• Welcome to Peterborough Linux User Group (Canada) Forum.
 

GRC releases INSPECTRE to check vulnerabilty status to Spectre and Meltdown

Started by dougal, January 28, 2018, 11:55:55 AM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

dougal

Steve Gibson has released a utility you can run to check if all the patches,bios updates, etc have actually protected your machine .

https://www.grc.com/inspectre.htm

i'm planning on doing a clean install and update on a windows machine to see what shows but wanted to offer this up now in case i don't get that done today

Jason

Thanks for sharing, Dougal! Since the app can only be downloaded for Windows, I've moved it to this forum. The Security forum is under the Linux & Android section so should be specific to security issues affecting those platform. Spectre and Meltdown are cross-platform but this utility isn't unless it runs on WINE?

As dougal noted below, it does run under WINE on Linux. I hadn't noticed that. So this was the right place to post it and you are vindicated, dougal! That's why I get for posting so early in the morning!
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

dougal

hey Jason..I can appreciate your choice and i haven't verified this but the following is on the site so i'm assuming it will work given the specifity of the statement.


logo
Easily examine and understand any Windows
system's hardware and software capability to
prevent Meltdown and Spectre attacks.
screenshot
(This 126k app is compatible with ALL versions of Windows and WINE.)



Jason

Quote from: dougal on January 29, 2018, 08:21:39 PM
(This 126k app is compatible with ALL versions of Windows and WINE.)

Oops. I didn't see this. You were correct in posting it where you did and I moved it back to the original location. Thanks for catching my mistake! Glad I'm surrounded by such sharp people.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

Jason

And for those that don't know, WINE is a separate compatibility layer that allows you to run Windows applications under Linux or MacOS without requiring a virtual machine (like Virtualbox) or an emulator with varying functionality depending on the application. WINE is actually a recursive acronym for 'WINE Is Not an Emulator'.

Look in your package manager for WINE or download it directly from the WINE website for various Linux distributions. This could take up to a 15 minutes on a really slow Internet connection (like 5 Mbps service). At the time of this writing, installing the Ubuntu packages for Linux Mint 18.3 requires 499 MB.

Once you've done that, then you will be able to download and run the InSpectre executable. Let us know if it works for you here or any other related comments.

Thanks, dougal!
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

Jason

And here are my results running it in using WINE in Linux Mint 18.3 Cinnamon:

Quote
Spectre & Meltdown Vulnerability and Performance Status

System is Meltdown protected: NO!
System is Spectre protected: NO!
Performance: GOOD
(full details below)

In early 2018 the PC industry was rocked by the revelation that common processor design features, widely used to increase the performance of modern PCs, could be abused to create critical security vulnerabilities. The industry quickly responded, and is responding, to these Meltdown and Spectre threats by updating operating systems, motherboard BIOSes and CPU firmware.

Protection from these two significant vulnerabilities requires updates to every system's hardwareâ€"its BIOS which reloads updated processor firmwareâ€"and its operating systemâ€"to use the new processor features. To further complicate matters, newer processors contain features to minimize the performance impact of these important security improvements. But older processors, lacking these newer features, will be significantly burdened and system performance will suffer under some workloads.

This InSpectre utility was designed to clarify every system's current situation so that appropriate measures can be taken to update the system's hardware and software for maximum security and performance.

This system's present situation:

This 64-bit version of Windows is not aware of either the Spectre or Meltdown problems. Since Intel processors are vulnerable to both of these attacks, this system will be vulnerable to these attacks until its operating system has been updated to handle and prevent these attacks.

This system's hardware has not been updated with new features required to allow its operating system to protect against the Spectre vulnerabilities and/or to minimize their impact upon the system's performance. (Protection from the Meltdown vulnerability does not require BIOS or processor updates.)

This system's Intel processor does not provide high-performance protection from the Meltdown vulnerability. The use of Meltdown protection on this system will incur some corresponding performance penalty.

This system is not currently providing any protection against the Meltdown vulnerability. Either the operating system is unaware of this problem (which can be resolved by any operating system) or the operating system's protection has been deliberately disabled.

Due to the potential performance impact of these vulnerability protections, which may be particularly burdensome on older hardware and operating systems that cannot be updated, either one or both of these protections may be disabled with Windows registry settings. This system's "protection disable" is currently set as follows:

The system's registry is configured to enable both of the Spectre and Meltdown protections. Within the bounds of any limitations described above, Windows will work with the system's processor to prevent the exploitation of these vulnerabilities.

Guidance & Observations

Since this version of Windows is not fully aware of both of these security threats, if possible you should consider updating to a newer version which is fully aware. There are versions of Windows 7, 8.1 and 10 which are fully aware... even at a possible cost in system performance.

When enabled and active, both of these vulnerability protections come at some cost in system performance, and Meltdown attack protection may be quite expensive on older systems or under versions of Windows where Microsoft has not bothered to implement high-speed solutions. If this system's performance is more important than security, either or both of the vulnerability protections can be disabled to obtain greater performance.

When InSpectre is run with elevated administrative privilege, each button below toggles its respective protection on or off. Any changes will take effect after the system is restarted. Each button will be disabled if its protection is not available to be changed.

For more information see GRC's InSpectre web page
Copyright © 2018 by Gibson Research Corporation

Even though they say it can run in WINE (and does) all the references to Windows are very confusing. Not sure what this means. I think that it's saying the processor has the vulnerabilities (not surprised there as many do). But it seems to be suggesting that you have to have a BIOS update to fix this completely although the OS can mitigate with various patches. Although that's somewhat true - a BIOS update can help, my understanding is that even that only mitigates the issue the same as OS patches will. Only a replacement of the processor will remove the vulnerabilities entirely and that's just not realistic nor do I think it is necessary. Also, the options to fix this are greyed out in WINE. Even if they weren't, I'd be afraid to try them since the OS it thinks I'm using isn't the actual OS I am using (see image below). Therefore, I think this tool is of limited value on Linux since it can't possibly analyze whether the OS has been sufficiently patched by running inside WINE. As far as I know, it can't see the Linux OS but I may be wrong.

What do you guys think? Or have you found any other tools for analyzing whether your system is as protected as it can be against Spectre and Meltdown?
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13