Security: JS-based test shows my Librems not vulnerable to Meltdown & Spectre

Just to have it mentioned, as the other day two new possible Intel microcode gaps were reported (https://twitter.com/markel__/status/1373059797155778562): the page https://leaky.page allows a browser-based (JavaScript) check of whether the underlying machine is vulnerable to Meltdown and Spectre.

Being a curious, interested grey-haired kid, I directly engaged with the page and can report that the Windows 10-based computer I checked first was vulnerable to all 3 tests run, while my Librem 13 made me happy by not being prone to one of them.

If you’re curious, too, give it a shot (I didn’t encounter anything bad despite the fact THAT they run (freely available via GitHub) code that uses the gaps themselves) :wink:

4 Likes

Yes if you are running recent versions of our coreboot or PureBoot firmware, you should be all patched up for Meltdown and Spectre.

4 Likes

There are two completely unrelated issues being discussed. The only commonality is: yet more annoying Intel CPU security worries.

The topic title is a bit misleading.

1. Meltdown and Spectre - so old that it would be surprising if your computer were still vulnerable. The specific page that you link to in your second link is presumably testing for Spectre, not Meltdown, not any of the other speculative execution security problems that have been discovered in the intervening years (after Meltdown and Spectre and before the issue being discussed in your first link), and not the issue being discussed in your first link.

2. Two previously unknown, and officially undocumented, Intel x86 instructions that, under the right circumstances, are very dangerous. This is as discussed in your first link.

Maybe a better discussion than your original link is here: https://linustechtips.com/topic/1316944-two-undocumented-x86-instructions-allegedly-found-that-can-modify-microcode/

I suspect that this research is a continuation of that linked here: Intel sec-issue (which is your topic too, so probably you already read that but maybe others have not).

If my understanding is correct, the second security problem should not be an issue for most users, unless it is blended with another exploit (or the hacker has physical access to your computer). So this problem certainly doesn’t help the overall state of computer security in the world but in isolation it may not make much difference.

Whether I am correct or not, I doubt that mitigation is available already, given that it was only announced 4 or 5 days ago. In fact, I wonder whether mitigation is even possible. @Kyle_Rankin

And I should care about Windows because? :slight_smile:

Seriously, I would worry that you are using an old, out-of-date, unpatched browser? That in itself is a problem for you, never mind about annoying Intel CPU security problems. Please confirm what browser and version. However I won’t be able to comment as to whether you are using an appropriate browser and version on Windows.

@kieran The Windows-based computer is run by a big company filled to the roofs with administrators that are absolutely convinced about their abilities. Having mentioned that, you can imagine my astonishment to see that those tests run via a webpage still push all the triggers.

On the other hand it’s good to know that our Librems are obviously secured against it.

Just imagine that every bloody webpage with a bit of cleverly constructed JavaScript, perhaps dragged in via a third-party ad provider, can, besides sandboxes and co., obtain information from much, much deeper. Add to that the more advanced gaps that have been found in recent years + the high abilities to be expected by some individuals. That gives a picture which can be an eye-opener.

The first link was the reason I took a look (it can’t be wrong to spread the info anyway). The second and the whole post beside it point towards the topic mentioned. It gives people the possibility to easily check their computers for the mentioned vulnerabilities (no matter whether they should be a thing of the past; obviously they aren’t).

1 Like

Search on snooptube or an invidious instance for the latest result for “trusting trust” …

Still, the choice of browser may or may not be yours.

Tested on my Librem13v2, i5-6200U, Coreboot 4.12
leaky.page works like a charm, extracting roughly 400 bytes/s in the first test.

Still, what browser and version (on Linux)? I would worry that you are using an old, out-of-date, unpatched browser.

I just ran it on Firefox, kept up to date as per the distro that I am using, and I received the error “could not infer memory layout” 10 times and nothing was extracted.

One important thing to remember is that the script is a proof-of-concept. The authors designed the script to work on an Intel Skylake CPU (i7-6500U) running Chrome 88. They expect the script will need minor modifications to run on other browsers and other CPUs.

So, if you’re running the script unmodified on Firefox, you’re not testing the script.

Another important thing to remember is that this attack is expected to work on any modern CPU and any browser that allows Javascript. For example, the authors have already used the same attack successfully on an M1 Mac.

Since this is a side-channel attack, the operating system is irrelevant – the script doesn’t interact in any meaningful way with the OS.

All of this is emphasized in the first paragraph of the leaky.page website [1], and elaborated on in the linked blogpost [2]:

we found that effective mitigation of some variants of Spectre, particularly variant 4, to be simply infeasible in software.

  Their test system        My test system
  i7-6500U                 i5-6200U
  Chrome 88 (leaks ~1kB/s) Chromium 89.0.4389.90 (leaks ~400B/s)
                           Chrome 89.0.4389.90-1 (leaks ~400B/s)
                           Chrome 87.0.4280.66-1 (leaks ~400B/s)
  (unknown firmware)       Coreboot 4.12
  Linux (unknown version)  Linux 5.4

(In my hands, updating all software to the latest, as of 2021 March 26, followed by a reboot, did nothing to stop or even slow the leaks. I couldn’t even get leaky.page started on browsers other than Chromium and Chrome; presumably, the V8 JavaScript engine is required for this particular version of the script to load/render properly.)
[1] https://leaky.page/
[2] https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html

2 Likes
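One check worth pairing with a leaky.page run is what the kernel itself reports about speculative-execution mitigations. The script below is an added example, not code from this thread or from leaky.page; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/ and uses constructed sample statuses for the offline run. It also shows why a host that reports “Mitigation:” everywhere can still leak in the browser test: those entries describe kernel-side mitigations, whereas the proof-of-concept reads the browser process’s own memory from inside its JavaScript engine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the Linux kernel's own report of
# speculative-execution mitigations from /sys/devices/system/cpu/vulnerabilities/.
# Caveat: these entries describe kernel/OS mitigations. A Spectre v1 gadget inside
# a browser's own JavaScript engine reads that process's own memory, so a host
# can show "Mitigation:" everywhere and leaky.page can still leak.
VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status STATUS -> one word: unaffected, mitigated, affected or unknown.
# STATUS is the one-line text the kernel writes to each file.
classify_status() {
    case "$1" in
        "Not affected"*) printf 'unaffected\n' ;;
        Mitigation:*)    printf 'mitigated\n' ;;
        Vulnerable*)     printf 'affected\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# report_dir DIR -> prints "entry class status" per file; returns 1 if any entry
# is affected or unreadable (so it can double as a cron/CI check), 2 if DIR is
# missing, which means the kernel is too old to report, not that the CPU is safe.
report_dir() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { echo "no $dir: this kernel does not report mitigations" >&2; return 2; }
    for f in "$dir"/*; do
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null || echo unreadable)
        class=$(classify_status "$status")
        printf '%-20s %-10s %s\n' "$name" "$class" "$status"
        case "$class" in affected|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir DIR -> constructed statuses for a hypothetical host, so the
# script can be exercised offline. The wording mirrors real kernel output.
make_sample_dir() {
    mkdir -p "$1"
    echo "Not affected" > "$1/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$1/spectre_v1"
    echo "Mitigation: Full generic retpoline, IBPB: conditional, STIBP: conditional" > "$1/spectre_v2"
    echo "Vulnerable" > "$1/spec_store_bypass"
}

# Stand-alone run: constructed sample first, then the live host if it reports.
sample="${TMPDIR:-/tmp}/spectre_sample.$$"
make_sample_dir "$sample"; report_dir "$sample"; echo "sample exit=$?"
rm -rf "$sample"
[ -d "$VULN_DIR" ] && report_dir "$VULN_DIR"
```

On the Librem in the thread, spec_store_bypass (Spectre variant 4) is the entry to look at first, since the linked Google blog post singles out that variant as infeasible to mitigate fully in software.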

Right. I overlooked that detail.

If you use Chrome though you are leaking much more than whatever you leak via Spectre. :smile:

They really need to develop a proof-of-concept for Firefox.

1 Like

If you use Chrome though you are leaking much more than whatever you leak via Spectre. :smile:

No kidding – you’re absolutely right! There are a thousand far easier ways to break into someone’s computer than by Spectre-by-JavaScript. And Chrome subverts the users’ rights and freedoms in various insidious ways.

I use Firefox about 99.6% of the time, and Safari 0.2%, Chromium 0.1%, and Chrome 0.1% of the time. On those occasions that I do run Chrome, I run it isolated from my main system and as much of my private data as possible. Chrome is hard to avoid entirely, because it now has a monopoly much like Microsoft’s Internet Exploder did ~2000-2010. I need to run Chrome for testing purposes when I submit snippets of code to a complex website project at my workplace, since Chrome is what at least half of the customers are using. Also, the websites of a few too-big-to-fail companies only work on Chrome… go figure (probably a combination of a “my way or the highway” attitude, and developers being given tight deadlines).

In my opinion, Firefox is far less abusive than Chrome or Safari, but that doesn’t mean Firefox is perfect. It still leaks a lot of private data without the user’s permission, and there are other flaws that are probably best discussed in different discussion threads.

It might be fun to try Lynx [1], which doesn’t run Javascript at all. I haven’t tried it out yet myself.
[1] https://en.wikipedia.org/wiki/Lynx_(web_browser)

1 Like

An update:
I updated the firmware on my Librem to Coreboot 4.13 a couple of days ago, and tested leaky.page again (on the latest version of Chromium). It still leaks ~400 B/s.

That isn’t surprising, since nearly all modern CPUs are vulnerable to Spectre, and the currently available mitigations provide only partial protection.