undefined | Better HN

0 pointssnowwrestler8y ago0 comments

The irony here is that a good ol' dedicated hardware web server is far less susceptible to Meltdown or Spectre than Google Cloud, because only your code is running on the CPUs.

I predict tonight's disclosures will lead to an uptick in interest in running websites on dedicated hardware, like we did back at the turn of the century.

0 comments

tanilama8y ago

> Spectre

Spectre doesn't really care if it is cloud or bare metal. They are equally vulnerable unless disconnected from internet.

snowwrestlerOP8y ago

To get you with Spectre, the attacker must be able to run code on your CPU.

This affects browsers with Javascript enabled because your Javascript engine runs foreign code on the CPU. The bad guy puts nasty code in a page, you visit the page, the code executes on your machine--boom.

And it affects public cloud web servers because multiple cloud servers (virtual machines) run on one CPU. So some attacker might be able to jump out of their VM and read your VM's memory.

BUT, on a dedicated hardware web server, there shouldn't be any foreign code running--no foreign VMs, and no browser.

user59944618y ago

There are many dedicated servers that are shared across users or clients and were expected to be isolated.

Any user who has access to a system (developers or support or sysadmin) has the ability to read arbitrary memory. The vulnerability can probably be leveraged to privilege escalation or bypass the isolation.

tanilama8y ago

Spectre doesn't let u do cross VM memory reading, Meltdown does, AFAIK. If you want to read other VMs memory, u need to RUN in those VMs yourself and within the right process.

So cloud instance and bare metal ones are equally vulnerable under Spectre: as long as they can transfer their malicious code to your VMs and runs it. Can't really see how bare metal servers mitigate this problem.

Godel_unicode8y ago

Pretty hard to have a neighbor vm execute Spectre on your same physical server if you have dedicated hardware.

Add in that Spectre specifically is a js bug so in order to be vulnerable your server would need to execute untrusted JavaScript and I think we can assume the threat surface of this specific bug is smaller outside the cloud...

spotman8y ago

Pretty sure that its not limited to js:

https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9...

Its a technique, not a flaw in js, from my understanding

1 more reply

cthalupa8y ago

I don't think you understand the bug here.

1) https://spectreattack.com/: "Spectre tricks other applications into accessing arbitrary locations in their memory. " Spectre does not let you execute code in another guest

2) Spectre is not javascript specific. I am not sure why you think it is, beyond the fact a PoC was written in js

1 more reply

j / k navigate · click thread line to collapse

0 comments

tanilama8y ago

> Spectre

Spectre doesn't really care if it is cloud or bare metal. They are equally vulnerable unless disconnected from internet.

snowwrestlerOP8y ago

To get you with Spectre, the attacker must be able to run code on your CPU.

And it affects public cloud web servers because multiple cloud servers (virtual machines) run on one CPU. So some attacker might be able to jump out of their VM and read your VM's memory.

BUT, on a dedicated hardware web server, there shouldn't be any foreign code running--no foreign VMs, and no browser.

user59944618y ago

There are many dedicated servers that are shared across users or clients and were expected to be isolated.

tanilama8y ago

Spectre doesn't let u do cross VM memory reading, Meltdown does, AFAIK. If you want to read other VMs memory, u need to RUN in those VMs yourself and within the right process.

Godel_unicode8y ago

Pretty hard to have a neighbor vm execute Spectre on your same physical server if you have dedicated hardware.

spotman8y ago

Pretty sure that its not limited to js:

https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9...

Its a technique, not a flaw in js, from my understanding

1 more reply

cthalupa8y ago

I don't think you understand the bug here.

1) https://spectreattack.com/: "Spectre tricks other applications into accessing arbitrary locations in their memory. " Spectre does not let you execute code in another guest

2) Spectre is not javascript specific. I am not sure why you think it is, beyond the fact a PoC was written in js

1 more reply

j / k navigate · click thread line to collapse