https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
A fundamental design flaw in Intel’s processor chips related to virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.
It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause 5 to 30 per cent slow down of your computer on next update!
Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS, will also need to be updated.
This is bad news for Intel. Last year they had AMT vulnerability remote exploit and now this new blow in Intel security. I don’t think that computer buyers like that their computers become slower!
Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.
565 Comments
Tomi Engdahl says:
Microsoft Releases Intel Microcode Patches for Foreshadow Flaws
https://www.securityweek.com/microsoft-releases-intel-microcode-patches-foreshadow-flaws
Microsoft this week made available another round of microcode updates created by Intel for mitigating the recently disclosed speculative
execution vulnerabilities tracked as Foreshadow and L1 Terminal Fault (L1TF).
The Foreshadow/L1TF vulnerabilities are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts
operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
Tomi Engdahl says:
Intel Simplifies Microcode Update License Following Complaints
https://www.securityweek.com/intel-simplifies-microcode-update-license-following-complaints
Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.
Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.
The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.
“Unless expressly permitted under the Agreement, You will not, and will not allow any third party to [...] publish or provide any Software benchmark or comparison test results,” the license read.
The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.
Tomi Engdahl says:
Linus Torvalds talks frankly about Intel security bugs
https://www.zdnet.com/article/linus-torvalds-talks-frankly-about-intel-security-bugs/
Linus Torvalds thinks Intel has gotten better about keeping the Linux open-source community in the loop with CPU security problems, but it started out really badly. And it’s still not fair that Linux has to fix hardware problems.
At The Linux Foundation’s Open Source Summit North America in Vancouver, Linus Torvalds, Linux’s creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source developer, and quantum computing.
Torvalds would really like his work to get back to being boring. It hasn’t been lately because of Intel’s CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.
In speculative execution, when a program does a calculation, which might go several ways, the processor assumes several results and works on them. If it’s wrong, it goes back to the beginning and restarts with the correct data. Because CPUs are so fast these days, it’s much quicker to do this than to have the hardware sit idle waiting for data.
Torvalds “loves speculative execution. CPUs must do this.” But, Torvalds is annoyed that “people didn’t think about the problems of taking shortcuts with speculative execution. We knew speculative work that wasn’t used had to be thrown away.” It wasn’t. That problem is now baked in most modern processors. The long-term fix is a new generation of Intel CPUs.
Also, added Torvalds “The good news is the bugs have become more esoteric. They impact fewer and fewer cases. Intel and other hardware vendors are really getting down to the dregs of the hardware security bugs.”
For the rest of 2018, Torvalds said, “Every three months hardware bugs would show up. There have been eight serious bugs this year. There were only two or three in all the years before.”
Even now though the Spectre problems still haunt the Linux development process. The “Linux 4.19 merge window was not good. Usually it’s not a big deal. It’s just two weeks of me sitting in front of my computer. But the new security issue popped up in early in the merge window, which just added the usual frustration due to having patches that weren’t public. This made it particularly stressful.”
Tomi Engdahl says:
The Security Penalty
https://semiengineering.com/the-security-penalty/
Just building systems based on speed now comes with a well-publicized risk.
It’s not clear if Meltdown, Spectre and Foreshadow caused actual security breaches, but they did prompt big processor vendors like Intel, Arm, AMD and IBM to fix these vulnerabilities before they were made public by Google’s Project Zero.
While all of this may make data center managers and consumers feel better in one respect, it has created a level of panic of a different sort. For decades, the primary job of chip architects was to build the fastest processors possible, and over the past 15 years that has included big improvements in performance per watt. But as the power/performance benefits of Moore’s Law scaling begin to dwindle—the most recent estimates are a maximum of 20% power/performance improvement at each new node after 10/7nm—the cost of adding in security to eliminate security issues could impact that number further. Prior to 40nm, performance improvements for each new node shrink were in 30% to 35% range.
This may seem inconsequential for desktop or mobile apps. A slightly slower word-processing or spreadsheet application is an annoyance, but consumers are as likely to blame that on a barrage of software patches. Inside of data centers, however, performance has a direct economic impact. Any loss of performance in the cloud needs to be supplemented by additional servers, which require power, cooling and floorspace. A 10% loss in performance has a measurable effect on profitability.
Tomi Engdahl says:
That moment when you know Intel is fucked. Time for AMD fellas to get triggered.
https://people.cs.kuleuven.be/~jo.vanbulck/ccs18.pdf
Tomi Engdahl says:
The Security Penalty
https://semiengineering.com/the-security-penalty/
Just building systems based on speed now comes with a well-publicized risk.
It’s not clear if Meltdown, Spectre and Foreshadow caused actual security breaches, but they did prompt big processor vendors like Intel, Arm, AMD and IBM to fix these vulnerabilities before they were made public by Google’s Project Zero.
