
Google Engineers Say, Spectre Vulnerability is Here to Stay

     
5:07 pm on Feb 25, 2019 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:26368
votes: 1034


According to a paper published by Google engineers, Spectre is here to stay, and the 26-page document concludes:
Computer systems have become massively complex in pursuit of the seemingly number-one goal of performance. We’ve been extraordinarily successful at making them faster and more powerful, but also more complicated, facilitated by our many ways of creating abstractions. The tower of abstractions has allowed us to gain confidence in our designs through separate reasoning and verification, separating hardware from software, and introducing security boundaries. But we see again that our abstractions leak, side-channels exist outside of our models, and now, down deep in the hardware where we were not supposed to see, there are vulnerabilities in the very chips we deployed the world over. Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it. It is now a painful irony that today, defense requires even more complexity with software mitigations, most of which we know to be incomplete. And complexity makes these three open problems all that much harder. Spectre is perhaps, too appropriately named, as it seems destined to haunt us for a long time.


Here's the full paper (PDF) [arxiv.org...]

Earlier stories
Intel Says, Stop Deploying Current Spectre Patch [webmasterworld.com]
Linus Torvalds Criticises Intel's "Patches" for Meltdown and Spectre [webmasterworld.com]
CPU Vulnerabilities Named Meltdown and Spectre [webmasterworld.com]
6:11 pm on Feb 25, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 29, 2005
posts:10457
votes: 1091


When engineers are allowed to do what they like without consulting security experts these kinds of things happen ... and become memorialized and difficult to undo.

To be fair, this is a human failing, not any "plan" on g's part. Look at the early years of flight when the speed factor was transitioning from sub-sonic to super-sonic ... and a reliance on "hardware" to get the job done, but it wasn't until control systems were created that it became reliable.

Spectre is that "demon on the bleeding edge of tech" that will eventually have to be conquered ... and it won't be cheap, or soon.
1:35 am on Mar 1, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 26, 2003
posts: 1372
votes: 37


When engineers are allowed to do what they like without consulting security experts these kinds of things happen ... and become memorialized and difficult to undo.


This notion that a security expert can prevent this is completely false. You do realize that the CPU design that is exploited by Spectre has been around unnoticed for 20 years and requires access to the host in order to be exploited. Which means, for businesses where security is of utmost concern, your security team didn't notice this bug for 20 years and failed to protect its perimeter if it was exploited.

Luckily we live in an era where OS, firmware, microcode, and BIOS updates can offer protection and isolation of risk, and Intel/AMD & ARM aren't sitting around saying they won't solve this.

But it's foolish to think we'll ever be perfect and even more foolish to think everything can be prevented by experts.
8:42 pm on Mar 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:2014
votes: 215


How many so-called exploits involve someone finding a backdoor purposefully there for the manufacturer's updating and monitoring purposes?
10:07 pm on Mar 3, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 26, 2003
posts: 1372
votes: 37


How many so-called exploits involve someone finding a backdoor purposefully there for the manufacturer's updating and monitoring purposes?


not many...

CVEs are public data