‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips, related to the virtual memory system (Intel x86-64 hardware), allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood that the bug is present in modern Intel processors produced in the past decade. It appears that a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause a 5 to 30 per cent slowdown of your computer after the next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.

This is bad news for Intel. Last year they had the AMT remote exploit vulnerability, and now this new blow to Intel security. I don’t think computer buyers will like their computers becoming slower!

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.

565 Comments

  1. Tomi Engdahl says:

    Apple says Meltdown and Spectre flaws affect ‘all Mac systems and iOS devices,’ but not for long
    https://techcrunch.com/2018/01/04/apple-says-meltdown-and-spectre-flaws-affect-all-mac-systems-and-ios-devices-but-not-for-long/

    Apple isn’t immune to Meltdown and Spectre, the major bugs in basic computing architecture that were announced yesterday to widespread amazement and horror. In an announcement, the company said that “all Mac systems and iOS devices are affected,” which sounds right, but that mitigations are either already in place or on the way.

    About speculative execution vulnerabilities in ARM-based and Intel CPUs
    https://support.apple.com/en-us/HT208394

    Security researchers have recently uncovered security issues known by two names, Meltdown and Spectre. These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.

    Reply
  2. Tomi Engdahl says:

    Processor Speculative Execution Research Disclosure
    Concerning: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
    Update As Of: 2018/01/04 15:30 PST
    https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

    All instances across the Amazon EC2 fleet are protected from all known threat vectors from the CVEs previously listed. Customers’ instances are protected against these threats from other instances. We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.

    Recommended Customer Actions for AWS Batch, Amazon EC2, Amazon Elastic Beanstalk, Amazon Elastic Container Service, Amazon Elastic MapReduce, and Amazon Lightsail

    While all customer instances are protected, we recommend that customers patch their instance operating systems. This will strengthen the protections that these operating systems provide to isolate software running within the same instance. For more details, refer to specific vendor guidance on patch availability and deployment.

    Reply
  3. Tomi Engdahl says:

    Mozilla Security Blog
    Mitigations landing for new class of timing attack
    https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

    Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation.

    Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

    Specifically, in all release channels, starting with 57:

    The resolution of performance.now() will be reduced to 20µs.
    The SharedArrayBuffer feature is being disabled by default.
    Furthermore, other timing sources and time-fuzzing techniques are being worked on.

    Reply
  4. Tomi Engdahl says:

    Actions Required to Mitigate Speculative Side-Channel Attack Techniques
    https://www.chromium.org/Home/chromium-security/ssca

    Researchers from Google’s Project Zero recently disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. This research has implications for products and services that execute externally supplied code, including Chrome and other browsers with support for JavaScript and WebAssembly.

    Chrome allows users to enable an optional feature called Site Isolation which mitigates exploitation of these vulnerabilities. With Site Isolation enabled, the data exposed to speculative side-channel attacks are reduced as Chrome renders content for each open website in a separate process.

    Reply
  5. Tomi Engdahl says:

    Google Says Almost All CPUs Since 1995 Vulnerable To ‘Meltdown’ And ‘Spectre’ Flaws
    https://tech.slashdot.org/story/18/01/04/0524234/google-says-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws

    Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company’s assessment affect “every processor [released] since 1995.” Google says the two bugs can be exploited to “to steal data which is currently processed on the computer,” which includes “your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

    Google: Almost All CPUs Since 1995 Vulnerable To “Meltdown” And “Spectre” Flaws
    https://www.bleepingcomputer.com/news/security/google-almost-all-cpus-since-1995-vulnerable-to-meltdown-and-spectre-flaws/

    Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server.

    The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google’s elite security team, and were based on previous academic research published by researchers from the Graz University of Technology, Cyberus Technology, and others. These are the same bugs that have been reported today as affecting Intel CPUs.

    Reply
  6. Tomi Engdahl says:

    Security flaws put virtually all phones, computers at risk
    https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO

    Security researchers on Wednesday disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel Corp, Advanced Micro Devices Inc and ARM Holdings.

    One of the bugs is specific to Intel but another affects laptops, desktop computers, smartphones, tablets and internet servers alike.

    Reply
  7. Tomi Engdahl says:

    Intel, AMD Chip Vulnerabilities Put Billions of Devices at Risk
    http://www.securityweek.com/intel-amd-chip-vulnerabilities-put-billions-devices-risk

    Details of “Meltdown” and “Spectre” Attacks Against Intel and AMD Chips Disclosed

    Researchers have disclosed technical details of two new attack methods that exploit critical flaws in CPUs from Intel, AMD and other vendors. They claim billions of devices are vulnerable, allowing malicious actors to gain access to passwords and other sensitive data without leaving a trace.

    Reply
  8. Tomi Engdahl says:

    Hackers Expected to Remotely Exploit CPU Vulnerabilities
    http://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities

    Security experts believe hackers will soon start to remotely exploit the recently disclosed vulnerabilities affecting Intel, AMD and ARM processors, if they haven’t done so already.

    Researchers disclosed on Wednesday the details of Spectre and Meltdown, two new attack methods targeting CPUs. The attacks leverage three different flaws and they can be used to bypass memory isolation mechanisms and gain access to sensitive data, including passwords, photos, documents, and emails.

    The affected CPUs are present in billions of products, including PCs and smartphones, and attacks can also be launched against cloud environments.

    Researchers have developed a proof-of-concept (PoC) for Google Chrome that uses JavaScript to exploit Spectre and read private memory from the process in which it runs.

    Mozilla has conducted internal experiments and determined that these techniques can be used “from Web content to read private information between different origins.” While the issue is still under investigation, the organization has decided to implement some partial protections in Firefox 57.

    Google pointed out that attacks are possible via both JavaScript and WebAssembly.

    Microsoft has also confirmed that attacks can be launched via JavaScript code running in the browser. The company has released updates for its Edge and Internet Explorer web browsers to mitigate the vulnerabilities.

    Since a JavaScript PoC is available, experts believe it’s only a matter of time until malicious actors start exploiting the flaws remotely. While some say state-sponsored actors are most likely to leverage these attacks, others point out that mass exploitation is also possible, particularly via the ads served by websites.

    Reply
  9. Tomi Engdahl says:

    Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock
    http://nordic.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?r=US&IR=T

    A major stock sale by Intel CEO Brian Krzanich in November has raised eyebrows.

    Intel CEO Brian Krzanich sold off $24 million worth of stock and options in the company in late November.
    The stock sale came after Intel was informed by Google of a significant vulnerability in its chips – a flaw that only became public this week.
    Intel says the stock sale was unrelated to the vulnerability, but came as part of a planned divestiture program. But Krzanich put that stock sale plan in place in October – several months after Intel was informed of the vulnerability.

    Reply
  10. Tomi Engdahl says:

    “We’re in the soup” – this is what the problem slowing down almost all computers is about
    https://www.is.fi/digitoday/tietoturva/art-2000005512387.html?ref=rss

    Reply
  11. Tomi Engdahl says:

    A Critical Intel Flaw Breaks Basic Security for Most Computers
    https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

    One of the most basic premises of computer security is isolation: If you run somebody else’s sketchy code as an untrusted process on your machine, you should restrict it to its own tightly sealed playpen. Otherwise, it might peer into other processes, or snoop around the computer as a whole. So when a security flaw in computers’ most deep-seated hardware puts a crack in those walls, as one newly discovered vulnerability in millions of processors has done, it breaks some of the most fundamental protections computers promise—and sends practically the entire industry scrambling.

    On Wednesday evening, a large team of researchers at Google’s Project Zero, universities including the Graz University of Technology, the University of Pennsylvania, the University of Adelaide in Australia, and security companies including Cyberus and Rambus together released the full details of two attacks based on that flaw, which they call Meltdown and Spectre.

    “These hardware bugs allow programs to steal data which [is] currently processed on the computer,” reads a description of the attacks on a website the researchers created. “While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.”

    Reply
  12. Tomi Engdahl says:

    Major Linux redesign in the works to deal with Intel security flaw
    http://www.zdnet.com/article/major-linux-redesign-in-the-works-to-deal-with-intel-chip-security-problem/

    A serious security memory problem in all Intel chips has led to Linux’s developers resetting how to deal with memory. The result will be a more secure, but — as Linux creator Linus Torvalds says — slower operating system.
    By Steven J. Vaughan-Nichols for Linux and Open Source | January 3, 2018, 21:48 GMT | Topic: Security

    Reply
  13. Tomi Engdahl says:

    Why Intel x86 must die: Our cloud-centric future depends on open source chips
    http://www.zdnet.com/article/why-intel-x86-must-die-our-cloud-centric-future-depends-on-open-source-chips-meltdown/

    Perhaps the Meltdown and Spectre bugs are the impetus for making long-overdue changes to the core DNA of the semiconductor industry and how chip architectures are designed.

    The new year has indeed started out with a bang for the computer industry.

    Two highly publicized security flaws in the Intel x86 chip architecture have now emerged. They appear to affect other microprocessors made by AMD and designs licensed by ARM.

    And they may be some of the worst computer bugs in history — if not the worst — because they exist in hardware, not software, and in systems that number in the billions.

    These flaws, known as Meltdown and Spectre, are real doozies. They are so serious and far-reaching that the only potential fix in the immediate future is a software workaround that, when implemented, may slow down certain types of workloads as much as 30 percent.

    In fact, the potential compromise to the affected systems is so widespread that the flaws are exhibited in the fundamental systems architecture of the chips themselves, and they may have been around in some form since 1995.

    Ten years ago, I proposed that we wipe the slate clean with the Intel x86 architecture. My reasoning had much to do with the notion that, at the time, Linux was gaining in popularity and the need for continuing compatibility with Windows-based workloads in the datacenter and on the desktop (ha!) was becoming less and less of a hard requirement.

    What has transpired in 10 years? Linux (and other related FOSS tech that forms the overall stack) is now a mainstream operating system that forms the basis of public cloud infrastructure and the foundational software technology in mobile and Internet of Things (IoT).

    Virtualization is now widespread and has become standard business practice for large-scale enterprise systems’ design and scalability.

    Containerization is now looking to augment and eventually replace virtualization for further growth and improved security in a multi-tenant, highly micro-segmented network future driven by DevOps and large-scale systems’ automation.

    All these advances are not necessarily tied to compatibility with x86. If anything, they potentially free us from writing this type of dependent code because of the levels of abstraction and portability that we now have at our disposal.

    Reply
  14. Tomi Engdahl says:

    Major Linux redesign in the works to deal with Intel security flaw
    http://www.zdnet.com/article/major-linux-redesign-in-the-works-to-deal-with-intel-chip-security-problem/

    A serious security memory problem in all Intel chips has led to Linux’s developers resetting how to deal with memory. The result will be a more secure, but — as Linux creator Linus Torvalds says — slower operating system.

    Linux’s developers saw this coming early on and patched Linux to deal with it. That’s the good news. The bad news is it will cause at least a 5-percent performance drop. Applications may see far more serious performance hits. The popular PostgreSQL database is estimated to see at least a 17-percent slowdown.

    Reply
  16. Tomi Engdahl says:

    Spectre and Meltdown Attacks Against Microprocessors
    https://www.schneier.com/blog/archives/2018/01/spectre_and_mel_1.html

    The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which of course is not a solution — is to throw them all away and buy new ones.

    On Wednesday, researchers just announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15-20 years. They’ve been named Spectre and Meltdown.

    This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable.

    Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling. By now all the major cloud vendors have patched their systems against the vulnerabilities that can be patched against.

    “Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable.

    This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

    The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computer and phones, these systems are designed and produced at a lower profit margin with less engineering expertise.

    These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

    It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it.

    Reply
  17. Tomi Engdahl says:

    WHY RASPBERRY PI ISN’T VULNERABLE TO SPECTRE OR MELTDOWN
    https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

    Over the last couple of days, there has been a lot of discussion about a pair of security vulnerabilities nicknamed Spectre and Meltdown. These affect all modern Intel processors, and (in the case of Spectre) many AMD processors and ARM cores. Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel’s address space.

    Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.

    Conclusion
    Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.

    The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi renders us immune to attacks of the sort.

    Reply
  18. Tomi Engdahl says:

    How Linux is dealing with Meltdown and Spectre
    http://www.zdnet.com/article/how-linux-is-dealing-with-meltdown-and-spectre/

    Torvalds and company are not happy with Intel as they continue to move forward with delivering Linux security patches.

    He’s not the only one unhappy with Intel. A Linux security expert is irked at both Google and Intel. He told me that Google Project Zero informed Intel about the security problems in April. But neither Google nor Intel bothered to tell the operating system vendors until months later. In addition, word began to leak out about the patches for these problems. This forced Apple, the Linux developers, and Microsoft to scramble to deliver patches to fundamental CPU security problems.

    The result has been fixes that degrade system performance in many instances. While we don’t know yet how badly macOS and Windows will be affected,

    Larbel found serious slowdowns in the Compile Bench and FS-Mark 3.3, synthetic I/O benchmarks; significant performance hits with the PostgreSQL database management system; and the Redis in-memory data structure store was also slower. Other processes, such as H.264 video encoding, timed Linux kernel compilation, and FFmpeg video conversion tasks, ran as fast as ever. As Torvalds told me, “There’s no one number. It will depend on your hardware and on your load.”

    In an email, Red Hat security wrote that the vulnerability affects x86 (Intel and AMD chipsets), POWER 8, POWER 9, System z, and ARM processors. AMD claimed its chips aren’t vulnerable.

    Be that as it may, all three attacks have the potential to allow unauthorized read access to memory. There are three unique attack paths that could allow an attacker to execute a side-channel attack to bypass protections to read memory.

    Reply
  19. Tomi Engdahl says:

    Lowering JavaScript Timer Resolution Thwarts Meltdown and Spectre
    https://hackaday.com/2018/01/06/lowering-javascript-timer-resolution-thwarts-meltdown-and-spectre/

    The computer security vulnerabilities Meltdown and Spectre can infer protected information based on subtle differences in hardware behavior. It takes less time to access data that has been cached versus data that needs to be retrieved from memory, and precisely measuring time difference is a critical part of these attacks.

    Our web browsers present a huge potential surface for attack as JavaScript is ubiquitous on the modern web. Executing JavaScript code will definitely involve the processor cache, and a high-resolution timer is accessible via the browser performance API.

    Web browsers can’t change processor cache behavior, but they could take away malicious code’s ability to exploit them. Browser makers are intentionally degrading time measurement capability in the API to make attacks more difficult. These changes are being rolled out for Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. Apple has announced Safari updates in the near future that are likely to follow suit.

    After these changes, the time stamp returned by performance.now will be less precise due to lower resolution. Some browsers are going a step further and degrade the accuracy by adding a random jitter. There will also be degradation or outright disabling of other features that can be used to infer data, such as SharedArrayBuffer.

    These changes will have no impact for the vast majority of users. The performance API is used by developers to debug sluggish code; the actual run speed is unaffected. Other features like SharedArrayBuffer are relatively new and their absence would go largely unnoticed.

    Browser makers are calling this a temporary measure for now, but we won’t be surprised if they become permanent. It is a relatively simple change that blunts the immediate impact of Meltdown/Spectre and it would also mitigate yet-to-be-discovered timing attacks of the future. If browser makers offer a “debug mode” to restore high precision timers, developers could activate it just for their performance tuning work and everyone should be happy.

    Let’s Talk Intel, Meltdown, and Spectre
    https://hackaday.com/2018/01/05/lets-talk-intel-meltdown-and-spectre/

    This week we’ve seen a tsunami of news stories about a vulnerability in Intel processors. We’re certain that by now you’ve heard of (and are maybe tired of hearing about) Meltdown and Spectre. However, as a Hackaday reader, you are likely the person who others turn to when they need to get the gist of news like this. Since this has bubbled up in watered-down versions to the highest levels of mass media, let’s take a look at what Meltdown and Spectre are, and also see what’s happening in the other two rings of this three-ring circus.
    Meltdown and Spectre in a Nutshell

    These two attacks are similar. Meltdown is specific to Intel processors and kernel fixes (basically workarounds implemented by operating systems) will result in a 5%-30% speed penalty depending on how the CPU is being used. Spectre is not limited to Intel, but also affects AMD and ARM processors and kernel fixes are not expected to come with a speed penalty.

    The attack exploits something called branch prediction.

    These vulnerabilities are in silicon — they can’t be easily fixed with a microcode update which is how CPU manufacturers usually workaround silicon errata (although this appears to be an architectural flaw and not errata per se). An Intel “fix” would amount to a product recall. They’ve already said they won’t be doing a recall, but how would that work anyway? What’s the lead time on spinning up the fabs to replace all the Intel chips in use — yikes!

    So the fixes fall on the operating systems at the kernel level. Intel should be (and probably is behind the scenes) bowing down to the kernel developers who are saving their bacon. It is understandably frustrating to have to spend time and resources patching these vulnerabilities, which displaces planned feature updates and improvements. Linus Torvalds has been throwing shade at Intel — anecdotal evidence of this frustration:

    “I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”

    Stock Sales Kerfuffle is Just a Distraction

    The first thing I did on hearing about these vulnerabilities on Tuesday was to check Intel’s stock price and I was surprised it hadn’t fallen much. In fact, peak to peak it’s only seen about an 8% drop this week and has recovered some from that low.

    Of course, it came out that back in November Intel’s CEO Brian Krzanich sold off his Intel stock to the tune of $24 Million, bringing him down to his contractual minimum of shares. He likely knew about Meltdown when arranging that sale. Resist the urge to flame on this decision. Whether it’s legal or not, hating on this guy is just a distraction.

    What’s more interesting to me is this: Intel is too big to fail. What are we all going to do, stop using Intel and start using something else? You can’t just pull the chip and put a new one in,

    Branch prediction has been commonplace in consumer CPUs going back to 1995 when the Pentium Pro brought it to the x86 architecture. This is a piece of the foundation that will be yanked out and replaced with new designs that provide the same speed benefits without the same risks — but that will take time to make it into the real world.

    CPUs are infrastructure and this is the loudest bell to date tolling to signal how important their design is to society. It’s time to take a hard look at what open silicon design would bring to the table. You can’t say this would have been prevented with Open design. You can say that the path to new processors without these issues would be a shorter one if there were more than two companies producing all of the world’s processors — both of which have been affected by these vulnerabilities.

    Reply
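The timer degradation described in the Mozilla post (comment 3) and in the Hackaday post above, modelled as an added example: this is illustrative code written for this page, not Mozilla’s or Hackaday’s, and the 20 µs quantum is the Firefox 57 figure quoted above. The real clock and the random source are injected so the behaviour can be checked deterministically.

```javascript
// Constructed model of the browser mitigation described above: a performance.now()
// style clock whose resolution is cut to a fixed quantum and optionally fuzzed with
// random jitter, while staying monotonic. All times are in microseconds.

const QUANTUM_US = 20; // Firefox 57 reduced performance.now() to 20 µs resolution

// Round a timestamp down to the nearest multiple of the quantum.
function clampToQuantum(tUs, quantumUs = QUANTUM_US) {
  return Math.floor(tUs / quantumUs) * quantumUs;
}

// Build a degraded clock around `realClockUs` (returns the true time in µs).
// With `jitter` enabled each reading is shifted by a random offset below one
// quantum, so the position of the real quantum boundaries is hidden from the
// caller; `rng` must return a number in [0, 1). Like performance.now(), the
// degraded clock never runs backwards.
function makeDegradedClock(realClockUs, { quantumUs = QUANTUM_US, jitter = false, rng = Math.random } = {}) {
  let last = -Infinity;
  return function now() {
    let t = clampToQuantum(realClockUs(), quantumUs);
    if (jitter) {
      t += Math.floor(rng() * quantumUs);
    }
    if (t < last) {
      t = last; // monotonicity: a later reading may not report an earlier time
    }
    last = t;
    return t;
  };
}

// Deterministic stand-in for Math.random that replays a fixed sequence (test aid).
function sequenceRng(values) {
  let i = 0;
  return () => values[i++ % values.length];
}

// Simulate timing an event that truly lasts `durationUs`, starting at real time
// `startUs`, through a degraded clock. Returns the elapsed time the caller sees.
function observeElapsed(startUs, durationUs, options = {}) {
  let real = startUs;
  const now = makeDegradedClock(() => real, options);
  const before = now();
  real += durationUs;
  const after = now();
  return after - before;
}

// Sub-quantum differences of the size a cache hit versus a miss produces (well
// under a microsecond) collapse to zero on the clamped clock...
console.log(observeElapsed(5, 0.3));    // 0
// ...unless a quantum boundary happens to fall inside the event, which clamping
// alone still reveals. That residual signal is why some browsers add jitter.
console.log(observeElapsed(19.9, 0.3)); // 20
// With jitter, the same boundary-straddling event reads differently each time,
// so repeated measurements no longer pin down the true duration.
console.log(observeElapsed(19.9, 0.3, { jitter: true, rng: sequenceRng([0.9, 0.0]) })); // 2
console.log(observeElapsed(19.9, 0.3, { jitter: true, rng: sequenceRng([0.0, 0.9]) })); // 38
```

Clamping alone is the first step browsers shipped; the jittered variant shows why the posts above expect further time-fuzzing to follow.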
  20. Tomi Engdahl says:

    Douglas Busvine / Reuters:
    How infosec researcher Daniel Gruss and his team discovered the Meltdown CPU flaw and developed the KAISER tool to patch Meltdown on Windows, Mac, and Linux

    How a researcher hacked his own computer and found ‘worst’ chip flaw
    https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR

    Daniel Gruss didn’t sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel Corp (INTC.O).

    The 31-year-old information security researcher and post-doctoral fellow at Austria’s Graz Technical University had just breached the inner sanctum of his computer’s central processing unit (CPU) and stolen secrets from it.

    Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor’s ‘kernel’ memory, which is meant to be inaccessible to users, was only theoretically possible.

    “When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked,”

    “We sat for hours in disbelief until we eliminated any possibility that this result was wrong,”

    Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.

    The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995.

    Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) (AMD.O) and ARM Holdings, a unit of Japan’s Softbank (9984.T).

    The discovery was originally reported by online tech journal The Register. As a result of that report, research on the defect was published a week earlier than the manufacturers had planned, before some had time to work out a complete fix.

    The Graz team had already been working on a tool to defend against attempts to steal secrets from kernel memory.

    In a paper presented last June they called it KAISER, or Kernel Address Isolation to have Side-channels Effectively Removed.

    Researcher Anders Fogh wrote in a subsequent blog that it might be possible to abuse so-called speculative execution in order to read kernel memory. He was not able to do so in practice, however.

    Only after the December self-hacking episode did the significance of Graz team’s earlier work become clear. It turned out that the KAISER tool presented an effective defence against Meltdown.

    The team quickly got in touch with Intel and learned that other researchers – inspired in part by Fogh’s blog – had made similar discoveries.

    They were working under so-called responsible disclosure

    There is as yet no fix for Spectre, which tricks programmes into leaking their secrets but is viewed as a harder exploit for a hacker to carry out.

    Asked which of the two flaws posed the greater challenge, Gruss said: “The immediate problem is Meltdown.

    “After that it is going to be Spectre. Spectre is more difficult to exploit but also to mitigate. So in the long run I’d bet on Spectre.”

    Reply
  21. Tomi Engdahl says:

    The three Common Vulnerability and Exposures (CVEs) for this issue are:

    CVE-2017-5754 is the most severe of the three. This exploit uses speculative cache loading to enable a local attacker to read the contents of memory. This issue is corrected with kernel patches.
    CVE-2017-5753 is a bounds-checking exploit during branching. This issue is corrected with a kernel patch.
    CVE-2017-5715 is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.

    Source: http://www.zdnet.com/article/how-linux-is-dealing-with-meltdown-and-spectre/

    Reply
  22. Tomi Engdahl says:

    Negative Result: Reading Kernel Memory From User Mode
    https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

    Abusing speculative execution
    Imagine the following instruction executed in usermode

    mov rax,[somekernelmodeaddress]

    It will cause an interrupt when retired, but it’s not clear what happens between when the instruction is finished executing and the actual retirement. We know that once retired any information it may or may not have read is gone as it’ll never be committed to the architectural registers. However, maybe we have a chance of seeing what was read if Intel relies perfectly on Tomasulo’s algorithm.

    Reply
  23. Tomi Engdahl says:

    Samuel Gibbs / The Guardian:
    Intel faces at least three class action lawsuits over Spectre and Meltdown vulnerabilities, while additional claims may come from big cloud service providers

    Intel facing class-action lawsuits over Meltdown and Spectre bugs
    https://www.theguardian.com/technology/2018/jan/05/intel-class-action-lawsuits-meltdown-spectre-bugs-computer

    Plaintiffs claim compensation for security flaws and alleged slowdown that fixing computers will cause, while corporations count cost of corrections

    Intel has been hit with at least three class-action lawsuits over the major processor vulnerabilities revealed this week.

    The flaws, called Meltdown and Spectre, exist within virtually all modern processors and could allow hackers to steal sensitive data although no data breaches have been reported yet. While Spectre affects processors made by a variety of firms, Meltdown appears to primarily affect Intel processors made since 1995.

    Three separate class-action lawsuits have been filed by plaintiffs in California, Oregon and Indiana seeking compensation, with more expected. All three cite the security vulnerability and Intel’s delay in public disclosure from when it was first notified by researchers of the flaws in June. Intel said in a statement it “can confirm it is aware of the class actions but as these proceedings are ongoing, it would be inappropriate to comment”.

    “The security vulnerability revealed by these reports suggests that this may be one of the largest security flaws ever facing the American public,” said Bill Doyle of Doyle APC, one of the lawyers representing plaintiffs Steven Garcia and Anthony Stachowiak who filed suit in the northern district of California. “It is imperative that Intel act swiftly to fix the problem and ensure consumers are fully compensated for all losses suffered as a result of their actions.”

    Amazon, Microsoft and Google all said they do not expect significant performance problems for most of their cloud computing customers.

    But the incident is likely to spur cloud companies to press Intel for lower prices on chips in future talks, said Kim Forrest, senior equity research analyst at Fort Pitt Capital Group in Pittsburgh, which owns shares in Intel.

    “What [Intel’s cloud customers] are going to say is, ‘you wronged us, we hate you, but if we can get a discount, we’ll still buy from you’,” Forrest said.

    Forrest also suggests Intel may have to increase its chip development spending to focus on security.

    Banks and financial services firms are trying to understand what it will cost to respond to the security issues, the Financial Services Information Sharing and Analysis Center (FS-ISAC) said in a statement.

    The global industry group added: “In addition to the security considerations raised by this design flaw, performance degradation is expected, which could require more processing power for affected systems to compensate and maintain current baseline performance.

    “There will need to be consideration and balance between fixing the potential security threat v the performance and other possible impact to systems.”

    Reply
  24. Tomi Engdahl says:

    Apple says almost all its devices are affected by the Spectre and Meltdown bugs
    Apple Watches not affected
    http://www.independent.co.uk/news/apple-bugs-intel-spectre-meltdown-all-devices-affected-latest-a8142836.html?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3B9CwvlfYtSDGDz8xsBlHxRg%3D%3D

    A pair of security vulnerabilities affect virtually all Apple products but are not currently affecting users, the company said.

    Known as “Spectre” and “Meltdown”

    Reply
  25. Tomi Engdahl says:

    SpecuCheck
    https://ionescu007.github.io/SpecuCheck/

    SpecuCheck is a Windows utility for checking the state of the software mitigations against CVE-2017-5754 (Meltdown) and hardware mitigations against CVE-2017-5715 (Spectre)

    It uses two new information classes that were added to the NtQuerySystemInformation API call as part of the recent patches introduced in January 2018 and reports the data as seen by the Windows Kernel.

    An official Microsoft PowerShell Cmdlet Module now exists as well, which is the recommended and supported way to get this information.

    Reply
  26. Tomi Engdahl says:

    Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
    https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

    Microsoft is aware of a new publicly disclosed class of vulnerabilities that are called “speculative execution side-channel attacks” that affect many modern processors and operating systems, including Intel, AMD, and ARM.

    Note This issue also affects other operating systems, such as Android, Chrome, iOS, and MacOS. Therefore, we advise customers to seek guidance from those vendors.

    Microsoft has released several updates to help mitigate these vulnerabilities. We have also taken action to secure our cloud services. See the following sections for more details.

    Reply
  27. Tomi Engdahl says:

    Project Zero
    Reading privileged memory with a side-channel
    https://googleprojectzero.blogspot.fi/2018/01/reading-privileged-memory-with-side.html?m=1

    We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

    Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01 [1].

    Reply
  28. Tomi Engdahl says:

    How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown
    https://techcrunch.com/2018/01/06/how-tier-2-cloud-vendors-banded-together-to-cope-with-spectre-and-meltdown/?utm_source=tcfbpage&sr_share=facebook

    We learned that the larger cloud vendors like Amazon, Google and Microsoft have been in touch with chip vendors and have been working behind the scenes to mitigate the vulnerabilities.

    But what about smaller cloud hosting vendors like Linode, OVH and Packet who were not in the inner circle? How were they coping with it?

    Details have begun to emerge. These companies left on the outside looking in have been forced to scramble to find answers for their hundreds of thousands of customers and to find ways to protect them from this massive threat. Executives from these “Tier 2” vendors began informally contacting one another when the news of the threats broke on Wednesday.

    Reply
  29. Tomi Engdahl says:

    Tom Warren / The Verge:
    Epic Games blames Meltdown CPU performance issues for Fortnite downtime, releases chart showing CPU usage rise from ~17% to ~44% after patching one server — As the technology industry continues to react to two major CPU bugs, we’re starting to see early signs of performance issues from security patches designed to fix the problems.

    Epic Games blames Meltdown CPU performance issues for Fortnite downtime
    https://www.theverge.com/2018/1/6/16857878/meltdown-cpu-performance-issues-epic-games-fortnite

    As the technology industry continues to react to two major CPU bugs, we’re starting to see early signs of performance issues from security patches designed to fix the problems. Epic Games has released a chart of CPU usage after it patched its back-end services to address the Meltdown vulnerability. It shows a roughly 20 percent increase in CPU utilization, immediately after the patches were applied. The company released the chart to “provide a bit more context” around recent login issues and stability with its Fortnite game.

    “All of our cloud services are affected by updates required to mitigate the Meltdown vulnerability,”

    Reply
  30. Tomi Engdahl says:

    Anders Fogh / cyber.wtf:
    Meltdown researcher Anders Fogh explains how multiple researchers discovered the same vulnerabilities in modern CPUs at around the same time

    Behind the scenes of a bug collision
    https://cyber.wtf/2018/01/05/behind-the-scene-of-a-bug-collision/

    Introduction

    In this blog post I’ll speculate as to how we ended up with multiple researchers arriving at the same vulnerabilities in modern CPUs concurrently. The conclusion is that the bug was ripe because of a years-long build up of knowledge about CPU security, carried out by many research groups. I’ll also detail the rough story behind the research that led me to the bug. My story is probably different than that of the other researchers, but while unique I’m relatively sure that it’s the same for all researchers on most security issues: Security research is a long haul thing. The remainder of this blog post is semi technical.

    Research collision in CPU research isn’t that uncommon.

    So why do things like this happen (granted the story about Daniel is a freaky one)? Well, CPU research is much like drawing a map of an uncharted world. Researchers start from known research and proceed into the unknown, and if they find something they document it and add it to the map. This essentially means that the frontier looks very similar to everybody, leading people into the same paths. This process is very much sustained by the fact that almost all research in this area is academic, and academia is much better organized in terms of recording and documenting than hackers.

    For a thing like Meltdown the real foundation was laid with the work on cache side channels sometime back around 2005. There are many papers from this time.

    Reply
  31. Tomi Engdahl says:

    Lowering JavaScript Timer Resolution Thwarts Meltdown and Spectre
    https://hackaday.com/2018/01/06/lowering-javascript-timer-resolution-thwarts-meltdown-and-spectre/

    The computer security vulnerabilities Meltdown and Spectre can infer protected information based on subtle differences in hardware behavior. It takes less time to access data that has been cached versus data that needs to be retrieved from memory, and precisely measuring time difference is a critical part of these attacks.

    Our web browsers present a huge potential surface for attack as JavaScript is ubiquitous on the modern web.

    Web browsers can’t change processor cache behavior, but they could take away malicious code’s ability to exploit them.

    Reply
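    The timer-coarsening mitigation the Hackaday post describes, modelled as an added example that is not code from the article or from any browser. The 20 µs resolution and the cache-hit and cache-miss latencies are constructed assumptions chosen for illustration, not measurements of any real CPU or browser.

```javascript
// Added example, not code from the Hackaday article or any browser: it models the
// "lower the timer resolution" mitigation the post describes. Times are integers in
// nanoseconds; the resolution and the hit/miss latencies are constructed sample values.

const RESOLUTION_NS = 20000;   // assumed 20 microsecond timer granularity
const CACHE_HIT_NS = 80;       // constructed: latency of an access served from cache
const CACHE_MISS_NS = 300;     // constructed: latency of an access served from DRAM

// A precise clock returns the true time; this is the property the attacks rely on.
function preciseClock(tNs) {
  return tNs;
}

// A coarsened clock rounds every reading down to a multiple of RESOLUTION_NS,
// which is what a browser can do without touching the processor's cache.
function coarsenedClock(tNs, resolutionNs = RESOLUTION_NS) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// Duration of an event as seen through a given clock: read before, read after, subtract.
function measuredDuration(clock, startNs, durationNs) {
  return clock(startNs + durationNs) - clock(startNs);
}

// Can a single measurement tell a cache hit from a cache miss with this clock?
function hitMissDistinguishable(clock, startNs) {
  return measuredDuration(clock, startNs, CACHE_HIT_NS) !==
         measuredDuration(clock, startNs, CACHE_MISS_NS);
}

// Sweep the start time across one whole timer tick and report the fraction of
// positions where the coarsened clock still shows hit and miss differently.
// Rounding alone reduces the leak rather than eliminating it: only measurements
// that straddle a tick boundary differ, which is why a defender should treat
// coarsening as one layer among several rather than a complete fix.
function residualDistinguishableFraction(resolutionNs = RESOLUTION_NS) {
  const clock = (t) => coarsenedClock(t, resolutionNs);
  let distinguishable = 0;
  for (let offset = 0; offset < resolutionNs; offset++) {
    if (hitMissDistinguishable(clock, offset)) distinguishable++;
  }
  return distinguishable / resolutionNs;
}

// Stand-alone run: compare the two clocks on the same constructed events.
console.log('precise clock distinguishes hit/miss:', hitMissDistinguishable(preciseClock, 100000));
console.log('coarse clock distinguishes hit/miss:', hitMissDistinguishable(coarsenedClock, 100000));
console.log('fraction of tick positions still distinguishable:', residualDistinguishableFraction());
```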
  32. Tomi Engdahl says:

    An Update on AMD Processor Security
    https://www.amd.com/en/corporate/speculative-execution

    There has been recent press coverage regarding a potential security issue related to modern microprocessors and speculative execution.

    When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings.

    The research team identified three variants within the speculative execution research

    Variant One
    Bounds Check Bypass
    Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.

    Variant Two
    Branch Target Injection
    Differences in AMD architecture mean there is a near zero risk of exploitation of this variant.

    Variant Three
    Rogue Data Cache Load
    Zero AMD vulnerability due to AMD architecture differences.

    Reply
  33. Tomi Engdahl says:

    Meltdown and Spectre Fixes Arrive—But Don’t Solve Everything
    https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/

    This week, a pair of vulnerabilities broke basic security for practically all computers. That’s not an overstatement. Revelations about Meltdown and Spectre have wreaked digital havoc and left a critical mass of confusion in their wake. Not only are they terrifically complex vulnerabilities, the fixes that do exist have come in patchwork fashion. With most computing devices made in the last two decades at risk, it’s worth taking stock of how the clean-up efforts are going.

    Part of the pandemonium over addressing these vulnerabilities stems from the necessary involvement of multiple players. Processor manufacturers like Intel, AMD, Qualcomm, and ARM are working with the hardware companies that incorporate their chips, as well as the software companies that actually run code on them to add protections. Intel can’t single-handedly patch the problem, because third-party companies implement its processors differently across the tech industry. As a result, groups like Microsoft, Apple, Google, Amazon, and the Linux Project have all been interacting and collaborating with researchers and the processor makers to push out fixes.

    So how’s it going so far? Better, at least, than it seemed at first. The United States Computer Emergency Readiness Team and others initially believed that the only way to protect against Meltdown and Spectre would be total hardware replacement. The vulnerabilities impact fundamental aspects of how mainstream processors manage and silo data, and replacing them with chips that correct these flaws still may be the best bet for high-security environments. In general, though, replacing basically every processor ever simply isn’t going to happen. CERT now recommends “apply updates” as the solution for Meltdown and Spectre.

    “Everybody is saying ‘we’re not affected’ or ‘hey, we released patches,’ and it has been really confusing,” says Archie Agarwal, CEO of the enterprise security firm ThreatModeler. “And in the security community it’s hard to tell who is the right person to resolve this and how soon can it be resolved. The impact is pretty big on this one.”

    ‘It’s hard to tell who is the right person to resolve this and how soon can it be resolved.’

    Rapid Response

    Meltdown, a bug that could allow an attacker to read kernel memory (the protected core of an operating system), impacts Intel and Qualcomm processors, and one type of ARM chip. Intel has released firmware patches for its processors, and has been working with numerous manufacturers, like Apple and HP to distribute them. Intel has also coordinated with operating system developers to distribute software-level mitigations. Patches are already out for recent versions of Windows, Android, macOS, iOS, Chrome OS, and Linux.

    The other bug, Spectre, involves two known attack strategies so far, and is far more difficult to patch. (And in fact, it may be impossible to defend against it entirely in the long term without updating hardware.)

    It affects processors from Intel, ARM, AMD, and Qualcomm. Browsers like Chrome, Firefox, and Edge/Internet Explorer all have preliminary Spectre patches, as do some operating systems.

    “One of the most confusing parts of this whole thing is that there are two vulnerabilities that affect similar things, so it’s been challenging just to keep the two separate,”

    Cloud providers like Amazon Web Services are working to apply patches to their systems as well, and are grappling with corresponding performance slowdowns

    The average user shouldn’t see significant performance changes from applying Meltdown and Spectre patches, except perhaps with processor-intensive tasks like video editing. It even seems like gaming won’t be significantly affected.

    Consumers frustrated with the risk the vulnerabilities pose and their potential impact have brought three class action lawsuits against Intel so far, filed in California, Indiana, and Oregon.

    Though many of the most prominent manufacturers and software makers have taken steps to address the issue, countless smaller vendors and developers will inevitably become stragglers—and some may never directly address the flaws in their existing products at all.

    Experts also note that the rush to push out patches, while necessary, makes the ultimate efficacy of these early updates somewhat suspect. There hasn’t been much time for extensive testing and refinement, so slapdash fixes may not offer total protection, or could create other bugs and instabilities that will need to be resolved.

    This process will play out over the next weeks and months, but will be particularly significant in industrial control and critical infrastructure settings.

    “You can’t bring down a power grid just to try out a patch,” says Agarwal. “Industrial systems, hospital machines, airline control systems—they will have to wait. They can’t just patch and hope that things will work out.”

    Meanwhile, actors looking to exploit Meltdown and Spectre will be hard at work perfecting attacks—if they haven’t already. So far there is no evidence that either vulnerability was known and exploited in the past, but that can’t serve as definitive assurance.

    Security researchers say that the vulnerabilities are difficult to exploit in practice, which may limit its real-world use, but a motivated and well-funded attacker could develop more efficient techniques.

    Though possible, exploiting Meltdown and especially Spectre is complicated and challenging in practice, and some attacks require physical access

    “The serious thing for me is the unknown,” TrustedSec’s Hamerstone says. “There may be attacks in the wild, so not knowing what’s coming and not knowing how something is going to be exploited is tough.”

    Reply
  34. Tomi Engdahl says:

    After Meltdown and Spectre revelation, questions arise about timing of Intel CEO’s stock sales
    https://techcrunch.com/2018/01/04/after-meltdown-and-spectre-revelation-questions-arise-about-timing-of-intel-ceos-stock-sales/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The timing of Intel CEO Brian Krzanich’s large sale of shares in November is raising questions because a Securities and Exchange Commission filing appeared to show that the transactions were planned after the company was informed about the Meltdown and Spectre bugs, but before they were made public.

    Reply
  35. Tomi Engdahl says:

    Tom Warren / The Verge:
    Epic Games blames Meltdown CPU performance issues for Fortnite downtime, releases chart showing CPU usage rise from ~17% to ~44% after patching one server

    Epic Games blames Meltdown CPU performance issues for Fortnite downtime
    https://www.theverge.com/2018/1/6/16857878/meltdown-cpu-performance-issues-epic-games-fortnite

    As the technology industry continues to react to two major CPU bugs, we’re starting to see early signs of performance issues from security patches designed to fix the problems. Epic Games has released a chart of CPU usage after it patched its back-end services to address the Meltdown vulnerability. It shows a roughly 20 percent increase in CPU utilization, immediately after the patches were applied.

    Intel has been rolling out firmware updates to protect against the Meltdown and Spectre CPU vulnerabilities. The flaws affect nearly every device made in the past 20 years, and could allow attackers to use JavaScript code running in a browser to access memory in the attacker’s process. That memory content could contain key strokes, passwords, and other valuable information. Cloud platforms are the most at risk

    Reply
  36. Tomi Engdahl says:

    Cisco to release patches for Meltdown, Spectre CPU vulns, just in case
    Switchzilla is investigating a whole bunch of products
    https://www.theregister.co.uk/2018/01/05/cisco_releases_meltdown_patch/

    Cisco is the latest company to prepare patches to tackle the serious security vulnerabilities affecting the majority of CPUs, Meltdown and Spectre.

    Cybersecurity group CERT has warned companies that the only way to protect themselves from the flaw was to rip out and replace their processors. It has since backtracked on that advice, saying patches or repairs should do the job instead.

    Outfits to have released patches so far include Amazon, Microsoft, Linux and Apple.

    Reply
  37. Tomi Engdahl says:

    Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too
    Just in time for Friday night
    https://www.theregister.co.uk/2018/01/06/qualcomm_processor_security_vulnerabilities/

    Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm, AMD and IBM CPU cores.

    The California tech giant picked the favored Friday US West Coast afternoon “news dump” slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.

    “Qualcomm Technologies, Inc is aware of the security research on industry-wide processor vulnerabilities that have been reported,” a spokesperson for Qualcomm told The Register on Friday.

    Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm’s CPUs are affected, while the Meltdown paper doesn’t conclude either way.

    Qualcomm uses a mix of customized off-the-shelf Arm cores and its homegrown Arm-compatible CPUs in its products, which drive tons of Android-based smartphones, tablets, and other devices.

    A selection of Arm Cortex-A and Cortex-R CPU core designs are vulnerable to the CVE-2017-5753 and CVE-2017-5715 Spectre vulnerabilities, but only one – the Cortex-A75 – is also vulnerable to the easily exploitable CVE-2017-5754 Meltdown flaw. The A75 is not in any shipping product at the moment.

    Qualcomm will use that A75 core for its Snapdragon 845, while other Snapdragon lines list the A53 and A72, which are only vulnerable to the two Spectre variants. As we said, Qualcomm uses a mix of custom and off-the-shelf cores; they are probably affected by Spectre, and maybe Meltdown. Qualy won’t clarify either way.

    Apple, which too bases its iOS A-series processors on Arm’s instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS.

    IBM said firmware updates will arrive next week for its POWER CPUs to address Spectre-like bugs in its designs

    Reply
  38. Tomi Engdahl says:

    It gets worse: Microsoft’s Spectre-fixer bricks some AMD PCs
    KB4056892 is not your friend if you run an Athlon
    https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/

    Microsoft’s fix for the Meltdown and Spectre bugs may be crocking AMD-powered PCs.

    A lengthy thread on answers.microsoft.com records numerous instances in which Security Update for Windows KB4056892, Redmond’s Meltdown/Spectre patch, leaves some AMD-powered PCs with the Windows startup logo and not much more.

    Users report Athlon-powered machines in perfect working order before the patch just don’t work after it. The patch doesn’t create a recovery point, so rollback is little use and the machines emerge from a patch in a state from which rollback is sometimes not accessible. Some say that even re-installing Windows 10 doesn’t help matters. Others have been able to do so, only to have their machines quickly download and install the problematic patch all over again …

    Those who have suffered from the putrid patch will therefore need to disable Windows Update as just about the first thing they do.

    Reply
  39. Tomi Engdahl says:

    Meltdown and Spectre Fixes Arrive—But Don’t Solve Everything
    https://www.wired.com/story/meltdown-and-spectre-vulnerability-fix/

    Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
    https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

    Reply
  40. Tomi Engdahl says:

    Go Retro to Build a Spectre and Meltdown-Proof x86 Desktop
    https://hackaday.com/2018/01/07/go-retro-to-build-a-spectre-and-meltdown-proof-x86-desktop/

    [Yeo Kheng Meng] had a question: what is the oldest x86 processor that is still supported by a modern Linux kernel? Furthermore, is it actually possible to use modern software with this processor? It’s a question that surely involves experimentation, staring into the bluescreen abyss of BIOS configurations, and compiling your own kernel. Considering Linux dropped support for the 386 in 2012, the obvious answer is a 486. This supposition was tested, and the results are fantastic. You can, indeed, install a modern Linux on an ancient desktop.

    This project got its start last month at a Super Silly Hackathon where [Yeo] and [Hui Jing] installed Damn Small Linux on an ancient IBM PS/1 desktop of 1993 vintage.

    A Science Project: “Make the 486 Great Again!” – Modern Linux in an ancient PC
    http://yeokhengmeng.com/2018/01/make-the-486-great-again/

    Reply
  41. Tomi Engdahl says:

    OpenBSD’s De Raadt Pans ‘Incredibly Bad’ Disclosure of Intel CPU Bug
    https://bsd.slashdot.org/story/18/01/08/0533237/openbsds-de-raadt-pans-incredibly-bad-disclsoure-of-intel-cpu-bug

    Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled “in an incredibly bad way” by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. “Only Tier-1 companies received advance information, and that is not responsible disclosure — it is selective disclosure,” De Raadt told iTWire in response to queries. “Everyone below Tier-1 has just gotten screwed.”

    Handling of CPU bugs disclosure ‘incredibly bad’: OpenBSD’s de Raadt
    https://www.itwire.com/security/81338-handling-of-cpu-bug-disclosure-incredibly-bad-openbsd-s-de-raadt.html

    Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled “in an incredibly bad way” by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims.

    “Only Tier-1 companies received advance information, and that is not responsible disclosure – it is selective disclosure,” De Raadt (below, right) told iTWire in response to queries. “Everyone below Tier-1 has just gotten screwed.”

    Details of the bugs were published on the Web on 3 January though there had been an understanding that disclosure would only take place on 9 January, that being the day when Microsoft is scheduled to release its monthly security updates.

    The reason for this is because the bugs mainly affect Intel CPUs and Windows is the operating system that has the biggest share of such processors.

    Google justified breaking the embargo, saying: “We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”

    The reason why such bugs had come about was put down by De Raadt to Intel’s desire to stay far ahead of the competition; hence it had played “fast and loose”.

    Meltdown removes the barrier between user applications and sensitive parts of the operating system while Spectre, which is also reportedly found in some AMD and ARM processors, can trick vulnerable applications into leaking the contents of their memory.

    “There are papers about the risky side-effects of speculative loads – people knew, and as a result no other vendor’s chips does speculative loads (Meltdown – Intel Only) in a significant way,”

    “Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies – so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk,”

    “It is a scandal, and I want repaired processors for free. I don’t care if they are 30% slower, as long as they work to spec. Intel has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public’s eyes.”

    De Raadt found an analogy with the Volkswagen emission issue.

    OpenBSD has a good reputation for security and runs some of the public servers with the longest uptimes. De Raadt himself is obsessed with security.

    “I am terrified of where this leads. Intel architecture is already very inconsistent, complex, and difficult to deal with,” he said.

    “Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture. This tricky component of kernel software is now becoming more complicated than it was in the past.”

    De Raadt said there would be a “big price to pay for the complexity of handling exposure to the micro-architecture down the road, mark my words”.

    “Decades old trap/fault software is being replaced by 10-20 operating systems, and there are going to be mistakes made.”

    Reply
  42. Tomi Engdahl says:

    Apple to issue fix for iPhones, Macs at risk from ‘Spectre’ chip flaw
    https://www.reuters.com/article/us-apple-cyber/apple-to-issue-fix-for-iphones-macs-at-risk-from-spectre-chip-flaw-idUSKBN1EU04F

    SAN FRANCISCO (Reuters) – Apple Inc will release a patch for the Safari web browser on its iPhones, iPads and Macs within days, it said on Thursday, after major chipmakers disclosed flaws that leave nearly every modern computing device vulnerable to hackers.

    Browser makers Google, Microsoft Corp and Mozilla Corp’s Firefox all confirmed to Reuters that the patches they currently have in place do not protect iOS users. With Safari and virtually all other popular browsers not patched, hundreds of millions of iPhone and iPad users may have no secure means of browsing the web until Apple issues its patch.

    Reply