Tomi Engdahl says:
Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian
https://www.securityweek.com/linux-kernel-vulnerability-affects-red-hat-centos-debian
Qualys has disclosed the details of an integer overflow vulnerability in the Linux kernel that can be exploited by a local attacker for privilege
escalation. The flaw, dubbed “Mutagen Astronomy,” affects certain versions of the Red Hat, CentOS and Debian distributions.
The vulnerability affects versions of the kernel released between July 19, 2007, and July 7, 2017. While many Linux distributions have backported the
commit that addresses the bug, the fix hasn’t been implemented in Red Hat Enterprise Linux, CentOS (which is based on Red Hat), and Debian 8 Jessie.
Red Hat, which assigned the flaw an impact rating of “important” and a CVSS score of 7.8 (high severity), has started releasing updates that should
address the issue.
“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw,” Red Hat explained. “Systems with less
than 32GB of memory are unlikely to be affected by this issue due to memory demands during exploitation.”
Mutagen Astronomy: Integer overflow in Linux’s create_elf_tables()
(CVE-2018-14634)
https://www.qualys.com/2018/09/25/cve-2018-14634/mutagen-astronomy-integer-overflow-linux-create_elf_tables-cve-2018-14634.txt
We discovered an integer overflow in the Linux kernel’s
create_elf_tables() function: on a 64-bit system, a local attacker can
exploit this vulnerability via a SUID-root binary and obtain full root
privileges.
Only kernels with commit b6a2fea39318 (“mm: variable length argument
support”, from July 19, 2007) but without commit da029c11e6b1 (“exec:
Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are
exploitable.
Most Linux distributions backported commit da029c11e6b1 to their
long-term-supported kernels, but Red Hat Enterprise Linux and CentOS
(and Debian 8, the current “oldstable” version) have not, and are
therefore vulnerable and exploitable.
Tomi Engdahl says:
Security
Intel’s commitment to making its stuff secure is called into question
Security is a process or at least an aspiration
https://www.theregister.co.uk/2018/10/08/intel_security_commitment/
Intel claims that “protecting our customers’ data and ensuring the security of our products is a top priority” for the semiconductor giant – however, security researcher Stefan Kanthak argues otherwise.
In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel’s Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel’s statement “a blatant lie.”
“The statement is typical PR, and as such of no value,” he said.
Tomi Engdahl says:
Windows 10 will banish Spectre slowdowns with Google’s Retpoline patch
https://www.zdnet.com/article/windows-10-will-banish-spectre-slowdowns-with-googles-retpoline-patch/
Google’s Retpoline fix for the Spectre Variant 2 flaw helps minimize performance hit on Windows 10 machines.
Microsoft is including Google’s mitigation for the Spectre Variant 2 speculative execution side-channel attack in the next release of Windows 10, currently codenamed 19H1.
One of the great worries about the Meltdown and Spectre CPU flaws — aside from attackers exploiting them — has been that mitigations for the attacks could have a severe impact on performance, ranging between five and 30 percent.
That concern was greatest for Intel’s microcode mitigations for Spectre variant 2, CVE- 2017-5715, a ‘branch target injection’ flaw.
Intel’s mitigations directly change how hardware speculatively executes. These are Indirect Branch Restricted Speculation (IBRS) and Indirect Branch Predictor Barrier (IBPB), both of which could negatively impact CPU performance.
Google developed a software-based mitigation for Spectre Variant 2 called Retpoline that constrains speculative execution behavior sufficiently to mitigate an attack.
Retpoline was implemented by Linux distributions such as Red Hat and SUSE, as well as by Oracle for Oracle Linux 6 and 7.
And now, as MSPoweruser spotted, Microsoft’s kernel engineers have confirmed that Retpoline will be part of the next version of Windows 10, 19H1, which is due out next year.
Tomi Engdahl says:
Signal Upgrade Process Leaves Unencrypted Messages on Disk
https://www.bleepingcomputer.com/news/security/signal-upgrade-process-leaves-unencrypted-messages-on-disk/
Signal is a communication app that prides itself on offering encrypted messaging, but fails to provide that same protection when performing an upgrade from its Chrome extension to the desktop version, as its exports a user’s messages as unencrypted text files.
When upgrading from the Signal Chrome extension to Signal Desktop, the process requires the user to pick a location to save the message data (text and attachments), in order to import it automatically into the new version.
