Over the last few days I’ve collected a lot of Meltdown and Spectre links at 1984 and (IT) (in)security – Google+.
Most of them provide links to what happened this, year, but a few are also on the path leading to these vulnerabilities. In the links you will also find the affected architectures and patches by various vendors which I have tried to summarise below.
In the link collection, I’ve tried to keep the number of hops to the actual sources as short as possible (as many have re-shared original) links but still attribute to the first one I got the link from.
Since the WordPress “Press-This” functionality is limited, even after all these years, so for now it will be a one-time link dump; filling in more of the archival WayBack and Archive.is links and adding more context will hopefully come later.
I will try to keep links roughly in chronological order (please post a comment where I goofed up) and I hope to find some time to have a “most important” or “summary” list eventually.
A few notes first
- At the start of implementing any of these technologies, it was warned these could impose security risks:
- CISC by using a RISC microarchitecture
- processor and MMU level caching
- speculative execution
- indirect branch prediction
- All architectures involving these features are or will be involved over time.
- More of these vulnerability techniques are going to evolve beyond the architectures that have been found vulnerable now in alphabetical order:
- AMD x64/x86
- ARM AArch64
- IBM Power PC
- IBM Z series
- Intel x64/x86
- Patches will slow down things depending on the kinds of workloads.
- The only real solution is for CPU vendors to re-design their architectures so the problems are solved at the hardware levels.
This could take a few generations of CPU hardware, so until then, patches are needed. - Like many cases of vulnerabilities, public relations by various vendors was handled in a bad way. Please try to read through them.
- Read/view:
- [WayBack] Meltdown and Spectre (official site)
- [My Link] My version of the timeline on #Spectre #Meltdown. This post will be updated!… – Jan Wildeboer – Google+
- [WayBack] Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown – Raspberry Pi (because it has a very good explanation on the underlying problems in many architectures)
- [WayBack] Various less technical folks have been asking a lot about what they should be doing about the new exploits. These are my personal opinions. 1. Most emb… – Alan Cox – Google+
- [WayBack] Project Zero: Reading privileged memory with a side-channel
- [WayBack] Google Online Security Blog: Today’s CPU vulnerability: what you need to know
- [My Link] In the light of #Spectre and #Meltdown, one important piece of advice. Buy a hardware wallet like #Trezor for your #cryptocurrency keys. A #Yubikey… – Jan Wildeboer – Google+
- [WayBack] Joe Fitz on Twitter: But we’re still not there. #meltdown and #spectre attack fundamental architecture features that have been built on for decades. We may need to go back to the drawing board. (old intel product lifecycle slide). Everything so far has been in the yellow ‘development’ phase.
- [WayBack] In the wake of #meltdown and #spectre I just ordered a ##nitrokey Start and the ##HSM version from Nitrokey.com Plan: no private key lives on my com… – Jan Wildeboer – Google+
Remember:
-
There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.
via: [WayBack] TwoHardThings There are only two hard things in Computer Science: cache invalidation and naming things — Phil Karlton (bonus variations on the page)
- Caching is the root of all evil.
The Wiert Corner - irregular stream of stuff 