Intel Kernel Memory Leak

nsaspook

Joined Aug 27, 2009
13,086
Why so cynical?

Do you have evidence they knew these vulnerabilities existed years ago that they actively neglected to a) inform their customers and b) revise their new silicon?

Do you have evidence that they did not take security at the silicon level seriously until these exploits became known?

Do you think the NSA (and any other intelligence-based 3-letter acronym you can think of) did not review hardware security with their chosen vendors while developing their intelligence and data storage and access systems?

IMHO, Occum's razor applies here: the bad guys only need to be right once. The good guys -- 100% of the time.
I'm not cynical. While maybe this exact attack was not public these types of side-channel attacks have been known for eons and the countermeasures were also known. Look at the speed at which Intel is now pushing new silicon fixes, that research didn't happen in a few months.
https://www.bloomberg.com/news/arti...-inside-the-semiconductor-industry-s-meltdown
Prescher was one of at least 10 researchers and engineers working around the globe -- sometimes independently, sometimes together -- who uncovered Meltdown and Spectre. Interviews with several of these experts reveal a chip industry that, while talking up efforts to secure computers, failed to spot that a common feature of their products had made machines so vulnerable.

"It makes you shudder," said Paul Kocher, who helped find Spectre and started studying trade-offs between security and performance after leaving a full-time job at chip company Rambus Inc. last year. "The processor people were looking at performance and not looking at security." Kocher still works as an adviser to Rambus.
Researchers began writing about the potential for security weaknesses at the heart of central processing units, or CPUs, at least as early as 2005. Yuval Yarom, at the University of Adelaide in Australia, credited with helping discover Spectre last week, penned some of this early work.
...
Despite Fogh’s encouragement, the Graz researchers still didn’t think attacks would ever work in practice. "That would be such a major f*ck-up by Intel that it can’t be possible," Schwarz recalled saying. So the team didn’t dedicate much time to it.
No Kidding, a 'major' for sure.
https://www.blackhat.com/docs/us-16...Layout-Randomization-KASLR-With-Intel-TSX.pdf
https://en.wikipedia.org/wiki/Kernel_page-table_isolation

Intel did know about this research and hopefully designed possible fixes but they all required a performance hit on current hardware like we see with the current microcode patches so we never saw them until the 'major' became public news.
Intel 'decided' to reduce the security envelope to the breaking point for increased performance with speculative execution and its interaction with cache.
 

bogosort

Joined Sep 24, 2011
696
Hardware security has always lagged far behind software security, probably because software is the low-hanging fruit. We interact directly with software (much of it poorly written), and only indirectly with hardware, which greatly reduces the space of possible attack vectors. The seeds of Meltdown and Spectre were planted in 1967, when an IBM engineer named Tomasulo wrote a paper on optimal dynamic scheduling. The closer a processor follows Tomasulo's algorithm, the more susceptible it is to speculative execution attacks. I very much doubt Tomasulo at the time considered the security implications. Likewise for Intel: when they designed the Pentium, their first superscalar processor, the greatest attack vector of them all -- the Internet -- didn't exist for the vast majority of their market.

While hardware side-channel attacks have been well-researched for over a decade now, it wasn't until late 2017 that speculative execution attacks were even discovered. Think about that: an entire industry of commercial and academic security researchers, whose currency is the publication of new attack vectors, did not find an architectural hole that had been hidden in plain sight since at least the early 90s. Rowhammer had effectively been discovered in the 70s; Flush+Reload in the early 2000s. If the Meltdown and Spectre vectors had eluded all these security researchers for so long, I have a hard time believing that Intel was secretly aware of them, crossing their fingers that no one would find them. We mustn't forget that this isn't an Intel problem -- it's an architectural problem. Any superscalar processor that follows Tomasulo's algorithm (which is optimal for performance) is vulnerable. This includes processors from AMD, ARM, and MIPS, at least.

