First off, yes, the correct answer is to patch your OS/system. That aside:

Do the memory-managed features of a language like C# prevent it from being used to exploit the Meltdown security bug?

What about if you use the unsafe keyword?

Bonus question: Could Meltdown/Spectre be exploited on the Midori operating system?

DeltaTango
  • No, managed runtimes (if implemented reasonably efficiently with a JIT) do not protect against all variants, because array bound checks in those languages might speculatively expose other data. The Spectre paper contains a sample JavaScript snippet and its V8-compiled code to discuss this. It is most likely that the CLR and JVM have the same property. – eckes Jan 09 '18 at 06:42

1 Answer

Could Meltdown be exploited from C#/.Net (or other managed languages)?

It can even be done from JavaScript.

Hector
  • It will only be a problem in JS for a few more weeks, but it could take years for "binary" apps to get fixed. – dandavis Jan 08 '18 at 09:04
  • @dandavis - C# binaries are still interpreted and require a run-time to be present. The run-time environment can be patched independently from the applications - as can the underlying OS. Microsoft can fix .NET via an automated update just as easily as Google can fix Chrome (although I imagine more Windows users have disabled automatic updates - and I'd also expect Microsoft to just fix the OS and leave .NET alone). Also, unlike with JS, it is rare to run entirely untrusted C# code on a machine outside of VM hosts. – Hector Jan 08 '18 at 09:07
  • Is that specifically Meltdown? People are conflating the two somewhat. I would have thought that you'd need some insight into kernel address layout and the ability to manage the cache. – David A Jan 08 '18 at 21:32
  • @DavidA - you're right in that my link is Spectre related - I'll try to update it in the morning when I have more than a mobile to hand. But both can be exploited easily via JS / most interpreted environments. – Hector Jan 08 '18 at 21:37
  • @dandavis All (mostly true). It is possible to use Ahead Of Time (AOT) compilation, i.e., JIT compilation (what I think you mean by interpreted) and a runtime is not needed. But if you are using that you really should sort out your deployment/update pipeline first. – DeltaTango Jan 08 '18 at 22:44
  • AOT actually makes it easier to exploit, as the form of the optimized code is known at the beginning and requires no warmup. – eckes Jan 09 '18 at 06:44