prepare patches etc., but then it should have stopped there; the patches would be ready for fast deployment if actually needed. Intel and AMD definitely should have been allowed to get products on the market immune to Spectre before they even considered disclosing it.

    As another example, it is a bit like someone publicly disclosing a security bug for software whilst there is no known patch or mitigation for the vulnerability; that's also irresponsible, although not quite as bad, as there may be alternative non-vulnerable software available.

    I find it interesting to learn that some consider that this kind of thing shouldn't even be legal, and now I understand the merits of that thinking.
     