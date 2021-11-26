Security and Resilience Leftovers
Blocking straight-line speculation — eventually [LWN.net]
On its face, this code is safe; it will only attempt to index into obj->array if the given offset is within bounds. A CPU running this code, though, may be unable to fetch obj->array_length from cache, meaning that it will have to wait for that value to come from memory. Rather than do nothing, the CPU can make a guess as to how the comparison will turn out and continue execution in a speculative mode; it may guess wrong and index obj->array with an out-of-bounds offset. Again, this shouldn't be a problem; once the array length shows up and it becomes clear that the branch was not correctly predicted, the speculative work will be thrown away.
The problem, of course, is that this speculative execution can leave traces elsewhere in the system (most often the memory caches) that can be used to exfiltrate data that an attacker would otherwise be unable to access. In the worst cases, Spectre vulnerabilities can be used to attack the kernel or to carry out attacks between virtual machines running on the same physical host. They are a real threat, which is why numerous mitigations have been adopted to thwart these attacks despite a high performance cost.
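The bounds-check pattern the article is describing, reconstructed here as an added example (it is not the snippet from the LWN article), beside the branchless masking the Linux kernel applies as its Spectre v1 mitigation. The `struct obj` layout, the `sample` values and the helper names are constructed for this illustration:

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed example layout, not from the LWN article: a length followed
 * by the array it guards.
 */
struct obj {
    size_t array_length;
    uint8_t array[8];
};

static const struct obj sample = { 4, { 10, 20, 30, 40, 0, 0, 0, 0 } };

/*
 * Architecturally correct: the program can never observe an out-of-bounds
 * read. Speculatively unsafe: while obj->array_length is still being fetched
 * from memory the CPU may predict the branch as taken and issue the load
 * from obj->array[offset] for any attacker-chosen offset, pulling in a cache
 * line whose address depends on data the attacker must not read.
 */
int read_byte_vulnerable(const struct obj *obj, size_t offset)
{
    if (offset < obj->array_length)
        return obj->array[offset];
    return -1;
}

/*
 * Branchless mask in the spirit of the kernel's array_index_mask_nospec():
 * all ones when index < size, zero otherwise. It is pure data flow, so it
 * is computed correctly even while the surrounding branch is mispredicted.
 * Assumes index and size both have their top bit clear.
 */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    /* index - size wraps around (top bit set) exactly when index < size */
    return (size_t)0 - ((index - size) >> (sizeof(size_t) * 8 - 1));
}

/*
 * Hardened version: the offset actually used for the load is forced to zero
 * for any out-of-bounds value, so a mispredicted branch can only ever touch
 * obj->array[0], an address that does not depend on the attacker's input.
 */
int read_byte_hardened(const struct obj *obj, size_t offset)
{
    size_t len = obj->array_length;

    if (offset < len) {
        size_t mask = index_mask_nospec(offset, len);
#if defined(__GNUC__)
        /* Stop the compiler from proving the mask is all ones inside this
         * branch and deleting it (the kernel uses OPTIMIZER_HIDE_VAR()). */
        __asm__ __volatile__("" : "+r"(mask));
#endif
        return obj->array[offset & mask];
    }
    return -1;
}
```

The mask is the entire mitigation: with it in place a mispredicted branch can only speculatively load `obj->array[0]`, so the cache side channel no longer encodes the attacker's offset. The kernel packages the same idea as `array_index_nospec()`, and on x86 the mask is produced by a short hand-written assembly sequence so that the compiler cannot turn it back into a branch.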
Straight-line speculation, which was initially disclosed in this white paper from Arm, differs in that it does not depend on erroneous branch prediction; indeed, no conditional branches are involved at all. Instead, it takes advantage of some strange behavior around unconditional control-flow changes. There are a lot of instructions that will result in a change to the program counter; on Arm, these include instructions that generate exceptions, but also unconditional direct branches and the RET instruction to return from a function call.
AWS power failure in US-EAST-1 region killed some hardware and instances
A small group of sysadmins have a disaster recovery job on their hands, on top of Log4J fun, thanks to a power outage at Amazon Web Services’ USE1-AZ4 Availability Zone in the US-EAST-1 Region.
The lack of fun kicked off at 04:35AM Pacific Time (PST – aka 12:35PM UTC) on December 22nd, when AWS noticed launch failures and networking issues for some instances in its Elastic Compute Cloud IaaS service.
26 minutes later the cloud colossus ‘fessed up to a power outage and recommended moving workloads to other parts of its cloud that were still receiving electricity.
Power was restored at 05:39AM PST and AWS reported slow recovery of services; however, a 6:51AM update admitted that ongoing networking issues were hampering efforts at full restoration.
At the time of writing, AWS has still not fully restored networking.
FLOSS Weekly 661: Open Source for Observability - Computer Security, VIZIO Lawsuit
Is it a coincidence that observability is both an essential feature of open source and also a scourge of our wantonly spied-upon lives online? Can we use the former to solve the latter? That and many other questions are discussed during FLOSS Weekly. Doc Searls is joined by co-hosts Jonathan Bennett and Simon Phipps for a year-end look at the crazy state of our connected world, also discussing topics such as the VIZIO class-action lawsuit and the Linus Tech Tips Linux challenge.
Audio bugging with the Fisher Price Chatter Bluetooth Telephone | Pen Test Partners
The Fisher Price Chatter Bluetooth Telephone is a reincarnation of a familiar kids toy. It acts as a Bluetooth headset, so the user can connect their smartphone to it and take calls using the kids phone handset. Cute!
Unfortunately, little to no consideration has been given to privacy and security, resulting in it becoming an audio bug in some circumstances.
[...]
Fisher Price released their Bluetooth Chatter Telephone to much fanfare. I’ll be honest – I quite want one too! It brings back memories of my childhood.
The phone is currently only available from Best Buy in the USA and promptly sold out. We had a chat with Zack Whittaker of TechCrunch, a lovely Brit based in NYC, who ordered one on our behalf. About 6 weeks later the phone arrived with him, so we worked through a test plan together.
In the meantime, we went hunting for the Bluetooth specs and instruction manuals.
The FCC filings are here: https://fccid.io/PIYHGJ69-21A5T though most of the entries were at the time still confidential.
Our work on My Friend Cayla some years ago showed a very similar issue. An attacker within Bluetooth range could simply connect a Bluetooth audio device (e.g. a smartphone) with no further security challenges and listen to the doll's microphone, or speak through its speaker to a child playing with the doll. This led to widespread concern from consumer protection groups such as Forbrukerrådet (the Norwegian Consumer Council) and product bans across multiple countries, led by Germany's Federal Network Agency (Bundesnetzagentur).
Programming Leftovers
Adding fs-verity support for Fedora 36?
Fs-verity is a kernel feature that is supported by some filesystems; it provides a way to ensure that the contents of a file cannot be changed on disk without detection. It revolves around a Merkle tree that is created for each file being protected; the tree contains hashes of each data block in the file. When a file is protected by fs-verity, it is marked as read-only and every read operation checks that the block read matches the value stored in the tree; the operation fails if there is no match. In addition, the tree itself can be cryptographically signed to ensure that nothing has been changed underneath the filesystem by, say, accessing the raw block device or image file.

Fedora program manager Ben Cotton posted the Fedora change proposal to add fs-verity support on behalf of the feature owners: Davide Cavalca, Boris Burkov, Filipe Brandenburger, Michel Alexandre Salim, and Matthew Almond. There are several elements to the plan. To start with, the Koji build system needs to be able to create and sign the Merkle tree for each file that gets shipped in the RPM package. The tree itself is not added to the RPM package, just the signed top-level hash for each file. On the other end, an optional fs-verity RPM plugin would install the Fedora key and enable fs-verity for each file it installs. The filesystem would then recreate the Merkle tree, check it against the signature in the RPM metadata, and store the tree with the file. After that, each access to the file will be checked against the tree, which means that various kinds of operations (e.g. read(), mmap(), execve(), etc.) will only proceed if the data blocks on disk have not changed.

The proposal mainly focuses on the build side of the equation: "Specifically, installing and enabling the fs-verity rpm plugin by default is explicitly considered out of scope here."
The overhead of creating the Merkle tree at installation time did not "appear to meaningfully slow down package installs during empirical testing", but there is some (unspecified) cost of creating the tree for every Koji build, of course. The Merkle tree is only stored if the RPM fs-verity plugin is enabled and adds roughly 1/127th (0.8%) to the size of the installed file. All RPMs would get additional metadata, in the form of signatures, if the proposal is adopted, but even that is fairly negligible: "in the vast majority of cases we expect to see minimal to no size increase thanks to RPM header packing".
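To make the two preceding paragraphs concrete, here is an added example of a simplified fs-verity-style Merkle tree: a digest per 4096-byte block, 128 child digests per tree block, a separately kept root that is what would be signed, per-read verification back up to that root, and the block count that produces the 1/127 overhead figure quoted above. It is not the kernel's on-disk format or fsverity-utils' code, and `SAMPLE_FILE` and all function names are constructed for the illustration:

```python
"""Added example: simplified fs-verity-style Merkle tree (not the kernel's
on-disk format). SHA-256 over 4096-byte blocks, 128 child digests per tree
block, root digest kept outside the tree. Sample file is constructed."""
import hashlib

BLOCK_SIZE = 4096
DIGEST_SIZE = 32                      # SHA-256
PER_NODE = BLOCK_SIZE // DIGEST_SIZE  # 128 child hashes fill one tree block

# Constructed sample "file": 3 full blocks plus a 1024-byte partial block.
SAMPLE_FILE = bytes(range(256)) * 52


def _hash_block(chunk: bytes) -> bytes:
    # fs-verity zero-pads the final partial block before hashing it
    return hashlib.sha256(chunk.ljust(BLOCK_SIZE, b"\0")).digest()


def build_tree(data: bytes) -> list:
    """Return the tree as levels[0] = one digest per data block, ...,
    levels[-1] = [root]. A single-block file has no stored tree level at all:
    its root is simply the hash of that one block."""
    blocks = [data[i:i + BLOCK_SIZE]
              for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    level = [_hash_block(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        # each parent digest covers up to PER_NODE children, hashed as one
        # zero-padded tree block
        level = [_hash_block(b"".join(level[i:i + PER_NODE]))
                 for i in range(0, len(level), PER_NODE)]
        levels.append(level)
    return levels


def root_digest(data: bytes) -> bytes:
    """The value the build system would sign and ship in the RPM header."""
    return build_tree(data)[-1][0]


def verify_block(levels, index: int, block: bytes, root: bytes) -> bool:
    """What every read() must do: hash the block that came off disk, then
    walk up the stored tree recomputing each parent from its siblings, and
    accept only if the recomputed top value equals the trusted root."""
    digest = _hash_block(block)
    for level in levels[:-1]:
        if level[index] != digest:  # data block or hash block was altered
            return False
        parent = index // PER_NODE
        siblings = level[parent * PER_NODE:(parent + 1) * PER_NODE]
        digest = _hash_block(b"".join(siblings))
        index = parent
    return digest == root


def tree_blocks(n_data_blocks: int) -> int:
    """Number of 4096-byte tree blocks stored on disk (everything below the
    root) for a file of n_data_blocks blocks. Each level is 1/128 the size
    of the one below it, so the sum tends to 1/127 of the file size, which
    is the ~0.8% the proposal quotes."""
    total, n = 0, n_data_blocks
    while n > 1:
        n = -(-n // PER_NODE)  # ceiling division
        total += n
    return total
```

The important property is in `verify_block`: the stored tree is untrusted input, so a tampered data block and a tampered hash block are both rejected because the recomputation is carried all the way to the root, which is the only value the signature covers. On a real system the equivalent operations are provided by fsverity-utils (`fsverity enable` builds and stores the tree, `fsverity measure` reports the digest of an enabled file); the real fs-verity digest is the hash of a descriptor that contains the root rather than the bare root used here, so the values are not byte-compatible with this toy.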
openSUSE Board Election 2021 happening right now
The election was announced on the project mailing list on the 1st of November 2021. The current Election Committee is composed of Ariez Vachha, Mohammad Edwin Zakaria and myself. This election is required to fill two seats on the openSUSE Board, as the terms of Simon Lees and Vinzenz Vietzke are coming to an end.
ESP32, Arduino, ThingsBoard and Raspberry Pi
