Spectre & Meltdown & Zombieload oh my!

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Spectre & Meltdown & Zombieload oh my!

#1 Post by Deb-fan »

Ok extremely oddball concept here, while contemplating all this side-channel attack madness going on, Spectre, Meltdown, Zombieload etc. The following popped into my head: can someone run more than one gnu/Linux kernel on a gnu/nix operating system at the same time? After a tad of thought, I believe the answer is yes. That being VM's/true hypervisors such as Kvm, Xen etc. While of course they still all have access to the system's underlying cpu(s), applications launched in these VM's should still totally be subject to the kernel they're running under in the guest OS. Wth does this matter you may be wondering at this point? Well I've long taken to compiling my own kernels, also long been a performance junkie and doing whatever is reasonable to boost kernel performance/speed etc is one of the priorities. So in the recent past I've actually been researching ways to get rid of many of the new mitigations coming down the pipe for Spectre/MD/ZL etc.

Compiled out Retpoline, found the config to compile out PTI = Page table isolation and researching all the boot parameters someone can add to ie: /etc/default/grub to disable whichever mitigations they choose. Depending upon the kernel version you're running etc. While I overall like this and am interested in it, one thing about all these side-channel buggers and beasties is that folks are saying it's possible these exploits can be pulled off via javascript (web-browsers.) Which doesn't make me feel all warm and fuzzy inside when coupled with my having stripped away many of the mitigations for the kernel I'm running in the hopes of reclaiming any lost performance on my ole Intel cpu (atm era 2009ish). Although I do use noscript the Firefox addon to stop javascripts from running unless cleared on a website by the user. Still thinking eventually if this javascript vulnerability is in fact possible that these exploits will trickle down and sooner or later become more commonplace. More widespread ...

This is what got me to thinking about having web-browsers run under a separate kernel. One with all mitigations in full effect, running under a hypervisor to keep them isolated. A barebones gnu/Linux guest VM could be fairly well tiny. Even with all the goodies, Xorg, display manager, windows manager etc etc etc running, much of which may not strictly be necessary on a minimal VM guest OS, my install(s) still weigh in under 100mbs-ram total at idle. A stripped down VM guest strictly meant for running web browsers could be a drop in the resource bucket compared. Though with as hardened a kernel as someone prefers, while leaving the host OS to do its thing sans all these potentially performance bogging patches. While I've seen it said for desktop users with most workloads the mitigations don't really matter anyway, shrugs.

Now at this point, am tossing around ways to set this dorkishness up reasonably transparently, meaning when xyz-browser(s) are launched on the host, minimal VM/guest fires up to manage them, with its hardened kernel hopefully preventing such browser(s) from being able to be messed with by Spectre/MD/ZL on the webz. Got some decent ideas on the matter but mostly just wanted to post this for the heck of it. Get people's feedback and opinions. While of course the affected system would have to be capable of virtualization (mine isn't anyway.) Still thought this idea is somewhat interesting and worth sharing. Also pointlessly pointing out the obvious, this is seriously bad mojo for Intel, will be looking to AMD in future, have long preferred them anyway. Though depending upon the specs/price not going to pass up a good Intel based system that comes down the pike either. What say you fellows?
Most powerful FREE tech-support tool on the planet * HERE. *

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#2 Post by Deb-fan »

Arghhh, this says zombieload can still get at the host os, even via vm! https://www.zdnet.com/google-amp/articl ... ombieload/ Painful though this junk may be, still think it's interesting and has some merit. DAMN YOU INTEL!!! Also honestly believe this crap just didn't happen by coincidence. Think this flawed chip architecture was by design. Only most of us are just now finding out about it!

* Takes off tinfoil hat. :p

Ps, my take on these vulnerabilities from a desktop nixer's perspective, is that they're way overblown and odds of someone being able to remotely compromise a web browser via some Javascript attack incredibly unlikely. On a multiuser system, where nobody knows who all is doing what all, vps etc, yeah more cause for concern but avg desktop nixers, not so much. Just my opinion on it.
Most powerful FREE tech-support tool on the planet * HERE. *

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#3 Post by CwF »

I prefer to build supermicro/intel, ya know the ones with the extra back-door eth chip, and there is no amd equivalent that has ever remotely excited me.
So far I have no indication this current scare is of any concern whatsoever outside of a giga blade data center compromised by physical access. On the home system there are many avenues for protection, #1 is 24/7/365 customer access is not required, so the ability to reach in and grab data can be nil. #2 is your data is outside of direct control once it enters the network. It can and has been scarfed while within providers' networks.
Good to use VM's for browsers. Good to watch traffic. Lock down VM's for focused use, as in certain vm's only go to particular sites, no cross talk. Every week I see a site that sucks cpu and memory beyond normal, soft locks the vm, allows me time to digest while I balloon memory into a recovered state. Sometimes I go after sites like that, capture their crap, see what happens, then wipe the runtime layer of the vm and start over clean in the next few minutes...
#3 If you are a target, good luck. If you are not, stop clicking on crap and you'll be fine.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#4 Post by Deb-fan »

That's it, I'm going back to carrier pigeons and calculators !!! You won't get me Zombieload !!! :D

Mostly agree that this sounds like a perfect thing for someone with physical access to a system/network or at very least creds to log into it remotely. Which in that case, all bets are off anyway and someone with decent tech skills could likely trash a target system one of many ways that'd be easier than side channel attacks, that even many people at NASA don't seem to understand. Same time remotely exploiting = a good pen tester, which would require the targeted system already have holes in it for them to get a foothold ie: vulnerable software, services running (badly misconfigured etc etc.) Again imo, while having something like Zombieload, fallout ... whichever is the latest side channel scare may aid them to some extent, still would have to be involved, with no shortage of other exploits available to take it from there and the avg user isn't likely to be targeted by a professional pen tester regardless. More like script kiddie/automated junk and would still require they do something really foolish to remotely leave a way into their system/network anyway.

If someone installs some web nasty (software-packages) from untrusted sources and gives it priv's on their system(s) there are plenty of ways someone can compromise them anyway, without resorting to all this Spectre/meltdown, super boogeyman on crack nonsense. Also noticed that many of the people feeding the flames of fear as pertains to these cpu exploits often have "we help our client$" or "if you need to contact u$" in the scary sounding info they're putting on their websites. Meaning they are obviously out for some ca$h. Plus many of them don't seem to really understand it themselves. This is really starting to remind me of Y2K, which I called BS on while it was oncoming-ongoing too. Though a bazillion dollars was spent mitigating Y2K too, shrugs. Don't doubt these side channel shenanigans are valid exploits, just think they're mostly just more exploits in addition to the tons of already existing ones. In an enterprise-commercial (multiuser) environment, yep, they don't have much choice but to take some action against this junk.

End of the day, not going to lose sleep over this. More than likely will just keep stripping out any mitigations that I don't like until it becomes counterproductive and as mentioned will focus more on AMD system(s) here forward just cause all this crap has me seriously annoyed at friggin Intel. Personally been saying for years, people don't have a clue what's in the lowest levels of software that's running on their systems anyway ie: bios/uefi ... proprietary drivers etc etc. All of which is lovingly loaded onto our pc's in far east countries, long before we even get our hands on the hardware. Chit ... just had a brainfart concept and hurried to post about the idea. Very unlikely will bother messing with VM's to run a dang web browser. Actually can't, this old laptop doesn't support virtualization anyway. Still think it's quasi interesting and could have some use. Noting of course that I'm a long way from an expert on the topic or on VM's either. Have read enough about this junk to know I don't want to read anymore !!!

Still folks, feedback and comments welcome ... Sorry for the rant.
Most powerful FREE tech-support tool on the planet * HERE. *

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#5 Post by CwF »

Deb-fan wrote: I'm going back to carrier pigeons and calculators
I think you mean slide rules. Calculators led to the metric conversion issue that led us crashing into Mars!

I don't think the worry for a commoner is local infestation. The threat is the multiple devices they allow to contribute to distributed code bots. The local computer doesn't notice and the aggregate of thousands allows action not observable by any one surveillance method. Only the top level aggregators are identifiable, and also disposable pawns.

I do browse in a vm, eight possible on a single read only base (1.4GB), each with a unique read only mid layer (~150MB), and a disposable top layer. I have no browsers installed on bare metal. I rock a flip phone, leave a message.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Spectre & Meltdown & Zombieload oh my!

#6 Post by Head_on_a_Stick »

Deb-fan wrote:my ole Intel cpu (atm era 2009ish)
That doesn't offer hyperthreading and so is immune to Meltdown :)

Check with

grep -R . /sys/devices/system/cpu/vulnerabilities
+1 for AMD.

Disable all mitigations by applying this kernel parameter:

mitigations=off
Not advised though. I can measure no difference with the mitigations enforced when running (eg) Blender or CS:GO so it seems wise to keep them enabled. And disable SMT for all Intel processors 'cos those fuckers just don't know what they're doing.
deadbang

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#7 Post by Deb-fan »

^Woah! :) Cwf

Am also going to have to fall back to horses and buggies, lots electronics and software in modern forms of transport. Surely zombiemelt will kill us all! Did think of something to add to this jazz, Intel_microcode, need to track down some archived versions of it. After spending a bunch of time trying to roll back mitigations in the kernel, don't want to install microcode from Intel and have whatever hurried mitigations they've rolled out in some microcode for my cpu, potentially crapping up my efforts to whatever extent.

Was a thread by Head_on which reminded me of this aspect. You (CwF) mentioned in that thread that you disable hyper-threading on some Intel chips, mind if I ask what kind of performance impact that has? Also just for the record am not advising anyone to do anything in this madcap thread. Employ every side channel mitigation you can get hands on, if it makes you feel better. I'm just doing what works for me as regards this.

Plus would be somewhat more worried if we're dual booting with anything m$, particularly on bare metal. Though who we kidding those people are sitting ducks anyway, Meltzombie or no Zombiemelt. :D

Ps, ninja'd by HOAS, yeah partner I know but as ever you know your stuff. This old thing no HT and have the mitigations=off, in a newer os, don't believe this kernel version supports that parameter. Dang it one more edit, mention I custom compile so anything Debian backports etc doesn't matter to me.
Most powerful FREE tech-support tool on the planet * HERE. *

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Spectre & Meltdown & Zombieload oh my!

#8 Post by Head_on_a_Stick »

Deb-fan wrote:disable hyper-threading on some Intel chips, mind if I ask what kind of performance impact that has?
I have two custom scripts for enabling & disabling SMT on my AMD system — turning it off allows greater heat dissipation in the physical cores and adds ~10fps to CS:GO :)
deadbang
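The check Head_on_a_Stick gives in post #6 (grep over /sys/devices/system/cpu/vulnerabilities, and the mitigations=off parameter it warns against) and the SMT on/off scripts mentioned in post #8 both come down to reading a handful of kernel interfaces. The script below is an added example, not code from the thread or from any poster: it reports each vulnerability entry, counts the ones the kernel labels "Vulnerable", reads the SMT state from /sys/devices/system/cpu/smt/control and smt/active, and counts boot parameters in a command line that switch mitigations off. The sysfs paths and parameter names are the kernel's own; the sample tree and sample command line are constructed here so it also runs on a machine without those interfaces.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits side-channel mitigation
# state through the kernel interfaces the thread mentions:
#   /sys/devices/system/cpu/vulnerabilities/*    (one status file per issue)
#   /sys/devices/system/cpu/smt/{control,active} (SMT switch and state)
#   /proc/cmdline                                (boot parameters in effect)
# The tree built by make_sample_sysfs is constructed sample data.

# Print "name: status" for every file in a vulnerabilities directory.
report_vulns() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-24s %s\n' "${f##*/}:" "$(cat "$f")"
    done
}

# Print how many entries the kernel reports as "Vulnerable" (its exact
# wording; the others read "Not affected" or "Mitigation: ...").
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print "control=<x> active=<y>" for the SMT interface under a cpu root.
# control is one of on/off/forceoff/notsupported/notimplemented; active is
# 1 while sibling threads are online. Missing files (older kernels) are
# reported as notimplemented/0.
smt_state() {
    c=notimplemented; a=0
    [ -r "$1/smt/control" ] && c=$(cat "$1/smt/control")
    [ -r "$1/smt/active" ] && a=$(cat "$1/smt/active")
    echo "control=$c active=$a"
}

# Print the number of parameters in a kernel command line that switch a
# mitigation off (names taken from the kernel's parameter documentation);
# each match is also echoed to stderr. nosmt and mitigations=auto,nosmt
# strengthen rather than weaken, so they are not counted.
count_weakening() {
    n=0
    for p in $1; do
        case "$p" in
            mitigations=off|nopti|nospectre_v1|nospectre_v2|spectre_v2=off|\
            spec_store_bypass_disable=off|nospec_store_bypass_disable|\
            mds=off|tsx_async_abort=off|l1tf=off)
                echo "weakening parameter: $p" >&2
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a constructed sysfs-like tree for offline runs and print its path.
make_sample_sysfs() {
    d=$(mktemp -d)
    mkdir -p "$d/vulnerabilities" "$d/smt"
    printf 'Mitigation: PTI\n'        > "$d/vulnerabilities/meltdown"
    printf 'Mitigation: Retpolines\n' > "$d/vulnerabilities/spectre_v2"
    printf 'Not affected\n'           > "$d/vulnerabilities/l1tf"
    printf 'Vulnerable\n'             > "$d/vulnerabilities/mds"
    printf 'Vulnerable\n'             > "$d/vulnerabilities/tsx_async_abort"
    printf 'on\n' > "$d/smt/control"
    printf '1\n'  > "$d/smt/active"
    echo "$d"
}

# Run against the live host when the interface exists, else the sample.
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    cpu_root=/sys/devices/system/cpu
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo '')
else
    cpu_root=$(make_sample_sysfs)
    cmdline="BOOT_IMAGE=/vmlinuz root=/dev/sda1 mitigations=off nopti quiet"
fi
report_vulns "$cpu_root/vulnerabilities"
echo "vulnerable entries: $(count_vulnerable "$cpu_root/vulnerabilities")"
echo "smt: $(smt_state "$cpu_root")"
echo "mitigation-weakening boot parameters: $(count_weakening "$cmdline")"
```

Run it as an ordinary user; every path it reads is world-readable. A host that has been booted with mitigations=off will still show "Vulnerable" entries in the sysfs directory, which is the quickest way to confirm the parameter actually took effect on the running kernel, and the SMT line shows whether the "disable hyper-threading" advice from the thread is in force without rebooting.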

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#9 Post by Deb-fan »

Cool hey thanks HOAS. Good to get 1st hand feedback from someone I respect fellow nixer. Is some performance hit disabling HT though? For some things, you'd just leave it permanently disabled if not right?
Most powerful FREE tech-support tool on the planet * HERE. *

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#10 Post by Deb-fan »

Also have to ask HOAS. When you say you notice no performance impact with all mitigations left stock you are talking about an Intel chip, not Ryzen/AMD? In which case that'd be reasonable mitigations having a minimal effect, AMD isn't supposed to be affected by this side channel madness. So if it's an AMD chip, it'd be grossly unfair if fixes for them had a negative effect on their (and customers') stuff.

Have seen plenty of benchmarks which report a significant impact on Intel chips, then of course others claiming otherwise. Common sense tells me that yes there's gotta be an impact for affected chips. Too tired/lazy right now to bother with this anymore. Just going to keep doing as I was, see how things turn out.

Ps, and expecting people to disable hyperthreading isn't a solution and a long way from reasonable but I guess Intel's idea of a solution is everybody should just buy one of their 8-9th Gen chips. Which they apparently say aren't affected now. :p
Most powerful FREE tech-support tool on the planet * HERE. *

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Spectre & Meltdown & Zombieload oh my!

#11 Post by Head_on_a_Stick »

Deb-fan wrote:When you say you notice no performance impact with all mitigations left stock you are talking about an Intel chip, not Ryzen/AMD? In which case that'd be reasonable mitigations having a minimal effect, AMD isn't supposed to be affected by this side channel madness. So if it's an AMD chip, it'd be grossly unfair if fixes for them had a negative effect on their (and customers') stuff.
Yes, that's true. I have an AMD system.

But perhaps try some actual benchmarks before discarding the protections.
deadbang

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#12 Post by CwF »

Deb-fan wrote:mind if I ask what kind of performance impact that has?
I approach performance differently. It's not a question of getting all you can out of your hardware. You get what you need and build accordingly. I like all the horsepower you need with the headroom required to relax. Yes, it castrates performance, so what, double up. The available current to hold clock and the resulting thermal headroom results in a per core improvement. My extreme example would be my newest XP machine that I cut from dual 4 core 8 thread to dual dual core. That's 4 real cores in 2 135w sockets. It will hold 3.9+GHz endlessly and do so nearly silent. It also sports an amd Pitcairn XT 4GB also built stout that yes, runs on 32bit XP. A phenomenal machine. Its all-around performance simply can't be matched by a similar family quad core or HT dual core. Booted into debian it gets all 8, don't need the threads. I have more examples. Waste? Sure, but when I ride to the grocery I can loft the front wheel. That's not a waste. Moral; when it's good, get 2. Or more...

I run most vm's with 2 cores, one with av stuff gets 6 and more doesn't help much without clock to drive it. It's not hard or really that expensive for a modern desktop to have 12+ real cores. Note my expense expectations were set years ago, so I think desktop computers are dirt cheap.

stevepusser
Posts: 12930
Joined: 2009-10-06 05:53
Has thanked: 41 times
Been thanked: 71 times

Re: Spectre & Meltdown & Zombieload oh my!

#13 Post by stevepusser »

For recent Intel CPUs (third generation or better), if thermal throttling is a performance bottleneck when they are under maximum load, undervolting the processor will let it run at a higher speed. Other benefits apart from that, even if there's no speed up, is lowering the system temperature under load and extending mobile devices' battery life. That can end up being more important than any kernel tweaks.
MX Linux packager and developer

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#14 Post by Deb-fan »

Sheesh CwF sounds like you really know your way around configing hardware partner.

Dang it I majorly pulled my own thread way off topic. :) Was a brainfart about an approach for browser mitigation against all these nasty sounding side channel monsters. Which hey is reasonable, sandboxing browsers or sheesh just getting rid of javascript, both etc. Not that I even know if it's effective against the damn things at this point! Turned it into an all around all things side channel scary, with myself actually obviously leaning towards its mostly being a joke and smoke and mirrors for majority of gnu/Linux desktop users. Think most of the hubbub surrounding this junk is meant towards enterprise gnu/Linux, vps's, cloud computing etc etc. Believe me I've been up, down and sideways on this crap, because I'm uber anal. So have read and reviewed aplenty. Am not saying jettisoning all mitigations is right for everybody, in every use case either. That's up to whichever admin right?

On the other hand, one big regret I do have about all this ... Zombieload hasn't eaten this damn Android phone yet, I HATE THE THING !!! :D
Most powerful FREE tech-support tool on the planet * HERE. *

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#15 Post by CwF »

stevepusser wrote:undervolting the processor
Yep, another avenue taking advantage of the same headroom. Amperage is the ultimate clamp, set by thermals. Lower voltage can start off in a better condition.

Deb-fan
Posts: 1047
Joined: 2012-08-14 12:27
Been thanked: 4 times

Re: Spectre & Meltdown & Zombieload oh my!

#16 Post by Deb-fan »

Well the original idea in this is obviously trash/ed. Yep according to plenty of credible sources the host OS is accessible by this zombieload junk through kvm (or another real hypervisor.) Still think this is mostly a concern in a multiuser environment (many of them being who knows who users. With plenty of access time on their hands.) Still not at all worried about this regardless. The only aspect that concerns me is the researchers saying stuff like with a couple lines of javascript ZL can leak xyz but everything I've been able to find on this is so damn vague it's friggin infuriating. Personally been using noscript forever, will continue doing so, as well as never bothering with flashplayer, esp adobe's nightmare and long gotten rid of java in the browser as well. Firefox supposedly patched for this though again not really able to find much good info on what that means.

Saw one source saying they managed to use ZL to extract the /etc/shadow file from a gnu/nix OS via its web browser, it reportedly took them 24hrs to do so and presumably javascript was used for this. Who spends 24 straight hours dorking around on a website normally anyway and with js enabled too? Which of course any passwords they get are hashed anyway, while yeah depending on password strength may be cracked. Still leaves much they'd need to do to find and connect to that system again (would seem highly unlikely truthfully), even if they've successfully gotten ahold of creds for it. Arghhhh. Again ... really think this just amounts to yet more online hazards, nothing more or less. At least for vast majority of desktop nixers. Outside of a multiuser setting can still see where this could make malicious hackers' lives easier if they can get a foothold onto a user's system. Though that still requires that targeted user doing or having done something stoopid for that to be possible. As usual believe it's more of a concern for M$ users in that context, as they're dependent upon M$ to great extent and clearly never an ideal position to be in. Still even for M$'s users, just one more of a TON of other exploits and easy button solution for this threat = AMD. :)
Most powerful FREE tech-support tool on the planet * HERE. *

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#17 Post by CwF »

Ya, 24 hrs on my systems is impossible due to pause capabilities, dhcp timeouts, etc. I still understand this risk as requiring physical access at first. I do believe there are too many ways to have things operating for any standardized approach. Don't forget, to exploit 'adjacent data' it needs to be adjacent. Single home use risk is still zero in my opinion, and at least at the bottom of the risk list.

Since this thread is borked, I'll add another twist. While I do think info leakage to private entities is a bad thing, I've been swayed by a simple argument I heard a decade ago. A government data professional then said, "we are often asked to find the needle in the haystack. This requires ONE thing, the haystack." In so many ways big data is very helpful. In medical research, it's pure gold. I do see both sides and try to explain to people that while detailed info on YOU might be out there, YOU are not necessarily the interest. Big G had some discussion awhile back talking about the disappointment in the info they collect, estimating maybe a third of it is 'actionable'. Most ad revenue is bogus, bad assumptions, already closed the deal, overall exceptionally low hit rate, etc. I've morphed somewhat and am not really concerned with the collection, or the haystack, and don't think it is beneficial or practical to create laws to restrict it. I'd rather see very serious laws against personalized use and abuse. Identity theft might as well be one step more serious than 1st degree murder. Any personal attack on me, I suggest the criminal call the police. I don't like guns, the criminal will wish I did.

With all that, I still segregate browser vm's for a simple reason, crosstalk. Some vm's never see an ad, some very few, some are wide open. I have found aggregation beyond our machines, at least I make them work for it. Note also, per some other threads, I do have browser vm's that live within a gig of memory, most 2GB, this one is sloppy with a 'full' 4GB. It takes but a single click for things to go crazy, but they're already in a padded cell.

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Spectre & Meltdown & Zombieload oh my!

#18 Post by golinux »

@CwF . . . if you have not already watched this, now would be the time. Eben Moglen nails it:

http://forums.debian.net/viewtopic.php?f=3&t=142911

And back on topic . . . I ran

grep -R . /sys/devices/system/cpu/vulnerabilities
and it returned nothing.
May the FORK be with you!

CwF
Global Moderator
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: Spectre & Meltdown & Zombieload oh my!

#19 Post by CwF »

@golinux
I have, should watch it again sometime. It's like no one watches sci-fi stuff, and thinks about it. The things that are happening, like they are new ideas? It's all been addressed, multiple times, some references 40-50 years old.

I do have vulnerabilities. But then I operate as a honey pot, with horsepower and depth.

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: Spectre & Meltdown & Zombieload oh my!

#20 Post by golinux »

@CwF . . . Indeed. Like this Mike Wallace interview 60 years ago in 1958 with Aldous Huxley:

https://www.youtube.com/watch?v=alasBxZsb40
May the FORK be with you!
