Re: OK, I'll bite
I agree.
The patches which have been released thus far are temporary solutions and in reality, the need for them is because the OS developers decided to begin with that it was worth the risk to gain extra performance by not flushing the pipeline. Of course, I haven’t read the specific design documents from Intel describing the task switch mechanism for the effected CPUs, but following reading the reports, it was insanely obvious in hindsight that this would be a problem.
I also see some excellent opportunities to exploit AMD processors using similar techniques in real world applications. AMD claims that their processors are not effected because within a process, the memory is shielded, but this doesn’t consider multiple threads within a multitennant application running within the same process... which would definitely be effected. I can easily see the opportunity to hijack for example Wordpress sites using this exploit on AMD systems.
This is a problem in OS design in general. It is clear mechanisms exist in the CPU to harden against this exploit. And it is clear that operating systems will have to be redesigned, possibly on a somewhat fundamental level to properly operate on predictive out of order architectures. This is called evolution. Sometimes we have to take a step back to make a bigger step forward.
I think Intel is handling this quite well. I believe Linux will see some much needed architectural changes that will make it a little more similar to a microkernel (long overdue) and so will other OSes.
I’ll be digging this week in hopes of exploiting the VMXNET3 driver on Linux to gain root access to the Linux kernel. VMware has done such an impressively bad job designing that driver that I managed to identify over a dozen possible attack vectors within a few hours of research. I believe very strongly that over 90% of that specific driver should be moved to user mode which will have devastating performance impact on all Linux systems running on VMware. The goal is hopefully to demonstrate at a security conference how to hijack a Linux based firewall running in transparent mode so that logging will be impossible. I don’t expect it to be a challenge.
Biting the hand that feeds IT
