Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says.
The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs.
Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and was likely to involve "a ton of work to mitigate (mostly app recompile)".
But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."
(Score: 3, Informative) by http on Tuesday June 26 2018, @02:37AM (3 children)
The "what to do" seems straightforward -
...but that means spending money and time, something few businesses are willing to do if they've gotten used to 'not doing' up to now.
I browse at -1 when I have mod points. It's unsettling.
(Score: 4, Informative) by Knowledge Troll on Tuesday June 26 2018, @03:05AM (2 children)
This analysis seems to focus specifically on servers. And according to our devs we should trust our devs and I do in fact trust our devs. I do not think our devs would do anything malicious. That's not the problem.
You can trust the developers to be good people but you can't trust the developer accounts to only be used by the developers. The workstations the developers use are also vulnerable to these problems as well and security in their workstations is probably more important than security in our servers because our servers aren't running JavaScript from random websites.
This is what I mean by we can't just have our developers stop working - they need to interact with the world to work. And do it on a machine that is demonstrating it is not fit for the task.
W-T-F
(Score: 1, Interesting) by Anonymous Coward on Tuesday June 26 2018, @07:45AM
So you're afraid their workstations will get compromised.
I guess it sucks for some use cases, but the penalty for slowing down workstations is not that great, so just do your best to disable hyperthreading.
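A way to verify the "disable hyperthreading" advice in the comment above on a Linux workstation, as an added example that is not part of the thread: it reads the kernel's `smt/control` knob where the kernel provides one and counts logical CPUs that still share a core with another online thread. The function names and the overridable sysfs root are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit whether SMT (Hyper-Threading) is really off on a Linux host.
# The sysfs root is a parameter so the logic can be run against a constructed tree.

# Print the kernel's SMT control state, or "unknown" when the knob is absent.
smt_control() {
    root="${1:-/sys/devices/system/cpu}"
    if [ -r "$root/smt/control" ]; then
        cat "$root/smt/control"
    else
        echo unknown
    fi
}

# Count online logical CPUs whose core still has a second online thread.
# An online CPU with no online sibling lists only itself (e.g. "3");
# a shared core lists several CPUs (e.g. "0,4" or "0-1").
smt_shared_cpus() {
    root="${1:-/sys/devices/system/cpu}"
    n=0
    for f in "$root"/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            *,*|*-*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Succeed only when no core exposes two online hardware threads.
smt_is_off() {
    [ "$(smt_shared_cpus "$1")" -eq 0 ]
}

# Human-readable summary for one host.
smt_audit() {
    echo "smt/control: $(smt_control "$1")"
    echo "logical CPUs sharing a core: $(smt_shared_cpus "$1")"
    if smt_is_off "$1"; then echo "result: SMT off"; else echo "result: SMT ACTIVE"; fi
}

smt_audit "$1"
```

Checking the sibling lists rather than only `smt/control` catches hosts where the firmware setting was changed back or the kernel has no such knob.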
(Score: 1, Interesting) by Anonymous Coward on Tuesday June 26 2018, @09:38PM
First, I assume you're a high value private company, but not military or centrifuge manufacturing or anything. That said:
Buy your devs $150 laptops.
Put those on a different network.
Let them bring in data that way. But take the in-office network off the internet.
Thusly, it becomes very hard for your devs to browse to stackoverflow, load a poisoned ad, and compromise your perimeter. Instead, the laptop network will be 'taken' and that's just fine.
When they need to move data that they can't crunch on the laptops or that they need to push to the public, USB sticks. Yeah, that's an in/exfiltration opportunity. No, it's nothing compared to being hooked into the net. A nation state actor will compromise you, even if they have to walk up to your building and do it in person. But your competitors might not, and general wannabe crackers sure won't.
$150/head is a lot cheaper than ... just about any other option! Plus a few K to set up a Linux image and ongoing support as they need reflashing, but IT gonna IT.