Discussion:
I am being asked does SELinux provide any protection on Meltdown/Spectre.
Daniel Walsh
2018-01-09 17:32:11 UTC
Or SECCOMP for that matter.  From my limited reading, I have not seen
what an application needs to access to trigger this vulnerability.  Is
this just using standard SYSCALLS, that we could not block without
breaking the applications?

Anyone have thoughts on this?


Dan
Patrick K., ITF
2018-01-09 17:40:18 UTC
Daniel,

Here is the sample code to trigger Meltdown

https://bugs.chromium.org/p/project-zero/issues/detail?id=1272

Plus KVM exploit.

Implementation of both using the original papers

https://spectreattack.com/


Best regards,
--
Patrick K.
Post by Daniel Walsh
Or SECCOMP for that matter.  From my limited reading, I have not seen
what an application needs to access to trigger this vulnerability.  Is
this just using standard SYSCALLS, that we could not block without
breaking the applications?
Anyone have thoughts on this?
Dan
jwcart2
2018-01-09 20:26:44 UTC
Post by Daniel Walsh
Or SECCOMP for that matter.  From my limited reading, I have not seen what an
application needs to access to trigger this vulnerability.  Is this just using
standard SYSCALLS, that we could not block without breaking the applications?
Anyone have thoughts on this?
Neither will provide any protection. Meltdown and Spectre do not require any
software vulnerabilities; they exploit the hardware. SELinux or SECCOMP might be
able to prevent specific implementations from working (by, for example, denying
the ability to run eBPF programs or other interpreters and JIT engines), but
cannot help generally.

Jim
--
James Carter <***@tycho.nsa.gov>
National Security Agency
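Jim's distinction above, that seccomp can shut off one specific vector such as in-kernel eBPF but cannot touch the hardware flaw itself, can be made concrete. The following is an added example and is not code from anyone in this thread: it installs a seccomp-BPF filter, using only prctl(2) and the raw kernel headers (no libseccomp), that fails the bpf(2) syscall with EPERM and lets every other syscall through. The function names and the probe are my own; the filter checks the architecture field first, as seccomp filters should, because syscall numbers differ between architectures.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers are per-architecture, so the filter refuses to run on
 * any architecture other than the one it was compiled for. */
#if defined(__x86_64__)
#define SECCOMP_EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_EXPECTED_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Older kernel headers only define SECCOMP_RET_KILL (thread-level kill). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a seccomp-BPF filter for the calling process that makes bpf(2)
 * fail with EPERM and allows every other syscall unchanged.
 * Returns 0 on success, -1 (with errno set by prctl) on failure. */
int deny_bpf_syscall(void)
{
    struct sock_filter filter[] = {
        /* Load seccomp_data.arch; kill the process if it is not ours. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_EXPECTED_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load seccomp_data.nr; bpf(2) gets EPERM, anything else is allowed. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bpf, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required so an unprivileged process may install a filter; it also
     * prevents the filter from being used to confuse setuid binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Attempt a bpf(2) call with an empty attribute block and report the errno
 * it failed with (0 if it unexpectedly succeeded). Before the filter the
 * kernel typically answers EINVAL, or EPERM on systems where
 * kernel.unprivileged_bpf_disabled is set; after the filter it is always
 * EPERM, regardless of privileges or sysctls. */
int probe_bpf_syscall(void)
{
    long r = syscall(__NR_bpf, 0, NULL, 0);
    return r < 0 ? errno : 0;
}

int main(void)
{
    int before = probe_bpf_syscall();
    if (deny_bpf_syscall() != 0) {
        perror("installing seccomp filter");
        return 1;
    }
    int after = probe_bpf_syscall();
    printf("bpf(2) errno before filter: %d, after filter: %d (EPERM is %d)\n",
           before, after, EPERM);
    return after == EPERM ? 0 : 1;
}
```

Build with `gcc -O2 -o deny_bpf deny_bpf.c` and run it unprivileged. What the filter buys you is exactly what Jim describes: a process confined by it cannot load eBPF programs into the kernel, so that particular in-kernel gadget host is off the table for it. What it does not do is change anything about speculative execution in user space, which is why the real mitigations for these issues are kernel page-table isolation, microcode updates and compiler-side changes rather than any syscall policy.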