Windows Developer 4.2018 - Neue Gefahren für die CPU

Dipl.-Inform. Carsten Eilers

Angebotsspektrum

Konferenzen

About Security
Online-Artikel
Magazin-Artikel

Entwickler Magazin
    2019
    2018
    2017
    2016
    2015
    2014
    2013
    2012
    2011
    2008-2010
    alle (lang!)
Mobile Technology
    2019
    2016
    2015
    2014
    2012/2013
    alle (lang!)
PHP Magazin / PHP User
    2019
    2018
    2017
    2016
    2015
    2014
    2013
    2012
    2011
    2009-2010
    alle (lang!)
PHP Magazin Workshops
windows.developer
    2019
    2018
    2017
    2016
    2015
    2014
    2013
    2012
    2008-2011
    alle (lang!)
Andere Magazine

PHP Magazin Workshops
Aktuelle Bücher
Ältere Bücher

zum Blog ...

Datenschutzerklärung

Einschränkung der Auswahl

Alle Artikel aus
    2019     2018     2017     2016     2015     2014     2013     2012     2011     2010     2008/2009
oder nur Artikel des
• Entwickler Magazin aus
    2019     2018     2017     2016     2015     2014     2013     2012     2011     2008-2010     alle (lang!)
• Mobile Technology aus
    2019     2016     2015     2014     2012/2013     alle (lang!)
• PHP Magazin / PHP User aus
    2019     2018     2017     2016     2015     2014     2013     2012     2011     2009/2010     alle (lang!)
• windows.developer / dot.Net Magazin aus
    2019     2018     2017     2016     2015     2014     2013     2012     2008-2011     alle (lang!)
• oder der anderen Magazine

Neue Gefahren für die CPU

Meltdown und Spectre eröffnen eine neue Klasse von Angriffen

Im Windows Developer 4.18 ist ein Artikel über Meltdown und Spectre erschienen. Diese Angriffe auf bzw. über die CPU eröffnen eine ganz neue Klasse von Angriffen.

