add Spectre variant 2 mitigations

Darren Tucker dtucker at dtucker.net
Tue Feb 6 20:22:53 AEDT 2018


On 6 February 2018 at 20:09, David Newall <openssh at davidnewall.com> wrote:
> Do we need to do anything?  It's not clear to me how SSH is vulnerable to
> Spectre -- that is, how SSH can be used to execute a Spectre attack?

I am more concerned with it being the target of a Spectre style
attack.  There's some long lived private data (host keys in the case
of sshd, session keys in the case of ssh and sshd and user keys in the
case of ssh-agent) and there's some scope to manipulate their
behaviour through external stimuli.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list