Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Linux

Linux Kernel Gets Another Option To Disable Spectre Mitigations (zdnet.com) 50

Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack. Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections. A report adds: Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations. The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations.

[...] The latest effort to have mitigations turned off -- and stay down -- is the addition of the PR_SPEC_DISABLE_NOEXEC control bit to the Linux kernel. This bit will prevent child processes from starting in a state where the protections for Spectre v4 are still activated, despite being deactivated in the parent process.

This discussion has been archived. No new comments can be posted.

Linux Kernel Gets Another Option To Disable Spectre Mitigations

Comments Filter:
  • Never exploited? (Score:2, Interesting)

    by Anonymous Coward

    That comment is a total red flag. Seems a little bit presumptuous.

    Never exploited on a honeypot maybe, or never with with a exe.

    The option should be at least available, but the claim it's never been used may be bs

    • but the claim it's never been used may be bs

      It may be BS, but it suits Occams Razor quite well. It's a complicated attack requiring knowledge of the target so intimate that many countless easier attacks are available which could achieve a similar goal.

  • Spectre etc are dreadful if you're running a server with secrets on. Things that turn remote exploits into local ones are bad.

    I don't want the slowdowns on compute machines though. It's not like there's remote access from anything untrusted anyway so the security holes aren't an issue.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday February 03, 2019 @11:37AM (#58064176) Homepage Journal

      I don't want the slowdowns on compute machines though. It's not like there's remote access from anything untrusted anyway so the security holes aren't an issue.

      This is what's so great about Linux, or for that matter *BSD. Sane defaults, but you control your computer. That's worth a whole lot of hassle.

      • by arth1 ( 260657 ) on Sunday February 03, 2019 @12:28PM (#58064334) Homepage Journal

        This is what's so great about Linux, or for that matter *BSD. Sane defaults, but you control your computer. That's worth a whole lot of hassle.

        For better and for worse, the reality these days is that most companies are migrating to cloud and devops, where you don't control your own computer, and don't have admins that understand the underlying architectures and the nitty gritty bits of how to configure a kernel or why.
        Magic black boxes is the new standard, and control has become a negative word.

  • Let's just forego getting vaccinations for any kid because kid's don't get sick from measles or other things any more.

    • Re: (Score:2, Troll)

      by arth1 ( 260657 )

      (Forego still means precede, even though so many incorrectly use it when meaning forgo.)

      I gladly advocate forgoing vaccinations for endemic and childhood diseases, because the vaccines are so effective. They reduce culling, and long term cause harm to humanity by saving individual children.
      New harmful or detrimental mutations in the human genome that in themselves are not enough to kill someone, but in combination with diseases like measles have a statistically significant higher morbidity are allowed to s

    • False equivalency. There are other mitigation available that avoid Spectre and Meltdown, such as not letting people run code on your computer.

  • Do people seriously expect malware authors to tout: "Hey look, we just used Spectre successfully and extracted a thousand private keys from software that ran on the same physical cloud servers than our malware!"...?

    The thing with Spectre and Meltdown is that there is no need to alter the software on the (virtual) CPU cores the victim uses.
    • Do people seriously expect malware authors to tout: "Hey look, we just used Spectre successfully and extracted a thousand private keys from software that ran on the same physical cloud servers than our malware!"...?

      No, people rely on the large security industry which analyses malware in detail to determine how it works and have identified that no known strains of Malware use this attack.

      No surprise really either, it's not like this can be packaged in a general purpose attack. To pull this off in any meaningful way requires knowledge of the target detailed enough that there are easier attack vectors available.

      You may be laughing, but no one else is.

  • by guruevi ( 827432 ) on Sunday February 03, 2019 @07:09PM (#58065656)

    It is only of interest if you are allowing any user to execute random code. Eg. desktops (JavaScript and the like) and cloud/virtual servers MAY be affected by it. But for the vast majority of servers and environments, if these bugs are exploited, you typically have bigger issues to fix.

    • I disagree. Due to the actual attack vector executing random code won't get you much joy at all. Issuing *targeted* code for a specific machine which you know a lot about may net you something useful. As a result, the random desktop machine isn't really at risk at all. Virtual servers however are as by their nature you've given a customer a wide scope to execute code within their OS.

news: gotcha

Working...