Tomi Engdahl says:
Foreshadow
Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
https://foreshadowattack.eu/
Tomi Engdahl says:
[Update: Intel Responds] Yet Another Side-Channel Vulnerability Discovered – Verified on Skylake and Kaby Lake
https://wccftech.com/side-channel-portsmash-hits-intel-cpus/
Intel doesn’t seem to be catching a break… Security researchers have now discovered another chip flaw that could allow attackers to leak encrypted processor data. Dubbed as PortSmash, researchers have verified the exploit on Intel Skylake and Kaby Lake processors. However, they suggested that all CPUs that use a Simultaneous Multithreading (SMT) architecture are impacted.
SMT allows multiple computing threads to be executed in parallel on a CPU core and with this security flaw, attackers can run a malicious process next to legitimate processes using the architecture’s parallel thread running capabilities. By doing this, the malicious process can then exfiltrate data from the legit processes running on the same core.
“We recently discovered a new CPU microarchitecture attack vector,” the researchers wrote. “The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures.”
The proof-of-concept code is currently available on GitHub that can be used to execute PortSmash attack on Intel Skylake and Kaby Lake out of the box. “For other SMT architectures, customizing the strategies and/or waiting times in spy is likely needed,” the researchers said. As for the impact on AMD systems, the research team told ZDNet that they strongly suspect that AMD CPUs are also impacted.
The research team suggested to “disable SMT/Hyper-Threading in the bios” and “upgrade to OpenSSL 1.1.1 (or >= 1.1.0i” as potential fixes.
This latest discovery is one of the first results of “SCARE: Side-Channel Aware Engineering” research project
Tracked as CVE-2018-5407
https://github.com/bbbrumley/portsmash
Tomi Engdahl says:
Intel CPUs impacted by new PortSmash side-channel vulnerability
https://www.zdnet.com/article/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability/
Vulnerability confirmed on Skylake and Kaby Lake CPU series. Researchers suspect AMD processors are also impacted.
Tomi Engdahl says:
[Update: Intel Responds] Yet Another Side-Channel Vulnerability Discovered – Verified on Skylake and Kaby Lake
https://wccftech.com/side-channel-portsmash-hits-intel-cpus/
The research team suggested to “disable SMT/Hyper-Threading in the bios” and “upgrade to OpenSSL 1.1.1 (or >= 1.1.0i” as potential fixes.
This latest discovery is one of the first results of “SCARE: Side-Channel Aware Engineering” research project funded by the European Research Council, with an aim to find and mitigate new side-channel attacks. Tracked as CVE-2018-5407, the researchers went public with their discovery yesterday. Intel was notified of this vulnerability last month but is yet to respond to this new attack or any possible fixes.
[Update]: Intel responds to the latest security flaw
In an emailed statement to Wccftech, an Intel spokesperson said the company believes the issue isn’t unique to Intel platforms.
“Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices.”
Tomi Engdahl says:
PortSmash attack steals secrets from Intel chips on the side
https://nakedsecurity.sophos.com/2018/11/05/portsmash-attack-steals-secrets-from-intel-chips-on-the-side/
The proof of concept steals an OpenSSL private key from a TLS server. That’s just one example of what the attack can do, and the code could easily be reconfigured to steal other information too.
How can it be fixed? Disable SMT, said researcher Billy Brumley in this mailing list post. Many machines don’t allow this in the BIOS, so OpenBSD already disabled support for SMT in its scheduler by default in June. That came just days before the disclosure of another side channel flaw called TLSBleed, which Dutch researchers used to extract cryptography keys from victim threads on Intel chips.
This bug is different to the Spectre and Meltdown attacks, revealed in January
Tomi Engdahl says:
PortSmash attack steals secrets from Intel chips on the side
https://nakedsecurity.sophos.com/2018/11/05/portsmash-attack-steals-secrets-from-intel-chips-on-the-side/
The proof of concept code, called PortSmash, comes from researchers at Finland’s Tampere University of Technology and the Technical University of Havana, Cuba. It uses a category of exploit called a side channel attack, in which one program spies on another as it runs.
The attack exploits a feature called Simultaneous Multi Threading (SMT), which runs two programs separately on a single physical CPU core.
https://github.com/bbbrumley/portsmash
Tomi Engdahl says:
New Side-Channel Vulnerability Leaks Sensitive Data From Intel Chips
https://www.securityweek.com/portsmash-new-side-channel-vulnerability-leaks-sensitive-data-intel-chips-CVE-2018-5407
A newly revealed side-channel attack can leak encrypted data from Intel microprocessors that use a Simultaneous Multithreading (SMT) architecture.
Dubbed PortSmash and tracked as CVE-2018-5407, the vulnerability affects all CPUs that rely on SMT, including Intel’s Hyper-Threading architectures. By exploiting the vulnerability, an attacker could extract sensitive data such as encryption keys from a computer’s memory or processor.
The issue was discovered by researchers at Tampere University of Technology in Finland, and Universidad Tecnológica de la Habana (CUJAE) in Cuba. By exploiting the vulnerability, they were able to steal an OpenSSL P-384 private key from a TLS server.
