Meltdown is almost trivial to take advantage of, as these things go, and it was discovered independently by more than one researcher. That makes it somewhat more likely to have been exploited by a government level attacker.
However, just being able to read all of kernelspace is more of a force-multiplier than being useful on its own. You still need to get your code executing in user-space to do anything, and its value even then is at least partly tied up in its ability to easily defeat KASLR.
Trivial, yet nobody has managed to produce a working exploit that doesn't require a running start. The PoC exploits wouldn't work in the wild. They are running with interference of a real system.
Also, Meltdown requires the data to be snooped to be in L1D cache. So the current demo exploit has to keep pushing the data into cache to be read.
Something simple like stealing a password from sudo should be trivial, right? I'm not convinced I need to worry.
And making non public facing machines pay the price of the mitigation seems like too much.
Absolutely. I will be really pissed off if I'm forced to run a -30% kernel performance on my dev laptop, or god knows how much of my 1/2 decade old T420's to fix a problem I don't have. Yes, I expect my cloud provider and bank to apply the patch; my ARM based router is fine.
- cookies (e.g., for online banking sessions)
- keys (e.g., for pushing to git repos)
- browser history
- identities (oh, did you post anonymously somewhere?)
- ...
PoC code that runs in-browser exists. It's only a matter of time before it's weaponized.