Impact of Meltdown and Spectre CPU security vulnerabilities on VirtualBox virtualization?

[Petr Vones]

And, as you wrote in another post, who know what lurks under the surface.

There is another issue waiting to get attention. Remember the DRAM 'Rowhammer' vulnerability few years ago? It is believed to be fixed by BIOS updates but there is new version available now https://arxiv.org/abs/1710.00551

[michaln]

Well... apparently the first information about Meltdown/Spectre trickled down to Intel, AMD etc sometime in June 2017. I fully see that analysis of the problems, establishing viable routes to mitigating or resolving these abuses and bugs etc etc takes a lot of time. However. short notice still sounds a bit rich, I'd say, if you look at the way Intel and others have rushed out microcode updates (and these only for some CPUs!) that seem not very well tested, to say the least. Either they have been sleepwalking into this or they are criminally negligent. Probably both.

I'm sure courts will have to decide that.

The real problem for user and for us is that given the nature of the vulnerabilities, the mitigations require a lot of moving parts. I suspect that it took Intel some time to determine that the problem is not fixable in microcode and that OS vendors need to do something too. I don't know how long it takes Intel to design/develop/test/release a microcode update; I'm guessing it takes time. The OS changes are definitely non-trivial and took probably at minimum a month to implement and longer to test/deploy. The security embargo does not make things easier because wider testing was impossible.

The microcode dependency is pure evil from a deployment perspective. A lot of the mitigations only kick in with updated microcode in place (it adds new CPUID bits and new MSRs), but you can't test anything until you actually have the microcode, and a lot of users don't (either because of Intel or their OEM). And because effectively all CPU models are affected, and for many of them the updates simply don't exist, it means the testing will continue as we go.

What makes Spectre/Meltdown special is that it's a hardware problem and that essentially everything is affected. Intel has to release microcode updates for 20+ CPU families -- I'm not sure that's something that ever happened before.

[michaln]

There is another issue waiting to get attention. Remember the DRAM 'Rowhammer' vulnerability few years ago?

Love this part: "Finally, we abuse Intel SGX to hide the attack entirely from the user and the operating system"

[Petr Vones]

FYI Lenovo has changed BIOS update availability status for almost all devices to Target availability TBD from previous already particular date announced and many of them returned to Researching stage. It seems as patching the issue is more complex task than expected.

[Petr Vones]

As expected, the real fix is possible by hardware (CPU) upgrade only: Intel will release "in-silicon" fixes for Meltdown and Spectre this year