Re: Meltdown and spectre

From: Hans Forbrich <fuzzy.graybeard_at_gmail.com>
Date: Mon, 8 Jan 2018 09:51:04 -0700
Message-ID: <0dcfb1ff-9726-ce4a-fc1d-862754934cd9_at_gmail.com>

I suspect the OS manufactureres are in a position to do something about the problem. Most people I know avoid firmware updates like the plague, and I'm not sure that a firmware update is actually going to solve the problem. Besides, who would need to do it: chip manufacturers, bios manufacturers?

Cloud makes it worth exploiting. But once the exploit is available, it'll likely be rolled out to all platforms with glee. No additional expense involved.

/Hans

On 2018-01-08 9:32 AM, Reen, Elizabeth wrote:
>
> True. I had just read the news accounts so I was wondering why O/S
> manufacturers were making the patches. Neither side is clean here, but
> it was not really a problem if you had control of the whole server.
> It’s only really become worth exploiting in the cloud.
>
> Liz
>
> Elizabeth Reen
> CPB Database GroupManager
> 718.248.9930 (Office)
>
> Service Now Group: CPB-ORACLE-DB-SUPPORT
>
> *From:*oracle-l-bounce_at_freelists.org
> [mailto:oracle-l-bounce_at_freelists.org] *On Behalf Of *Hans Forbrich
> *Sent:* Friday, January 05, 2018 6:51 PM
> *To:* oracle-l_at_freelists.org
> *Subject:* Re: Meltdown and spectre
>
> On 2018-01-05 2:33 PM, Reen, Elizabeth (Redacted sender elizabeth.reen
> for DMARC) wrote:
>
> I have a background in system engineering. I don’t get how a chip
> can be exploited. What code can be hacked there?
>
> For speculative execution, a command is executed that MIGHT be
> required. That command might ask to move stuff into some portion of
> memory, or need a specific page moved in. If that command is then
> rolled back, what happens to the memory that it just filled? (Hint:
> it's still filled in, perhaps with a password.) Back in the day
> (early 90s) when this stuff was dreamt up, the idea of flushing that
> memory on command rollback would not have been a concern - hacking was
> for fun, not profit, in those days. It's not actually the code being
> hacked, as much as a side effect that is not properly handled.
>
> It wasn't just the hardware guys, either. We s/w devs were pretty
> sloppy about things like end-of-arrays and random pointers in our
> code, and few people worried about (or even understood) what happened
> at the chip level. (Remember why Java came into being?)
>
> /Hans
>

--
http://www.freelists.org/webpage/oracle-l

Received on Mon Jan 08 2018 - 17:51:04 CET

This message: [ Message body ]
Next message: Reen, Elizabeth : "RE: Meltdown and spectre"
Previous message: Reen, Elizabeth : "RE: Meltdown and spectre"
In reply to Reen, Elizabeth : "RE: Meltdown and spectre"
Next in thread: Reen, Elizabeth : "RE: Meltdown and spectre"
Reply: Reen, Elizabeth : "RE: Meltdown and spectre"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message