Automated Spectre/Meltdown Checker for Linux OSes

Discussion in 'all things UNIX' started by longshots, Jan 17, 2018.

  1. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    260
    Location:
    Australia
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,283
    Thanks I downloaded this from github and I am running tests with it. As expected Meltdown has been fixed in my Linux but Spectre not so much. I have also heard that my laptop has a new bios to fix it. Going to go on the hunt for that later too.
     
  3. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Thanks for the script. Meltdown? Yeah. Spectre? Afraid not. Hope this is all sorted out soon.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Actually, newer kernel versions should be able to report the state of the patches against Meltdown and Spectre themselves. Note, though, that this only works for x86-64 based kernels.

    This is what Fedora kernel 4.14.13 reports:
    Code:
    grep . /sys/devices/system/cpu/vulnerabilities/*
    /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
    /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
    /sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
    GKH says:
    Kernel 4.14.14 (which is in the Fedora testing repo) "includes some PPC mitigations, and has been built with a retpoline capable compiler for improved Spectre mitigation on x86_64." Kernel 4.15 will contain further mitigations.

    EDIT: I just installed 4.14.14 and got:
    Code:
    grep . /sys/devices/system/cpu/vulnerabilities/*
    /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
    /sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
    /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
     
    Last edited: Jan 21, 2018
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    Unfortunately it's going to take more than simple, common patching to fix the Spectre vulnerability. Think compiling changes and re-compiling of existing code. Iow, not a walk in the park.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,875
    But Spectre isn't such a big deal really, so it's fine.
    Mrk
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,030
    Location:
    Canada
    True it may not be as reliable an exploit as Meltdown, but it is (or certainly will be) capable of being used to remotely exploit browsers using malicious javascript embedded in, for example, an advertisement. The concern is that user's login tokens could be stolen from one open tab via another tab opened running malicious javascript. Spectre is also capable of bypassing ALSR, so it could potentially exploit browser vulnerabilities as well. That said, browser vendors will no doubt patch their products to defend against it. Chrome beta already has the site isolation flag which defends against the exploit nearly 100%. Firefox, I believe, has a similar option available.

    I do agree it's not as bad as the media has made it seem with its sensationalizing of the exploit. Still, it's out there and the tech security industry believes there will more exploits against hardware, at least the cpu, in coming years.

    Sandboxie uses the motto: "Trust no program". Maybe end users should adopt: "Trust no hardware" :D
     
    Last edited: Jan 22, 2018
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.