‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips related to virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause 5 to 30 per cent slow down of your computer on next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS, will also need to be updated.

This is bad news for Intel. Last year they had AMT vulnerability remote exploit and now this new blow in Intel security. I don’t think that computer buyers like that their computers become slower! 

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.

421 Comments

  1. Tomi Engdahl says:

    Data-spewing Spectre chip flaws can’t be killed by software alone, Google boffins conclude
    While browsers have got their act together, any other apps interpreting user-supplied code need to be aware of this
    https://www.theregister.co.uk/2019/02/18/spectre_cant_be_killed/

    Google security researchers have analyzed the impact of the data-leaking Spectre vulnerabilities afflicting today’s processor cores, and concluded software alone cannot prevent exploitation.

    The Chocolate Factory brainiacs – Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest – show that they can construct what’s dubbed a universal gadget to exploit the spectre gang of speculative-execution flaws present in various CPU families, allowing attacker-supplied code running in a thread to read all memory in the same address space.

    Threat or hype?

    Since there aren’t many other scenarios in which attacker-supplied code is interpreted in the same address space as other user-supplied code – web browsers spring to mind, chiefly – the Googlers’ research is largely academic, and not something to immediately panic over. However, if you’re developing software that interprets external code – such a cloud-based execution environment in which customers’ threads share the same process – this is something to be very much aware of.

    “We now believe that speculative vulnerabilities on today’s hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels,” the researchers say in a paper distributed through pre-print service ArXiv.

    Shortly after The Register first reported the Spectre and Meltdown bugs in January 2018, University of Michigan assistant professor of computer science Daniel Genkin, a co-author of the original Spectre research paper who was a postdoctoral student at the time, said as much: “We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign,” he told The Register last year.

    Spectre, as its name suggests, involves the exploitation of speculative execution, a feature of modern processors

    There are several Spectre variants but the basic problem is that chip designers traded security for speed. “Our models, our mental models, are wrong; we have been trading security for performance and complexity all along and didn’t know it,” the researchers observe.

    Variant 4, Speculative Aliasing Confusion, has no software solution that Google’s researchers could find. “Variant 4 defeats everything we could think of,” the researchers say.

    But that appears to be futile. “We argue that mitigating timing channels by manipulating timers is impossible, nonsensical, and in any case ultimately self-defeating,” the researchers say.

    Google’s boffins added defenses against Spectre into the V8 JavaScript virtual machine within the company’s Chrome browser and found the performance penalties frustrating because they slow things down without truly fixing the problem. “None of these mitigations provide comprehensive protection against Spectre, and so the mitigation space is a frustrating performance / protection trade-off,” they say.

    That’s why Google shifted its browser security focus to the aforementioned site isolation. But help has to come from hardware, too, in the form of better process isolation.

    Reply
  2. Tomi Engdahl says:

    I’ve always thought that AMD was the bigger bang for the buck. Intel looks faster but… Well… Now that we’ve got Meltdown and Specter slowing Intel machines down more than AMDs it looks like that point is kinda blown.

    Reply
  3. Tomi Engdahl says:

    Some AMD chips are better than some Intel chips, some intel chips are better than some AMD chips

    Reply
  4. Tomi Engdahl says:

    Chips may be inherently vulnerable to Spectre and Meltdown attacks
    https://www.technologyreview.com/s/612989/chips-may-be-inherently-vulnerable-to-spectre-and-meltdown-attacks/

    Most malware exploits coding errors and poor design. But Google security researchers say a fundamental flaw in the nature of computing could make some threats impossible to defeat.

    The Google team say the threat affects all chipmakers, including Intel, ARM, AMD, MIPS, IBM, and Oracle. “This class of flaws are deeper and more widely distributed than perhaps any security flaw in history, affecting billions of CPUs in production across all device classes,” say McIlroy and co.

    In the past, malware has tended to exploit poorly designed code and the errors it contains. These errors provide malicious actors with ways to disrupt calculations or access confidential information. So an important approach is to fix these errors with software patches before they can be exploited.

    But when the flaw is in the foundations of computer design, software patches offer meager protection. The challenge is that the very nature of computation allows information to leak via mechanisms called side channels.

    Computer scientists have always assumed that these commands can be separated in a way that guarantees confidentiality. The thinking is that some suitably advanced software ought to be able to marshal the commands in a way that keeps them separated.

    But the Google team’s key result is to show that this assumption is wrong. A processor cannot tell the difference between a good command and a malicious one—even in principle. So if a command tells it to send information to an area of the memory that can be easily accessed later, the machine obeys.

    It’s easy to imagine that this can be prevented with software that separates good commands from bad ones. But the Google team show that this just adds another layer of complexity to the challenge, along with a new set of potential side channels.

