Wednesday, May 23, 2018

Spectre - SPARC Solaris: The Safe Choice


Abstract:

As the industry continues to struggle with Meltdown, a second vulnerability family has appeared, referred to as Spectre. As of this article's publication there are 4 variants of Spectre, the latter two referred to as Spectre-NG. All SPARC systems are safe, provided the most recent systems are on the most current firmware and OS releases. As of this publishing, the latest application/OS and firmware patches fix the first two variants. The latter 2 do not affect SPARC at all, while the rest of the Intel and other CPU communities are struggling with their cloud and local server infrastructures.
 
[Spectre logo, courtesy solaris.wtf]

Spectre

Spectre comes in 4 variants as of the publishing of this article: the first 2, and the next 2 referred to as Spectre-NG.


Spectre v1

Upgrade Firefox to 57.0.4 or greater for protection (e.g. the version bundled in recent Solaris 11.3 updates).

Unpatched super-scalar CPUs (e.g. SPARC T4, T5, M6, M7, S7, M8, M10, M12) could possibly be exploited via CVE-2017-5753.

Spectre v2

A quick summary on Stack Exchange on how Spectre works:

"the attacker tricks the speculative execution into predictively executing instructions erroneously. In a nutshell, the predictor is coerced to predict a specific branch result (if -> true), which results in asking for an out-of-bounds memory access that the victim process would not normally have requested, resulting in incorrect speculative execution. Then, by the side channel, it retrieves the value of this memory. In this way, memory belonging to the victim process is leaked to the malicious process."

Unpatched super-scalar CPUs (e.g. SPARC T4, T5, M6, M7, S7, M8, M10, M12) may be exploited via CVE-2017-5715.

Spectre v3a

All 64 bit SPARC CPUs are immune to CVE-2018-3640.

Spectre v4

All 64 bit SPARC CPUs are immune to CVE-2018-3639.


[SPARC Logo, courtesy SPARC International]

SPARC

Modern 64 bit SPARC variants come in 2 classes: Scalar and Super-Scalar.

[Sun Microsystems Logo, courtesy Sun Microsystems]

Sun UltraSPARC

Older Sun UltraSPARC 64 bit servers do not have the CPU feature that could be exploited and are not vulnerable: they did not issue speculative instructions. Oracle purchased Sun, so Oracle's support channel can provide a definitive statement. Performance on these servers was driven mostly by SMP chassis, multi-core sockets, and large memory footprints.

[Oracle Logo, courtesy Oracle Corporation]

Oracle SPARC

Newer Oracle SPARC Solaris servers are possibly vulnerable if they run a modern CPU that issues speculative instructions (T4 or newer), while older 64 bit CPUs are not vulnerable. Solaris WTF has reported that "Spectre (CVE-2017-5753 and CVE-2017-5715)" has been fixed in firmware (T4: 8.9.10 or greater; T5, M5, M6: 9.6.22a or greater; M7, S7, M8: 9.8.5c or greater).

The short story: a firmware patch is required for T4 and newer CPUs, and the performance impact is very minor, according to the previous blog. Stock Firefox as shipped with Solaris 10 is vulnerable to Spectre v1; Solaris 11 fixed the Firefox vulnerability in early 2018, so users should migrate to Solaris 11.

[Fujitsu Logo, courtesy Fujitsu corporation]

Fujitsu SPARC

Sun and Oracle are not the only 2 vendors who have produced 64 bit SPARC platforms. Newer Fujitsu SPARC servers are also super-scalar and possibly vulnerable to Spectre v2 (CVE-2017-5753); they have been fixed in firmware (M10: XCP2351; M12: XCP3051).
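Turning the Oracle and Fujitsu firmware minimums above into an inventory check is straightforward. The following Python is an added example written for this page, not Oracle's, Fujitsu's or the blog author's code; it assumes an inventory of "hostname CPU-family firmware-version" lines (constructed here) and compares each system against the minimum releases the post lists.

```python
import re

# Minimum system firmware carrying the Spectre v1/v2 fixes (CVE-2017-5753 and
# CVE-2017-5715), keyed by CPU family, exactly as the post lists them.
MIN_FIRMWARE = {"T4": "8.9.10",
                "T5": "9.6.22a", "M5": "9.6.22a", "M6": "9.6.22a",
                "M7": "9.8.5c", "S7": "9.8.5c", "M8": "9.8.5c",
                "M10": "XCP2351", "M12": "XCP3051"}
# Pre-T4 families: per the post these do not issue speculative instructions.
PRE_SPECULATIVE = {"UltraSPARC", "T1", "T2", "T2+", "T3"}

def parse_version(ver):
    """'9.6.22a' -> ('sysfw', (9, 6, 22), 'a'); 'XCP2351' -> ('xcp', (2351,), '')."""
    m = re.fullmatch(r"(?i)xcp(\d+)", ver)             # Fujitsu XCP numbering
    if m:
        return ("xcp", (int(m.group(1)),), "")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", ver)  # Oracle sysfw, optional respin
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    return ("sysfw", tuple(int(p) for p in m.group(1).split(".")), m.group(2))

def firmware_status(family, version):
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown' for one system."""
    if family in PRE_SPECULATIVE:
        return "not-affected"
    minimum = MIN_FIRMWARE.get(family)
    if minimum is None:
        return "unknown"            # never assume an unlisted family is safe
    have, need = parse_version(version), parse_version(minimum)
    if have[0] != need[0]:
        raise ValueError(f"{family}: {version!r} is not a {need[0]} version string")
    # Tuple comparison: a respin suffix sorts after the bare number, so 9.6.22 < 9.6.22a.
    return "patched" if have[1:] >= need[1:] else "vulnerable"

def audit(inventory_text):
    """Map each 'host family firmware' line of an inventory to its status."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, family, version = line.split()
        results[host] = firmware_status(family, version)
    return results

# Constructed sample inventory: hostnames and the T2 firmware string are made up.
SAMPLE_INVENTORY = """
db01  T4   8.9.10
db02  T5   9.6.22
fj01  M10  XCP2350
fj02  M12  XCP3051
old01 T2   7.4.9
"""
```

Any host reported "unknown" needs a manual check with the vendor rather than being filed as safe.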

Conclusions:

If you are using an older Sun UltraSPARC server, you are OK. If you are running a newer Oracle SPARC server (T4 or newer), you should update Firefox on Solaris 10 or get on the latest Solaris 11 release to be protected from Spectre v1. For the same class of hardware, apply the firmware patches available today to protect against Spectre v2. SPARC is immune to Spectre v3a and v4. Contact Oracle Support for the first 2 variants (Doc ID 2349278.1) and the second 2 variants.

Friday, May 18, 2018

Meltdown - SPARC Solaris: The Only Safe Choice


Abstract:

As the rest of the industry has been struggling with security vulnerabilities, SPARC Solaris platforms have been relatively quiet. Meltdown, otherwise known as CVE-2017-5754, has taken the world by storm. Operating systems have long relied on Memory Management Units to isolate user application programs from the OS kernel. This has come to a screeching halt, leaving less secure systems in a world of hurt.

[Meltdown Logo, courtesy solaris.wtf]

Meltdown Vulnerability:

Some OSes keep kernel pages mapped into the same address-space context as user application pages. This is often done for speed (e.g. Linux) but places extra dependence on the MMU for isolation. Nearly all OSes ceded this security concern to the CPU vendor instead of applying the most secure practice in the OS architecture.

Meltdown:

As one vendor noted, SPARC Solaris is immune to Meltdown and is about the only platform in the data center not subject to this critical vulnerability. This was accomplished by OS designers placing kernel and user pages into different contexts, a design that added security at a performance cost that other OS designers in the industry were not willing to accept.

Conclusion:

Some Solaris systems from decades ago may be affected, but nothing modern. Secure by Design is a typical decision for Solaris architects, one that has served them well over the decades they have delivered a 64 bit OS to the user community while other OS vendors played "catch up" in performance, features or functionality.

Tuesday, May 8, 2018

The Future - SPARC M8+ & Solaris

[SPARC Logo, Courtesy SPARC International]


Abstract:

Solaris has been the heart of Sun Microsystems since 1982, with 32 bit SPARC RISC CPUs since 1987. Fujitsu joined the SPARC/Solaris community in 1992, with others to follow. In 1995, SPARC went 64 bit, and has been ever since. In 2009, Oracle Corporation purchased Sun and all of its SPARC and Solaris assets. Oracle and Fujitsu have been releasing processors and Solaris releases in rapid succession ever since.

[SPARC Roadmap, courtesy Fujitsu]

Fujitsu SPARC Roadmap

In 2017, Fujitsu released one of the fastest processors on the market, which happened to be a SPARC. Since then, they have been very clear about their roadmap for SPARC and Solaris, extending to a new SPARC release in 2020. Their roadmap has not changed in close to a year, so they appear to be on track.


[SPARC & Solaris Roadmap, courtesy Oracle]

Oracle SPARC Roadmap

Shortly after Fujitsu's SPARC release, Oracle also released its SPARC M8 processor, which once again became the fastest socket in the world. Also in September, Oracle released a roadmap with no future SPARC socket on it. This was remedied in spring 2018, when a snapshot of the official Oracle SPARC roadmap mirrored Fujitsu's.

M6, M7, M8, and M8+ all seem to be spaced about 2.5 years apart, indicating not much of a change in Oracle's silicon release schedule. Fujitsu and Oracle are now both using the same TSMC fab for their SPARC silicon, which hints at a degree of consolidation beyond their roadmaps.

Just as embedded 10 Gig Ethernet was consolidated onto the old T2+ socket, Network Management is wondering whether Oracle will finally release embedded InfiniBand on the M8+ sockets. Embedded InfiniBand was conspicuously missing from the "Sonoma" S7 release. (This would be a huge bonus to the Engineered Systems, adding a high degree of consolidation, increased reliability and increased performance - today.)

More interestingly, there is a new hardware category called "Next Generation Storage" linked with the M8+ servers. Oracle had never been a true hardware company before purchasing Sun; it mostly resold hardware from third-party vendors in its engineered systems, where Oracle felt it could add services value. Seeing SPARC in the roadmap for engineered systems is interesting, but will Solaris SPARC assume the role (with Solaris 11.4's new storage features) or Intel Linux (with the new block volumes in the Linux Storage Appliance)?


[Solaris Logo, Courtesy Sun Microsystems]

Oracle Solaris Roadmap

Oracle announced in early 2017 that SPARC and Solaris would move to an Agile Continuous Improvement cycle. Solaris 12 was erased from the roadmap, which was expected with Continuous Delivery, but it created an odd amount of uncertainty in the media. Human resources alignments occurred in 2 batches, creating a large amount of uncertainty, but a new M8 processor was released, along with assurances that Premier Support would continue to at least 2038!

In January 2018, Solaris 10 went onto Extended Support, meaning an uplift fee is required for patches, with 3 more years before patches cease. The final Premier Support patch set, 2018-01, was released. The push to Solaris 11 is on!

Solaris 11.3 continued to get monthly SRUs (e.g. Solaris 11.3 SRU 30, Solaris 11.3 SRU 31, etc.). The Open Beta of Solaris 11.4 was released, followed by a refresh, and finally an announcement that there will be a major point release of Solaris every summer moving forward. The latest Solaris 11.4 refresh is nearly all 64 bit with buffer overflow protections, which is quite an accomplishment! The roadmap shows the next release, Solaris Next, which will likely be Solaris 11.5.

Conclusions:

As the market uncertainty over SPARC and Solaris continues, new silicon and new operating system releases continue to occur. Long-term industry players continue to release hardware. Solaris continues its march forward with aggressive new features, even pushing all components of the operating system to 64 bit. The only promise still outstanding is rebootless patching, possibly with KSplice. Wim, where is Solaris KSplice? You're in charge now, right?