As Billy Brumley from the Tampere University of Technology explains, the bug can be categorized as information disclosure through timing discrepancy and exists due to execution engine sharing on SMT.
The SMT technology makes it possible for multiple threads to be executed simultaneously on a CPU core
CVE-2018-5407: new side-channel vulnerability on SMT/Hyper-Threading architectures
https://seclists.org/oss-sec/2018/q4/123
More specifically, we detect port
contention to construct a timing side channel to exfiltrate
information from processes running in parallel on the same physical
core.
We steal an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server
using this new side-channel vector. It is a local attack in the sense
that the malicious process must be running on the same physical core
as the victim (an OpenSSL-powered TLS server in this case).
## Affected hardware
SMT/Hyper-Threading architectures (verified on Skylake and Kaby Lake)
## Affected software
OpenSSL = 1.1.0i if you are looking for patches)
Tomi Engdahl says:
https://marc.info/?l=openbsd-cvs&m=152943660103446
CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2018/06/19 13:29:52
Modified files:
sys/arch/amd64/amd64: cpu.c
sys/arch/amd64/include: cpu.h
sys/kern : kern_sched.c kern_sysctl.c
sys/sys : sched.h sysctl.h
Log message:
SMT (Simultanious Multi Threading) implementations typically share
TLBs and L1 caches between threads. This can make cache timing
attacks a lot easier and we strongly suspect that this will make
several spectre-class bugs exploitable. Especially on Intel’s SMT
implementation which is better known as Hypter-threading. We really
should not run different security domains on different processor
threads of the same core.
https://marc.info/?l=openbsd-tech&m=153504937925732
Two recently disclosed hardware bugs affected Intel cpus:
– TLBleed
– T1TF (the name “Foreshadow” refers to 1 of 3 aspects of this
bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround,
*AND* the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two
cpu instances and those shared resources lack security differentiators.
Some of these side channel attacks aren’t trivial, but we can expect
most of them to eventually work and leak kernel or cross-VM memory in
common usage circumstances, even such as javascript directly in a
browser.
There will be more hardware bugs and artifacts disclosed. Due to the
way SMT interacts with speculative execution on Intel cpus, I expect SMT
to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all
Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS.
Also, update your BIOS firmware, if you can.
OpenBSD -current (and therefore 6.4) will not use hyperthreading if it
is enabled, and will update the cpu microcode if possible.
Tomi Engdahl says:
PortSmash attack blasts hole in Intel’s Hyper-Threading CPUs, leaves with secret crypto keys
Malware already on machines can exploit SMT using side-channel techniques to snatch private info
https://www.theregister.co.uk/2018/11/02/portsmash_intel_security_attack/
Brainiacs in Cuba and Finland have found a new side-channel vulnerability in Intel x64 processors that could allow an attacker to sniff out cryptographic keys and other privileged information.
Tomi Engdahl says:
https://security.stackexchange.com/questions/197016/new-cve-2018-5407-portsmash-vulnerablity-in-intel-cpu
As with a lot of breaking-news coverage of computer security, there’s a lot of questionable reporting on PortSmash. It’s not actually very interesting, as it doesn’t really add much to the attacker toolkit. It only affects a very narrow set of targets, which are already vulnerable to other attacks (and have been for years).
Colin Percival actually described the attack in question 13 years ago. The scope, specifically, is where there’s a secret held in memory (a cryptographic key, for example) that alters what code your program executes.
The defence against PortSmash is exactly the same as the defence against microarchitectural side channel attacks from 2005: Make sure that the cryptographic key you’re using does not affect the sequence of instructions or memory accesses performed by your code.
So this story can be filed under “confirming what we already knew”. It’s great work — and I’m glad that after 13 years someone has finally gotten around to writing the exploit — but it’s not something users need to worry about at all.
So PortSmash isn’t really anything that new; it’s a small evolution in a class of side-channel attacks that all hyper-threading processors are vulnerable to, and have been since the beginning.
Tomi Engdahl says:
https://it.slashdot.org/story/18/11/02/1543237/intel-cpus-impacted-by-new-portsmash-side-channel-vulnerability
Hyperthreading usually can be shut off in BIOS, why not do that if you’re worried and your apps don’t need it? my apps certainly don’t benefit from it much…
No BIOS on Macintoshes. And no other way to permanently disable HT, AFAICT. You can disable it with Instruments.app and probably with sysctl. (I do not own a Mac with an Intel CPU, I just googled.)
Although no one has tested it, the article indicates that the people who discovered this vulnerability think that AMD’s SMT implementation would also be vulnerable to this kind of attack. While that isn’t a confirmation, it does appear as though this exploit is general enough that it wouldn’t be specific to Intel.
