‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips, related to the virtual memory system (Intel x86-64 hardware), allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause a 5 to 30 per cent slowdown of your computer on the next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.

This is bad news for Intel. Last year they had the AMT vulnerability remote exploit, and now this new blow to Intel security. I don’t think that computer buyers like that their computers become slower!

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.

565 Comments

  1. Tomi Engdahl says:

    Intel FUBAR … again – Kernel memory leak in nearly every Intel CPU of the last decade
    https://forum.level1techs.com/t/intel-fubar-again-kernel-memory-leak-in-nearly-every-intel-cpu-of-the-last-decade/123044

    there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement…

    if all the details on this are out yet, but it’s going to be extra megabad mainly for anyone that runs any kind of virtual machines for multiple customers and needs to ensure security.

    This is very bad.

    remember seeing something about this teased a few months back.

    Reply
  2. Tomi Engdahl says:

    ‘Kernel memory leaking’ Intel processor design flaw forces Linux, Windows redesign. 5 to 30% Performance LOSS across all platforms lmminant
    https://pcpartpicker.com/forums/topic/261273-kernel-memory-leaking-intel-processor-design-flaw-forces-linux-windows-redesign-5-to-30-performance-loss-across-all-platforms-lmminant

    I don’t see anything saying AMD’s CPUs have this problem.

    Reply
  3. Tomi Engdahl says:

    Intel screws up with a major Kernel Memory leak.
    https://www.gamespot.com/forums/system-wars-314159282/intel-screws-up-with-a-major-kernel-memory-leak-33421670/?page=1

    See how it pans out before jumping to conclusions.

    What a clusterf***. AMD say they’re not affected, and their wording suggests what’s wrong here is that Intel chips are executing speculative code without performing security checks. The whole OS patch is therefore to separate the kernel memory so it doesn’t f*** everything else up, costing CPU cycles in the process.

    Meanwhile, deeper in the rabbit hole, Intel’s CEO sold a lot of his stock a month before this bug was disclosed.

    I have no technical insight, but a friend in IT just said that the “fix” still doesn’t solve the issue and the “white hats” were still able to work around this patch. He said it’s not good at all and affects just about everything.

    About executives selling stock: Intel CEO disposes >50% of his holdings
    https://www.reddit.com/r/AMD_Stock/comments/7kd1vz/about_executives_selling_stock_intel_ceo_disposes/

    You’re right, this is a big deal. Intel faces major competition in all of its markets. I’m expecting more delays out of 10nm now. AMD is going to leapfrog them.

    Reply
  4. Tomi Engdahl says:

    Intel’s CEO Just Sold a Lot of Stock
    Pay attention to these transactions.
    https://www.fool.com/investing/2017/12/19/intels-ceo-just-sold-a-lot-of-stock.aspx

    There’s nothing wrong with, or even unusual about, such transactions. Company executives, and even some employees, often receive either stock options and/or restricted stock units (RSUs) as part of their compensation packages, and at some point, the recipients of such compensation are going to want to turn it into cash.

    Indeed, as explained here, insider selling isn’t always a red flag.

    Is Insider Selling a Red Flag?
    Is an executive telling us the company’s in trouble, or his mansion needs an addition?
    https://www.fool.com/investing/brokerage/2003/12/02/is-insider-selling-a-red-flag.aspx

    Reply
  5. Tomi Engdahl says:

    Huge Intel CPU Bug Allegedly Causes Kernel Memory Vulnerability With Up To 30% Performance Hit In Windows And Linux
    https://hothardware.com/news/intel-cpu-bug-kernel-memory-isolation-linux-windows-macos

    If the reports are accurate, it appears that Intel might have a pretty severe chip-level security bug on its hands that cannot be simply swatted away with a microcode update. The bug affects all modern Intel processors dating back at least a decade.

    We should note that squashing the bug requires a patch at the OS level; and Linux patches have already been distributed (with redacted comments). Microsoft is expected to address the bug in its monthly Patch Tuesday update. The circumstances surrounding the exploit are currently under embargo, but some details are starting to make their way to the public spotlight, thanks to reporting over at Python Sweetness and The Register.

