Meltdown & Spectre

By Sam

Vendor Responses

• ARM

• nvidia

• AMD

• Intel

• Genode

OS Responses

• Microsoft

  • Windows security updates released January 3 2018 and antivirus software

  • Microsoft Intel CPU Vulnerabilities Live Broadcast Meeting

• freebsd

• QubesOS

• redhat

Browser Responses

• Edge & Internet Explorer

• Firefox

• Chromium

• Webkit

Infrastructure Responses

• online.net

• Elastic

• Wickr

Explainers

• https://blog.cloudflare.com/meltdown-spectre-non-technical/

• https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

• https://twitter.com/gsuberland/status/948907452786933762

• https://www.crowdstrike.com/blog/chip-flaws-spectre-and-meltdown-are-actually-three-vulnerabilities-and-proving-hard-to-mitigate/

• https://blog.rapid7.com/2018/01/04/meltdown-and-spectre-what-you-need-to-know-cve-2017-5715-cve-2017-5753-cve-2017-5754/

Performance Impact

• PCID is now a critical performance/security feature on x86

• Microsoft - Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems

• Measuring OS X Meltdown Patches Performance

Detection

• Endgame

• capsule8

Proof of Concept

• https://github.com/mniip/spectre-meltdown-poc

• https://gist.github.com/rootkea/ba370a3c81122030510cfe92cdc5c4a2

• https://github.com/IAIK/meltdown

Press Coverage

• NYT - Researchers Discover Two Major Flaws in the World’s Computers

• threatpost - Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

• Wired - Triple Meltdown: How so many researchers found a 20-year-old chip flaw at the same time

• Bloomberg - ‘It Can’t Be True.’ Inside the Semiconductor Industry’s Meltdown

• techcrunch - How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown

• Arstechnica - Here’s how, and why, the Spectre and Meltdown patches will hurt performance

• El Reg - IBM melts down fixing Meltdown as processes and patches stutter

Other (Uncategorised)

• https://lwn.net/Articles/742702/

• https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html

• https://github.com/hannob/meltdownspectre-patches

• https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance

• https://medium.com/@pwnallthethings/time-travelling-exploits-with-meltdown-1189548f1e1d

• https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

• https://github.com/marcan/speculation-bugs/blob/master/README.md

• https://www.peerlyst.com/posts/a-collection-of-links-to-pdfs-of-papers-on-micro-architectural-side-channel-attacks-sorted-by-date-paul-harvey

• https://lwn.net/Articles/742999/

• https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/

• https://plus.google.com/+KristianK%C3%B6hntopp/posts/Ep26AoAZxxd

• https://github.com/lattera/articles/blob/master/infosec/Vulnerabilities/2018-01-05_Meltdown_Spectre/article.md

• https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9

• https://isc.sans.edu/diary/23197

• http://kroah.com/log/blog/2018/01/06/meltdown-status/

• https://medium.com/@sekuryti/meltdown-more-like-letdown-433926f8d743

• https://randomascii.wordpress.com/2018/01/07/finding-a-cpu-design-bug-in-the-xbox-360/

• https://github.com/lgeek/spec_poc_arm

• https://doublepulsar.com/important-information-about-microsoft-meltdown-cpu-security-fixes-antivirus-vendors-and-you-a852ba0292ec

• http://xlab.tencent.com/special/spectre/spectre_check.html

• https://bugs.chromium.org/p/project-zero/issues/detail?id=1272

• https://github.com/m8urnett/Windows-Spectre-Meltdown-Mitigations

• https://www.enisa.europa.eu/publications/info-notes/meltdown-and-spectre-critical-processor-vulnerabilities

• https://xorl.wordpress.com/2018/01/10/thoughts-on-meltdown-spectre/

• https://www.reddit.com/r/networking/comments/7o4y40/meltdownspectre_vulnerability_tracker/

• https://www.gdatasoftware.com/blog/2018/01/30333-inside-meltdown-spectre