IT industry news media

A very, very, very serious CPU vulnerability!

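Actually, this really is a big deal! Basically, a lot of the electronic products you are using have this problem, including those from Google, Amazon, Apple and Microsoft. In Hong Kong, most coverage only mentions in passing that the problem will affect CPU performance by 30%, so nobody thinks it is a big deal at all!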

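So what actually happened?
Simply put, many CPUs today use a "guess ahead" approach to read data from memory in advance and speed up computation. Under this mechanism, by combining side channel attacks, Meltdown (which exploits the flaw via out-of-order execution) and return-oriented programming, it is possible to read kernel memory while completely ignoring the security mechanisms of the software and the operating system. So stealing data is actually quite simple. How simple? Researchers ran a piece of JavaScript in Google Chrome and everything came out.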

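How serious is it?
The VMs and cloud platforms in use all over the world are affected. If you share a VM with me and you don't patch, I can learn all of your data! But if you do patch, you can say bye-bye to your CPU resources.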
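One way to check whether a host is actually patched, as an added example that is not from the original post: it assumes a Linux host whose kernel reports per-issue status lines under `/sys/devices/system/cpu/vulnerabilities`, and the function names and the sample data are made up for illustration.

```python
from pathlib import Path

# Assumption: a Linux host whose kernel reports CPU-flaw status under this sysfs
# directory, one file per issue, each holding a single status line.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

def classify(status):
    """Map one kernel status line to a coarse state."""
    line = status.strip()
    if line.startswith("Not affected"):
        return "not-affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty or unrecognised: the kernel may predate the fixes

def read_sysfs(directory=SYSFS_DIR):
    """Read the raw status lines; a missing file becomes an empty string."""
    raw = {}
    for name in ISSUES:
        try:
            raw[name] = (Path(directory) / name).read_text()
        except OSError:
            raw[name] = ""
    return raw

def audit(raw):
    """Classify every issue in ISSUES from a {name: status line} mapping."""
    return {name: classify(raw.get(name, "")) for name in ISSUES}

def needs_action(result):
    """Issues an operator should still chase: vulnerable or not reported at all."""
    return sorted(n for n, s in result.items() if s in ("vulnerable", "unknown"))

# Constructed sample: a host with the Meltdown patch applied but Spectre v2 open.
SAMPLE_PARTIAL = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_PARTIAL), ("this host", read_sysfs())):
        result = audit(raw)
        print(label, result, "needs action:", needs_action(result))
```

An "unknown" result means the kernel did not report on that issue, which is treated here as something to follow up rather than as safe.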

This affair has also spawned plenty of PR disasters, such as AWS quietly telling you to reboot your instances. After patching, you end up using a lot more CPU resources.
Intel PR even said: “Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.”
Wow! So this isn't a vulnerability, it's part of the design?!

Details of the vulnerability: https://goo.gl/SS5rN6 (PDF, includes the code used in the tests)
And of course, read up on what Meltdown and Spectre are: https://goo.gl/hmd9Sv

To keep up with how things develop, look here: https://goo.gl/dCuHGE (AWS performance comparison, Intel's response, vulnerability details)