If a hyperthread can spy on the other hyperthread that runs on the same core, it is possible to disable hyperthreading.
Tomi Engdahl says:
https://en.wikipedia.org/wiki/Foreshadow_(security_vulnerability)
Foreshadow (known as L1 Terminal Fault (L1TF) by Intel)[1][2] is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018.[
The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds.[1] There are two versions: the first version (original/Foreshadow) (CVE-2018-3615) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) (CVE-2018-3620 and CVE-2018-3646) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory.[
Tomi Engdahl says:
Intel CPUs fall to new hyperthreading exploit that pilfers crypto keys
https://arstechnica.com/information-technology/2018/11/intel-cpus-fall-to-new-hyperthreading-exploit-that-pilfers-crypto-keys/
Side-channel leak in Skylake and Kaby Lake chips probably affects AMD CPUs, too.
Tomi Engdahl says:
https://www.thomas-krenn.com/en/wiki/PortSmash_Side-Channel_Vulnerability_CVE-2018-5407
Tomi Engdahl says:
The Intel Microcode Boot Loader Protects Older CPUs From Spectre
https://www.bleepingcomputer.com/news/security/the-intel-microcode-boot-loader-protects-older-cpus-from-spectre/
The Intel Microcode Boot Loader creates a bootable USB flash drive that automatically applies the latest Intel microcodes to your identified CPU so that you are protected from the speculative execution side-channel attacks called Spectre.
Spectre is vulnerability found in Intel & AMD CPUs that allow a malicious process to steal information from another running process on the computer. To fix these vulnerabilities, Intel released updated microcodes that patch Intel CPUs so that they become protected from the vulnerability.
For Windows 10 and Windows Server 2016 users, Microsoft distributed these updated microcodes automatically as a Windows update. Unfortunately, older operating systems and thus the CPUs that run them, would not be receiving the patches and would not be protected. This is where the Intel Microcode Boot Loader comes into play.
https://www.techpowerup.com/forums/threads/intel-microcode-boot-loader.248858/
Tomi Engdahl says:
A Systematic Evaluation of Transient Execution Attacks Reveal 7 New Variants of Meltdown and Spectre class Vulnerabilities
Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s micro-architectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches).
The systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. The research paper evaluates all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM).
Link: https://arxiv.org/abs/1811.05441
Research Paper: https://arxiv.org/pdf/1811.05441
Tomi Engdahl says:
Researchers Disclose 7 New Meltdown, Spectre Attacks
https://www.securityweek.com/researchers-disclose-7-new-meltdown-spectre-attacks
Tomi Engdahl says:
More Spectre/Meltdown-Like Attacks
https://www.schneier.com/blog/archives/2018/11/more_spectremel.html
Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start:
It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities.
We saw several variants over the year. And now researchers have discovered seven more.
Tomi Engdahl says:
More Spectre/Meltdown-Like Attacks
https://www.schneier.com/blog/archives/2018/11/more_spectremel.html
We saw several variants over the year. And now researchers have discovered seven more.
The research team says they’ve successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown-attacks did not succeed, according to a graph published by researchers.
Another Meltdown, Spectre security scare: Data-leaking holes riddle Intel, AMD, Arm chips
CPU slingers insist existing defenses will stop attacks – but eggheads disagree
https://www.theregister.co.uk/2018/11/14/spectre_meltdown_variants/
In short, these processor security flaws can be exploited by malicious users and malware on a vulnerable machine potentially to lift passwords, encryption keys, and other secrets, out of memory that should be off-limits. To date, we’re not aware of any software nasties exploiting these holes in the wild, but nonetheless they have been a wake-up call for the semiconductor industry, forcing redesigns of silicon and changes to toolchains.
he not-so-magnificent seven
The researchers describe seven new transient execution attacks, consisting of two new Meltdown variants (Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD) and five new Spectre branch predictor mistraining strategies for previously disclosed flaws known as Spectre-PHT (Bounds Check Bypass) and Spectre-BTB (Branch Target Injection). They say they’ve responsibly disclosed their findings to chip vendors.
Previously, there were five publicly disclosed Meltdown variants: Meltdown-US (Meltdown), Meltdown-P (Foreshadow), Meltdown-GP (Variant 3a), Meltdown-NM (Lazy FP), and Meltdown-RW (Variant 1.2).
The researchers propose two more: Meltdown-PK and Meltdown-BR.
The researchers demonstrated their attack on an Intel Skylake i5-6200U CPU with MPX support, an AMD 2013 E2-2000 and an AMD 2017 Ryzen Threadripper 1920X. They note this is the first time a Meltdown-style transient execution attack has been shown to be able to take advantage of delayed exception handling on AMD hardware.
