posted by mrpg on Friday February 16 2018, @08:15AM
from the joke's-on-you-I-only-have-one-processor dept.

New exploits related to Meltdown and Spectre have been found, using two CPU cores against each other in cache-based side-channel attacks. The attacks are likely stopped by existing software patches for Meltdown and Spectre, but not necessarily by the hardware changes that Intel and others are working on:

When details of the Meltdown and Spectre CPU security vulnerabilities emerged last month, the researchers involved hinted that further exploits may be developed beyond the early proof-of-concept examples. It didn't take long. In a research paper – "MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols" – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.

In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.

Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out. Before you panic: don't. No exploit code has been released.

Intel is now offering $250,000 for side-channel attacks.


  • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Friday February 16 2018, @02:34PM (#638810)

    ... Not the description, I understand that on at least a lay level.

    But this is saying, "Yeah, here's an attack.... that may already have been patched." Until "may" becomes "isn't," does this really convey any information? Here's a theoretical attack but we don't know if it can actually work or not, is the equivalent understanding I have.

    At least, I always understood the phrase "proof of concept" to mean here's something perfectly legitimate that definitely is an exploit, just not one that code has been developed to take advantage of AFAWK. This doesn't read like this from the description, and I'm not unblocking archiv on NoScript to RTFA today.

    --
    This sig for rent.
    • (Score: 2) by tibman (134) on Friday February 16 2018, @02:51PM (#638815)

      Not sure if you can have a proof of concept without code. Until there is code I think it's just a theory of concept (or something).

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 0) by Anonymous Coward on Friday February 16 2018, @03:46PM (#638843)

        I think I am just as confused.

        There might be an attack that may be mitigated by an OS that might be patched?

        Call me back when someone finds out.

    • (Score: 3, Informative) by HiThere (866) on Friday February 16 2018, @06:33PM (#638925)

      What he's claiming is that there are these two new attacks that the performance-impacting software patches will handle, but which the hardware patches being worked on probably won't.

      I have no idea how valid his claim is, or on what basis he's making it, especially since it's really doubtful that he knows what all the different hardware companies are working on to patch the current problems. But that's what he seems to be claiming.

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
  • (Score: 1, Interesting) by Anonymous Coward on Friday February 16 2018, @08:26PM (#639012)

    On a Prescott 2M P4 (SL7Z7 630),
    I ran this meltdown code in a loop:
            https://github.com/paboldin/meltdown-exploit
    with varying CPU load and varying physical memory use.

    Although the exploit would be partially successful maybe 1 in 200 to 1 in 2000 times,
    the exploit was never 100% successful.

    The same executable code run on a Core i5 was successful 100% of the time on multiple runs.

    So for a single core processor, I'd say more research is needed.

    For internet access I just use a P4 system booted off a live USB key and it works for me.
