MDS, Fallout, Zombieland & Linux
Offered By: Linux Foundation via YouTube
Course Description
Overview
Syllabus
Keynote: MDS, Fallout, Zombieland & Linux
MDS == "RIDL", "Fallout", "Zombieload", and others - CPU Hardware bugs • Variants of the same basic problem • Exploits the speculative execution model of Intel CPUs. • Discovered by many different research teams • Kernel and BIOS fixes required to fully solve
One program can read another program's data • Can cross the virtual machine boundary · Exploits "hyper threading" (SMT) issues - SMT are CPUs that usually share TLBs and L1 cache
Guessed more problems would be in this area • Disabled SMT for Intel chips in June 2018 . Repeated the plea to disable this in August 2018 • Prevented almost all MDS issues automatically • Security over performance • Huge respect!
Rogue-Inflight-Data-Load • Exploits CPU Line-fill buffers and Load ports Steal data across applications, virtual machines, secure enclaves . Kernel fix by flushing CPU buffers/ports on context switch
Fallout • Exploits CPU Store Buffers • Read kernel data from userspace Breaks ASLR (random kernel addresses) • "Meltdown" mitigation made this easier to exploit • Kernel fix by flushing CPU buffers on context switch
Exploits CPU Line-Fill buffers . Much like RIDL • Steal data across applications, virtual machines, secure enclaves • Cool logo/name and demo • Kernel fix by flushing CPU buffers on context switch
All of these mitigations slow down the system • No way yet to schedule different security domains on different physical processors (gang scheduling) • Disabling SMT mitigates most problems (not ALL!) • Must disable SMT and enable mitigations to solve completely.
Kernel fixes available on announcement date • Intel notified some kernel developers in advance . Worked together across OS vendors to solve . Much better than Spectre/Meltdown • Process still needs to improve, Debian notified 48 hours before release. • More fixes came after announcement • Update your kernel and BIOS!
If you are not using a supported Linux distribution kernel, or a stable / longterm kernel, you have an insecure system.
Taught by
Linux Foundation
Tags
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network