Scientists discover new vulnerability affecting computers globally
- AZgl1800
- Level 20
- Posts: 11173
- Joined: Thu Dec 31, 2015 3:20 am
- Location: Oklahoma where the wind comes Sweeping down the Plains
- Contact:
Scientists discover new vulnerability affecting computers globally
https://techxplore.com/news/2021-04-sci ... bally.html
I just read this while scanning thru the Tech News this evening,
did a search on this forum, and didn't see any mention of it.
I recall it being discussed the first time around a year or two ago.
I'm just wondering how much Linux users need to worry about this stuff?
- Lady Fitzgerald
- Level 15
- Posts: 5808
- Joined: Tue Jan 07, 2020 3:12 pm
- Location: AZ, SSA (Squabbling States of America)
Re: Scientists discover new vulnerability affecting computers globally
I'm thinking we don't need to worry much, if at all, based on these two articles from around three years ago:
https://www.zdnet.com/article/how-linux ... d-spectre/
https://www.zdnet.com/article/major-lin ... y-problem/
Linux teams have been pretty good about keeping up with new vulnerabilities, including testing and releasing patches quickly instead of waiting until a certain time of month or using all of us as guinea pigs (I'm looking at you, M$), so I'm not worried.
Jeannie
To ensure the safety of your data, you have to be proactive, not reactive, so, back it up!
Re: Scientists discover new vulnerability affecting computers globally
trust in my TFH and remain naive--that is my strategy
Everything in life was difficult before it became easy.
Re: Scientists discover new vulnerability affecting computers globally
"I'm thinking we don't need to worry much, if at all, based on these two articles from around three years ago:"
Whoever reads the article, to which AZgl1800 has linked, carefully, should understand that the articles from 2018 and the fixes against the old CPU vulnerabilities do not protect against the newly discovered CPU hardware vulnerability.
Not being worried in this situation merely means the reader has not read carefully enough or simply not understood.
"Linux teams have been pretty good about keeping up with new vulnerabilities"
The Linux Mint development team has never been involved in developing CPU kernel patches. Mint gets its kernels from a) Ubuntu or b) Debian.
So trusting the Linux Mint team to deploy security firmware and kernel security fixes to their users quickly, once such fixes have become available, is fine. The point is: currently there is no such security fix around.
What we have not learnt from the article is how easy or how difficult it is to exploit the newly detected vulnerability.
My conclusion:
+ No need to panic. Panic is the worst advisor in all cases anyhow.
+ Watch in which direction things evolve. Ignoring does not help. Ignorance is not strength, but just that, ignorance.
Last edited by karlchen on Sat May 01, 2021 9:12 am, edited 1 time in total.
Reason: Corrected: "Linux Mint development team", not Linux development team - my careless typing, so sorry, so ashamed, oh my god, how embarrassing ... digs a hole in the ground and jumps into it ...
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
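For readers who want to see what their running kernel reports about the CPU flaws it knows of, here is an added example that is not part of the original thread. It reads the kernel's sysfs directory `/sys/devices/system/cpu/vulnerabilities`; the function names are hypothetical and the sample status strings are constructed. A flaw for which no kernel fix exists yet has no entry there, so a clean report only covers the issues the installed kernel knows about.

```bash
#!/bin/sh
# Classify one status line as reported by the kernel for a CPU vulnerability.
classify_status() {
    case "$1" in
        "Not affected"*)             echo not_affected ;;
        *Mitigation*[Vv]ulnerable*)  echo partial ;;      # mitigated, but part still exposed
        *Mitigation*)                echo mitigated ;;
        *[Vv]ulnerable*)             echo vulnerable ;;
        *)                           echo unknown ;;
    esac
}

# Print "name<TAB>class<TAB>raw status" for every entry in the directory.
report_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        st=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$st")" "$st"
    done
}

# Count the entries that are fully or partly unmitigated.
count_needing_attention() {
    report_cpu_vulns "$1" |
        awk -F'\t' '$2 == "vulnerable" || $2 == "partial" { n++ } END { print n + 0 }'
}

# Constructed sample directory so the example runs on any machine.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable\n' > "$d/mds"
    printf 'Not affected\n' > "$d/l1tf"
    echo "$d"
}

sample=$(make_sample_dir)
report_cpu_vulns "$sample"
echo "entries needing attention: $(count_needing_attention "$sample")"
rm -rf "$sample"
```

On a real Linux Mint system, calling `report_cpu_vulns` with no argument reads the live sysfs directory instead of the sample.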
Re: Scientists discover new vulnerability affecting computers globally
Well.... that or he or she has noticed that an in fact practical rather than mere conceptual attack based on these spectre-like principles is extremely involved and exceedingly unlikely to be relevant in the context of a Linux desktop distribution such as on this here forum. You're going to be running any exploit locally due to incredibly precise timing requirements for one: I'd expect any such local malware-infection to sooner just encrypt my home directory than implement a basically near-practically impossible, highly timing-sensitive exploit.
Now, don't get me wrong, theoretically it's an interesting and darned fundamental family of vulnerabilities, but more than theoretical it is for now not, not even in the context of e.g. servers, most definitely not in the context of Linux desktop users. As in, poo-poo...
This is moreover a little oddly stated:
The Linux Mint development team I expect you aimed to say? Sure, but that's not what LadyF said...
Re: Scientists discover new vulnerability affecting computers globally
Of course Ashish Venkat et al. are in the know, as they for years contributed to the pool of ideas which led to the creation of CPU model prone to spectre like vulnerabilities, as you can trace, for example, in the article from 2012, Execution Migration in a Heterogeneous-ISA Chip Multiprocessor by Matthew DeVuyst, Ashish Venkat, Dean M. Tullsen, University of California, San Diego
Prior research has shown that single-ISA heterogeneous chip multiprocessors have the potential for greater performance and energy efficiency than homogeneous CMPs. However, restricting the cores to a single ISA removes an important opportunity for greater heterogeneity. To take full advantage of a heterogeneous-ISA CMP, however, we must be able to migrate execution among heterogeneous cores in order to adapt to program phase changes and changing external conditions (e.g., system power state).
This paper explores migration on heterogeneous-ISA CMPs. This is non-trivial because program state is kept in an architecture-specific form; therefore, state transformation is necessary for migration. To keep migration cost low, the amount of state that requires transformation must be minimized. This work identifies large portions of program state whose form is not critical for performance; the compiler is modified to produce programs that keep most of their state in an architecture-neutral form so that only a small number of data items must be repositioned and no pointers need to be changed. The result is low migration cost with minimal sacrifice of non-migration performance.
Additionally, this work leverages binary translation to enable instantaneous migration. When migration is requested, the program is immediately migrated to a different core where binary translation runs for a short time until a function call is reached, at which point program state is transformed and execution continues natively on the new core.
This system can tolerate migrations as often as every 100 ms and still retain 95% of the performance of a system that does not do, or support, migration.
-=t42=-
Re: Scientists discover new vulnerability affecting computers globally
Must say that I don't seem to understand why/how you feel that particular paper (at least) to be relevant in this context: it seems to not at all concern itself with speculative execution, the common factor in this family of vulnerabilities.
Re: Scientists discover new vulnerability affecting computers globally
Agree, it's not per se, but I see the vector is clearly in that direction. Still, this research article confirms their competence level.
Edit. "competence level" - no need in that too: they virtually invented the vulnerability
Last edited by t42 on Sat May 01, 2021 9:20 am, edited 1 time in total.
-=t42=-
Re: Scientists discover new vulnerability affecting computers globally
Precisely, corrected my post above accordingly.
Apart from this:
I had written:
"What we have not learnt from the article is how easy or how difficult it is to exploit the newly detected vulnerability."
Why then are you so eager to convince me that once again the found CPU design flaw were only theoretical?
Maybe precisely this will be the result of further thorough investigation. Maybe not. Maybe it will be exploitable in real computer life as well. I do not know.
Why the heck is everybody so keen to declare immediately that any newly detected vulnerability may affect everyone, except users of Linux distributions?
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Scientists discover new vulnerability affecting computers globally
As the sign hanging from my home office (i.e. "computer room") door says...
I originally made this sign when I was working at Sony's call center and had it hanging on my overhead for a couple years or more. It seemed to fit quite a number of callers' mentality about their situations. As the years have rolled on, it's amazing how prescient it's become about a great many things going on with society at large.
Last edited by Portreve on Sat May 01, 2021 10:28 am, edited 1 time in total.
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Re: Scientists discover new vulnerability affecting computers globally
I am not. What I am saying is that this family of vulnerabilities is exceedingly hard to exploit in any real-world meaningful manner, in essence regardless of platform, but is explicitly less worrisome for desktop users than for server administrators due to the involved nature of any potential real-world exploit making former not a cost-effective target, certainly not in a world where even latter aren't in fact being targeted due to said involved nature. And then finally desktop Linux comes into it only in the sense of this needing a local exploit, malware, and malware being muchmuchmuchmuchmuch less of a problem in the desktop Linux world than e.g. the desktop Windows one. Even if only, if you were to insist on it, by muchmuchmuchmuchmuch less of it existing.
Note; the idea of this family of exploits does not need "further thorough investigation" for me to make a comment such as I did. The specific methods of leakage are different but what this family of vulnerabilities shares is the principle that while speculatively executed code may not influence macro-state of the CPU it does influence micro-state, together with said micro-state in fact being observable from the macro-level due to timing characteristics caused by the speculative execution having populated a cache.
And this is all we need to know as to difficulty of deploying an actual, real-world exploit. And, yes, sure, I do not expect you to immediately take me on my word, and not being all that devious-minded myself certainly I've been known to overlook avenues of attack --- but really the general principle here still fully warrants my above comment(s) and then, as the reason for me commenting at all, not your unduly "shocked" tone when you said
Really. Trust me (or not, but...) there's again very, very little to see here in another than conceptual sense. Yes, technically this is great stuff and the fact that these vulnerabilities exist at a deep hardware level makes them very fundamental. But fundamental is something quite different from real-world applicable, a couple of thousand times over from real-world applicable to desktop Linux Mint users.
:notshock:
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Scientists discover new vulnerability affecting computers globally
I'm going along with rene on this one for at least the reason that it's smart to always maintain situational awareness.
It may be that this exploit will never come to anything; however, not only can we not know that going forward, we also cannot know the full benefit of knowing about this sort of thing. What life experience has taught me is that while one should definitely not allow themselves to be ruled by fear or panic, as you already stated, karlchen, failure to be aware of what's going on around you (or being attempted) can prove to be detrimental "down the road".
Sooner or later, one or more of these various forms of exploitation may well successfully be used to harm individuals or the broader general public.
As you also said, karlchen, ignorance is not strength. Unless, of course, one dwells amongst that portion of the population which supports the tenets of Big Brother (even though they think they are actually against BB...):
- War is Peace
- Freedom is Slavery
- Ignorance is Strength
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Re: Scientists discover new vulnerability affecting computers globally
Hi, rene.
Thank you for explaining in such detail twice, why very likely in actual computer life, the newly detected CPU vulnerability will be no good starting point for efficient attacks.
Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
Lifeline
Re: Scientists discover new vulnerability affecting computers globally
Hey. Now you're just trying to confuse me. An internet discussion with a shared conclusion? Not falling for that...
- Portreve
- Level 13
- Posts: 4870
- Joined: Mon Apr 18, 2011 12:03 am
- Location: Within 20,004 km of YOU!
- Contact:
Re: Scientists discover new vulnerability affecting computers globally
Don't worry: the dizzying sensations will soon pass. In the meantime, why not have a cup of tea and relax?
Flying this flag in support of freedom 🇺🇦
Recommended keyboard layout: English (intl., with AltGR dead keys)
Podcasts: Linux Unplugged, Destination Linux
Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Re: Scientists discover new vulnerability affecting computers globally
Ah great. Yet one more doomsday security thread resurrected from the dead. Can after all never have enough of those.
Re: Scientists discover new vulnerability affecting computers globally
How about we keep all our Doomsday scenario threads into this one, and pin it?
- Lady Fitzgerald
- Level 15
- Posts: 5808
- Joined: Tue Jan 07, 2020 3:12 pm
- Location: AZ, SSA (Squabbling States of America)
Re: Scientists discover new vulnerability affecting computers globally
What is it with newbies necroposting?
Jeannie
To ensure the safety of your data, you have to be proactive, not reactive, so, back it up!
Re: Scientists discover new vulnerability affecting computers globally
I'm guilty of it as well, so I cannot speak on that issue.