Spotted over on HN:
The mysterious case of the Linux Page Table Isolation patches (archive)
tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.
Turns out 2018 might be more interesting than first thought. So grab some popcorn and keep those systems patched!
(Score: 4, Insightful) by Azuma Hazuki on Tuesday January 02 2018, @05:04AM (4 children)
This could be thought of as a logical bug, no? In other words, everything is syntactically correct and working as expected, but real-world usage produces unwanted results? I'm not a programmer and most of the linked article was juuuuuust with my comprehension, but the whole thing had me making painful noises throughout. This is *bad.*
I agree with the analyst that this is probably something that affects virtualization and VM separation, which is why it's being worked on in such secrecy and with such haste. The scary thought is that this is a hardware thing, an emergent behavior from the interplay of software and hardware, rather than just buggy code...
I am "that girl" your mother warned you about...
(Score: 2, Interesting) by Anonymous Coward on Tuesday January 02 2018, @07:19AM (3 children)
Perhaps it just is not possible for mere humans to think of every possible angle of attack and test for it.
Bring on AI?
(Score: 2) by takyon on Tuesday January 02 2018, @07:27AM
https://blogs.microsoft.com/ai/ai-for-security-microsoft-security-risk-detection-makes-debut/ [microsoft.com]
https://www.theregister.co.uk/2017/02/15/rsa_crypto_panel/ [theregister.co.uk]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by unauthorized on Tuesday January 02 2018, @03:02PM
There is no such thing as an AI in the real world, at least if you define AI as a human-designed construct capable of independently interpreting arbitrary set of data and generating useful new ideas from it.
Oh, it absolutely is possible, it just costs a lot more. If you choose to only buy the latest and greatest, you get the trailblazing product you paid for. There is no market interest in building safe hardware or developing safe software.
(Score: 2) by Azuma Hazuki on Tuesday January 02 2018, @10:28PM
In theory it is, though you very soon end up in "infinite monkeys" territory. In practice I think you're right. Though, what about "formally validated" hardware?
I am "that girl" your mother warned you about...