L4Re and Meltdown / Spectre attacks

Matthias Lange matthias.lange at kernkonzept.com
Mon Jan 8 11:03:03 CET 2018


after the dust around the Meltdown and Spectre attacks has settled a bit, you
may wonder how Fiasco.OC / L4Re fares with regard to these attacks.

Fiasco.OC / L4Re is vulnerable to Meltdown-like attacks because the kernel is
mapped into each task. However, the kernel does not map all physical memory but
only memory it requires for its own data structures + kernel-user memory
required for e.g. UTCBs and vCPU state save areas. Depending on the amount of
physical memory and the available page sizes, Fiasco.OC may map it little bit
more than that to save TLB entries. That means there can be a slight overlap of
user memory that is visible to the kernel. But it is not possible for a thread
to read _all_ memory.

Because we think that no thread should read information from other threads
(pagetables, capability arrays, UTCBs etc.), we plan to change Fiasco.OC to
execute in its own address space on Intel CPUs.

Against Spectre we do not plan to implement anything right now. We think the
attack surface of the kernel is very little (if any) and may be even further
reduced with Intel's microcode updates and future compiler/tool mitigations.
However, we will observe future discussions and developments and may reassess
this in the future.

Thank you and regards,

Kernkonzept GmbH.  Sitz: Dresden.  Amtsgericht Dresden, HRB 31129.
Geschäftsführer: Dr.-Ing. Michael Hohmuth

More information about the l4-hackers mailing list