[Plugin] Disable Security Mitigations



Disable Security Mitigations


 

Thanks to @cybrnook's research (https://forums.unraid.net/topic/80235-disabling-spectremeltdownzombieload-mitigations/), this plugin will disable the OS mitigations for Spectre, Meltdown, and Zombieload (MDS) to possibly give you better CPU performance. 

 

Note that these mitigations are valid security concerns, and depending upon your workload you may want them mitigated.  Myself, I'm not running a bank out of my house, and I don't think that the odds are too great that Plex would ever implement a Meltdown hack on my server to try and figure out my passwords (which don't exist anywhere on the server in the first place), so I'd just as soon have my CPU power back.  That, and Spectre et al. are all proof of concept hacks.

 

But disabling these mitigations is definitely one of the "Use at your own risk" type of things.  If your lawyer gets hauled before a FISA court, and can't tell you why, and you've wound up being transported off to another country where all sorts of things can be done to you simply because it's not on American soil all without due process, then don't blame me.

 

Find it in the Apps tab by searching for Disable Security Mitigations, and then go to the Settings Tab (User Preferences), Mitigation Settings  (6.7.0+ only)

 

Note that the plugin will only disable the mitigations for your default boot mode.  All other boot modes are left untouched (ie: Safe Mode will have all mitigations enabled).  Also, while the plugin isn't required per se to be installed once the mitigations are disabled, uninstalling the plugin will automatically re-enable all of the mitigations.

 

Edited by Squid
Link to comment
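To confirm what the running kernel actually reports after the plugin has been applied and the server rebooted (or when booted into Safe Mode, which the post says keeps all mitigations enabled), the following added example reads the standard Linux sysfs vulnerability files and the boot command line. It is not part of the original post or the plugin; the function names and the `VULN_DIR`/`CMDLINE` override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report the kernel's own view of CPU vulnerability mitigations.
# Usage on a live system: sh <this-script> live
# VULN_DIR and CMDLINE default to the standard Linux locations; both can be
# overridden so the functions can be run against constructed sample files.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CMDLINE="${CMDLINE:-/proc/cmdline}"

# Print "<name><TAB><state><TAB><raw text>" for each vulnerability file.
# state is one of: not-affected, mitigated, VULNERABLE, unknown
mitigation_report() {
    dir="${1:-$VULN_DIR}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(head -n 1 "$f")
        case "$raw" in
            "Not affected"*) state="not-affected" ;;
            "Mitigation"*)   state="mitigated" ;;
            "Vulnerable"*)   state="VULNERABLE" ;;
            *)               state="unknown" ;;
        esac
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$state" "$raw"
    done
}

# Count the entries the kernel reports as vulnerable.
vulnerable_count() {
    mitigation_report "$1" | awk -F '\t' '$2 == "VULNERABLE" { n++ } END { print n + 0 }'
}

# List boot parameters on the kernel command line that switch mitigations off.
# The patterns are upstream kernel parameters; which of them the plugin
# actually writes is not stated in the thread.
disabling_params() {
    file="${1:-$CMDLINE}"
    [ -r "$file" ] || return 0
    tr ' ' '\n' < "$file" | grep -E \
        '^(mitigations=off|nopti|pti=off|nospectre_v1|nospectre_v2|spectre_v2=off|mds=off|l1tf=off|nospec_store_bypass_disable)$' \
        || true
}

# Only touch the live system when asked to.
if [ "${1:-}" = "live" ]; then
    mitigation_report
    echo "vulnerable entries: $(vulnerable_count)"
    echo "disabling boot parameters: $(disabling_params | tr '\n' ' ')"
fi
```
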
5 hours ago, itimpi said:

Just for interest what was the rationale behind this plugin appearing under 'Tools' rather than under 'Settings' (which was where I initially looked as the most logical place to configure something).

My Settings Tab is getting too full ;)  IE: I don't know.  Just where I initially thought it would go.  Initially I was going to stick it next to Syslinux Configuration under Flash Settings, but since I can never easily remember where exactly syslinux settings is in the first place, I figured that was a pointless place to put it.

Link to comment
4 minutes ago, Squid said:

My Settings Tab is getting too full ;)  IE: I don't know.  Just where I initially thought it would go.  Initially I was going to stick it next to Syslinux Configuration under Flash Settings, but since I can never easily remember where exactly syslinux settings is in the first place, I figured that was a pointless place to put it.

I was thinking something like the User Preferences section of the Settings tab would be a good place.  It does not seem to have too many entries at the moment (at least on my system :) ).

Edited by itimpi
Link to comment
7 hours ago, CHBMB said:

I love this community, half of 'em are screaming like hellfire when a vulnerability goes longer than 30 seconds unpatched, the other half want to switch it off.

 

Me, I'm in the latter camp.

  

:D

 

Yeah, it's getting ridiculous now.

 

So for Spectre / Meltdown.  First you have to have the appropriate malware running locally on your server. (Which BTW, they have never found a single instance of).  Then, it has to perform its attack, which will absolutely let it gather whatever info happens to be in the CPU's cache at the time.  But, what exactly are the odds of the information that is actually of any value being in the cache at the exact same time as it runs?

 

Sure, it can request to look at all of the memory locations in your server, and then determine what all the contents are.  But, is it going to be able to actually discern what is a password or not?  What is simply code?  What is simply part of your movie file cached?  I mean, I don't know about you, but I tend to not have in ram the phrase: "blahblahblah is my password for RoyalBank, and my account number is 1234".

 

Sure, it's all possible that it will get a password (if you happen to have one stored on your server, and it is in RAM at the same time).  But what exactly are the odds?  My feeling is that I'd probably win the lottery two or three times before those attack vectors could discern and analyse anything meaningful from my system.  But, the story is different for something like a bank where personal info would constantly be in a cache.  Let them take the potentially 30% hit in CPU speed.  Myself, I'm going to keep on buying lottery tickets.  I'll bet you I come out ahead.

 

Edited by Squid
Link to comment

Cloud providers I think are the main issue.  If you're supplying VMs to customers, running on the same baremetal machine, then they absolutely do need to be segregated.  An Unraid server on your LAN, under your full control.  Not so much.

Link to comment
18 minutes ago, Squid said:

Yeah, it's getting ridiculous now.

 

So for Spectre / Meltdown.  First you have to have the appropriate malware running locally on your server. (Which BTW, they have never found a single instance of).  Then, it has to perform its attack, which will absolutely let it gather whatever info happens to be in the CPU's cache at the time.  But, what exactly are the odds of the information that is actually of any value being in the cache at the exact same time as it runs?

 

Sure, it can request to look at all of the memory locations in your server, and then determine what all the contents are.  But, is it going to be able to actually discern what is a password or not?  What is simply code?  What is simply part of your movie file cached?

 

Sure, it's all possible that it will get a password (if you happen to have one stored on your server, and it is in RAM at the same time).  But what exactly are the odds?  My feeling is that I'd probably win the lottery two or three times before those attack vectors could discern and analyse anything meaningful from my system.  But, the story is different for something like a bank where personal info would constantly be in a cache.  Let them take the potentially 30% hit in CPU speed.  Myself, I'm going to keep on buying lottery tickets.  I'll bet you I come out ahead.

 

Does this mean that if I install this plugin I’ll have a better chance of winning the lottery? 😏

Link to comment
I love this community, half of 'em are screaming like hellfire when a vulnerability goes longer than 30 seconds unpatched, the other half want to switch it off.  

Me, I'm in the latter camp.

 

 

 

 

I was chuckling about exactly this the other day!

 

But hey it’s a scary place out there...


Link to comment
12 hours ago, Squid said:

Thanks. So depending on the workload, it can be a small or a big difference, but it's always a positive difference nevertheless. Well, thanks for the plugin, I just enabled it, will reboot tomorrow. Don't need the security fixes at all personally, I don't have anything that important.

Link to comment
6 minutes ago, dnLL said:

Don't need the security fixes at all personally, I don't have anything that important.

This is not the reason you should be disabling them.  You have to assess whether you might be a target for what is turning out to be a very difficult to implement attack.  Plus, after it has been installed on your computer, the data recovered will have to be analyzed to find something of value from a massive amount of data. In fact, it may have to be uploaded to an outside recipient client to do this analysis.

 

Another thing you have to consider is how the software is going to be even installed on your server.  Many of us are running pure servers and access to the outside world is updating Unraid, its plugins and Docker apps.  The folks running VMs have a bit more exposure from two standpoints.  First, a VM may be exposed to a much broader range of Internet content and some of that content will have a higher risk factor for getting a potential malware 'dose'!   Second, the things being done on that VM may well have a higher financial worth than the mundane day-to-day data transfers of a server.  Plus, I suspect that the majority of these data transfers would not even be accessible via these attacks.

 

Plus, from what I have surmised, these attacks will most likely come from three-letter government agencies (both foreign and domestic) due to the cost of developing the software and analysing the recovered data.  You have to ask yourself, am I (or my company/organization) likely to be a target of such an agency?

Link to comment
27 minutes ago, Frank1940 said:

This is not the reason you should be disabling them.  You have to assess whether you might be a target for what is turning out to be a very difficult to implement attack. 

Honestly, it was kinda implicit by "I don't have anything important" that my data (which is basically just my Plex library) is definitely not a big target for this attack. Not to consider that I need to connect to my VPN to even reach my Plex. If the NSA or the equivalent in Canada (the CSIS, we like them with 4 letters in Canada) want to know which movies I'm watching, I couldn't care less (except for the part where my money is paying them to watch me but that's another debate).

Link to comment
5 hours ago, testdasi said:

I think the summary of this plugin is, unless you are a spy, use it. :D

 

(based on Unraid functionalities, I doubt there's any financial institution or cloud / VM provider using it)

Except if you are a company or any public body or a registered non profit or anyone with liability cover or any organization that has to comply with ISO accreditation or worldwide equivs or has independent audits or anyone covered by EU GDPR or or....

 

Context is important and whilst most people here are home users plenty of unRAID users are not :)

 

Nice addon. I really mean that. It absolutely has its place but the default advice should always be "be secure unless you really really understand the risks of not being".

Link to comment
9 hours ago, remati said:

I did a BIOS firmware update on my motherboard a few months ago that included "Updated Intel CPU microcode" in the changelog. I'm assuming it was for the spectre/meltdown vulnerabilities. Will this plugin override this from the BIOS level?

I'm also interested in this question since most motherboard manufacturers have provided updated versions of their BIOS following Spectre. If it's at the motherboard level then how can the OS interact with this? There is definitely a detail we're missing here.

Link to comment