Security is, and has always been, a matter of degree. The lock on your front door only prevents someone from opening it in the usual way. Sadly, there is no such thing as a useful system that is also perfectly secure. We accept risks all the time, whether we're conscious of them or not. Meltdown and Spectre are actually very low risk for most PCs, since they require malicious software to be already running on the machine; it's the virtual machine hosts that need mitigation. Unfortunately, all the negative press is forcing CPU makers to "fix" entire lines of processors, which necessarily reduces performance, all in the name of security theater. It's the TSA all over again. I wonder if the general public was as aware of cache-timing attacks, would they accept a computer without a memory hierarchy, and the enormous computing penalty that would come with it. Probably not, because security is a matter of degree -- we'll accept some inconvenience in the name of security, but everyone has a line.
 

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653
/--/
While hardware side-channel attacks have been well-researched for over a decade now, it wasn't until late 2017 that speculative execution attacks were even discovered. Think about that: an entire industry of commercial and academic security researchers, whose currency is the publication of new attack vectors, did not find an architectural hole that had been hidden in plain sight since at least the early 90s.
/--/
I think that you make a lot of good points and perhaps the attribution for my "groan" was somewhat simplistic. I note, however, that a lack of publication does not, necessarily, mean undiscovered. Absence of public evidence is not evidence of absence.
 

bogosort

Joined Sep 24, 2011
696
I think that you make a lot of good points and perhaps the attribution for my "groan" was somewhat simplistic. I note, however, that a lack of publication does not, necessarily, mean undiscovered. Absence of public evidence is not evidence of absence.
Remember, security researchers make their living by publishing early and often. Here's one of the discoverers of Meltdown talking about its discovery:
https://cyber.wtf/2018/01/05/behind-the-scene-of-a-bug-collision/
 

nsaspook

Joined Aug 27, 2009
13,086
While hardware side-channel attacks have been well-researched for over a decade now, it wasn't until late 2017 that speculative execution attacks were even discovered. Think about that: an entire industry of commercial and academic security researchers, whose currency is the publication of new attack vectors, did not find an architectural hole that had been hidden in plain sight since at least the early 90s. Rowhammer had effectively been discovered in the 70s; Flush+Reload in the early 2000s. If the Meltdown and Spectre vectors had eluded all these security researchers for so long, I have a hard time believing that Intel was secretly aware of them, crossing their fingers that no one would find them. We mustn't forget that this isn't an Intel problem -- it's an architectural problem. Any superscalar processor that follows Tomasulo's algorithm (which is optimal for performance) is vulnerable. This includes processors from AMD, ARM, and MIPS, at least.
In this case it's all on Intel for blotching (AMD didn't) the superscalar processor hardware in a way that's catastrophic to security beyond (a trivial practical attack) the expected speculative execution attacks already known. IMO this is not a case a security theater. The threat is real and easily executed on Intel hardware with trivial example code using things like javascript. Saying 'Meltdown and Spectre are actually very low risk for most PCs' is not a smart way to access the total risk to critical server domain hardware from the same production lines. Speculative execution attacks were the natural progression of side-channel attacks on hardware back from the days of people using glitch attacks with PIC controllers to attack SAT-TV cards so I'm pretty sure Intel had already done the security research for the hardware (I believe these mitigations are already built) needed to counter speculative execution attacks that's being released on the 'fixed' chipsets this year. People will hammer and hammer the new hardware looking for bugs so it must be solid. IMO the odds are the Intel inside club had some sort of heads-up on this problem judging from the lack of security researchers publishing early and often after June 2017 when Google informed Intel of the side-channel attacks on speculative execution and details of the embargo were set. State-level actors can bug internal and external communication so they would have known about the exploit as soon as it hit the research table.

https://www.zdnet.com/article/meltdown-and-spectre-response-hampered-by-exclusive-club-secrecy/
"I think maybe a way to fix it in the future would obviously be not having an absolute sh*t show of an embargo," Frazelle said.
...
"It's the largest customers of Intel products that get the first drops from Intel, and as community projects that don't have a specific vendor relationship with Intel, that puts us kind of on a 'dunno' list."
 
