cloudcaptainsh / cloudcaptain

Issue Tracker for CloudCaptain

Meltdown exploit patches? #194

Closed karl-ravn closed 6 years ago

karl-ravn commented 6 years ago

Will Boxfuse images need patching against the Meltdown exploit? I know that Amazon is doing things on this, but they are also saying that users need to patch on the OS level as well.

karl-ravn commented 6 years ago

Reference: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

axelfontaine commented 6 years ago

Our current understanding is that Boxfuse instances should not require this as the software they contain can be considered trusted. There is almost never arbitrary code originating from third parties (as would be the case for desktop or mobile web browsers, or kernels needing to run containers from multiple tenants) being run dynamically in Boxfuse images.

We will however keep a close eye on the situation and we may integrate those patches in the future. However for now, we believe relying on single-purpose HVM VMs as Boxfuse has been designed for, represents the safest option around.

karl-ravn commented 6 years ago

Thanks for the prompt reply!

However - since this is a really serious issue, I need to take extra precaution and ask with more information.

The above answer looks like it is an answer for the Spectre exploit where apps can read internal memory within one OS. I can understand that we do not need to worry about this since there are a very limited number of apps that are being run.

However, the Meltdown exploit is about reading memory from another VM running on the same host. Are we (you) sure that this cannot happen? They are supposed to be shielded, but due to the exploit, one virtual instance can read the memory from a different virtual instance, regardless of, for instance, AWS account IDs. The only requirement is that they share physical hardware.

herder commented 6 years ago

Hi Karl :) 👋

Here is the AWS bulletin, in case you haven't seen it: https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/

Seems to me that they recommend updating the kernel too, even though the AWS environment is patched by now.

karl-ravn commented 6 years ago

👋 I put a reference to the same page above too ✌️

axelfontaine commented 6 years ago

You are correct in your understanding of the exploits. This does indeed mean that AWS needs to patch (if they haven't already done so) their Hypervisor installation on the host.

AWS recommends patching as they have to factor in all scenarios including for example hosts used for ECS or where customers may run their own multi-tenant environment like Heroku.

I stand by my earlier statement regarding the effect on Boxfuse images.

herder commented 6 years ago

> 👋 I put a reference to the same page above too ✌️

Haha! That's what I get for skimming texts :)

karl-ravn commented 6 years ago

Ok, AWS updated their info yesterday, and there it says that the guest OS should be patched to avoid the Spectre exploit. AWS themselves have patched the VM-to-VM Meltdown exploit. So yes, it sounds like Boxfuse images are safe.

axelfontaine commented 6 years ago

The latest client released today now builds images using the Linux 4.14.14 kernel. All PTI as well as other security features have been enabled. Our kernel config is now also open-source. You can check it out here: https://github.com/boxfuse/boxfuse-kernel

We decided to go this route to play it safe. Even though the overwhelming majority of Boxfuse users will never be affected by it, some do run headless Chrome to screenshot websites, so we decided it was better to be ultra-secure by default.

If you see negative performance effects from Page Table Isolation in your workloads you can disable it using the kernel argument nopti. See https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=nopti
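For anyone wanting to confirm on a running instance whether Page Table Isolation is actually active, and whether it was turned off with `nopti`, here is a small POSIX shell check. This is an added example, not code from the Boxfuse kernel repository or the CloudCaptain client; it assumes a Linux 4.14+ guest that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown`, and a kernel config at `/boot/config-$(uname -r)` or `/proc/config.gz`. The sample command line and config text at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Boxfuse/CloudCaptain code): report whether Kernel Page
# Table Isolation (PTI, the Linux mitigation for Meltdown) is active on a
# Linux guest and whether it was disabled via the "nopti" boot argument.

# Returns "disabled" if the kernel command line carries nopti (or pti=off),
# otherwise "enabled". Takes the command line as an argument so it can be
# run against a captured string as well as the live /proc/cmdline.
pti_from_cmdline() {
    for arg in $1; do
        case "$arg" in
            nopti|pti=off) echo "disabled"; return 0 ;;
        esac
    done
    echo "enabled"
}

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/meltdown.
# The kernel reports "Not affected", "Vulnerable" or "Mitigation: PTI".
meltdown_state() {
    case "$1" in
        "Mitigation: PTI"*) echo "mitigated" ;;
        "Not affected"*)    echo "not-affected" ;;
        "Vulnerable"*)      echo "vulnerable" ;;
        *)                  echo "unknown" ;;
    esac
}

# Reads a kernel config on stdin and says whether PTI was compiled in.
config_has_pti() {
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' ; then
        echo "yes"
    else
        echo "no"
    fi
}

# Run all three checks against the live system (every branch exits 0 so the
# script is safe under "set -e").
report_live() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$sysfs" ]; then
        echo "meltdown sysfs:              $(meltdown_state "$(cat "$sysfs")")"
    else
        echo "meltdown sysfs:              not available (kernel older than 4.14?)"
    fi
    if [ -r /proc/cmdline ]; then
        echo "boot cmdline PTI:            $(pti_from_cmdline "$(cat /proc/cmdline)")"
    fi
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        echo "CONFIG_PAGE_TABLE_ISOLATION: $(config_has_pti < "$cfg")"
    elif [ -r /proc/config.gz ]; then
        echo "CONFIG_PAGE_TABLE_ISOLATION: $(zcat /proc/config.gz | config_has_pti)"
    else
        echo "CONFIG_PAGE_TABLE_ISOLATION: config not readable"
    fi
}

# Constructed sample inputs, to show the classifiers without a live host.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz root=/dev/xvda1 ro nopti'
SAMPLE_CONFIG='# CONFIG_PAGE_TABLE_ISOLATION is not set'
echo "sample cmdline PTI: $(pti_from_cmdline "$SAMPLE_CMDLINE")"            # disabled
echo "sample config PTI:  $(printf '%s\n' "$SAMPLE_CONFIG" | config_has_pti)" # no

report_live
```

The sysfs file is the authoritative answer for the running kernel: `Mitigation: PTI` means isolation is on regardless of how the image was built, while a `Vulnerable` line together with `nopti` on the command line is what you would expect to see after applying the workaround mentioned above.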