Christmas gifts, part three: did we behave well

Part One: Meltdown
Part Two: Specter

One of the most interesting questions that arose in discussions about the Meltdown and Specter hardware vulnerabilities (see links above) was whether Santa Claus made this gift to us due to the fact that we behaved badly in 2017 - or vice versa , OK.

I will try to substantiate the thesis that we behaved well, otherwise Santa Claus would have given us this gift in three or four years.

So what do we have? Meltdown hardware vulnerability that allows any unprivileged process to read the kernel memory of the OS, as well as any processes running on this OS, including certificates, passwords, bitcoin wallets, and everything that comes to your mind to process on the computer.

Application of vulnerability leaves no trace, and the code implementing it is generally not detected by antivirus.

The only way to protect is an urgent revision of the OS kernel in order to separate the virtual address spaces of the process and the OS. In Linux, the corresponding patch is called KPTI, it leaves in the virtual address space of the process only a small piece of the kernel - springboard functions, which, when accessed, refer to the corresponding kernel functions that now live in a different address space. Because of this, the patch was also called Forcefully Unmap Complete Kernel With Interrupt Trampolines, or FUCKWIT.

Meltdown significantly affected:

Of particular interest in our relationship with Santa Claus is the last item - Cortex-A75.

Apart from the creativity of Apple, exclusively in Apple-controlled devices, other processors on ARM cores may be exposed to Specter’s hard-to-exploit vulnerability, in fact presenting a danger only for browsers running JS, or similar to Meltdown, but a very strongly limited vulnerability known from ARM documents called "Variant 3a" and not allowing reading the contents of RAM.

On the Cortex-A75, only two processors are currently represented, on which exactly zero devices are represented:

About the 845th manufacturer explicitly declares the use of the Cortex-A75, about the 9810 there is no reliable information, but this processor has a number of exclusive features for the A75, and will also be directly opposed to the Snapdragon 845 in the Galaxy S9.

Probably in the near future we can expect similar models of development by Mediatek and HiSilicon.

Devices on both processors will be shown at the end of February on the MWC-2018 and around it - this, of course, Galaxy S9, as well as the flagship models from other manufacturers.

What does this mean? A very simple thing: during 2018, tens of millions of Android smartphones and tablets exposed to the Meltdown attack will appear in the wild. During 2019, this number can easily exceed one hundred million.

Although the middle and lower segment devices will remain invulnerable - it is more profitable to assemble their processors from cheap Cortex-A5x cores without adding large and expensive Cortex-A7x to them - the market for expensive and vulnerable smartphones will be of great interest to hackers.

But it would seem that a simple update of the Linux kernel? ..

We, with our desktops and servers, are a bit spoiled by the ability to update the kernel. Even for the super-conservative CentOS, there are three already-made lines of cores - basic, longterm and mainline, to say nothing about desktop distributions. Wanted - rolled. First, a glass of brandy, then the core, well, or vice versa, this is someone who has so much courage.

And now let's look at the realities of the world of smartphones:
Galaxy S63.10.61
Galaxy S73.18.14
Galaxy S84.4.13
Galaxy Note 84.4.13
Galaxy A5 20173.18.14
Sony XZ Premium4.4.78
Xiaomi Mi A13.18.66
Xiaomi Mi 64.4.21
Xiaomi Mi 53.18.31
Redmi Note 4 (Snapdragon)3.18.31
Redmi Note 4 (MTK)3.18.22
Meizu MX63.18.22
HTC U11 +4.4.78
Huawei Honor 94.1.18
Huawei P104.1.18
Huawei Mate 10 Pro4.4.23
Nexus 6P3.10.73

Good zoo, right?

Each smartphone lives with the core, which was ready for it at the time of its release to the market. During the whole life of the smartphone, updates coming to it do not change the kernel version, although additional patches may be superimposed on the kernel itself - if you look at the software parameters, the kernel build date on your smartphone is likely to correspond to one of the latest updates.

The kernel version is due both to its support from the chipset manufacturer (note that Meizu has MTK Helio X20 and Xiaomi Redmi Note 4 on it has one core, while Redmi Note 4 on Snapdragon 625 has another) and the manufacturer’s own developments smartphone

This means that the presence of, for example, a KPTI patch in the 4.4.110 kernel does not mean that manufacturers can quickly release an Android update for their smartphones, which will bring to all their 4.4.110 users with KPTI enabled. No, they will need to be entertained by back-porting the corresponding patch to the core that is actually used in their models, with subsequent testing of efficiency and stability.

Smartphones in this are similar to server distributions of Linux like CentOS - only for them there is no third-party repository with kernel-lt and kernel-ml.

At the moment, however, we have only two Meltdown-prone ARM processors, not counting Apple’s products, which will be used in a limited number of smartphone models for the next six months, and the firmware of these smartphones will be based on one of the more recent 4.4 series cores, where the KPTI patch is at least theoretically.

Now imagine what would have happened if Meltdown had been discovered not now, but after two or three years. Hundreds of millions of devices (and no longer just smartphones and tablets) using dozens of kernel options from the 4.4 and 4.9 series, each with its own set of patches, the main development of Linux goes somewhere around the 4.20 kernels ...


Thank you, Grandfather Frost, for giving us Meltdown before they managed to infect the entire mobile industry.

We promise to behave well in 2018 too.

PS All this does not mean at all that smartphone manufacturers will indeed release the first models on the Cortex-A75 with KPTI turned on.


All Articles