Tomi Engdahl says:
Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
Updated on 23/Oct/2018
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
Tomi Engdahl says:
Another Meltdown, Spectre security scare: Data-leaking holes riddle Intel, AMD, Arm chips
https://www.theregister.co.uk/2018/11/14/spectre_meltdown_variants/
Link: https://arxiv.org/abs/1811.05441
Research Paper: https://arxiv.org/pdf/1811.05441
https://access.redhat.com/security/cve/cve-2018-5407
https://thehackernews.com/2018/11/meltdown-spectre-vulnerabilities.html
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
https://www.securityweek.com/researchers-disclose-7-new-meltdown-spectre-attacks
Tomi Engdahl says:
7 New Meltdown and Spectre-type CPU Flaws Affect Intel, AMD, ARM CPUs
https://thehackernews.com/2018/11/meltdown-spectre-vulnerabilities.html
Since then, several more variants of speculative execution attacks have been discovered, including Spectre-NG, SpectreRSB, Spectre 1.1, Spectre1.2, TLBleed, Lazy FP, NetSpectre and Foreshadow, patches for which were released by affected vendors time-to-time.
Now, the same team of cybersecurity researchers who discovered original Meltdown and Spectre vulnerabilities have uncovered 7 new transient execution attacks affecting 3 major processor vendors—Intel, AMD, ARM.
Out of 7 newly discovered attacks, as listed below, two are Meltdown variants, named as Meltdown-PK and Meltdown-BR, and other 5 are new Spectre mistraining strategies.
1. Meltdown-PK (Protection Key Bypass)—On Intel CPUs, an attacker with code execution ability in the containing process can bypass both read and write isolation guarantees enforced through memory-protection keys for userspace.
2. Meltdown-BR (Bounds Check Bypass)—Intel and AMD x86 processors that ship with Memory Protection eXtensions (MPX) for efficient array bounds checking can be bypassed to encode out-of-bounds secrets that are never architecturally visible.
Spectre-PHT (Pattern History Table)
3. Spectre-PHT-CA-OP (Cross-Address-space Out of Place)—Performing previously disclosed Spectre-PHT attacks within an attacker-controlled address space at a congruent address to the victim branch.
4. Spectre-PHT-SA-IP (Same Address-space In Place)—Performing Spectre-PHT attacks within the same address space and the same branch location that is later on exploited.
5. Spectre-PHT-SA-OP (Same Address-space Out of Place)—Performing Spectre-PHT attacks within the same address space with a different branch.
Spectre-BTB (Branch Target Buffer)
6. Spectre-BTB-SA-IP (Same Address-space In Place)—Performing Spectre-BTB attacks within the same address space and the same branch location that is later on exploited.
7. Spectre-BTB-SA-OP (Same Address-space Out of Place)—Performing Spectre-BTB attacks within the same address space with a different branch.
Tomi Engdahl says:
Speculative Processor Vulnerability
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
Updated on 23/Oct/2018
Researchers Disclose 7 New Meltdown, Spectre Attacks
https://www.securityweek.com/researchers-disclose-7-new-meltdown-spectre-attacks
UPDATE. ARM also told SecurityWeek that the recent Spectre and Meltdown vulnerabilities identified by academic researchers can be addressed by applying existing mitigations as described in a previously published white paper.
Tomi Engdahl says:
Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting
Yes, even the Tor browser can be spied on by this nasty code
https://www.theregister.co.uk/2018/11/21/unmasking_browsers_side_channels/
Special report Computer science boffins have demonstrated a side-channel attack technique that bypasses recently-introduced privacy defenses, and makes even the Tor browser subject to tracking. The result: it is possible for malicious JavaScript in one web browser tab to spy on other open tabs, and work out which websites you’re visiting.
This information can be used to target adverts at you based on your interests, or otherwise work out the kind of stuff you’re into and collect it in safe-keeping for future reference.
Tomi Engdahl says:
Researchers discover SplitSpectre, a new Spectre-like CPU attack
Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/
Tomi Engdahl says:
Researchers discover SplitSpectre, a new Spectre-like CPU attack
Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/
The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last
year and which became public in January 2018.
According to the research team, a SplitSpectre attack is far easier to execute than an original Spectre attack.
Researchers say that this attack technically extends the length of the speculative execution window, which “is an instrumental part in
extending the capabilities of [an][...] attacker.”
For their academic paper, the research team says it successfully carried out a SplitSpectre attack against Intel Haswell and Skylake
CPUs, and AMD Ryzen processors, via SpiderMonkey 52.7.4, Firefox’s JavaScript engine.
