Reply to post:

Meltdown/Spectre week three: World still knee-deep in something nasty

Warm Braw Silver badge

conventional malware

Unfortunately, given that you can potentially exploit these bugs from JavaScript on a web page, you're at risk from a far greater range of potential malware than one might at first imagine. And if you provide a public cloud service, you have to be robust against even unconventional malware.

That said, the meltdown issue wouldn't be a problem (necessarily) if the kernel memory were encrypted - though you'd have to be reasonably convinced that the encryption key wasn't exposed and that, having downloaded the contents of encrypted memory, an attacker then having the time and resources couldn't brute-force the key by some means (and it is quite likely that there will be known data patterns at various kernel addresses).

Spectre is more of a problem, but it could potentially be dealt with by having "sandboxed" code (such as JavaScript...) run in an address space separate from that of the host process and the latter also having its memory encrypted - the same caveats applying.

It might be OK to ignore the problem on your own particular desktop computer, but if the cloud providers want to stay in business these issues have to be fixed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2019