Scientists discover new vulnerability affecting computers globally


Post by AZgl1800 »

https://techxplore.com/news/2021-04-sci ... bally.html

I just read this while scanning thru the Tech News this evening,
did a search on this forum, and didn't see any mention of it.

I recall it being discussed the first time around a year or two ago.

I'm just wondering how much Linux users need to worry about this stuff?
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint

Post by Lady Fitzgerald »

I'm thinking we don't need to worry much, if at all, based on these two articles from around three years ago:

https://www.zdnet.com/article/how-linux ... d-spectre/

https://www.zdnet.com/article/major-lin ... y-problem/

Linux teams have been pretty good about keeping up with new vulnerabilities, including testing and releasing patches quickly instead of waiting until a certain time of month or using all of us as guinea pigs (I'm looking at you, M$), so I'm not worried.
Jeannie

To ensure the safety of your data, you have to be proactive, not reactive, so, back it up!

Post by all41 »

trust in my TFH and remain naive--that is my strategy
Everything in life was difficult before it became easy.

Post by karlchen »

"I'm thinking we don't need to worry much, if at all, based on these two articles from around three years ago:"
Whoever reads the article, to which AZgl1800 has linked, carefully, should understand that the articles from 2018 and the fixes against the old CPU vulnerabilities do not protect against the newly discovered CPU hardware vulnerability.
Not being worried in this situation merely means, the reader has not read carefully enough or simply not understood. :shock:
"Linux teams have been pretty good about keeping up with new vulnerabilities"
The Linux Mint development team has never been involved in developing CPU kernel patches. Mint gets its kernels from a) Ubuntu or b) Debian.
So trusting the Linux Mint team to deploy security firmware and kernel security fixes to their users quickly, once such fixes have become available, is fine. The point is: currently there is no such security fix around. :(

What we have not learnt from the article is how easy or how difficult it is to exploit the newly detected vulnerability.

My conclusion:
+ No need to panic. Panic is the worst advisor in all cases anyhow.
+ Watch in which direction things evolve. Ignoring does not help. Ignorance is not strength, but just that, ignorance.
Last edited by karlchen on Sat May 01, 2021 9:12 am, edited 1 time in total.
Reason: Corrected: "Linux Mint development team", not Linux development team - my careless typing, so sorry, so ashamed, oh my god, how embarrassing ... digs a hole in the ground and jumps into it ...
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 771 days now.
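
An added example, not part of the thread and not any poster's code: a shell sketch that summarises what the running kernel itself reports under `/sys/devices/system/cpu/vulnerabilities`, which is where kernel and microcode fixes of the kind discussed above become visible once a distribution ships them. The function names and the sample status lines are constructed for illustration; an issue the running kernel does not yet know about simply has no entry there, so absence of an entry says nothing about exposure.

```shell
#!/bin/sh
# Added example: summarise the kernel's own CPU-vulnerability report.
# Each file in the sysfs directory below holds a single status line.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> ok | partial | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*)               echo ok ;;
        *"Mitigation:"*[Vv]ulnerable*) echo partial ;;   # e.g. "...; SMT vulnerable"
        *"Mitigation:"*)               echo mitigated ;;
        *[Vv]ulnerable*)               echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# report_cpu_vulns [DIR]: print "class name: status" for every entry.
# Returns 0 if all entries are ok/mitigated, 1 otherwise, 2 if DIR is missing.
report_cpu_vulns() {
    dir=${1:-$VULN_DIR}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(head -n 1 "$f")
        class=$(classify_status "$status")
        case "$class" in ok|mitigated) ;; *) rc=1 ;; esac
        printf '%-10s %s: %s\n' "$class" "${f##*/}" "$status"
    done
    return "$rc"
}

# has_entry NAME [DIR]: succeeds only if the running kernel reports on NAME.
# A missing entry means the kernel has no status for that issue, not "safe".
has_entry() {
    [ -f "${2:-$VULN_DIR}/$1" ]
}

# make_sample DIR: constructed sample entries (not captured from a real host).
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: Clear CPU buffers; SMT vulnerable" > "$1/mds"
    echo "Not affected" > "$1/tsx_async_abort"
    echo "Vulnerable" > "$1/spec_store_bypass"
}

# Report on the live system if sysfs exposes the directory, else on the sample.
if [ -d "$VULN_DIR" ]; then
    report_cpu_vulns "$VULN_DIR" || true
else
    demo=$(mktemp -d) && make_sample "$demo" && { report_cpu_vulns "$demo" || true; }
    rm -rf "$demo"
fi
```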

Post by rene »

karlchen wrote: Sat May 01, 2021 5:09 am Not being worried in this situation merely means, the reader has not read carefully enough or simply not understood. :shock:
Well.... that or he or she has noticed that an in fact practical rather than mere conceptual attack based on these spectre-like principles is extremely involved and exceedingly unlikely to be relevant in the context of a Linux desktop distribution such as on this here forum. You're going to be running any exploit locally due to incredibly precise timing requirements for one: I'd expect any such local malware-infection to sooner just encrypt my home directory than implement a basically near-practically impossible, highly timing-sensitive exploit.

Now, don't get me wrong, theoretically it's an interesting and darned fundamental family of vulnerabilities, but more than theoretical it is for now not, not even in the context of e.g. servers, most definitely not in the context of Linux desktop users. As in, poo-poo...

This is moreover a little oddly stated:
karlchen wrote: Sat May 01, 2021 5:09 am The Linux development team has never been involved in developing CPU kernel patches.
The Linux Mint development team I expect you aimed to say? Sure, but that's not what LadyF said...

Post by t42 »

Of course Ashish Venkat et al. are in the know, as they for years contributed to the pool of ideas which led to the creation of CPU model prone to spectre-like vulnerabilities, as you can trace, for example, in the article from 2012, Execution Migration in a Heterogeneous-ISA Chip Multiprocessor by Matthew DeVuyst, Ashish Venkat, Dean M. Tullsen, University of California, San Diego

Prior research has shown that single-ISA heterogeneous chip multiprocessors have the potential for greater performance and energy efficiency than homogeneous CMPs. However, restricting the cores to a single ISA removes an important opportunity for greater heterogeneity. To take full advantage of a heterogeneous-ISA CMP, however, we must be able to migrate execution among heterogeneous cores in order to adapt to program phase changes and changing external conditions (e.g., system power state).

This paper explores migration on heterogeneous-ISA CMPs. This is non-trivial because program state is kept in an architecture-specific form; therefore, state transformation is necessary for migration. To keep migration cost low, the amount of state that requires transformation must be minimized. This work identifies large portions of program state whose form is not critical for performance; the compiler is modified to produce programs that keep most of their state in an architecture-neutral form so that only a small number of data items must be repositioned and no pointers need to be changed. The result is low migration cost with minimal sacrifice of non-migration performance.

Additionally, this work leverages binary translation to enable instantaneous migration. When migration is requested, the program is immediately migrated to a different core where binary translation runs for a short time until a function call is reached, at which point program state is transformed and execution continues natively on the new core.

This system can tolerate migrations as often as every 100 ms and still retain 95% of the performance of a system that does not do, or support, migration.
-=t42=-

Post by rene »

t42 wrote: Sat May 01, 2021 8:15 am Of course Ashish Venkat et al. are in the know as they for years contributed to the pool of ideas which led to the creation of CPU model prone to spectre like vulnerabilities.
Must say that I don't seem to understand why/how you feel that particular paper (at least) to be relevant in this context: it seems to not at all concern itself with speculative execution, the common factor in this family of vulnerabilities.

Post by t42 »

rene wrote: Sat May 01, 2021 8:23 am it seems to not at all concern itself with speculative execution, the common factor to this family of vulnerabilities.
Agree, it's not per se, but I see the vector is clearly in that direction. Still, this research article confirms their competence level.

Edit. "competence level" - no need in that too: they virtually invented the vulnerability :)
Last edited by t42 on Sat May 01, 2021 9:20 am, edited 1 time in total.

Post by karlchen »

rene wrote: Sat May 01, 2021 7:46 am The Linux Mint development team I expect you aimed to say?
Precisely, corrected my post above accordingly.

Apart from this:
I had written:
What we have not learnt from the article is how easy or how difficult it is to exploit the newly detected vulnerability.
Why then are you so eager to convince me that once again the found CPU design flaw were only theoretical?
Maybe precisely this will be the result of further thorough investigation. Maybe not. Maybe it will be exploitable in real computer life as well. I do not know.
Why the heck everybody is so keen to declare immediately that any newly detected vulnerability may affect everyone, except users of Linux distributions?

Post by Portreve »

As the sign hanging from my home office (i.e. "computer room") door says...

Image


I originally made this sign when I was working at Sony's call center and had it hanging on my overhead for a couple years or more. It seemed to fit quite a number of callers' mentality about their situations. As the years have rolled on, it's amazing how prescient it's become about a great many things going on with society at large.
Last edited by Portreve on Sat May 01, 2021 10:28 am, edited 1 time in total.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel

Post by rene »

karlchen wrote: Sat May 01, 2021 9:13 am Why the heck everybody is so keen to declare immediately that any newly detected vulnerability may affect everyone, except users of Linux distributions?
I am not. What I am saying is that this family of vulnerabilities is exceedingly hard to exploit in any real-world meaningful manner, in essence regardless of platform, but is explicitly less worrisome for desktop users than for server administrators due to the involved nature of any potential real-world exploit making former not a cost-effective target, certainly not in a world where even latter aren't in fact being targeted due to said involved nature. And then finally desktop Linux comes into it only in the sense of this needing a local exploit, malware, and malware being muchmuchmuchmuchmuch less of a problem in the desktop Linux world than e.g. the desktop Windows one. Even if only, if you were to insist on it, by muchmuchmuchmuchmuch less of it existing.

Note; the idea of this family of exploits does not need "further thorough investigation" for me to make a comment such as I did. The specific methods of leakage are different but what this family of vulnerabilities shares is the principle that while speculatively executed code may not influence macro-state of the CPU it does influence micro-state, together with said micro-state in fact being observable from the macro-level due to timing characteristics caused by the speculative execution having populated a cache.

And this is all we need to know as to difficulty of deploying an actual, real-world exploit. And, yes, sure, I do not expect you to immediately take me on my word, and not being all that devious-minded myself certainly I've been known to overlook avenues of attack --- but really the general principle here still fully warrants my above comment(s) and then, as the reason for me commenting at all, not your unduly "shocked" tone when you said
karlchen wrote: Sat May 01, 2021 5:09 am Not being worried in this situation merely means, the reader has not read carefully enough or simply not understood. :shock:
Really. Trust me (or not, but...) there's again very, very little to see here in another than conceptual sense. Yes, technically this is great stuff and the fact that these vulnerabilities exist at a deep hardware level makes them very fundamental. But fundamental is something quite different from real-world applicable, a couple of thousand times over from real-world applicable to desktop Linux Mint users.

:notshock:

Post by Portreve »

I'm going along with rene on this one :o for at least the reason that it's smart to always maintain situational awareness.

It may be that this exploit will never come to anything; however, not only can we not know that going forward, we also cannot know the full benefit of knowing about this sort of thing. What life experience has taught me is that while one should definitely not allow themselves to be ruled by fear or panic, as you already stated, karlchen, failure to be aware of what's going on around you (or being attempted) can prove to be detrimental "down the road".

Sooner or later, one or more of these various forms of exploitation may well successfully be used to harm individuals or the broader general public.

As you also said, karlchen, ignorance is not strength. Unless, of course, one dwells amongst that portion of the population which supports the tenets of Big Brother (even though they think they are actually against BB...):
  • War is Peace
  • Freedom is Slavery
  • Ignorance is Strength

Post by karlchen »

Hi, rene.

Thank you for explaining in such detail twice, why very likely in actual computer life, the newly detected CPU vulnerability will be no good starting point for efficient attacks. :D

Cheers,
Karl

Post by rene »

Hey. Now you're just trying to confuse me. An internet discussion with a shared conclusion? Not falling for that...

Post by Portreve »

rene wrote: Sat May 01, 2021 12:19 pm Hey. Now you're just trying to confuse me. An internet discussion with a shared conclusion? Not falling for that...
Don't worry: the dizzying sensations will soon pass. In the meantime, why not have a cup of tea and relax?

Post by rene »

Ah great. Yet one more doomsday security thread resurrected from the dead. Can after all never have enough of those.

Post by MurphCID »

How about we keep all our Doomsday scenario threads into this one, and pin it?

Post by rene »

MurphCID wrote: Sun Oct 17, 2021 12:06 pm How about we keep all our Doomsday scenario threads into this one, and pin it?
Yeah, good luck trying to make that one happen, LOL...

Post by Lady Fitzgerald »

What is it with newbies necroposting?

Post by MurphCID »

Lady Fitzgerald wrote: Sun Oct 17, 2021 2:14 pm What is it with newbies necroposting?
I'm guilty of it as well, so I cannot speak on that issue. :)