I wouldn't think Javascript would have the accurate timing required to leverage this attack, but I don't really know enough about the language.

Regardless, is there someone within FreeBSD that is working on patches for this set of problems, at least for Intel? Linux already has at least some, and I believe NetBSD does too. Of course Windows has already pushed out a Windows10 fix, 7 and 8 are coming.

....................................
Andrew L. Duane - Principal Resident Engineer
AT&T Advanced Services Technical Lead
Juniper Quality Ambassador
m   +1 603.770.7088
o +1 408.933.6944 (2-6944)
skype: andrewlduane
***@juniper.net

-----Original Message-----
From: owner-freebsd-***@freebsd.org [mailto:owner-freebsd-***@freebsd.org] On Behalf Of Eric McCorkle
Sent: Friday, January 5, 2018 7:43 AM
To: Jules Gilbert <***@yahoo.com>; Ronald F. Guilmette <***@tristatelogic.com>; Freebsd Security <freebsd-***@freebsd.org>; Brett Glass <***@lariat.org>; Dag-Erling Smørgrav <***@des.no>; Poul-Henning Kamp <***@phk.freebsd.dk>; freebsd-***@freebsd.org; FreeBSD Hackers <freebsd-***@freebsd.org>; Shawn Webb <***@hardenedbsd.org>; Nathan Whitehorn <***@freebsd.org>
Subject: Re: Intel hardware bug
Attacks have already been demonstrated, pulling secrets out of kernel space with meltdown and http headers/passwords out of a browser with spectre. Javascript PoCs are already in existence, and we can expect them to find their way into adware-based malware within a week or two.

Also, I'd be willing to bet you a year's rent that certain three-letter organizations have known about and used this for some time.
Don't bet on it. There's reports of AMD vulnerabilities, also for ARM.
I doubt any major architecture is going to make it out unscathed. (But if one does, my money's on Power)

Alas, poor Sparc. I knew them, Horatio...

It looks like Red Hat is indeed reporting Power9 to be vulnerable:

https://access.redhat.com/security/vulnerabilities/speculativeexecution

Unfortunate. I hope they get fixed silicon out in time for the Talos II
workstation.

POWER has the same thing. It's actually stronger separation, since user
processes don't share addresses either -- all processes, including the
kernel, have windowed access to an 80-bit address space, so no process
can even describe an address in another process's address space. There
are ways, of course, in which IBM could have messed up the
implementation, so the fact that it *should* be secure does not mean it
*is*.

SPARC avoids the issue because almost all implementations are in-order.
-Nathan

Ah, sorry I'm wrong.  I apologize.  I won't intrude further.  I spoke up because selectively choosing to read sections of kernel memory is one thing, obtaining useful information from an arbitrary block of kernel memory you don't get to choose is quite another.
But their are several people here I respect very much and if they say I'm wrong about an area they focus on,... me bad.
The technique has already been proven by multiple independent parties to
work quite well, allowing an attacker to read kernel memory at speeds of
up to 500 kB/s.  But I guess you know better...

DES

​There's a lot of confusion in the media, press releases, and announcements
due to conflating Spectre and Meltdown.

Meltdown (aka CVE-2017-5754) is the issue that affects virtually all Intel
CPUs and specific ARM Cortex-A CPUs. This allows read-access to kernel
memory from unprivileged processes (ring 3 apps get read access to ring 0
memory).​ IBM POWER, Oracle Sparc, and AMD Zen are not affected by this
issue as they provide proper separation between kernel memory maps and
userland memory maps; or they aren't OoO architectures that use speculative
execution in this manner.

Spectre (aka CVE-2017-5715 and CVE-2017-5753) is the issue that affects all
CPUs (Intel, AMD, ARM, IBM, Oracle, etc) and allows userland processes to
read memory assigned to other userland processes (but does NOT give access
to kernel memory).

​IOW, POWER and Sparc are vulnerable to Spectre, but not vulnerable to
Meltdown.

Link?