Meltdown/Spectre Needs Better Disclosure
The author of rr might be expected to have meaningful commentary on Meltdown and Spectre, and indeed he does. Robert O’Callahan’s blog is worth following generally.
http://robert.ocallahan.org/2018/01/meltdownspectre-needs-better-disclosure.html
Meltdown/Spectre Needs Better Disclosure
Edward Morbius January 05, 2018 17:34
“rr”?
Edward Morbius January 05, 2018 17:42
I’ve been trying to compile a set of information (or find where better such compilations exist), and I’d argue that the naming is a very minor issue.
The inability to find a clear statement of present vulnerability status at various vendor sites is a major pain point.
I don’t know if my specifically contacting Apple and saying “I don’t care if you’ve addressed the bug fully or not, I want to know what the status of the issue is, and so will many, many other people” helped at all, but Apple’s official statement turned up shortly afterward.
Numerous vendors have no clearly visible alert or status page.
The Linux distros, as is typically the case, have done a standout job. Debian at least has a security page, though as of yesterday it hadn’t addressed this specific issue. (Checking: it now does: DSA-4078-1).
And I’ve come to realise that MITRE is almost certainly the canonical information source, though it’s not clear that CVS-2017-5754 addresses all of these multiple issues:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
OK, it probably isn’t, there are three CVEs, the other two:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
In the grand scheme, the “Meltdown” and “Sceptre” names are *for the general public to be able to grab on to this story and be aware of and track it. (It would be very helpful if security alerts would specifically mention them as well.). The CVE IDs of course are issue-specific.
Confusing the role of popular names and CVEs strikes me as a category error.
Michael K Johnson January 05, 2018 17:49
Record replay debugger — it’s because Robert understands IS architecture well from the standpoint of making deterministic reverse execution work that his thoughts about Spectre in particular looked relevant to me.
rr: lightweight recording & deterministic debugging
Edward Morbius January 05, 2018 17:51
+Michael K Johnson Got it.
Technically, almost certainly.
In terms of public outreach: quite probably not so much.
Your coding and editor hats may know the distinction ;-)
Michael K Johnson January 05, 2018 17:55
I don’t think we’re reading what he wrote the same way. My read is that he’s saying that the technical folks are being too handwavy about Spectre and it is impeding technical communication about the problems; I don’t see it as a complaint about public outreach.
My understanding may be based on having read years of his blog.
Edward Morbius January 05, 2018 18:17
+Michael K Johnson Fair enough, though I’ll disagree for now.
Imported from Google+ — content and formatting may not be reliable