    To show the ubiquity of threat, the Google team constructed a “universal read gadget.” This is the ultimate eavesdropper—a routine that can read all addressable memory in a processor, unknown to the user.

    McIlroy and co created four variants of this gadget. “We developed proofs of concept in C++, JavaScript, and WebAssembly for all the reported vulnerabilities,” say the team. They found that these read gadgets leaked information at rates of up to 2.5 kilobytes per second.

    Variant 4 of the universal reading gadget is particularly worrying. McIlroy and co say they were unable to find an effective a way to combat it or reduce its threat. “We do not believe that variant 4 can be effectively mitigated in software,” they sa

    During the last year, Intel has redesigned its chips in attempt to mitigate the most serious threats from Spectre and Meltdown attacks. But this has reportedly come at the cost of a performance drop of up to 14%. And the modifications are unlikely to be fail-safe.

    One reason for Google’s concern is the threat to e-commerce. It’s not hard to imagine an attack that reveals the cryptographic keys used to secure transactions, thereby allowing large-scale theft.

    So the company has already shipped versions of Chrome with the first lines of defense. Releases 64 to 67 prevent attacks in the browser via JavaScript.

    But the threat goes much deeper.

    This complexity is itself part of the problem.

    There is a little good news, however. So far there are no known attacks that exploit Spectre or Meltdown. For the moment, the threat is confined to the labs of cybersecurity researchers

    But that provides little comfort to chip makers and security experts. It is not hard to imagine that malicious actors—including state-sponsored teams—might be developing ways to exploit this vulnerability. This is a problem, as McIlroy and co say, that “seems destined to haunt us for a long time.”

    Reply
  5. Tomi Engdahl says:

    Microsoft rolls out Google’s Retpoline Spectre mitigation to Windows 10 users
    https://www.zdnet.com/article/microsoft-rolls-out-googles-retpoline-spectre-mitigation-to-windows-10-users/

    KB4482887, released today, enables Google’s Retpoline mitigation in the Windows 10 kernel (only for v1809 users).

    Reply
  6. Tomi Engdahl says:

    Microsoft Rolls Out Spectre Variant 2 Mitigations for Windows 10
    https://www.securityweek.com/microsoft-rolls-out-spectre-variant-2-mitigations-windows-10

    Over the weekend, Microsoft started rolling out a new software update for Windows 10 devices to enable the Retpoline mitigations against Spectre attacks.

    Reply
  7. Tomi Engdahl says:

    ‘This collaboration is absolutely critical going forward’… One positive thing about Meltdown CPU hole? At least it put aside tech rivalries…
    Execs, experts hope this cooperation continues to hold for the next big bug
    https://www.theregister.co.uk/2019/02/15/vulnerability_experts_blab/

    A panel of eggheads from Intel, the US government, and academia held court this week to figure how they can keep the likes of El Reg from spoiling their next major bug reveal.

    The group met at the Churchill Club in San Francisco to reflect on 2018′s big security story – the Spectre-Meltdown CPU flaws – and ponder how it could be better handled going forward. Although chip designers were alerted to the vulnerabilities around June 2017, and operating system developers soon after, an action plan for disclosure was still being formulated the week before they hoped to public on Tuesday, January 9, 2018. The Reg blew the lid off it on January 2, after hearing no response from vendors, forcing timetables to be torn up.

    Reply
  8. Tomi Engdahl says:

    SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
    ‘Leakage … is visible in all Intel generations starting from first-gen Core CPUs
    https://www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/

    Reply
  9. Tomi Engdahl says:

    All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fix
    https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

    Researchers say Intel won’t be able to use a software mitigation to fully address the problem Spoiler exploits.

    Reply
  10. Tomi Engdahl says:

    SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
    ‘Leakage … is visible in all Intel generations starting from first-gen Core CPUs’
    https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

    SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
    https://arxiv.org/pdf/1903.00446.pdf

    Reply
  11. Tomi Engdahl says:

    All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fix
    https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

    Researchers say Intel won’t be able to use a software mitigation to fully address the problem Spoiler exploits

    Reply
  12. Tomi Engdahl says:

    All Intel chips open to new Spoiler non-Spectre attack: Don’t expect a quick fix
    https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/

    Researchers say Intel won’t be able to use a software mitigation to fully address the problem Spoiler exploits.

    Researchers have discovered a new flaw affecting all Intel chips due to the way they carry out speculative execution for CPU performance gains.

    Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets.

    However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache.

    https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

    Reply
  13. Tomi Engdahl says:

    Spectre, Meltdown and More: What You Need to Know About Hardware Vulnerabilities
    https://securityintelligence.com/spectre-meltdown-and-more-what-you-need-to-know-about-hardware-vulnerabilities/

    The “2019 IBM X-Force Threat Intelligence Index” highlighted a paradigm shift sparked by a new era of hardware security challenges. The exposure of critical hardware vulnerabilities that affected almost every endpoint built in the past 20 years forced enterprises and the security community to rethink the way they approach hardware security and its impact on the business.