Links

[1] Meltdown
[2] Spectre
[3] Matt Linton, Pat Parseghia; Google Security Blog: "Today's CPU vulnerability: what you need to know"
[4] Jann Horn; Project Zero Blog: "Reading privileged memory with a side-channel"
[5] CVE-2017-5753
[6] CVE-2017-5715
[7] CVE-2017-5754
[8] Carsten Eilers: "2014 - Das Jahr, in dem die Schwachstellen Namen bekamen"
[9] Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom: "Spectre Attacks: Exploiting Speculative Execution" (PDF)
[10] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg: "Meltdown" (PDF)
[11] Jacek Galowicz; Cyberus Technology: "Meltdown"
[12] Mozilla Foundation Security Advisory 2018-01 - Speculative execution side-channel attack ("Spectre")
[13] Anders Fogh, Cyber.WTF: "Negative Result: Reading Kernel Memory From User Mode"
[14] Fefe: "Endlich verbreitet auch mal ein Einsender Hoffnung bezüglich Meltdown"
[15] Pavel Boldin, YouTube: "Meltdown Reading Other process's memory "
[16] Michael Schwarz, YouTube: "Reconstructing a photo with Meltdown"
[17] GitHub: IAIK/meltdown
[18] Intel Newsroom: "Intel Responds to Security Research Findings"
[19] Ashraf Eassa; The Motley Fool: "Intel's CEO Just Sold a Lot of Stock"
[20] Intel: "Side-Channel Analysis Facts and Intel® Products"
[21] Intel: "Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method"
[22] Intel: "Intel Analysis of Speculative Execution Side Channels" (PDF)
[23] Brian Krzanich: "Intel's Security-First Pledge"
[24] Navin Shenoy, Intel: "Firmware Updates and Initial Performance Data for Data Center Systems"
[25] ARM Processor Security Update: "Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism"
[26] Richard Grisenthwaite; ARM Whitepaper: "Cache Speculation Side-channels"
[27] AMD Processor Security: "AMD Processors: Google Project Zero, Spectre and Meltdown - An Update on AMD Processor Security"
[28] IBM PSIRT Blog: "Potential Impact on Processors in the POWER family"
[29] IBM PSIRT Blog: "Potential CPU Security Issue"
[30] Fujitsu: "Side-Channel Analysis Method Security Review – List of affected FUJITSU Products" (PDF)
[31] Jordan Novet, CNBC: "Qualcomm is working to fix chip security holes similar to those that hurt Intel"
[32] Microsoft: "ADV180002 ¦ Guidance to mitigate speculative execution side-channel vulnerabilities"
[33] Microsoft: "Important: Windows security updates released January 3, 2018, and antivirus software"
[34] Microsoft: "Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities"
[35] Microsoft: "Windows Server guidance to protect against speculative execution side-channel vulnerabilities"
[36] Microsoft Edge Team: "Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer"
[37] Andrew Pardoe [MSFT]; Visual C++ Team Blog: "Spectre mitigations in MSVC"
[38] Chromium Security: "Site Isolation"
[39] Chromium Security: "Actions required to mitigate Speculative Side-Channel Attack techniques"
[40] Luke Wagner; Mozilla Security Blog: "Mitigations landing for new class of timing attack"
[41] Android Security Bulletin January 2018
[42] Apple: "About speculative execution vulnerabilities in ARM-based and Intel CPUs"
[43] GitHub: IAIK/KAISER: "Kernel Address Isolation to have Side-channels Efficiently Removed"
[44] KAISER: hiding the kernel from user space
[45] Jonathan Corbet; LWN.net: "Addressing Meltdown and Spectre in the kernel"
[46] Greg Kroah-Hartman; Linux Kernel Monkey Log: "Meltdown and Spectre Linux Kernel Status"
[47] Microsoft Azure Blog: "Securing Azure customers from CPU vulnerability"
[48] Microsoft: "Guidance for mitigating speculative execution side-channel vulnerabilities in Azure"
[49] Amazon: "Processor Speculative Execution Research Disclosure"
[50] Amazon: "Processor Speculative Execution – Operating System Updates"
[51] Ben Treynor Sloss; Google: "Protecting our Google Cloud customers from new vulnerabilities without impacting performance"
[52] Paul Turner; Google: "Retpoline: a software construct for preventing branch-target-injection"
[53] Ben Treynor Sloss; Google: "What Google Cloud, G Suite and Chrome customers need to know about the industry-wide CPU vulnerability"
[54] Matt Linton, Pat Parseghian; Google Security Blog: "More details about mitigations for the CPU Speculative Execution issue"
[55] Xen Advisory XSA-254: "Information leak via side effects of speculative execution"
[56] Xen Project Spectre/Meltdown FAQ
[57] VMSA-2018-0002: "VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution"
[58] VMSA-2018-0004: "VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue"
[59] VMware: "VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown) (52245)"
[60] VMware Security & Compliance Blog: "VMSA-2018-0002 and VMSA-2018-0004"
[61] Paolo Bonzini, Eduardo Habkost; QEMU: "QEMU and the Spectre and Meltdown attacks"
[62] Navin Shenoy; Intel: "Intel Security Issue Update: Initial Performance Data Results for Client Systems"
[63] Terry Myerson; Microsoft Secure Blog: "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems"
[64] Red Hat Knwoledgebase: "Speculative Execution Exploit Performance Impacts - Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715"
[65] Mike Heffner; SolarWinds AppOptics: "Visualizing Meltdown on AWS"
[66] Ian Chan, @chanian auf Twitter: "The #Meltdown patch (presumably) being applied to the underlying AWS EC2 hypervisor on some of our production Kafka brokers ..."
[67] Epic: "Epic Services & Stability Update"
[68] Meltdown und Spectre Website, Abschnitt "Can I see Meltdown in action?"
[69] Ralf Benzmüller, Anders Fogh; G Data Security Blog: "Interview mit Anders Fogh: Auf Tuchfühlung mit "Spectre" und "Meltdown""
[70] Anders Fogh; cyber.wtf: "Behind the scenes of a bug collision"