Tests to run for Spectre & Meltdown to c if ur affected

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

Title says it all.

Yesterday Prehistoric posted this:

http://murga-linux.com/puppy/viewtopic. ... 901#979901.

In that msg it has this site, for testing your machines for vulnerabilities to Spectre & Meltdown:

https://www.howtogeek.com/338801/how-to ... d-spectre/

Problem bugger all looks-wise, is those tests seem to be run on Microsoft OSes only. Or can they (since they're scripts) be run on our Linux OSes we run plus maybe our Puppies (Fatdog released a new, patched ISO, which I'm on now, along with FF57.04 (mentioned below), all on 10 yr old Athlon X2 chips, running everything in Firejail, so I am trying my best here :roll: )??

Past 72 hours I've seen across many of my Linux OSes updates flying in, "intel-microcode-this-and-that" and kernel stuff. Browsers too: Firefox 57.04 has applied browser patch with 57.04 and onwards. Google can't/won't be able to get theirs out to 23 Jan (those lame a## lazy hillbillies, start moving your nuts). :lol:


So, overall, listen, I can't be the only one: all I wanna know----is there some kind of tests we can run? Anyone actually know? Instead of reading and looking at graphs and/or articles & guessing/surmising that our system(s) are vulnerable & cooked, and possibly never patchable, etc, etc, there's gotta be something like what prehistoric linked above, right? I mean, we are PUPPY! All the geniuses in the Linux world reside here, and us minions benefit from all of your collective mental prowess & acumen :wink: Jump a step ahead and save the whole Linux world, you all can do it! Give us test scripts or whatever to run across all our Linux babies, pups and non-pups alike.



P.S. Please, for the love of crap, don't post useless drivel in this thread: What is useless drivel? I.E. like about how there's a good chance there are no spectre & meltdown stuff already out there, so settle down and drink some hot cocoa. Or, even worse, just to take care of yourself and be safe surfing (oh sweetie, just turn javascript off in any browser---well, BITE ME---no javascript makes the web non-functional for all sites---even murga, cannot post right without it) and lay off the NoScript/etc mentioning, which is and has always been a bandaid major PITA and not worth the bits space it takes up. Lightweight adblockers, especially ublock-origin, as an example, yes, useful and most of us run some form of that. It's stuff like this. Nix it in this thread. Just keep this conversation/thread specifically to tests we can definitively and/or possibly run regarding Spectre & Meltdown. Thank you.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#2 Post by Sailor Enceladus »

Yes, the Windows article posted by prehistoric was silly, this is a Linux forum.

This is my easy way to test Meltdown for now and I'm sticking to it :lol:
http://www.murga-linux.com/puppy/viewto ... 144#979144
http://www.murga-linux.com/puppy/viewto ... 906#979906
http://www.murga-linux.com/puppy/viewto ... 684#979684

Spectre is just a distraction to get people to hate Intel less right now... imo. :)

edit: Of course, the problem is also the computers you're connecting to, which could get compromised.

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#3 Post by Marv »

I use the attached script for a quick check (it's from here: https://www.ghacks.net/2018/01/11/check ... erability/). As always, have a look at it before you run it.
Attachments
spectre-meltdown-checker.sh.gz
false gz, remove to examine or run.
(26.18 KiB) Downloaded 271 times
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.

Sailor Enceladus
Posts: 1543
Joined: Mon 22 Feb 2016, 19:43

#4 Post by Sailor Enceladus »

Just for clarification, that script only tries to check if the kernel/OS has mitigation in place against the 3 exploits (from what I can tell looking at the output), it doesn't know how to tell if your machine or CPU is actually vulnerable to them:

"The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement."

fabrice_035
Posts: 765
Joined: Mon 28 Apr 2014, 17:54
Location: Bretagne / France

#5 Post by fabrice_035 »

Hi,
I tried to fend for myself and recompile the kernel for my Tahrpup 6.0.6 (32-bit).
And the good news: after recompiling linux-3.14.79 (following puppylinux.org/wikka/CompilingKernel), I found my puppy is now faster! :P 8)

But... vulnerable :twisted:

Next time, patching. Have others tried?

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#6 Post by musher0 »

Thanks for the script, Marv, but I'm still not sure if this old box is vulnerable,
because of the "unknown" mention in the first part.
[/mnt/ram1/Downloads]>./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.24

Checking for vulnerabilities against live running kernel Linux 4.1.2-EmSee-32-pae #1 SMP Wed Jul 15 12:39:34 BST 2015 i686

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: UNKNOWN (couldn't find your kernel image in /boot, if you used netboot, this is normal)
> STATUS: UNKNOWN (impossible to check )

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

A couple of grumblings:
-- the guy who wrote this has an infinite width console...
At 72-75 characters, there is supposed to be a line feed!!!

-- the light bulb over this guy's head is off: not all distros have their kernels in /boot

-- That "disclaimer" is not re-assuring... It's nowhere in sight, too.

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#7 Post by Marv »

Hi musher0,

Yea, pretty it ain't but so far I haven't found anything simpler. You can check the first part by running the checker 'offline', i.e. with --kernel <path to your vmlinuz>. It needs the readelf and dependencies in the full binutils package, not eu-binutils as in some pups. The retpoline patch for the spectre 2 & 3 is supposed to show up in the 4.15 64-bit kernel and be backported to 4.14.14 and 4.9.77 IIRC. We'll see.

All in all, it's ALL a pretty big mess!

Edit/update on Jan 28 2018: The newer kernels, certainly any that have kpti support, report their mitigation status in the sysFS. A very simple script I use to quickly read that info out is attached. Not the only way to do it but it works for me.
Attachments
VulnChecker.gz
False gz. Remove gz and make it executable to run.
(246 Bytes) Downloaded 146 times
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.
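
The sysfs mitigation status mentioned in the update to post #7 can be read out with a few lines of shell. This is an added example, not the attached VulnChecker script (its contents are not shown on this page); the function names and the sample status strings are constructed for illustration, and it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities.

```shell
#!/bin/sh
# Added example (not the VulnChecker attachment): summarise what the kernel
# itself reports about Meltdown/Spectre mitigations in sysfs.
SYSFS_VULN=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT: map the kernel's status text to a short verdict.
# Matching is on the leading keyword, so trailing details are ignored.
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# vuln_report [DIR]: print "name verdict raw-text" for every entry in DIR.
# Returns 0 if nothing is vulnerable, 1 if any entry is, 2 if DIR is missing
# (kernels that predate this sysfs reporting have no such directory).
vuln_report() {
    dir=${1:-$SYSFS_VULN}
    [ -d "$dir" ] || { echo "no $dir: kernel does not report status"; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        verdict=$(classify_status "$text")
        if [ "$verdict" = VULNERABLE ]; then rc=1; fi
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$verdict" "$text"
    done
    return "$rc"
}

# make_sample: build a throwaway directory with CONSTRUCTED status files so
# the report can be tried on any machine; prints the directory name.
make_sample() {
    d=$(mktemp -d) || return 1
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Mitigation: Full generic retpoline" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample)
vuln_report "$sample" || echo "exit status $? (1 = at least one entry vulnerable)"
rm -rf "$sample"
```

Call `vuln_report` with no argument to read the running kernel's own directory instead of the sample.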