Nonetheless, researchers said that existing Spectre mitigations would thwart the SplitSpectre attacks. This includes CPU microcode
updates that CPU vendors have released over the past year, updates to popular code compilers to harden apps against Spectre-like attacks, and the browser-level modifications that browser vendors have shipped with post-January 2018 browser releases to make it infeasible to carry out web-based Spectre attacks.
Tomi Engdahl says:
Researchers discover SplitSpectre, a new Spectre-like CPU attack
Spectre-like variations continue to be discovered, just as academics predicted at the start of 2018.
https://www.zdnet.com/article/researchers-discover-splitspectre-a-new-spectre-like-cpu-attack/#ftag=RSSbaffb68
Reading privileged memory with a side-channel
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Tomi Engdahl says:
Windows Internals: Mitigating Spectre Variant 0×2 With Retpoline on Windows
The original mitigations for Spectre Variant 2 made use of new capabilities exposed by CPU microcode updates to restrict indirect branch speculation when executing within kernel mode (IBRS and IBPB). While it was an effective mitigation from security standpoint, it resulted in a larger performance degradation than normal on certain processors and workloads. However, MS tweaked up an approach developed by Google, known as Retpoline which works by replacing all indirect call or jumps in Kernel-mode binaries with an indirect branch sequence that has safe speculation behavior.
Writeup: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Mitigating-Spectre-variant-2-with-Retpoline-on-Windows/ba-p/295618
Whitepaper by Intel: https://software.intel.com/security-software-guidance/api-app/sites/default/files/Retpoline-A-Branch-Target-Injection-Mitigation.pdf
Tomi Engdahl says:
In case you’re not already sick of Spectre… Boffins demo Speculator tool for sniffing out data-leaking CPU holes
First proof-of-concept, SplitSpectre, requires fewer instructions in victim
https://www.theregister.co.uk/2018/12/07/splitspectre_attack/
Analysis You’ve patched your Intel, AMD, Power, and Arm gear to crush those pesky data-leaking speculative execution processor bugs, right? Good, because IBM eggheads in Switzerland have teamed up with Northeastern University boffins in the US to cook up Spectre exploit code they’ve dubbed SplitSpectre.
SplitSpectre is a proof-of-concept built from Speculator, the team’s automated CPU bug-discovery tool, which the group plans to release as open-source software. Their work is described here in an academic paper emitted earlier this week.
Let’s Not Speculate: Discovering and Analyzing Speculative Execution Attacks
https://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/d66e56756964d8998525835200494b74!OpenDocument&Highlight=0,RZ3933
Reading privileged memory with a side-channel
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Tomi Engdahl says:
Let’s Not Speculate: Discovering and Analyzing Speculative Execution Attack
https://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/d66e56756964d8998525835200494b74!OpenDocument&Highlight=0,RZ3933
Tomi Engdahl says:
Intel Announces Faster Processor Patched for Meltdown and Spectre
https://hackaday.com/2018/12/12/intel-announces-faster-processor-patched-for-meltdown-and-spectre/
Intel just announced their new Sunny Cove Architecture that comes with a lot of new bells and whistles. The Intel processor line-up has been based off the Skylake architecture since 2015, so the new architecture is a fresh breath for the world’s largest chip maker. They’ve been in the limelight this year with hardware vulnerabilities exposed, known as Spectre and Meltdown. The new designs have of course been patched against those weaknesses.
Fact Sheet: New Intel Architectures and Technologies Target Expanded Market Opportunities
https://newsroom.intel.com/articles/new-intel-architectures-technologies-target-expanded-market-opportunities/
Intel Demonstrates 10nm-based PCs, Data Center and Networking Systems, Next-Gen ‘Sunny Cove’ Architecture with AI and Crypto Acceleration, and Industry’s First 3D Logic Chip Packaging Technology
Tomi Engdahl says:
Is Spectre making a comeback? Processors in the spotlight
https://www.pandasecurity.com/mediacenter/security/spectre-making-comeback-processors/
We began 2018 with a real scare: Meltdown and Spectre, two serious vulnerabilities in the processors used by the vast majority of mobiles, computers and tablets in the world. And as if that weren’t enough, we’re going to finish the year with the same sensation.
The findings of nine academics are to blame here: last month they discovered the existence of seven new cybersecurity attacks via processors. Of these seven, two are variations of Meltdown, while the other five are variations of Spectre. According to the researchers, the vulnerability in this second case even managed to gain access through applications that were classified as safe.
Tomi Engdahl says:
Why are Spectre and Meltdown So Dangerous?
https://www.youtube.com/watch?v=NArwG6yaWJ8&list=PLQMVnqe4XbictUtFZK1-gBYvyUzTWJnOk
Tomi Engdahl says:
The Elite Intel Team Still Fighting Meltdown and Spectre
https://www.wired.com/story/intel-meltdown-spectre-storm/
A year ago today, Intel coordinated with a web of academic and independent researchers to disclose a pair of security vulnerabilities with unprecedented impact. Since then, a core Intel hacking team has worked to help clean up the mess—by creating attacks of their own.
