Intel Kernel Memory Leak

Discussion in 'Computing and Networks' started by Raymond Genovese, Jan 3, 2018.

  1. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    I'm not cynical. While maybe this exact attack was not public, these types of side-channel attacks have been known for eons and the countermeasures were also known. Look at the speed at which Intel is now pushing new silicon fixes; that research didn't happen in a few months.
    https://www.bloomberg.com/news/arti...-inside-the-semiconductor-industry-s-meltdown
    No kidding, a 'major' for sure.
    https://www.blackhat.com/docs/us-16...Layout-Randomization-KASLR-With-Intel-TSX.pdf
    https://en.wikipedia.org/wiki/Kernel_page-table_isolation

    Intel did know about this research and hopefully designed possible fixes, but they all required a performance hit on current hardware, like we see with the current microcode patches, so we never saw them until the 'major' became public news.
    Intel 'decided' to reduce the security envelope to the breaking point for increased performance with speculative execution and its interaction with the cache.
     
  2. bogosort

    Active Member

    Sep 24, 2011
    324
    174
    Hardware security has always lagged far behind software security, probably because software is the low-hanging fruit. We interact directly with software (much of it poorly written), and only indirectly with hardware, which greatly reduces the space of possible attack vectors. The seeds of Meltdown and Spectre were planted in 1967, when an IBM engineer named Tomasulo wrote a paper on optimal dynamic scheduling. The closer a processor follows Tomasulo's algorithm, the more susceptible it is to speculative execution attacks. I very much doubt Tomasulo at the time considered the security implications. Likewise for Intel: when they designed the Pentium, their first superscalar processor, the greatest attack vector of them all -- the Internet -- didn't exist for the vast majority of their market.

    While hardware side-channel attacks have been well-researched for over a decade now, it wasn't until late 2017 that speculative execution attacks were even discovered. Think about that: an entire industry of commercial and academic security researchers, whose currency is the publication of new attack vectors, did not find an architectural hole that had been hidden in plain sight since at least the early 90s. Rowhammer had effectively been discovered in the 70s; Flush+Reload in the early 2000s. If the Meltdown and Spectre vectors had eluded all these security researchers for so long, I have a hard time believing that Intel was secretly aware of them, crossing their fingers that no one would find them. We mustn't forget that this isn't an Intel problem -- it's an architectural problem. Any superscalar processor that follows Tomasulo's algorithm (which is optimal for performance) is vulnerable. This includes processors from AMD, ARM, and MIPS, at least.

    Security is, and has always been, a matter of degree. The lock on your front door only prevents someone from opening it in the usual way. Sadly, there is no such thing as a useful system that is also perfectly secure. We accept risks all the time, whether we're conscious of them or not. Meltdown and Spectre are actually very low risk for most PCs, since they require malicious software to be already running on the machine; it's the virtual machine hosts that need mitigation. Unfortunately, all the negative press is forcing CPU makers to "fix" entire lines of processors, which necessarily reduces performance, all in the name of security theater. It's the TSA all over again. I wonder if the general public was as aware of cache-timing attacks, would they accept a computer without a memory hierarchy, and the enormous computing penalty that would come with it. Probably not, because security is a matter of degree -- we'll accept some inconvenience in the name of security, but everyone has a line.
     
  3. Raymond Genovese

    Thread Starter Well-Known Member

    Mar 5, 2016
    1,583
    949
    I think that you make a lot of good points, and perhaps the attribution for my "groan" was somewhat simplistic. I note, however, that a lack of publication does not necessarily mean undiscovered. Absence of public evidence is not evidence of absence.
     
  4. bogosort

    Active Member

    Sep 24, 2011
    324
    174
    Remember, security researchers make their living by publishing early and often. Here's one of the discoverers of Meltdown talking about its discovery:
    https://cyber.wtf/2018/01/05/behind-the-scene-of-a-bug-collision/
     
  5. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    In this case it's all on Intel for blotching (AMD didn't) the superscalar processor hardware in a way that's catastrophic to security beyond the expected speculative execution attacks already known (a trivial practical attack). IMO this is not a case of security theater. The threat is real and easily executed on Intel hardware with trivial example code using things like JavaScript. Saying 'Meltdown and Spectre are actually very low risk for most PCs' is not a smart way to assess the total risk to critical server-domain hardware from the same production lines. Speculative execution attacks were the natural progression of side-channel attacks on hardware, back from the days of people using glitch attacks with PIC controllers to attack SAT-TV cards, so I'm pretty sure Intel had already done the security research for the hardware (I believe these mitigations are already built) needed to counter speculative execution attacks that's being released on the 'fixed' chipsets this year. People will hammer and hammer the new hardware looking for bugs, so it must be solid. IMO the odds are the Intel inside club had some sort of heads-up on this problem, judging from the lack of security researchers publishing early and often after June 2017, when Google informed Intel of the side-channel attacks on speculative execution and details of the embargo were set. State-level actors can bug internal and external communication, so they would have known about the exploit as soon as it hit the research table.

    https://www.zdnet.com/article/meltdown-and-spectre-response-hampered-by-exclusive-club-secrecy/
     
    Last edited: Apr 6, 2018
  6. bogosort

    Active Member

    Sep 24, 2011
    324
    174
    What blotching? Catastrophic?

    Beyond toy implementations, the threat is not easily executed. Browsers reduced their timer resolution, closing the JavaScript vector, within days of Meltdown and Spectre being announced. Note that CVSS lists them as medium-level threats.

    As for the other stuff, this was no conspiracy; there was no cover-up. If the several researchers who independently found the vulnerabilities were indeed being bugged by state-level actors, it had nothing to do with speculative execution.
     
  7. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    OK, you're right. Blotching is much too nice a word for their Intel-specific "Meltdown" chip errata.
    I would call the loss of kernel-protected data to userland programs catastrophic to security (the equivalent of cracking an encryption system) in an operating system, and that would have been the general state of affairs without the many patches, from hardware makers to software producers, to prevent the known attacks. No conspiracy by Intel; the profit motive explains their actions easily.

    https://danluu.com/cpu-bugs/
     
  8. takao21203

    AAC Fanatic!

    Apr 28, 2012
    3,682
    491
    The internet and computers are Machiavelli architecture.

    Connection drops off randomly and strange error messages for years.
    Windows can't be closed.
    Videos autoplay, nice if you use a laptop at night and have thin walls.
    You can create a stunning website with WIX and need this info on YouTube over several years.
    You'll receive spam for years and years.
    Your Android tablet will stall for no visible reason.
    You'll at times not be able to pay online.
    Loading pages will take forever, uploads as well, eventually dropping off at some stage for no visible reason.
    You're forced to click NO THANKS, say thanks to a machine.
    There will be 50 USB yokes after some years, of which several will not work properly.
    Your new PC or laptop will be outdated already when you buy it.
    You'll need to fiddle with drivers very often, plus products not working except on one of your machines if you're lucky.

    Just a small selection of hostilities.
     
  9. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    https://www.bleepingcomputer.com/ne...re-vulnerability-affects-all-intel-core-cpus/
     
  10. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
  11. Raymond Genovese

    Thread Starter Well-Known Member

    Mar 5, 2016
    1,583
    949
    Thanks for that link @nsaspook I am going to buy a new desktop within a few months and I have not forgotten this issue. That link, unfortunately, does more to demonstrate the rampant growth of such vulnerabilities and the difficulty of determining protection. It's not that I am obsessed with it, but if I am going to move to a new box that will be used for years, I certainly want to try to consider all aspects of hardware and software - including such vulnerabilities.
     
  12. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    That's one reason I'm buying used, somewhat modern server-grade hardware to replace most of the old home computer systems I use daily. It's not a good choice for everyone (loud, power-hungry, with limited choices for AV upgrades), but companies like HP still deliver mitigation BIOS updates for older machines, so hopefully I can keep pace with the bugs and hacks. All of the OS software, firmware and CPU microcode fixes can reduce performance by up to 30%, so the extra compute power comes in handy. I'm buying another HP DL360 G7 with 12 cores to replace my netbooting G5 8-core desktop. The old G5 will be reconfigured as the firewall cold-standby server, or it and the new G7 can be netbooted into one of several separate remotely mounted desktop environments from the main NFS file server.
     
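Added example, not code from any post in this thread: the "difficulty of determining protection" mentioned above has one cheap, authoritative check on Linux. The kernel publishes its own verdict per issue under /sys/devices/system/cpu/vulnerabilities/, and the loaded microcode revision appears in /proc/cpuinfo, so you can confirm whether a BIOS or OS microcode update actually changed anything. The directory and cpuinfo path are parameters here (an assumption for this example) so the parser can also be run over a constructed copy of those files; the status strings are the three forms the kernel uses.

```shell
#!/bin/sh
# Added example (not code from this thread): ask the running Linux kernel
# which speculative-execution issues it considers mitigated on this CPU.
# The kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# l1tf, mds, ...). Each file holds one of:
#   "Not affected"            - this CPU model is not exposed
#   "Mitigation: <details>"   - kernel/microcode mitigation is active
#   "Vulnerable[: <details>]" - exposed and not (fully) mitigated
# The directory is a parameter (assumption for this example) so the parser
# can also be run against a constructed copy of those files.

# Reduce one status string to NOT_AFFECTED, MITIGATED, VULNERABLE or UNKNOWN.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# Print one line per issue ("<issue> <CLASS> <raw kernel text>") followed by a
# "vulnerable=N" summary. Exit status is 0 only when nothing is VULNERABLE, so
# the function can gate a provisioning or acceptance script.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: not Linux, or a kernel too old to report this" >&2
        return 2
    fi
    vulnerable=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        if [ "$class" = VULNERABLE ]; then
            vulnerable=$((vulnerable + 1))
        fi
        printf '%-18s %-13s %s\n' "$issue" "$class" "$raw"
    done
    echo "vulnerable=$vulnerable"
    [ "$vulnerable" -eq 0 ]
}

# Microcode revision the kernel loaded, as printed in /proc/cpuinfo. A BIOS
# update or the distribution's microcode package changes this number; record
# it before and after an update to confirm the update actually took effect.
microcode_revision() {
    awk '/^microcode/ { print $3; exit }' "${1:-/proc/cpuinfo}"
}

# Run directly as:  sh check_mitigations.sh --run
if [ "$1" = "--run" ]; then
    report_mitigations
    echo "microcode=$(microcode_revision)"
fi
```

Two caveats a buyer should keep in mind: the report is the kernel's view after boot parameters such as mitigations=off are applied, so it can say "Vulnerable" on hardware that is fine, and it says nothing about the performance cost of what it reports as mitigated; the 30% figure in the post is something you measure with your own workload before and after.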
  13. joeyd999

    AAC Fanatic!

    Jun 6, 2011
    4,139
    6,070
    Too bad you're not near me. I've got enough unused boxes lying around to build a pretty decent Beowulf cluster.
     
  14. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    I've got plenty of old machines already. I encrypt the old drives at the sector level, reformat and donate the really old stuff.
    https://linux.die.net/man/8/cryptsetup

    Traditional Beowulf clusters are old school for home 'super' computers. Server-grade Linux clusters with MPI are pretty much the standard today.
    https://computing.llnl.gov/tutorials/mpi/
     
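Added example, not code from any post in this thread: one way to do the sector-level encrypt-then-reformat wipe described above with the cryptsetup linked there. The drive is mapped through dm-crypt in plain mode with a random key that is never stored, the mapping is filled with zeros, and the mapping is closed; what remains on the platters is ciphertext that cannot be told apart from random data, and the key needed to recover any of it has been thrown away. The device name, mapping name, cipher choice and the confirmation string are assumptions for this example.

```shell
#!/bin/sh
# Added example (not code from this thread): sector-level "crypto-erase" of a
# whole drive before reformatting or donating it, done with dm-crypt in plain
# mode. The disk is mapped through a random key that is never written anywhere,
# the mapping is filled with zeros, and the mapping is dropped: every sector
# then holds ciphertext indistinguishable from random data, and the only thing
# that could decrypt it has been discarded. Device names, the mapping name and
# the cipher parameters are assumptions for this example.

# Emit the commands that would run, one per line, without executing anything.
plan_crypto_wipe() {
    dev="$1"                        # whole disk, e.g. /dev/sdb (not a partition)
    name="wipe_$(basename "$dev")"  # dm-crypt mapping under /dev/mapper/
    printf '%s\n' \
      "cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom $dev $name" \
      "dd if=/dev/zero of=/dev/mapper/$name bs=1M status=progress" \
      "cryptsetup close $name"
}

# Run it for real. Refuses unless $1 is a block device and $2 is the exact
# confirmation string, so a typo in the device name cannot wipe the wrong disk.
crypto_wipe() {
    dev="$1"
    confirm="$2"
    name="wipe_$(basename "$dev")"
    if [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2
        return 2
    fi
    if [ "$confirm" != "DESTROY $dev" ]; then
        echo "refusing: second argument must be the string \"DESTROY $dev\"" >&2
        return 3
    fi
    # Plain mode, key read straight from /dev/urandom: 512 bits for aes-xts
    # (two 256-bit halves). No header is written, so nothing on the disk even
    # reveals that encryption was used.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$dev" "$name" || return 1
    # dd stops with "No space left on device" at the end of the mapping; that
    # nonzero exit is the expected completion, not a failure.
    dd if=/dev/zero of="/dev/mapper/$name" bs=1M status=progress || true
    sync
    cryptsetup close "$name"
}

# Usage (as root):
#   plan_crypto_wipe /dev/sdb              # review the commands first
#   crypto_wipe /dev/sdb "DESTROY /dev/sdb" # then run them
```

Two caveats before handing a drive to someone else: this overwrite only reaches sectors the drive still exposes, so sectors it has already retired, and any HPA/DCO region, are untouched; and on an SSD or NVMe device the over-provisioned flash is not addressable at all, so use the drive's own erase (hdparm's ATA Secure Erase, or nvme-cli's format/sanitize) instead of, or in addition to, this.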
  15. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
  16. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/
     
  17. joeyd999

    AAC Fanatic!

    Jun 6, 2011
    4,139
    6,070
  18. nsaspook

    AAC Fanatic!

    Aug 27, 2009
    5,608
    6,250
    It's up to the exploit writer and data collector to craft a set of loads and stores to find something useful. For Linux systems, breaking Kernel Address Space Layout Randomization by using this flaw can be used to inject other exploits.

    https://mdsattacks.com/files/fallout.pdf
     