Intel’s processor flaw is a virtualization nightmare

2018 is off to a very bad start for Intel after the disclosure of a flaw deep in the design of its processors, dubbed Meltdown. And while the company has publicly said the issue won’t affect consumers, they aren’t the ones who need to be worried.The issue is found in how Intel processors work with page tables for handling virtual memory. It is believed that an exploit would be able to observe the content of privileged memory by exploiting a technique called speculative execution.Speculative execution exploit Speculative execution is a part of a methodology called out-of-order execution (OOE), where basically the CPU makes an educated guess on what will happen next based on the data it has. It’s designed to speed up the CPU rather than burn up CPU cycles working its way through a process. It’s all meant to make the CPU as efficient as possible.To read this article in full, please click here

Intel’s processor flaw is a virtualization nightmare

2018 is off to a very bad start for Intel after the disclosure of a flaw deep in the design of its processors. And while the company has publicly said the issue won’t affect consumers, they aren’t the ones who need to be worried.The issue is found in how Intel processors work with page tables for handling virtual memory. It is believed that an exploit would be able to observe the content of privileged memory by exploiting a technique called speculative execution.Speculative execution exploit Speculative execution is a part of a methodology called out-of-order execution (OOE), where basically the CPU makes an educated guess on what will happen next based on the data it has. It’s designed to speed up the CPU rather than burn up CPU cycles working its way through a process. It’s all meant to make the CPU as efficient as possible.To read this article in full, please click here

Meltdown and Spectre

While many have already seen something on these two, this is the best set of articles I’ve found on these vulnerabilities and the ramifications.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. —meltdownattack.com

Windows, Linux, and macOS have all received security patches that significantly alter how the operating systems handle virtual memory in order to protect against a hitherto undisclosed flaw. This is more than a little notable; it’s been clear that Microsoft and the Linux kernel developers have been informed of some non-public security issue and have been rushing to fix it. But nobody knew quite what the problem was, leading to lots of speculation and experimentation based on pre-releases of the patches. —ARS Technica

You don’t have to worry if you patch. If you download the Continue reading

25% off SanDisk 256GB iXpand Base for iPhone charging and backup – Deal Alert

Here's something you probably didn't know existed. With SanDisk's iXpand iPhone base, you'll never have to worry about losing your memories again. Every time you charge your iPhone with the iXpand Base, it automatically backs up your photos, videos and contacts. The iXpand Base offers plenty of room to save your files in their original quality with no worry about recurring monthly fees for Internet-based storage. Designed for everyday use with a soft rubber top, a sturdy base, and a wrap-around groove to keep your Apple Lightning to USB cable tidy. Its typical list price has been discounted $50, for now, to $149.99. See this deal on Amazon.To read this article in full, please click here

IoT: A vulnerable asset but also a recovery tool in disasters

If you think the proliferation of mobile devices changed the concept of the network edge, get ready for the emerging Internet of Things (IoT), where a network-connected sensor could be located on top of a mountain, in a corn field or even in the ocean.So, how does an enterprise incorporate IoT into its disaster recovery plan? In one sense, IoT creates a unique challenge because it is far-flung and vulnerable. But it can also become part of a DR solution, helping to protect the business in the event of a disaster, according to experts.+Also on Network World: REVIEW: 4 top disaster-recovery platforms compared; Review: Microsoft Azure IoT Suite+To read this article in full, please click here

32% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery – Deal Alert

Carbon Monoxide is odorless, tasteless and invisible, and it accounts for over 72,000 cases of poisoning each year. Kidde calls their C3010D model "worry free" because its sensor and sealed battery provide 10 years of uninterrupted CO detection, and a digital display that updates every 15 seconds. The unit will chirp when its reaching the ends of its life, so you don't have to wonder. The Kidde C3010D alarm is currently discounted 32% to $34.91. See this deal now on Amazon.To read this article in full, please click here

32% off Kidde Carbon Monoxide Alarm with Display and 10 Year Battery – Deal Alert

Carbon Monoxide is odorless, tasteless and invisible, and it accounts for over 72,000 cases of poisoning each year. Kidde calls their C3010D model "worry free" because its sensor and sealed battery provide 10 years of uninterrupted CO detection, and a digital display that updates every 15 seconds. The unit will chirp when its reaching the ends of its life, so you don't have to wonder. The Kidde C3010D alarm is currently discounted 32% to $34.91. See this deal now on Amazon.To read this article in full, please click here

Some notes on Meltdown/Spectre

I thought I'd write up some notes.

You don't have to worry if you patch. If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don't have to worry. If you aren't up to date, then there's a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it's probably not news the average consumer needs to concern themselves with.

