Main Area and Open Discussion > Living Room

How a researcher hacked his own computer and found 'worst' chip flaw

<< < (2/5) > >>

IainB:
^^ Good link. Thanks. And the author is right - it is FUD, and generally, wherever one finds FUD, one will usually find an accompanying $commercial and/or a political motivation, if not simply an "ulterior" motive.

mwb1100:
Regardless of the FUD, I think the technique is fascinating.  From the little I understand, the attack uses instructions that access inaccessible memory, but the instructions are "never executed" so they don't cause the program to crash. However the processor does "speculatively execute" the instructions so they affect the cache. And by observing the cache behavior the attacker can determine the contents of memory that the program is not permitted to access.

Amazing.

IainB:
@mwb1100:
Yes. Method is described per links in my comment above:
From <https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/>
   1. The meltdown paper: <https://meltdownattack.com/meltdown.pdf>
   2. The spectre paper: <https://spectreattack.com/spectre.pdf>

By the way, "FUD" in the context that I was using it, refers to:
"Fear, uncertainty and doubt, known as the FUD concept, was coined in the 1970s by computer architect Gene Amdahl when he left IBM to start his own company. Amdahl later accused the prominent technology corporation of using FUD tactics to scare consumers into sticking with "safe" IBM products instead of purchasing competitors' products."
 - <https://www.thefreelibrary.com/Effective+decision-making%3A+managing+fear%2C+uncertainty+and+doubt%3A+...-a0278509274>

--- End quote ---

Similarly, sales of Y2K "risk mitigation" projects were arguably - and from experience - largely reliant on FUD. As a species, we seem to be gullible and susceptible to FUD, as the folk tale of Henny Penny so adroitly displays. Most scams have the precursors of FUD and/or Greed, where the Fear component is typically the fear of an imaginary potential risk/loss - an irrational illusion - that takes on the nature of a concrete and incontrovertible reality in the victim's paradigms.
(See also "the precautionary principle" and "the improbability drive".)

IainB:
Aannd...it's started:
Disable Meltdown Fix on AMD CPUs After Installing KB4056892
The Meltdown vulnerability and AMD CPUs
AMD CPUs are not affected by the Meltdown vulnerability. However, depending on the usage scenario, the fixes released to the operating system can cause notable performance slow down. Also, there are reports coming from AMD CPU users that the Windows patch, KB4056892 is causing serious issues for them.

While one can quickly uninstall the appropriate update package, which is KB4056892, there is also a Registry tweak you can apply to disable the Meltdown fix.

This could improve your computer's performance.

Copied from: Disable Meltdown Fix on AMD CPUs After Installing KB4056892 - <https://winaero.com/blog/disable-meltdown-fix-amd-cpus-installing-kb4056892/>
--- End quote ---

That was quick, but not unexpected.

IainB:
MBAM has some useful comment (and about the performance hit):
(Copied below sans embedded hyperlinks/images.)
Meltdown and Spectre: what you need to know
https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

tags: Security world, AMD, ARM, Intel, Meltdown, memory, processor, Spectre
Malwarebytes Labs
UPDATE (as of 1/04/18): Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the Microsoft patch to mitigate Meltdown.

Overview
If you’ve been keeping up with computer news over the last few days, you might have heard about Meltdown and Spectre, and you might be wondering what they are and what they can do. Basically, Meltdown and Spectre are the names for multiple new vulnerabilities discovered and reported for numerous processors. Meltdown is a vulnerability for Intel processors while Spectre can be used to attack nearly all processor types.

The potential danger of an attack using these vulnerabilities includes being able to read “secured” memory belonging to a process. This can do things like reveal personally identifiable information, banking information, and of course usernames and passwords. For Meltdown, an actual malicious process needs to be running on the system to interact, while Spectre can be launched from the browser using a script.

Microsoft, Google, Mozilla, and other vendors have been releasing patches all day to help protect users from this vulnerability. Some of the updates from Microsoft may negatively interact with certain antivirus solutions. However, Malwarebytes is completely compatible with our latest database update. The best thing to do to protect yourself is to update your browsers and your operating system with these patches as soon as you see an update available.

For a quick guide on how to protect yourself from this threat, please check out “Meltdown and Spectre Vulnerabilities – what you should do to protect your computer” on the Malwarebytes support knowledge base.

Details
The Google Project Zero team, in collaboration with other academic researchers, has published information about three variants of a hardware bug with important ramifications. These variants—branch target injection (CVE-2017-5715), bounds check bypass (CVE-2017-5753), and rogue data cache load (CVE-2017-5754)—affect all modern processors.

If you’re wondering if you could be impacted, the answer is most certainly yes.

The vulnerabilities, named Meltdown and Spectre, are particularly nasty, since they take place at a low level on the system, which makes them hard to find and hard to fix.

Modern computer architecture isolates user applications and the operating system, which helps to prevent unauthorized reading or writing to the system’s memory. Similarly, this design prevents programs from accessing memory used by other programs. What Meltdown and Spectre do is bypass those security measures, therefore opening countless possibilities for exploitation.

The core issue stems from a design flaw that allows attackers access to memory contents from any device, be it desktop, smart phone, or cloud server, exposing passwords and other sensitive data. The flaw in question is tied to what is called speculative execution, which happens when a processor guesses the next operations to perform based on previously cached iterations.

The Meltdown variant only impacts Intel CPUs, whereas the second set of Spectre variants impacts all vendors of CPUs with support of speculative execution. This includes most CPUs produced during the last 15 years from Intel, AMD, ARM, and IBM.

It is not known whether threat actors are currently using these bugs. Although due to their implementation, it might be impossible to find out, as confirmed by the vulnerability researchers:

Can I detect if someone has exploited Meltdown or Spectre against me?
Probably not. The exploitation does not leave any traces in traditional log files.

While there are no attacks reported in the wild as of yet, several Proof of Concepts have been made available, including this video that shows a memory extraction (using a non-disclosed POC). This is particularly damaging because 1. There aren’t many options for protection currently and 2. as previously stated, even if threat actors do spring to action, it might be impossible to verify if that’s the case.

Mitigations
Because the Meltdown and Spectre variants are hardware vulnerabilities, deploying security programs or adopting safer surfing habits will do little to protect against potential attack. However, a patch for the Meltdown variant has already been rolled out on Linux, macOS, and all supported versions of Windows.

According to our telemetry, most Malwarebytes users are already able to receive the latest Microsoft update. However, we are working to ensure that our entire user base has access to the patch.

Unfortunately, Microsoft’s fix comes with significant impact on performance, although estimates of how much vary greatly. An advisory from Microsoft recommends users to:

Keep computers up to date.
Install the applicable firmware update provided by OEM device manufacturers.
If you are having issues getting the Windows update, please refer to this article, as Microsoft has stated some possible incompatibility issues with certain security software.

No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon.

The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer.

Cloud providers (Amazon, Online.net, DigitalOcean) also rushed to issue emergency notifications to their customers for upcoming downtimes in order to prevent situations where code from the hypervisor could be leaked from a virtual machine, for example.

The aftermath from these bugs is far from being completely understood, so please check back on this blog for further updates.

Vendor advisories:

Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
AMD: http://www.amd.com/en/corporate/speculative-execution
ARM: https://developer.arm.com/support/security-update
The post Meltdown and Spectre: what you need to know appeared first on Malwarebytes Labs.

Copied from: bq | Malwarebytes Unpacked - <https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/>
--- End quote ---

Navigation

[0] Message Index

[#] Next page

[*] Previous page