【HITCON FreeTalk 2018 -暢談 CPU 處理器的歷史包袱】 ➠ Talk: Spectre & Meltdown 漏洞的修補策略與 risk mitigation ➠ Speaker: gasgas ➠共筆：https://hackmd.io/IYTgRsAMaQTAtAZhAEwGbwCxlgdniAMaIaGECmAjISoWAKzCbBA=?view ➠ Video: https://www.facebook.com/HITCON/videos/1732117933486188/

1. HITCON Freetalk 20180119
Spectre & Meltdown 漏洞的
修補策略與 risk mitigation
gasgas

2. 您認為資訊安全是!!!?
資訊系統可以得到100%的安全防護

3. 其實 …. 資訊安全應該是
資訊安全是一種降低資安風險的程序

4. Risk = Vulnerability X Threat X Asset
資安風險

5. Spectre & Meltdown 漏洞因應流程
資產盤點 漏洞檢查 測試機測試
系統備份
DRP演練執行修補持續觀察

6. 檢查篇

7. 漏洞檢查: Unix 系統
• 網路上已有許多好心人士提供檢查程式

8. 漏洞檢查: Unix 系統 網址參考
• [1] https://github.com/speed47/spectre-meltdown-checker
• [2] https://capsule8.com/blog/detecting-meltdown-spectre-
detecting-cache-side-channels/
• [3] https://www.endgame.com/blog/technical-blog/detecting-
spectre-and-meltdown-using-hardware-performance-counters

9. 漏洞檢查： Windows 系統
• 微軟提供查驗是否有效保護的程式
• 2018.01.03的漏洞更新修補先做
• 下載SpeculationControl (powershell)

10. 漏洞檢查: Windows 系統 網址參考
• [1] https://support.microsoft.com/en-gb/help/4073119/protect-
against-speculative-execution-side-channel-vulnerabilities-in
• [2] : https://support.microsoft.com/en-us/help/4073757/protect-
your-windows-devices-against-spectre-meltdown

11. 漏洞檢查: browser

12. 漏洞檢查: browser 網址參考
• [1] http://xlab.tencent.com/special/spectre/spectre_check.html
• [2] Https://github.com/cgvwzq/spectre
• [3] http://xlab.tencent.com/special/spectre/js/check.js

13. 修補篇

14. CPU level 修補: 換掉CPU

15. CPU Level 修補: Firmware Update
• Intel’s microcode update
• AMD will make optional microcode updates

16. CPU Level修補 網址參考
• [1] https://downloadcenter.intel.com/download/27431/Linux-
Processor-Microcode-Data-File
• [2] https://www.amd.com/en/corporate/speculative-execution
• [3] https://www.theverge.com/2018/1/11/16880922/amd-spectre-
firmware-updates-ryzen-epyc
• [4]
https://software.intel.com/sites/default/files/managed/c5/63/33699
6-Speculative-Execution-Side-Channel-Mitigations.pdf

17. BIOS Level 修補
• 主要以notebook等機器為主
• 詳見各家官網

18. BIOS Level修補 網址參考
• Lenovo Desktop https://support.lenovo.com/tw/en/solutions/len-
18282#desktop
• Lenovo Thinkpad https://support.lenovo.com/tw/en/solutions/len-
18282#thinkpad
• Lenovo all products https://support.lenovo.com/tw/en/solutions/len-
18282
• Dell http://www.dell.com/support/article/tw/en/twdhs1/sln308587/
• CERT/CC https://www.kb.cert.org/vuls/id/584653

19. OS Level 修補
• Windows
• Linux
• MacOS
• others

20. Application Level 修補
• 程式重新編譯
• Google 的Retpoline 方式
• 有GCC版本跟LLVM版本
• Microsoft 的MSVC方式
• Visual Studio 2017 version 15.5, /Qspectre選項

21. Application Level修補 網址參考
• [1] https://support.google.com/faqs/answer/7625886
• [2] https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-
msvc/
• [3] LLVM https://reviews.llvm.org/D41723
• [4] GCC http://git.infradead.org/users/dwmw2/gcc-
retpoline.git/shortlog/refs/heads/gcc-7_2_0-retpoline-20171219

22. 最後 提醒大家一下

23. 所有的修補程式
一定要從官方網站下載

24. 喔…還有一張

25. 新的漏洞正在成形…….