Tuesday, January 30, 2018

Speculative Speculation

   Patch.

   NO WAIT!... DON’T Patch!

   It may cause unexpected reboots (as opposed to the expected kind???? J).

   It may cause system slowdowns.

   It may conflict with your other system controls.

   It sounds kind of like the “fine print” in one of those pharmaceutical adds… patching side effects may include arrhythmia, faintness, moderate to severe amnesia, flushing of the face, dry mouth, blurry vision, visual distortions or white spots, nausea and vomiting, constipation, muscle twitches, confusion, euphoria, sedation, itchiness, and increased anxiety, respiratory or cardiac arrest, coma, hypoventilation (inadequate ventilation), and possibly death.

   This whole Spectre/Meltdown thing has gotten so much attention lately. But the reports are loaded with misinformation, speculation (!), and even some facts.  I’ve have seen some uber-geeky explanations of what is going on.  If you haven’t seen the major rant by the father of linux Linus Torvalds, check this out.

   One thing that has been lacking is more simple, straightforward explanations of this complex topic.  I think Steve Gibson did a great job talking about this recently in his SecurityNow! podcast.  He actually explained the underlying mechanism of speculative execution years ago when he was talking about how modern processors work.

   Speculative Execution is really pretty cool.  It can be complex, but a good example is when there are two choices in how some code may execute, i.e. GO here or GO here, the processor does both!  And it executes steps ahead from where you are in the code now.  The overall effect is that the code executes faster.  It’s kind of like paying it forward with extra computing cycles.  Here's a great explanation.

   Here’s the point about this vulnerability… we’ve had plenty of named vulnerabilities.  They are all the rage these past few years – a name and a logo.  But most of these vulnerabilities are code or protocol problems.  Yes, some of those were very wide ranging.  However, this newly discovered problem is a vulnerability in the underlying architecture of nearly every modern computer chip created since 1995.  Everywhere.

   And while this has not been exploited in practice, that will happen.  The Fix is not yet in.  For now, the advice is to not panic, patch selectively and we’ll all watch and wait!
Posted by at
Labels: , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)