Known as Spectre and Meltdown, the two original flaws
On top of all of this, Meltdown and particularly Spectre revealed fundamental security weaknesses in how chips have been designed for over two decades. Throughout 2018, researchers inside and outside Intel continued to find exploitable weaknesses related to this class of “speculative execution” vulnerabilities.
At the center of these efforts for Intel is STORM, the company’s strategic offensive research and mitigation group, a team of hackers from around the world tasked with heading off next-generation security threats. Reacting to speculative execution vulnerabilities in particular has taken extensive collaboration among product development teams, legacy architecture groups, outreach and communications departments to coordinate response, and security-focused research groups at Intel. STORM has been at the heart of the technical side.
” In the past no one was aware of these issues, so they weren’t willing to sacrifice any performance for security.”
Jon Masters, Red Hat
“With Meltdown and Spectre we were very aggressive with how we approached this problem,” says Dhinesh Manoharan, who heads Intel’s offensive security research division, which includes STORM. “The amount of products that we needed to deal with and address and the pace in which we did this—we set a really high bar.”
Intel received industry criticism—especially early in 2018—for haphazard communication, and for pushing some bad patches as the company attempted to steer the Spectre and Meltdown ship. But researchers who have been heavily involved in speculative execution vulnerability response outside of Intel say that the company has largely earned back goodwill through how relentless it has been in dealing with Spectre and Meltdown.
“New things will be found no matter what,” says Jon Masters, an architecture specialist at the open source enterprise IT services group Red Hat, which was recently acquired by IBM. “But in the past no one was aware of these issues, so they weren’t willing to sacrifice any performance for security. Now, for Intel, security is not just a checkbox but a key feature, and future machines will be built differently.”
Tomi Engdahl says:
New side-channel leak: Boffins bash operating system page caches until they spill secrets
Novel data-siphoning attack is hardware agnostic
https://www.theregister.co.uk/2019/01/05/boffins_beat_page_cache/
Some of the computer security boffins who revealed last year’s data-leaking speculative-execution holes have identified yet another side-channel attack that can bypass security protections in modern systems.
Tomi Engdahl says:
The Elite Intel Team Still Fighting Meltdown and Spectre
https://www.wired.com/story/intel-meltdown-spectre-storm/
Tomi Engdahl says:
New Side-Channel Attack Targets OS Page Cache
https://www.securityweek.com/new-side-channel-attack-targets-os-page-cache
A team of researchers, including experts involved in the discovery of the Meltdown and Spectre vulnerabilities, have disclosed a new type of side-channel attack that targets the operating system page cache.
Unlike Meltdown, Spectre and other side-channel attack methods disclosed in the past year – these were possible due to design flaws in microprocessors – page cache attacks are hardware agnostic and they have been demonstrated to work against both Windows and Linux systems.
Page caches are software caches containing all the memory pages associated with files and applications. Page caches give the operating system quicker access to data and reduce the number of disk reads, thus improving performance.
Tomi Engdahl says:
Linux kernel gets another option to disable Spectre mitigations
People want more control over the Spectre mitigations for the sake of performance.
https://www.zdnet.com/article/linux-kernel-gets-another-option-to-disable-spectre-mitigations/
Believe it or not, the mitigations for the Spectre-class of CPU vulnerabilities are now some of the biggest enemies of system administrators.
Despite being security-focused patches, these mitigations are known to introduce huge performance hits to Linux systems.
A recent benchmark showed that just one of the many Spectre mitigations –namely the one named Single Thread Indirect Branch Predictors (STIBP)– introduced a 30 percent performance dip for PHP servers, causing system administrators to reconsider applying some of these patches.
Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack.
Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections.
Tomi Engdahl says:
https://www.mikrobitti.fi/uutiset/hyva-ja-suositeltava-paivitys-pida-pcn-peruskivi-ajan-tasalla-niin-koneesta-tulee-turvallisempi-vakaampi-ja-nopeampi/99146122-e961-444e-94eb-bcfb41f0a283
Tomi Engdahl says:
Researchers Implant “Protected” Malware On Intel SGX Enclaves
https://thehackernews.com/2019/02/intel-sgx-malware-hacking.html
Cybersecurity researchers have discovered a way to hide malicious code in Intel SGX enclaves, a hardware-based memory encryption feature in modern processors that isolates sensitive code and data to protect it from disclosure or modification.
In other words, the technique allows attackers to implant malware code in a secure memory that uses protection features of SGX which are otherwise designed to protect important data from prying eyes or from being tampered, even on a compromised system.