Your Concerns: Meltdown and Spectre
KMC Commander has a variety of security features built in, including:
- Sandboxing of all applications, so each executes in its own region of memory and cannot cross memory boundaries
- Operating system kernel memory (the memory these vulnerabilities target) is not writable, and is also sandboxed as needed by each application
- Applications (i.e., snaps) have strict rules that enforce what other applications and OS functions they can use; the default rule is “no access,” and because of that, rogue applications cannot simply “just run” as they can on other operating systems
- Application rules are manually determined by KMC for our snap, and verified and approved by Canonical before the snap is accepted and ready for distribution
- The only snaps that run on KMC Commander are those approved and placed in our store. The operating system ensures that only these approved, digitally signed and verified snaps run on the gateway
- All messaging is initiated by the KMC Commander gateway, never from the outside
- White-listing of IP addresses and ports is used, so only outside traffic from certain approved services is allowed
Amazon announced on January 23, 2018 that they have completed updating their systems with OS patches. This includes the cloud services used by KMC Commander.
“Of course, the best defense is ‘defense in depth,’” said Bohlmann. “Our partners and their customer organizations should diligently continue using best practices in networking, firewalls and patch updates, among other security measures.”
Every operating system vendor now has patches available to mitigate these vulnerabilities, and distribution is being rolled out for the various editions. Without them, your servers, PCs and laptops remain very vulnerable. Bohlmann suggests you install the appropriate patch updates at your earliest convenience. However, be aware that some older versions do not yet have patches. Also, possible exploits for Spectre can be accomplished through web browsers; all web browsers now have patches available as well.
In addition, processor manufacturers have microcode fixes in place for Meltdown and for some, but not all, of Spectre’s vulnerabilities. Even so, the operating system and web browser patches that have come out provide a very good level of mitigation and protection.
These OS patches do cause systems to perform at a slower pace. Some earlier patches even caused reboots! Recent test results show slow-downs of 2-10 percent depending on the operating system and the version of the processor. We strongly recommend that your organization keep up-to-date with Meltdown and Spectre news.
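Before worrying about the performance cost of the patches, it helps to know whether a given Linux host has actually received them. The script below is an added example, not KMC code or part of KMC Commander; it reads the per-vulnerability status files that Linux kernels (4.15 and patched earlier releases) expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each line as mitigated, vulnerable or not affected. The sample directory it builds with make_sample_dir is constructed for illustration so the check runs on any machine.

```shell
#!/bin/sh
# Added example (not KMC's code): summarize the kernel's own report of
# Meltdown/Spectre mitigation status from sysfs. Each file under the
# vulnerabilities directory holds one line such as "Mitigation: PTI",
# "Vulnerable", "Vulnerable: <detail>" or "Not affected".

# classify_status STATUS_LINE -> prints mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_host [DIR] -> prints "<name> <class> <raw line>" for each status file.
# Returns 0 when nothing is reported vulnerable, 1 when something is,
# 2 when the sysfs directory is missing (kernel too old, or not Linux).
report_host() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "no vulnerability status directory at $dir"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        line=$(cat "$f")
        class=$(classify_status "$line")
        printf '%-24s %-13s %s\n' "$(basename "$f")" "$class" "$line"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# make_sample_dir -> creates a constructed sysfs look-alike and prints its path.
# One entry is left unmitigated so the "still vulnerable" branch is exercised.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Not affected\n' > "$d/l1tf"
    echo "$d"
}

# Stand-alone run: use the real sysfs directory when present, else the sample.
demo() {
    status=0
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        report_host || status=$?
    else
        d=$(make_sample_dir)
        report_host "$d" || status=$?
        rm -rf "$d"
    fi
    return $status
}

demo || echo "WARNING: at least one entry is still reported as Vulnerable (or status unavailable)"
```

Run it on each Linux host after patching; an exit status of 1 means the kernel itself still reports an unmitigated issue, which is a more reliable signal than the package manager saying an update was installed.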
We suggest these two websites for updated information:
KMC Controls keeps security as a high priority, and we will continue to monitor various government agencies and private entities for ongoing cybersecurity news, Spectre/Meltdown or otherwise.