Correct me if I'm wrong, but won't Meltdown/Spectre bug allow people to jailbreak pretty much any os/device that has CPU that "supports" these bugs? This could potentially open a lot of currently closed devices to people.
- Meltdown, on affected processors (...basically anything from Intel), gets you the ability to read anywhere in memory, whether you could legally map it or not (e.g. you can read from kernel, user, or w/e memory as an unprivileged user, albeit on the order of bytes per second)
- Spectre affects approximately anything with a cache and speculative execution, but only buys you reading anywhere that you could legally map, e.g. you can read anything the process you're in could legally read, but you can't, say, read kernel memory with it as an unprivileged user.
Either way, you don't get an arbitrary write, but you could maybe use it to make another exploit more reliable with the additional information you get (a big danger of the Spectre family is using it to help you read data outside your sandbox but still in your "process", e.g. stealing password auto-fill data from inside JavaScript, or using it to defeat ASLR on your sandbox, or ...).
Which is to say, the set of attacks allows Kernel memory to be read from userspace:
> If the kernel's BPF JIT is enabled (non-default configuration), it also works on the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be read at a rate of around 2000 bytes per second after around 4 seconds of startup time.
True, but sometimes just getting private key from the memory will be enough to gain access to the system as it could give researchers ability to build executable that will look like they came from the manufacturer/developer.
The problem with X360 is it can’t run arbitrary native code, it only can run code digitally signed by MS. The hypervisor refuses to run an unsigned code, and the key never leaves the CPU i.e. very hard to tamper with.
X360 can execute JavaScript in the web browser, and .NET in (now discontinued?) XNA. I’m not sure if it’s possible to exploit the bug if you can only run JavaScript or .NET, both are very high level and have strong security model on top of what’s in the hardware/OS/hypervisor.
You could have exploited this using XNA, potentially, yes. But I don't think the software for running your own builds on the hardware works anymore, so the threat has passed. These attacks certainly reduce the likelihood of a similar service appearing on current-gen consoles.
The paper for Spectre includes a Javascript proof of concept - https://spectreattack.com/spectre.pdf, though I don't know if the version of IE on the 360 supports web workers (though, unpatched, it's exceedingly like there's a way to exploit it from javascript that doesn't involve web workers).