This will force a redesign of CPUs and operating systems. While not a big news item for consumers, it's huge in the geek world. We'll need to redesign operating systems and how CPUs are made.

Don't worry about the performance hit. Some, especially avid gamers, are concerned about the claims of "30%" performance reduction when applying the patch. That's only in some rare cases, so you shouldn't worry too much about it. As far as I can tell, 3D games aren't likely to see less than 1% performance degradation. If you imagine your game is suddenly slower after the patch, then something else broke it.

This wasn't foreseeable. A common cliche is that such bugs Continue reading

Why Meltdown exists

So I thought I'd answer this question. I'm not a "chipmaker", but I've been optimizing low-level assembly x86 assembly language for a couple of decades.





The tl;dr version is this: the CPUs have no bug. The results are correct, it's just that the timing is different. CPU designers will never fix the general problem of undetermined timing.

CPUs are deterministic in the results they produce. If you add 5+6, you always get 11 -- always. On the other hand, the amount of time they take is non-deterministic. Run a benchmark on your computer. Now run it again. The amount of time it took varies, for a lot of reasons.

That CPUs take an unknown amount of time is an inherent problem in CPU design. Even if you do everything right, "interrupts" from clock timers and network cards will still cause undefined timing problems. Therefore, CPU designers have thrown the concept of "deterministic time" out Continue reading

Let’s see if I’ve got Metldown right

I thought I'd write down the proof-of-concept to see if I got it right.

So the Meltdown paper lists the following steps:

 ; flush cache
 ; rcx = kernel address
 ; rbx = probe array
 retry:
 mov al, byte [rcx]
 shl rax, 0xc
 jz retry
 mov rbx, qword [rbx + rax]
 ; measure which of 256 cachelines were accessed

So the first step is to flush the cache, so that none of the 256 possible cache lines in our "probe array" are in the cache. There are many ways this can be done.

Now pick a byte of secret kernel memory to read. Presumably, we'll just read all of memory, one byte at a time. The address of this byte is in rcx.

Now execute the instruction:
    mov al, byte [rcx]
This line of code will crash (raise an exception). That's because [rcx] points to secret kernel memory which we don't have permission to read. The value of the real al (the low-order byte of rax) will never actually change.

But fear not! Intel is massively out-of-order. That means before the exception happens, it will provisionally and partially execute the following instructions. While Intel has only 16 Continue reading

Fortinet FortiGate-VMX and NSX use cases

Fortinet FortiGate-VMX NSX is an extensible platform; other vendors security solutions can be added to it by means of the Northbound REST API, and two private APIs: NETX for network introspection, and EPSEC for guest introspection. Fortinet’s FortiGate-VMX solution uses the NSX NETX API to provide advanced layer 4-7 services via service insertion, also called service chaining.  This enables... Read more →

Fortinet FortiGate-VMX and NSX use cases

NSX is an extensible platform; other vendors security solutions can be added to it by means of the Northbound REST API, and two private APIs: NETX for network introspection, and EPSEC for guest introspection.

Fortinet’s FortiGate-VMX solution uses the NSX NETX API to provide advanced layer 4-7 services via service insertion, also called service chaining.  This enables the additional inspection of VM traffic prior to that traffic reaching the vSwitch.  This enhances micro-segmentation where there is need for greater application recognition, anti-malware, and other Next Generation Firewall features.  The scale-out nature of NSX is maintained as NSX handles the instantiation of FortiGate service VMs on the hosts within the deployed cluster retaining its operational advantages, if the cluster grows additional FortiGate-VMX service machines will be created as needed.

 

 

One of the primary advantages to FortiGate-VMX is the availability of VDOMs for multi-tenancy in a service provider or enterprise environment – this enables segmenting traffic by organization, business group, or other construct in addition to application.  The segregation includes the administration, VDOMs are managed independently of one another, this can also be used to split the different security functions such as anti-virus, IPS, and application control into isolated units or only Continue reading

VMware AppDefense & CB Defense Demo

As you may have heard, VMware and Carbon Black have come together to deliver best-in-class security architected for today’s data centers.

In this demo, you’ll see an example of how CB Defense and VMware AppDefense combine to enforce known good application behavior and detect threats using industry leading detection and response technology.

For this demo, we’ll show how an advanced security breach can come in under the guise of an innocuous application (Powershell) and often go undetected.  We’ll walk through the steps that security teams can now take to respond and address the attack all in one application.

 

The post VMware AppDefense & CB Defense Demo appeared first on Network Virtualization.

1 1,773 1,774 1,775 1,776 1,777 3,841