This repository has been archived by the owner. It is now read-only.

Meltdown/Spectre fixing #1568

Closed
Symbian9 opened this Issue Jan 4, 2018 · 14 comments

Symbian9 commented Jan 4, 2018

Firefox 57.0.4 just rolled out fixes for Meltdown/Spectre.

When will Pale Moon be fixed?

Member

wolfbeast commented Jan 5, 2018

Pale Moon already has a coarser-clamped performance timer than Firefox did prior to their patch. That was already mitigated in Oct of 2016.
Further in-depth changes will be included in the 27.7 release.

@wolfbeast wolfbeast added the Security label Jan 5, 2018

@wolfbeast wolfbeast self-assigned this Jan 5, 2018

Symbian9 commented Jan 5, 2018

:-/

https://forum.palemoon.org/viewtopic.php?p=131437#p131437

Pale Moon isn't vulnerable

Please do not make pure PR like this while there could be many other ways for exploits like Meltdown/Spectre (as you said).

Even so, we will be adding some additional defense-in-depth changes to the upcoming version 27.7 to be absolutely sure there is no further room for any of these sorts of hardware-timing based attacks in the future.

Looks like @mozilla also can't give a 100% guarantee:

https://twitter.com/aprilmpls/status/949314868200472576

ESR doesn't support the primary feature (SharedArrayBuffer) disabled in 57.0.4, although I wouldn't be surprised for there to be further mitigations as time goes along

Member

wolfbeast commented Jan 5, 2018

Please do not make pure PR like this while there could be many other ways for exploits like Meltdown/Spectre (as you said).

Excuse me, but Pale Moon is simply not vulnerable. There is no way for a malicious web script to perform a hardware-timing based attack (required for exploiting the CPU issue) because it either needs natively-implemented high resolution timers (which aren't available in Pale Moon with fine enough granularity, by design) or a different way to construct such a high-resolution timer, the obvious choice being thread access to shared memory, which isn't possible in Pale Moon.

Is it so hard for you to accept that maybe our project can simply be ahead of the curve?

If you know of a way to exploit Spectre in Pale Moon besides these two methods, then I'm all ears. Kindly do use private messaging in that case because we wouldn't want those details released to the public immediately, for everyone's safety.

Symbian9 commented Jan 5, 2018

If you know of a way to exploit Spectre in Pale Moon besides these two methods, then I'm all ears.

You still haven't published at least any test results of any known PoCs, so it looks like there is no proof for "Pale Moon is simply not vulnerable".

I understand that many deep details can't be published yet, but more proof is needed to say "Pale Moon isn't vulnerable".

P.S.: I'm a user of Pale Moon, anyway.

Member

mattatobin commented Jan 5, 2018

@Symbian9 Then conduct a security audit yourself. Otherwise, Pale Moon, as repeatedly stated, was ahead of everyone else on this on the timing attack front because it was recognized and addressed OVER A YEAR ago.

Member

mattatobin commented Jan 5, 2018

Ok.. Do you actually have something more than search engine results? Like something that actually exploits Pale Moon?

Again, don't disclose details in public but a yes or a no would be fine.

Member

wolfbeast commented Jan 5, 2018

Many of them already on Github

I repeat: if you know of a way to exploit Spectre in Pale Moon -- it doesn't matter that everyone and their aunt is repeating variations on a clear and published issue. What matters is that to my knowledge, Pale Moon is not vulnerable -- for the simple reason that the tools are not present to create an exploit of the CPU issue.
An analogy: there's no point in checking for cavities if someone doesn't have any teeth, no matter how many records of different types of cavities there are in the dentist world.

Symbian9 commented Jan 5, 2018

Otherwise, Pale Moon, as repeatedly stated, was ahead of everyone else on this on the timing attack front because it was recognized and addressed OVER A YEAR ago.

Very interesting detail.

Member

wolfbeast commented Jan 5, 2018

Very interesting detail.

One that shouldn't be news to you if you had actually read our announcement that you quoted from, completely.

In the future I would expect you to verify issues with Pale Moon specifically before posting an issue. Maybe ask on the forums or the IRC channel before creating such a bug report and wasting my time?

@wolfbeast wolfbeast closed this Jan 5, 2018

marcan commented Jan 22, 2018

If you think high-resolution timers are required to conduct attacks requiring high timing resolution, you do not understand statistics. All you need to do is use coarser timers together with a noise source and oversampling, and voila, you've created a high-resolution timer (that just requires many samples to obtain said resolution).

Removing high-resolution targets is just a mitigation. It does not stop the attack. It just makes it harder and take more time.

You can say "Pale Moon does not have high-resolution timers and thus exploitation is significantly more difficult" and talk about equivalence with certain mitigations present in other browsers. You can not say "Pale Moon isn't vulnerable". Nobody can say they aren't vulnerable to Variant 1, because it's a pervasive problem that is not fixable with any one fix.

What you can say is that you're not vulnerable to Variant 1 as applied to out-of-bounds JavaScript array accesses (which is the most obvious attack for a web browser) if you've hardened such accesses with a fence instruction. Coarse timers don't cut it to claim it's fixed.

There's a reason Mozilla calls the timer/SharedArrayBuffer solution "a partial, short-term, mitigation" and not a "fix".

Member

wolfbeast commented Jan 22, 2018

If it's that simple, then by all means, create a PoC showing how Pale Moon is vulnerable, and show it to me.

If you want to provide a PoC, please use a secure channel. (forum PM, pgp encrypted mail, etc.)

Member

wolfbeast commented Jan 22, 2018

Restricting comments on this issue - if you want to discuss it, please use the forum.

@MoonchildProductions MoonchildProductions locked and limited conversation to collaborators Jan 22, 2018

Member

wolfbeast commented Jan 25, 2018

This needs some more adjustment after getting some essential information from the MozSec team (thanks to Dan), and to be on the safe side we should follow Safari's lead to make the granularity 1 ms which is definitely enough even for the most scrutinous webdev.

If mainstream ever considers removing/disabling the performance timer API (which has been a hazard from the start) then we can follow suit -- unfortunately this API has been in regular use in web frameworks for a while and will break some sites if simply disabled, so tuning it is the best solution for the time being.
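As an added example (not code from the Pale Moon project or from anyone in this thread), here is the check a maintainer would want after shipping the 1 ms clamp discussed above: it estimates a timer source's effective granularity from its smallest observed step, and shows a clamp wrapper applied to a constructed clock. The clock and function names are assumptions; `performance.now` is only referenced in a comment.

```javascript
'use strict';

// Wrap a millisecond clock so it only advances in steps of `resolutionMs`.
// This is the shape of the mitigation in the thread: the timer is truncated,
// not removed, so sites that rely on the API keep working.
function clampTimer(now, resolutionMs) {
  return () => Math.floor(now() / resolutionMs) * resolutionMs;
}

// Estimate the smallest step a timer advances by. `samples` is the number of
// distinct advances to observe; `maxSpins` bounds each wait so a clock that
// never moves cannot hang the check (returns null in that case).
function measureGranularity(now, samples = 50, maxSpins = 1e6) {
  let minStep = Infinity;
  let prev = now();
  for (let i = 0; i < samples; i++) {
    let cur = now();
    let spins = 0;
    while (cur === prev && spins++ < maxSpins) cur = now();
    if (cur === prev) return null; // timer is stuck; nothing measurable
    minStep = Math.min(minStep, cur - prev);
    prev = cur;
  }
  return minStep;
}

// Constructed synthetic clock (assumption, stands in for an unclamped
// high-resolution source): advances 0.0137 ms per call, so results are
// deterministic and the example runs offline.
function syntheticClock(stepMs = 0.0137) {
  let t = 0;
  return () => (t += stepMs);
}

// Run the check against the raw source and a 1 ms clamped copy of it.
// In a browser the same check would be measureGranularity(() => performance.now()).
function demo() {
  const raw = syntheticClock();
  const clamped = clampTimer(syntheticClock(), 1);
  return {
    rawGranularityMs: measureGranularity(raw),        // ~0.0137
    clampedGranularityMs: measureGranularity(clamped), // 1
  };
}

console.log(demo());
```

A measured granularity well below the configured clamp means the clamp is not actually in effect on that build or platform.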

@wolfbeast wolfbeast reopened this Jan 25, 2018

@wolfbeast wolfbeast closed this Feb 14, 2018
