20180104

Meltdown and Spectre Side-Channel Vulnerabilities

Please refer to the linked pages for the latest information.
[External link]
https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities
Meltdown and Spectre Side-Channel Vulnerabilities

[External link]
https://www.kb.cert.org/vuls/id/584653
Vulnerability Note VU#584653
CPU hardware vulnerable to side-channel attacks
Vendor Information
Multiple CPU architectures are affected. Operating systems and

Vendor        Status    Date Notified  Date Updated
AMD           Affected  -              03 Jan 2018
Apple         Affected  -              03 Jan 2018
Arm           Affected  -              03 Jan 2018
Google        Affected  -              03 Jan 2018
Intel         Affected  -              03 Jan 2018
Linux Kernel  Affected  -              03 Jan 2018
Microsoft     Affected  -              03 Jan 2018
References
https://meltdownattack.com/
https://spectreattack.com/
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
https://github.com/IAIK/KAISER
https://gruss.cc/files/kaiser.pdf
https://gruss.cc/files/prefetch.pdf
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5aa90a84589282b87666f92b6c3c917c8080a9bf
https://lwn.net/Articles/741878/
https://lwn.net/Articles/737940/
http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
https://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/
[External link]
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure
Security Advisory
Published: 01/03/2018
[External link]
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
Mitigations landing for new class of timing attack

[External link]
https://spectreattack.com/
https://spectreattack.com/spectre.pdf
Meltdown and Spectre
Bugs in modern computers leak passwords and sensitive data.
Spectre
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.

Who reported Spectre?
Spectre was independently discovered and reported by two people:

Jann Horn (Google Project Zero) and
Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61)

At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

[Related]
Domain Name: SPECTREATTACK.COM
Registry Domain ID: 2203167838_DOMAIN_COM-VRSN
Updated Date: 2017-12-22T07:53:35Z
Creation Date: 2017-12-22T07:53:35Z

[External link]
https://meltdownattack.com/
https://meltdownattack.com/meltdown.pdf
Meltdown
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Who reported Meltdown?
Meltdown was independently discovered and reported by three teams:

Jann Horn (Google Project Zero),
Werner Haas, Thomas Prescher (Cyberus Technology),
Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology)

At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

[Related]
Domain Name: MELTDOWNATTACK.COM
Registry Domain ID: 2203167847_DOMAIN_COM-VRSN
Updated Date: 2017-12-22T07:53:47Z
Creation Date: 2017-12-22T07:53:46Z
