From: Leah Rowe <info@gluglug.org.uk>
To: Andy Wingo <wingo@igalia.com>
Cc: guix-devel@gnu.org
Subject: Re: What do Meltdown and Spectre mean for libreboot x200 user?
Date: Fri, 19 Jan 2018 14:29:36 +0000 [thread overview]
Message-ID: <d064ba32-37be-1392-d699-d6174c21773c@gluglug.org.uk> (raw)
In-Reply-To: <0be07fb0-eebc-89b5-fe3b-5b7162fecea8@gluglug.org.uk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 19/01/18 14:26, Leah Rowe wrote:
> Hi Andy,
>
> On 15/01/18 13:25, Andy Wingo wrote:
>> Greets,
>
>> On Mon 15 Jan 2018 12:32, Leah Rowe <info@gluglug.org.uk>
>> writes:
>
>>> The implications [of Meltdown/Spectre] at firmware level are
>>> non-existent (for instance, these attacks can't, to my
>>> knowledge, be used to actually run/modify malicious code, just
>>> read memory, so it's not as if some evil site could install
>>> malicious boot firmware in your system).
>
>> I agree that it's unlikely that a site could install boot
>> firmware, but AFAIU it's not out of the realm of possibility.
>> The vector I see would be using Meltdown/Spectre to read
>> authentication/capability tokens which could be used to gain
>> access, either via some other RCE vuln or possibly via remote
>> access. Maybe evil code could find an SSH private key in a
>> mapped page, for example, which the evil server could use to SSH
>> directly to your machine. But I admit that it's a bit farfetched
>> :)
>
> If the attack is used in order to gain access to GPG keys, it could
> be used to impersonate you. If it is used in order to read private
> SSH keys, then it could be used to log onto your servers for
> instance, and install malicious firmware.
>
> Of course, this can be mitigated by write-protecting. Libreboot
> systems support this, for the most part, though write protection
> of boot flash is not enabled by default, for ease-of-use reasons.
>
> It is not far fetched at all. I highly recommend that you take care
> as to what code runs on your system, especially with things like
> web browsers. If you give someone SSH into a system (e.g. shared
> server) but they don't need code execution (e.g. the SSH daemon is
> there for them to have SCP access), make sure noexec is set on
> their directory's mountpoint. Things like that.
Do you use Google?
Do you use Twitter?
What about your bank?
Government website?
anything that serves you javascript is a potential threat. Even if an
organisation is benevolent, who is to say that they don't get
compromised at one point and start being used as a vessel for attack
at some point.
- --
Leah Rowe
Libreboot developer and project founder.
Use free software. Free as in freedom.
https://www.gnu.org/philosophy/free-sw.html
Use a free BIOS - https://libreboot.org/
Use a free operating system, GNU+Linux.
Support computer user freedom
https://fsf.org/ - https://gnu.org/
Minifree Ltd, trading as Ministry of Freedom | Registered in England,
No. 9361826 | VAT No. GB202190462
Registered Office: 19 Hilton Road, Canvey Island, Essex SS8 9QA, UK |
Web: https://minifree.org/
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE+JRrnG26iGmvPhSA/0W3TPnRz5QFAlpiANAACgkQ/0W3TPnR
z5TI4gf/bpwmVhu+xCqp+y9+YEm9WVj8b8vGNIwE140uQMIbXY5Ck1lWiBwePJCb
HOa3Mi3zk+wd+JCiuilgmqz8wFyuOBMt+GeJ/w6Gh7WYTMxtHeYOTegMfpEclTLw
8w23UUG+j2zAoUMYoQSZJ7IG163wlSHrKSLMtdHEnktFGhX5qlYJVYeQfr3k2kc3
j/mJuvOEIjLZLPSJxiQvQAKBsdYPw1UFjrcsEcwe6AuPAXnHnmPuft7D1gc47F8g
STy+shxlvkggJAQY6/rdMMRPflC4c2/JU7NtsdexgRICHBs8Akj4h/gN763fsTR5
HSsNRusXUSkLrMYolY6hv9JbnEGBPA==
=PQ/l
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2018-01-19 14:30 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-10 8:56 What do Meltdown and Spectre mean for libreboot x200 user? Leah Rowe
2018-01-14 15:17 ` Alex Vong
2018-01-15 11:32 ` Leah Rowe
2018-01-15 13:25 ` Andy Wingo
2018-01-19 14:26 ` Leah Rowe
2018-01-19 14:29 ` Leah Rowe [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-01-06 13:20 Alex Vong
2018-01-06 17:23 ` Mark H Weaver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d064ba32-37be-1392-d699-d6174c21773c@gluglug.org.uk \
--to=info@gluglug.org.uk \
--cc=guix-devel@gnu.org \
--cc=wingo@igalia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).