Last edited:

bogosort

Joined Sep 24, 2011
696
In this case it's all on Intel for blotching (AMD didn't) the superscalar processor hardware in a way that's catastrophic to security beyond (a trivial practical attack) the expected speculative execution attacks already known. IMO this is not a case a security theater. The threat is real and easily executed on Intel hardware with trivial example code using things like javascript.
What blotching? Catastrophic?

Beyond toy implementations, the threat is not easily executed. Browsers reduced their timer resolution, closing the Javascript vector, within days of Meltdown and Spectre being announced. Note that CVSS lists them as medium level threats.

As for the other stuff, this was no conspiracy; there was no cover-up. If the several researchers who independently found the vulnerabilities were indeed being bugged by state-level actors, it had nothing to do with speculative execution.
 

nsaspook

Joined Aug 27, 2009
13,086
What blotching? Catastrophic?

Beyond toy implementations, the threat is not easily executed. Browsers reduced their timer resolution, closing the Javascript vector, within days of Meltdown and Spectre being announced. Note that CVSS lists them as medium level threats.

As for the other stuff, this was no conspiracy; there was no cover-up. If the several researchers who independently found the vulnerabilities were indeed being bugged by state-level actors, it had nothing to do with speculative execution.
OK, you're right. blotching is much too nice a word for their "Meltdown" Intel specific issue chip errata.
I would call the loss of kernel protected data by useland programs catastrophic to security (the equivalent to cracking an encryption system) in an operating system and that would have been the general state of affairs without the many patches from hardware makers to software producers to prevent the known attacks. No conspiracy by Intel, the profit motive explains their actions easily.

https://danluu.com/cpu-bugs/
 

takao21203

Joined Apr 28, 2012
3,702
the internet and computers are Machiavelli architecture.

Connection drops off randomly and strange error messages since years.
Windows cant be closed.
Videos autoplay, nice if you use laptop in the night and have thin walls.
You can create a stunning website with WIX and need this info on youtube over several years
Youll receive SPAM for years and years
Your Android tablet will stall for no visible reasons
Youll at times not be able to pay online
Loading pages will take forever, uploads as well, eventually drop off at some stage for no visible reason
Youre forced to click NO THANKS say thanks to a machine.
There will be 50 USB yokes afer some years of which several will not work properly.
Your new PC or laptop will be outdated when you buy it already
Youll need to fiddle with drivers very often + products not working except on one of your machines if youre lucky

Just a small selection of hostilities
 

nsaspook

Joined Aug 27, 2009
13,086
https://www.bleepingcomputer.com/ne...re-vulnerability-affects-all-intel-core-cpus/
Intel has told BleepingComputer that this vulnerability has been addressed by operating system and hypervisor software for many years.

"This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well."
 

Thread Starter

Raymond Genovese

Joined Mar 5, 2016
1,653
Thanks for that link @nsaspook I am going to buy a new desktop within a few months and I have not forgotten this issue. That link, unfortunately, does more to demonstrate the rampant growth of such vulnerabilities and the difficulty of determining protection. It's not that I am obsessed with it, but if I am going to move to a new box that will be used for years, I certainly want to try to consider all aspects of hardware and software - including such vulnerabilities.
 

nsaspook

Joined Aug 27, 2009
13,086
Thanks for that link @nsaspook I am going to buy a new desktop within a few months and I have not forgotten this issue. That link, unfortunately, does more to demonstrate the rampant growth of such vulnerabilities and the difficulty of determining protection. It's not that I am obsessed with it, but if I am going to move to a new box that will be used for years, I certainly want to try to consider all aspects of hardware and software - including such vulnerabilities.
That's one reason I'm buying used, somewhat modern server grade hardware to replace most of the old home computer systems I use daily. It's not a good choice (loud, power hungry with limited choices for AV upgrades) for everyone but companies like HP still deliver mitigation bios updates for older machines so hopefully I can keep pace with the bugs and hacks. All of the OS software, firmware and CPU microcode fixes can reduce performance up to 30% so the extra compute power comes in handy. I'm buying another HP DL360 G7 with 12 cores to replace my netbooting G5 8 core desktop. The old G5 will be reconfigured as the firewall cold standby server or it and the new G7 can netbooted to one of several separate remotely mounted boot desktop environments from the main nfs file-server.
 

