I don’t like how Meltdown and Spectre-related bugs were handled

I wasn’t going to write anything on the recently found x64-architecture-related bugs. I’m not a kernel developer nor even a programmer and I can’t say that I have a solid understanding of what the Meltdown and Spectre attacks are. Also, there is already a ton of articles and posts written by people who have no grasp of the subject.

I’m however a malcontent and I find this a good way to express my feelings:

Intel: as a *BSD user, I am fucking pissed!

 

UPDATE: Intel released microcode updates that are already available for NetBSD (sysutils/intel-microcode-netbsd) and FreeBSD (sysutils/devcpu-data).

Brief history

Bugs related to the x86-64 architecture were found by 4 different people or teams, who were willing to disclose this information to Intel (and maybe AMD and ARM Holdings). There is supposedly no way of knowing for how long these bugs – introduced around 2006 – have been exploited*.
Knowledge that something stinks around Intel has been made public – of all places – on Tumblr, 4chan and then Reddit. Earlier there was the cyber.wtf post on possible issues with speculative execution, and Brian Krzanich – Intel’s CEO – selling as much Intel stock as possible (he is forced to still own some as per his agreement).
 
As I have an opportunity to do so publicly – I would like to thank every person involved in discovering and disclosing these bugs to Intel. Your work is huge!

 

How I see the timeline

2017-03-13

2017-06-01

  • Google Project Zero informs Intel, AMD and ARM Holdings about tragic flaws in their CPUs
  • At some point other researchers inform Intel about the flaws.


  • At some point someone notifies Linux kernel developers
  • At some point someone notifies Apple
  • At some point someone notifies Microsoft
  • At some point someone notifies Amazon (that might have been later)

2017-07-28

  • “Negative Result: Reading Kernel Memory From User Mode” cyber.wtf post

2017-11-29

2017-12-06

  • Apple quietly updates their software

2017-12-29

2018-01-01

  • “The mysterious case of the Linux Page Table Isolation patches” post on Tumblr

2018-01-02

2018-01-03

2018-01-04

  • In response to Intel’s PR, spectreattack.com and meltdownattack.com sites are published with information on already patched operating systems: Linux, Windows and macOS
    Meltdown and Spectre - who got patched (informed)

2018-01-06

2018-01-08

2018-01-09

  • End of embargo.

 

Meltdown, Spectre and BSD – the “pissed” part

Part of my work is UNIX-like systems administration – including BSDs and Linuces. As much as I am happy with the Linux changes already made, I am beyond pissed about how the BSDs were handled by Intel – because they were not. The FreeBSD Security Team received some heads-up just before Xmas, while the OpenBSD, NetBSD and DragonFlyBSD teams received no prior warning.
 
Meltdown and Spectre attacks are hard to perform. It is hard work to mitigate them in software, as the bugs lie in the CPUs and are not fixable by microcode updates. Developers are trying to mitigate these bugs in a way that will deliver the smallest performance losses. A lot of time-consuming work is needed to fix the CPU vendors’ mistakes. Linux developers had this time. BSD developers did not.

BSD user base too small?

The BSD user base is small in comparison to Linux. It seems that it’s too small for Intel. PlayStation 4 consoles are FreeBSD-based (and use AMD CPUs), but I think it’s safe to say that gaming devices are not the most important systems to be fixed. Netflix serves their content off FreeBSD, but the bugs are not remotely exploitable (with the possible exception of JavaScript, but that is running someone’s code locally), so there’s probably not much harm to be done here either.
However, gamers and Netflix aren’t the only ones who use *BSD systems. I’d say that there are more than a few FreeBSD, NetBSD, OpenBSD and DragonFlyBSD servers on the internet.
 
In March 2017, Intel promised “more timely support to FreeBSD”. They knew about the flaws in their CPUs in June and decided that a timely manner is the end of December – shortly before the embargo was to be lifted.
FreeBSDFoundation.org screenshot: Intel promises more timely support
 
Secretive comments and publishing new Linux kernel code did not help. My wording may be strong, but I’m looking at Linux developers here as the people who leaked the information on the bugs. As it was embargoed – I see no real reason to publicly post code that included speculative comments (pun intended) and macros for the whole world to see. Such work should be performed more secretively and not on public svn/git/web/whatever repos.
Just to be clear: I’m administering Linux and *BSD systems in my work. I am not trying to start any form of flame war.
grsecurity on twitter "definitely no embargo"
Anyway, the embargo was to be lifted today (January 9; probably because it is the second Tuesday of the month and Windows patches were to be pushed today) and there are no fixes available yet for OpenBSD, NetBSD and FreeBSD. Matthew Dillon of the DragonFlyBSD project reports some work already done.
The Linux kernel sources leaked during the embargo didn’t change much.
 
Intel and Google (probably Intel more): it was your job to pick the correct people to whom the bugs could be disclosed. In my humble opinion you chose poorly by disclosing these issues, among OS vendors, ONLY to Apple, Microsoft and the Linux Foundation. You did much harm to the BSD community.
 
Intel: It’s your bugs. And you offered “more support” to the FreeBSD Foundation less than 3 months prior to being informed (my guess is that you knew much earlier) about the flaws in YOUR products. I don’t want to write more here as the wording would be too strong.
 

Meltdown, Spectre and Apple

Apple has used Intel processors since 2006, when they switched from Freescale’s PowerPC architecture. This is exactly the time when the bugs were introduced in the name of performance.
Apple made some updates in early December. They were quiet about it (IIRC, it was just another “Thunderbolt firmware update” on macOS), but these updates were the microsofty kind, with information popping up several times.
 
At some point information on the Sierra and El Capitan updates disappeared from Apple’s site. I’m really hoping that this is not their way of forcing people towards High Sierra, as this macOS version had a few very serious security flaws itself and many folks feel safer on older OS X, macOS and iOS versions.
As Apple is not only an operating system vendor – they deliver both software and hardware, and they literally sold insecure products – it is expected that they will patch at least the few latest operating system versions.

 

Links

Meltdown: CVE-2017-5754
Spectre: CVE-2017-5753, CVE-2017-5715
The meltdownattack.com / spectreattack.com site contains FAQs, PoC videos and updated links to various official security advisories.

 
* – I am however hoping that some knowledgeable people will take a look at popular older JavaScript scripts from various places, as it is supposedly possible to perform these attacks that way. Also, I feel less paranoid now about using different browsers (or VMs) for different online services.

2 thoughts on “I don’t like how Meltdown and Spectre-related bugs were handled”

  1. If BSDs being ignored for security issues is going to be the norm (I really hope not) then maybe the BSD projects should band together with a pledge to notify one another if ANY of them find security issues like these.
