Puppy Linux Discussion Forum
 Forum index » Off-Topic Area » Security
Patching old slow systems against Meltdown and Spectre?!
wiak

Joined: 11 Dec 2007
Posts: 695
Location: not Bulgaria

PostPosted: Mon 29 Jan 2018, 23:56    Post subject:  Patching old slow systems against Meltdown and Spectre?!
Subject description: Voluntarily slowing down our system's performance for safety...
 

I wonder how many who have older machines (Puppy often being used on such machines) really want to upgrade their OS or kernels (or even webbrowsers) to mitigate against Meltdown and or Spectre? I don't see much discussion about this - perhaps we feel obliged because it has always been advocated that users have a responsibility to patch their systems.

So suddenly some older unpatched machines perform as well or maybe better than some newer patched ones?

Systems that are so old they are only just proving usefully usable pre-patching suddenly become a bit more obsolete - or do some just avoid the patches to keep performance up? Is it fear that makes us universally patch, or do we just patch the machine(s) we use for online banking etc...?

wiak
musher0


Joined: 04 Jan 2009
Posts: 12202
Location: Gatineau (Qc), Canada

PostPosted: Tue 30 Jan 2018, 02:35    Post subject:  

Hello wiak.

I have read a few articles and some threads here about the problem. My position is:
I stay put; I wait until someone or some company offers a cure "that is not worse than
the sickness."

Please correct me if I am wrong, but as I understand it, of the three bugs,
-- one is "naturally countered" by the Linux kernel (Puppy is a Linux distribution);

-- another is "naturally countered" if your computer has an AMD CPU (it is my case).

So I am 2/3 covered.

-- That leaves one bug (I can't remember which), but I am not too worried. These bugs
are said to have been found through computer lab experiments. It is said also that it
is quite difficult to write a program to exploit these CPU weaknesses in real world
computing activity.

Please forgive my simplistic explanations: I know next to nothing about the technical
aspects of CPUs. A summary of my current hardware is attached for reference.

BFN.
Attachment: lshw.lst.zip (summary of my hardware, 866 bytes)

_________________
musher0
~~~~~~~~~~
"Logical entities must not be multiplied beyond necessity." | |
« Il ne faut pas multiplier les entités logiques sans nécessité. » (Ockham)

Last edited by musher0 on Tue 30 Jan 2018, 02:45; edited 1 time in total
s243a

Joined: 02 Sep 2014
Posts: 973

PostPosted: Tue 30 Jan 2018, 02:44    Post subject:  

My defense is to run noscript.

I only allow javascript from a few trusted sites like dropbox, facebook, youtube and of course this forum.

I block all scripts on news sites as they tend to be polluted with third-party ads.

P.S. I've read that newer versions of Firefox reduced the precision of their timers to help mitigate against this attack. If one is using Firefox they should upgrade to the latest Firefox. Of course on most old machines people are running Palemoon. I haven't read anything about how well Palemoon mitigates against these attacks. Fortunately I can run NoScript on Palemoon.
musher0


Joined: 04 Jan 2009
Posts: 12202
Location: Gatineau (Qc), Canada

PostPosted: Tue 30 Jan 2018, 02:52    Post subject:  

s243a wrote:
My defense is to run noscript.

I only allow javascript from a few trusted sites like dropbox, facebook, youtube and of course this forum.

I block all scripts on news sites as they tend to be polluted with third-party ads.

P.S. I've read that newer versions of Firefox reduced the precision of their timers to help mitigate against this attack. If one is using Firefox they should upgrade to the latest Firefox. Of course on most old machines people are running Palemoon. I haven't read anything about how well Palemoon mitigates against these attacks. Fortunately I can run NoScript on Palemoon.

Hello s243a.

It is good to know that JS can be used as a vector to exploit these vulnerabilities -- and
the antidote you mention. Thanks for this info. But what if the "delinquent" uses another
computer language? Such as in this Turkish case:
http://murga-linux.com/puppy/viewtopic.php?p=981456&sort=lastpost#981456

BFN.

8Geee


Joined: 12 May 2008
Posts: 1548
Location: N.E. USA

PostPosted: Tue 30 Jan 2018, 15:11    Post subject:  

I can't speak to the whole problem, but the browser IS part of the problem. In firefox or clones like seamonkey and palemoon about:config is your friend. In terms of the recent problems of Meltdown and Spectre, these problems are based upon getting information before using it. To that end there are some general things the user can do to the browser.

1.) Turn off ALL autocomplete and ALL autofill
2.) ZERO ALL caches, and FALSE their use
3.) Turn off ALL pre-fetch
4.) Do not use (make false) indexed databases
5.) Do not use so-called workers or seers
6.) Do not use anything like a wallet if provided, and FALSE its use

Keep in mind that though these things above are aimed at FF/SM/PM, the concept applies to ALL browsers if its configuration can be changed/modified by the end-user.

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
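One way to turn the list above into something a Puppy user can actually check, added here as an example and not code from this thread, from Mozilla or from Pale Moon: a small JavaScript audit of a Firefox/Pale Moon user.js. Item 5's "seers" is the network predictor (network.predictor.enabled); the other items map onto the about:config names listed in CHECKS. Only two of the checks are Mozilla's own Spectre mitigations: privacy.reduceTimerPrecision (present from Firefox 59 on; whether a given Pale Moon build has it is an assumption, so an "unset" result there may simply mean the pref does not exist) and javascript.options.shared_memory, which disables SharedArrayBuffer. The remaining checks do not close the CPU side channel at all; they only reduce what a script could find in the browser's memory, cache or profile, which is the spirit of the list. The sample user.js is constructed for the example.

```javascript
// Added example (not from the thread): audit a Firefox/Pale Moon user.js
// for the Spectre-era settings discussed above.
// "direct"  = Mozilla's own Spectre mitigations (timer precision, SharedArrayBuffer)
// "surface" = settings that do not close the side channel but limit what a
//             script could find in the browser's memory, cache or profile.
// Pref names are the real about:config names of the period; which ones a
// given Pale Moon release knows about is an assumption.
const CHECKS = [
  { pref: 'privacy.reduceTimerPrecision',    want: true,  kind: 'direct',  why: 'coarsen performance.now() (Firefox 59+)' },
  { pref: 'javascript.options.shared_memory', want: false, kind: 'direct',  why: 'no SharedArrayBuffer (a do-it-yourself fine clock)' },
  { pref: 'network.prefetch-next',           want: false, kind: 'surface', why: 'no link prefetch' },
  { pref: 'network.dns.disablePrefetch',     want: true,  kind: 'surface', why: 'no DNS prefetch' },
  { pref: 'network.predictor.enabled',       want: false, kind: 'surface', why: 'no "seer" / speculative connections' },
  { pref: 'browser.cache.disk.enable',       want: false, kind: 'surface', why: 'no disk cache' },
  { pref: 'browser.cache.memory.enable',     want: false, kind: 'surface', why: 'no memory cache (costs the most speed)' },
  { pref: 'browser.formfill.enable',         want: false, kind: 'surface', why: 'no form autocomplete' },
  { pref: 'signon.rememberSignons',          want: false, kind: 'surface', why: 'no saved passwords' },
  { pref: 'dom.indexedDB.enabled',           want: false, kind: 'surface', why: 'no IndexedDB' },
  { pref: 'dom.serviceWorkers.enabled',      want: false, kind: 'surface', why: 'no service workers' },
];

// Parse user_pref("name", value); lines. Comments, blank lines and
// literals we do not understand are skipped. A later line wins over an
// earlier one for the same pref, as it does in the browser.
function parseUserJs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue;
    prefs[m[1]] = value;
  }
  return prefs;
}

// Compare parsed prefs against CHECKS. A pref that is absent is reported as
// 'unset': the browser default applies, which for most of these is the
// weak value. Each finding carries the user_pref() line that would fix it.
function auditPrefs(prefs) {
  return CHECKS
    .filter((c) => prefs[c.pref] !== c.want)
    .map((c) => ({
      pref: c.pref,
      kind: c.kind,
      status: c.pref in prefs ? 'weak' : 'unset',
      why: c.why,
      fix: `user_pref("${c.pref}", ${JSON.stringify(c.want)});`,
    }));
}

// Constructed sample: a profile that took the cache/prefetch advice but
// still allows SharedArrayBuffer and keeps saved passwords.
const SAMPLE_USER_JS = `
// user.js -- hand-edited (constructed sample)
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.memory.enable", false);
user_pref("network.prefetch-next", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.predictor.enabled", false);
user_pref("javascript.options.shared_memory", true);
user_pref("signon.rememberSignons", true);
user_pref("browser.startup.homepage", "about:blank");
`;

const findings = auditPrefs(parseUserJs(SAMPLE_USER_JS));
for (const f of findings) {
  console.log(`${f.kind.padEnd(7)} ${f.status.padEnd(5)} ${f.fix}   // ${f.why}`);
}
```

Run it with node against your own profile's user.js (read the file into the string instead of SAMPLE_USER_JS); each finding prints a user_pref() line that can be pasted straight into user.js. Appending those lines and re-running the audit yields no findings, since later lines override earlier ones. On a slow machine the memory-cache and disk-cache items are the ones that hurt, which is the trade-off the rest of this thread is about.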
musher0


Joined: 04 Jan 2009
Posts: 12202
Location: Gatineau (Qc), Canada

PostPosted: Tue 30 Jan 2018, 15:42    Post subject:  

8Geee wrote:
I can't speak to the whole problem, but the browser IS part of the problem. In firefox or clones like seamonkey and palemoon about:config is your friend. In terms of the recent problems of Meltdown and Spectre, these problems are based upon getting information before using it. To that end there are some general things the user can do to the browser.

1.) Turn off ALL autocomplete and ALL autofill
2.) ZERO ALL caches, and FALSE their use
3.) Turn off ALL pre-fetch
4.) Do not use (make false) indexed databases
5.) Do not use so-called workers or seers
6.) Do not use anything like a wallet if provided, and FALSE its use

Keep in mind that though these things above are aimed at FF/SM/PM, the concept applies to ALL browsers if its configuration can be changed/modified by the end-user.

Regards
8Geee
Hi 8Geee.

I don't believe this.

We might as well use IPoAC. Sometimes referred to as RFC 1149.

Seriously: What happened to "running in sandbox" or "anti-virus scanning"? I motion
that we run the browser in a sandbox and use an anti-virus scanner on its data files.
Who seconds?

BFN.
Attachment: Homing_pigeon.jpg (171.99 KB). Description: RFC 1149 Internet carrier carrying a message on each of its legs. This type of carrier cannot be affected by Spectre, Meltdown or any digital bug.


s243a

Joined: 02 Sep 2014
Posts: 973

PostPosted: Tue 30 Jan 2018, 15:46    Post subject:  

How do we know that a given sandbox protects us though? Besides, javascript is over used. I strongly recommend cutting back on the amount of scripting that we allow in our browsers, especially on older systems.

BTW, pigeons certainly won't help you keep your packets clean!!! But if we must use pigeons I recommend that we pack as much info as we can into the packets given the high packet loss rate and limitation on the number of packets at once. Also we must use UDP because TCP will time out before we connect.
musher0


Joined: 04 Jan 2009
Posts: 12202
Location: Gatineau (Qc), Canada

PostPosted: Tue 30 Jan 2018, 16:04    Post subject:  

s243a wrote:
How do we know that a given sandbox protects us though? Besides, javascript is over used. I strongly recommend cutting back on the amount of scripting that we allow in our browsers, especially on older systems.

BTW, pigeons certainly won't help you keep your packets clean!!!

Good point, s243a!!!

On 2nd thought, could cUrl be put to good use here?
Roughly, this is the idea:
Quote:
we use cUrl for retrieving the Internet material
we turn off the connection
we view the material offline.

Thinking out loud:
cUrl (on every Puppy), OR
httrack https://www.httrack.com/, OR even
an adaptation of Psiphon
https://psiphon.en.softonic.com/?ex=DSK-347.2#app-softonic-review ?

I'm sure there is a better solution than turning your speedy browser into a turtle...

BFN.

Sailor Enceladus

Joined: 22 Feb 2016
Posts: 1488

PostPosted: Tue 30 Jan 2018, 16:04    Post subject:  

musher0 wrote:
Seriously: What happened to "running in sandbox" or "anti-virus scanning"? I motion
that we run the browser in a sandbox and use an anti-virus scanner on its data files.
Who seconds?

I generally don't want exactly the things 8Geee mentioned too, and would rather they be off. On my puppy full install I left cache on in Palemoon because my wifi and laptop are pretty slow, so maybe it will help speed a bit on sites I visit often though. I used to use run-as-spot but haven't for a while now; having to save in /root/spot then dragging things somewhere else wasn't too difficult but is an added step. I never really found any use for antivirus in Puppy... even in Windows I might try an AV like once a year then remove it, but did find having a browser sandbox in Windows XP kinda interesting (maybe not useful... but interesting, and didn't make performance worse).
s243a

Joined: 02 Sep 2014
Posts: 973

PostPosted: Tue 30 Jan 2018, 16:10    Post subject:  

Quote:

I'm sure there is a better solution than turning your speedy browser into a turtle...

BFN.


I haven't actually tried turning off the cache but blocking javascript may make up for some of the speed loss. How about a compromise. One could have two browsers. The first allows cache but will only allow javascript on trusted sites. The second doesn't allow cache but can allow javascript on more sites and runs in a sandbox.
Marv


Joined: 04 May 2005
Posts: 1042
Location: SW Wisconsin

PostPosted: Wed 31 Jan 2018, 12:27    Post subject: Re: Patching old slow systems against Meltdown and Spectre?!
Subject description: Voluntarily slowing down our system's performance for safety...
 

wiak wrote:
I wonder how many who have older machines (Puppy often being used on such machines) really want to upgrade their OS or kernels (or even webbrowsers) to mitigate against Meltdown and or Spectre? I don't see much discussion about this - perhaps we feel obliged because it has always been advocated that users have a responsibility to patch their systems.

So suddenly some older unpatched machines perform as well or maybe better than some newer patched ones?

Systems that are so old they are only just proving usefully usable pre-patching suddenly become a bit more obsolete - or do some just avoid the patches to keep performance up? Is it fear that makes us universally patch, or do we just patch the machine(s) we use for online banking etc...?

wiak
I've retired my fleet of Pentium M laptops so I don't have any machines I would call older/challenged at this point. I do have three Core 2 Duo laptops in addition to my i5 based machines and am using one of the Core 2 Duos as an 'offline' tax and accounting machine, so I did a quick performance test on a non-patched kernel versus a Meltdown & Spectre 2 patched kernel (full retpoline enabled). I used the same pup (Lx-ArtfulPup), governor etc. and as nearly comparable kernels as I could get. I did 3 runs on each of the benchmarks. On the i5 laptop running LxPupSc I had seen the following hits going to the retpoline kernel from a KPTI-only patched kernel:
glxgears FPS: -7%
CPU Cryptohash: -19%
FPU Raytracing: -18%

To my surprise, on the Core 2 Duo laptop glxgears FPS was actually 5% better on the 4.15.0 retpoline kernel and CPU Cryptohash and FPU Raytracing were both 1% slower. Seems that the bottlenecks are elsewhere on the Core 2 Duo.

So, again to my surprise, I haven't much reason not to patch the middle-aged Core 2 Duos, and from this quick look it seems that different hardware reacts quite differently to the retpoline patch. As for Intel's flawed ucode attempts, to the dustbin!

_________________
Pups currently in kennel: LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64, and LxPupBB for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS. Now tazpup for puzzles.
s243a

Joined: 02 Sep 2014
Posts: 973

PostPosted: Tue 06 Feb 2018, 01:04    Post subject:  

Sailor Enceladus wrote:
musher0 wrote:
Seriously: What happened to "running in sandbox" or "anti-virus scanning"? I motion
that we run the browser in a sandbox and use an anti-virus scanner on its data files.
Who seconds?

I generally don't want exactly the things 8Geee mentioned too, and would rather they be off. On my puppy full install I left cache on in Palemoon because my wifi and laptop is pretty slow so maybe it will help speed a bit on sites I visit often though.


Here is some info about how browsers mitigated the Spectre attack by reducing the precision of their timers:

"Both Spectre and Meltdown use cache in a timing based attack. Since cached memory is much faster to access, an attacker can measure access time to determine if memory is coming from RAM or the cache. That timing information can then be used to actually read out the data in the memory. This why a Javascript patch was pushed to browsers two weeks ago. That patch makes the built-in Javascript timing features a tiny bit less accurate, just enough to make them worthless in measuring memory access time which safeguards against browser-based exploits for these vulnerabilities."

https://hackaday.com/2018/01/15/spectre-and-meltdown-how-cache-works/

I will give no opinion on whether this is sufficient protection or not against JavaScript-type Spectre attacks.
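What the quoted paragraph describes, worked through as an added example (not code from this thread, from Hackaday or from any browser): a JavaScript model of a cache-timing probe seen through clocks of different resolution. The 40 ns hit and 150 ns miss latencies are assumed round numbers of the right order, not measurements; the 20 µs resolution is what Firefox 57.0.4 gave performance.now() in January 2018. The first two runs show the point the quote makes: with a 5 ns clock one timed access tells hit from miss every time, with a 20 µs clock it is a coin flip. The third run shows the caveat the post leaves open: an attacker who can evict and re-touch the line a couple of thousand times between two timestamps gets the signal back through the coarse clock, which is why the same Firefox release also disabled SharedArrayBuffer (which can be turned into a fine clock by a worker thread) and later releases added jitter to the timer on top of coarsening it.

```javascript
// Added example: a model of why coarsening performance.now() blunts a
// cache-timing probe, and why coarsening alone is not the whole story.
// Latencies are constructed, not measured (assumption): a cache hit costs
// about 40 ns, a miss that has to go to DRAM about 150 ns.
const HIT_NS = 40;
const MISS_NS = 150;

// Small deterministic PRNG (mulberry32) so every run gives the same numbers.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// One memory access: the true latency plus up to +/-10 ns of noise.
function accessLatencyNs(cached, rand) {
  return (cached ? HIT_NS : MISS_NS) + (rand() - 0.5) * 20;
}

// What "end - start" looks like through a clock that only ticks every
// resolutionNs. The probe starts at an unknown phase inside a tick, so a
// 150 ns event seen through a 20 us clock reads 0 almost every time and
// 20000 the rare time it happens to straddle a tick boundary.
function timerDeltaNs(latencyNs, resolutionNs, rand) {
  const t0 = rand() * resolutionNs;
  const t1 = t0 + latencyNs;
  const tick = (t) => Math.floor(t / resolutionNs) * resolutionNs;
  return tick(t1) - tick(t0);
}

// An attacker's classifier: time `probes` back-to-back accesses (evicting
// and re-touching the line between them) and call the line "cached" when
// the reading is below the midpoint of the two expected totals. Half the
// samples use a cached line, half an uncached one; returns the fraction
// the attacker guesses right (1.0 = the channel works, 0.5 = coin flip).
function classifierAccuracy(resolutionNs, probes, samples, seed) {
  const rand = mulberry32(seed);
  const threshold = probes * (HIT_NS + MISS_NS) / 2;
  let correct = 0;
  for (let i = 0; i < samples; i++) {
    const cached = i % 2 === 0;
    let latency = 0;
    for (let p = 0; p < probes; p++) latency += accessLatencyNs(cached, rand);
    const guessCached = timerDeltaNs(latency, resolutionNs, rand) < threshold;
    if (guessCached === cached) correct++;
  }
  return correct / samples;
}

// 5 ns clock, one probe: the channel works.
// 20 us clock (Firefox 57.0.4's performance.now()), one probe: coin flip.
// 20 us clock, 2000 probes per reading: the signal is back, which is why
// the patch also took away SharedArrayBuffer and later releases added jitter.
console.log('5 ns clock, 1 probe:      ', classifierAccuracy(5, 1, 1000, 1));
console.log('20 us clock, 1 probe:     ', classifierAccuracy(20000, 1, 1000, 1));
console.log('20 us clock, 2000 probes: ', classifierAccuracy(20000, 2000, 1000, 1));
```

The model ignores everything else a real probe has to fight (prefetchers, noisy neighbours, the browser's own JIT), so treat the numbers as an illustration of the mechanism, not as a measurement of any browser. Blocking scripts with NoScript, as suggested earlier in the thread, removes the probe altogether on the sites where it is blocked, which is a stronger statement than any timer setting.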
tommy

Joined: 04 Oct 2005
Posts: 110
Location: Italy

PostPosted: Wed 14 Feb 2018, 13:40    Post subject:  

Maybe I miss the point, so correct me if I'm wrong...


I read here that:
Quote:
But, since it's merely a memory read issue, attackers don't get a straight shot at privilege escalation with this, and there's going to be some luck involved to have useful-to-attackers data in active memory when these techniques are used.


I can think of these three situations:

Safe scenario 1:

I cold boot my PC, with NO savefile (puppy boot option pfix=ram), I just do my web banking payments, I buy on online sites paying with credit card etc, then I reboot my PC (or I shutdown and cold boot it).
After rebooting with NO savefile, I surf the web and I go to a malicious site, I run a malicious javascript and I have no Spectre/Meltdown patches. Now the evil attacker can read my RAM. So what??? What can he read? I rebooted my Puppy and I know that RAM is volatile, so no previous data (passwords, credit card number etc) is in RAM, because on reboots RAM is flushed and is therefore empty (well, not really empty, but filled with puppy initrd , .zdrv and .sfs files).
In this case I wouldn't slow down my old system with patches.

Safe scenario 2:

I boot my pc to do offline tasks such as:
watch a movie/ listen music/ play games / work with office;
or to do online tasks such as:
download files with Transmission/aMule / connect to a rdesktop - vnc - ssh - ftp - VPN server etc. (i.e.: I don't open a browser at all). In this case I wouldn't boot a patched OS and I'd run at full speed.

Risky scenario:
I boot puppy WITH a savefile, I do online banking, I use my credit card on online shops etc., then I clear personal data (on firefox: ctrl-shift-del) and I reboot. Puppy will save this session in the savefile. At reboot with savefile, I surf the web, I run a malicious javascript, and have no Spectre/Meltdown patches.
If I remember correctly, at bootup puppy stores in RAM the personal savefile as a layered filesystem (something similar to ramdisk), where it records the changes, the new files, the deleted ones etc, and at shutdown it saves those new/modified files in the 'pupsave.2fs' savefile. Puppy doesn't save the data in the volatile RAM anywhere, as long as it is not a file (maybe a swap partition is a risk and should be zeroed out on shutdown?).
For example, firefox can eat 500MB to 1GB of RAM when open, but after closing it that amount of RAM isn't saved in savefiles at shutdown (puppy just saves Firefox personal profile folder, it actually weighs 23 MB on my system.). If I don't have my passwords stored in browsers, nor sensitive /credit card data on browser auto-fill fields, what can the evil attacker read on cold reboots and the puppy savefile loaded?
Maybe on this scenario I can consider running a patched OS and suffer speed loss, just to be 100% sure.

Am I underestimating the Spectre/Meltdown security issues?
8Geee


Joined: 12 May 2008
Posts: 1548
Location: N.E. USA

PostPosted: Thu 15 Feb 2018, 02:15    Post subject:  

Qualys, the people that bring us a server and client test for things like SSL/TLS, and vulnerabilities against Poodle, Logjam, Freak, etc., has published this article to explain what is behind Meltdown/Spectre. The article does call for the rebuild of chips, and is therefore rather extreme. Nonetheless, it states that basically any app can access the out-of-order-execution (OOOE) cache inherent in a great majority of CPUs. Thus the patchwork is complex, due to numerous apps, and all-consuming.

MHO... in regards to JS concerns, even base coding as in C, C++, C#, Py, etc. needs to be at least patched in any app, as such code may indeed call for the OOOE cache. While that's a back-burner issue, I am aware that kernel-level patching is underway for Linux kernels. The caveat is that only the supported kernels are being patched. Therefore 3.2.x, 3.16.x, 3.18.x, 4.1.x, 4.4.x, 4.9.x, 4.14.x, and 4.15.x kernels are being updated. /MHO

regards
8Geee

musher0


Joined: 04 Jan 2009
Posts: 12202
Location: Gatineau (Qc), Canada

PostPosted: Thu 15 Feb 2018, 06:42    Post subject:  

Good info.

Thanks, 8Geee.