joeyd999

Joined Jun 6, 2011
5,237
That's one reason I'm buying used, somewhat modern server grade hardware to replace most of the old home computer systems I use daily. It's not a good choice (loud, power hungry with limited choices for AV upgrades) for everyone but companies like HP still deliver mitigation bios updates for older machines so hopefully I can keep pace with the bugs and hacks. All of the OS software, firmware and CPU microcode fixes can reduce performance up to 30% so the extra compute power comes in handy. I'm buying another HP DL360 G7 with 12 cores to replace my netbooting G5 8 core desktop. The old G5 will be reconfigured as the firewall cold standby server or it and the new G7 can netbooted to one of several separate remotely mounted boot desktop environments from the main nfs file-server.
Too bad you're not near me. I've got enough unused boxes lying around to build a pretty decent Beowulf cluster.
 

nsaspook

Joined Aug 27, 2009
13,086
Too bad you're not near me. I've got enough unused boxes lying around to build a pretty decent Beowulf cluster.
I've got plenty of old machines already. I encrypt the old drives at the sector level, reformat and donate the really old stuff.
https://linux.die.net/man/8/cryptsetup

Traditional Beowulf clusters are old school for home 'super' computers. Server grade Linux clusters with MPI is pretty much the standard today.
https://computing.llnl.gov/tutorials/mpi/
 

nsaspook

Joined Aug 27, 2009
13,086
https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/
In these new cases, researchers found that they could use speculative execution to trick Intel's processors into grabbing sensitive data that's moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.
...
The four different MDS attack variants all take advantage of a quirk in how Intel's chips perform their time-saving trick. In speculative execution, a CPU frequently follows a branch of commands in code before a program asks it to, or guesses at the data the program is requesting, in order to get a head start. Think of that guess like a lazy waiter offering a random drink from his tray, in hopes of sparing himself a trip back to the bar. If the CPU guesses incorrectly, it immediately discards it. (Under different conditions, the chip can grab data out of three different buffers, hence the researchers' multiple attacks.)

Intel's chip designers may have believed that a wrong guess, even one that serves up sensitive data, didn't matter. "It throws these results away," says VUSec's Guiffrida. "But we still have this window of vulnerability that we use to leak the information."
 

nsaspook

Joined Aug 27, 2009
13,086
It's up to the exploit writer and data collector to craft a set of load and stores to find something useful. For Linux systems breaking Kernel Address Space Layout Randomization by using this flaw can be used to inject other exploits.

https://mdsattacks.com/files/fallout.pdf
Experimental Setup. We evaluate Fallout on two Intel machines, a Kaby Lake i7-7600U and a Coffee Lake R i9-9900K. Both machines run a fully updated Ubuntu 16.04 system, with all countermeasures in their default configuration. On both systems, we empirically test the possible locations on the kernel in its address space obtaining about 490 locations, implying about 9 bits of entropy.
Experimental Results. We run the attack 1000 times each, on both the Kaby Lake and the Coffee Lake machines. Our attack can recover the kernel location with 100% accuracy on both machines, within about 0.27 second

Flushing-Based Countermeasures. Because the store buffer is not shared across hyperthreads, leaks can only occur when the security domain changes within a hyperthread. Thus, flushing the store buffer on security domain change is sufficient to mitigate the attack. In particular, we verified that using mfence as part of the switch from kernel mode to user mode thwarts the attack.
Limitations. As mentioned above, the attacks described in Section 4 are unable to leak information across hyperthreads . Moreover, as Meltdown software countermeasures (KPTI) flush the buffer on leaving the kernel, and as the store buffer is automatically flushed on change of the CR3 register (i.e., on context switch), only latest generation Coffee Lake R machines are vulnerable to the attack described in Section 4. Ironically, the hardware mitigations present in newer generation Coffee Lake R machines make them more vulnerable to Fallout than older generation hardware
 
Top