    Since the release of the Spectre/Meltdown vulnerabilities in January 2018, researchers have been uncovering new potential impacts while threat actors search for ways to exploit these significant hardware vulnerabilities and launch attacks on affected systems. The benefits of determining valid attack vectors are significant, since many organizations have struggled to effectively address Spectre and Meltdown.

    The Paradigm Shift Catalyst: Spectre and Meltdown

    Spectre and Meltdown leverage “speculative execution” to gain access to sensitive data

    Reply
  14. Tomi Engdahl says:

    SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability
    ‘Leakage … is visible in all Intel generations starting from first-gen Core CPUs’
    https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/

    Reply
  15. Tomi Engdahl says:

    SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
    https://arxiv.org/pdf/1903.00446.pdf

    Reply
  16. Tomi Engdahl says:

    Ignore the noise about a scary hidden backdoor in Intel processors: It’s a fascinating debug port
    VISA: It’s everywhere (on the system bus) you want to be
    https://www.theregister.co.uk/2019/03/29/intel_visa_hack/

    Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel’s chip hardware.

    The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows folks to peek inside the hidden workings and mechanisms of their CPU chipsets – capturing the traffic of individual signals and snapshots of the chip’s internal architecture in real time – without any special equipment.

    To be clear, this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it

    Reply
  17. Tomi Engdahl says:

    Ignore the noise about a scary hidden backdoor in Intel processors: It’s a fascinating debug port
    VISA: It’s everywhere (on the system bus) you want to be
    https://www.theregister.co.uk/2019/03/29/intel_visa_hack/
    - this hidden debug access is not really a security vulnerability. To utilize the channel, you must exploit a 2017 elevation-of-privilege vulnerability, or one similar to it

    Reply
  18. Tomi Engdahl says:

    Intel and AMD may never make a CPU we can fully trust, but others might
    https://www.digitaltrends.com/computing/sidestepping-solution-spectre-and-meltdown/

    Computing
    Intel and AMD may never make a CPU we can fully trust, but others might
    By Jon Martindale — Posted on April 6, 2019 1:00AM PST
    Spectre Meltdown

    Remember the Spectre and Meltdown security exploits from last year? Intel and AMD really hopes you don’t. Despite what they want you to believe, these speculative execution exploits aren’t going away, at least not with the solutions proposed so far.

    Instead of trying to fix each variant that comes along, a permanent fix will require a fundamental change to how CPUs are designed. The proposition? A “secure core” that make ensure your data stays safe from attackers, no matter what bugs they might try to exploit.

    It might not be the route these large processor companies want to take, but it might be the only one that actually works.

    “It’s hard in security if you’re always being reactive, having to wait for security vulnerabilities and then fixing them”

    “We’ve defined something called a PSA (platform security architecture) root of trust with some essential security functions built in like cryptography, secure boot, secure storage; Every IOT device will need these,” Coobs explained to Digital Trends.

    Reply
  19. Tomi Engdahl says:

    Intel finally issues Spoiler attack alert: Now non-Spectre exploit gets CVE but no patch
    https://www.zdnet.com/article/intel-finally-issues-spoiler-attack-alert-now-non-spectre-exploit-gets-cve-but-no-patch/

    No patch for Spoiler attack affecting all Intel chips, but a security advisory gives it an official CVE identifier.

    Intel has finally posted an official security advisory in response to the recently revealed Spoiler attack, which uses a weakness in Intel CPUs to enhance already known attacks that leak secrets from memory.

    Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany in March drew attention to a weakness in Intel’s proprietary memory subsystem that affects Intel CPUs all the way back to its 1st generation Intel Core processors, regardless of the operating system.

    Intel has now assigned the vulnerability identifier CVE-2019-0162 to Spoiler and given it a CVSS severity score of 3.8 out of a possible 10. The ‘low’ severity rating is likely because an attacker would need to be authenticated and have local access to the hardware, while existing mitigations further reduce risks.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0162

    Reply
  20. Tomi Engdahl says:

    How Intel wants to backdoor every computer in the world | Intel Management Engine explained
    https://www.youtube.com/watch?v=Lr-9aCMUXzI

    Intel embeds Management Engine into all of its computers since 2008. Intel Management Engine has been criticized for its security risks and has been called a backdoor with rootkit possibilities by many security experts and researchers.

    This is Intel Management Engine. A subsystem microprocessor that’s operating inside every Intel CPU platform made from 2008 onward.
    Despite its name and some basic functions, we don’t know anything about what Intel Management really does.

    Intel Management Engine is a computer within a computer. It is running it’s own operating system, called Minix, and is installed by default on every modern computer with an Intel CPU. This probably makes Minix the most widely used operating system in the world.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*