    In a nutshell, the bug allows everyday programs to “illegally” access certain contents in protected kernel memory. The “fix”, so to speak, is to implement Kernel Page Table Isolation (PTI), which, for all intents and purposes, makes the kernel invisible to running processes. In a perfect world, such training wheels shouldn’t be needed to isolate the kernel, but software patches that are nearing release for Windows, Linux and macOS systems will address the exploit head-on.

    There’s one big problem, however. Fixing this vulnerability in software also comes with a big hit on performance. Additional overhead is introduced to maintain a barrier between memory address spaces, which can result in a performance handicap of 30 percent or more. However, recent Intel processors with PCID (Process-Context Identifiers) enabled could have the performance impact lessened somewhat.

    “Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November,” wrote the Python Sweetness blog on Monday. “In the worst case the software fix causes huge slowdowns in typical workloads.

    “There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine.”

    In addition, apparently both Microsoft Azure and Amazon Web Services have scheduled maintenance that will take place over the next week, although there is no detailed explanation for the downtime. However, rampant speculation suggests that the maintenance could be to put the software fixes in place for this specific Intel CPU hardware bug.

    Well, AMD processors aren’t affected by the bug

    Reply
  6. Tomi Engdahl says:

    python sweetness
    The mysterious case of the Linux Page Table Isolation patches
    http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table

    Bad news: the software mitigation is expensive

    The primary reason for the old Linux behaviour of mapping kernel memory in the same page tables as user memory is so that when the user’s code triggers a system call, fault, or an interrupt fires, it is not necessary to change the virtual memory layout of the running process.

    Since it is unnecessary to change the virtual memory layout, it is further unnecessary to flush highly performance-sensitive CPU caches that are dependent on that layout, primarily the Translation Lookaside Buffer.

    34C3

    Over at this year’s CCC, you can find another of the TU Graz researchers describing a pure-Javascript ASLR attack that works by carefully timing the operation of the CPU memory management unit as it traverses the page tables that describe the layout of virtual memory. The effect is that through a combination of high precision timing and selective eviction of CPU cache lines, a Javascript program running in a web browser can recover the virtual address of a Javascript object, enabling subsequent attacks against browser memory management bugs.

    Reply
  7. Tomi Engdahl says:

    Over at this year’s CCC, you can find another of the TU Graz researchers describing a pure-Javascript ASLR attack that works by carefully timing the operation of the CPU memory management unit as it traverses the page tables that describe the layout of virtual memory. The effect is that through a combination of high precision timing and selective eviction of CPU cache lines, a Javascript program running in a web browser can recover the virtual address of a Javascript object, enabling subsequent attacks against browser memory management bugs.

    https://www.youtube.com/watch?v=ewe3-mUku94

    Reply
  8. Tomi Engdahl says:

    The mysterious case of the Linux Page Table Isolation patches
    https://nixcraft.tumblr.com/post/169209890277/the-mysterious-case-of-the-linux-page-table

    there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November.

    Beware this is very much a connecting-the-invisible-dots type affair, so it mostly represents guesswork until such times as the embargo is lifted. From everything I’ve seen, including the vendors involved, many fireworks and much drama is likely when that day arrives.

    Reply
  9. Tomi Engdahl says:

    A major kernel vulnerability is going to slow down all Intel processors
    https://techcrunch.com/2018/01/03/a-major-kernel-vulnerability-is-going-to-slow-down-all-intel-processors-2/

    Posted 2 hours ago by Romain Dillet (@romaindillet)

    A significant vulnerability has been discovered in all Intel processor chips and it’s going to have a huge impact going forward. The Register first noticed this major design flaw in Linux kernel patch notes. All operating systems will have to be updated (Linux distributions, Windows, macOS…).

    And the worst part is that this patch is going to affect your computer performance.

    The bug allows normal user programs to access the protected memory in the kernel.

    Because of a design flaw, user programs with low privileges can read protected kernel memory. If an attacker or an intelligence agency can find a way to install a normal program on your computer, they could then be able to read passwords stored in the kernel memory, private encryption keys, files cached from the hard drive and more.

    This is even worse on shared systems. Many cloud hosting platforms, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform share computer resources between multiple clients — multiple clients use the same hardware components. With today’s bug, one client could access sensitive information about another client using this kernel exploit.

    Intel will reveal more information about it once Microsoft, Apple and the Linux team have released patches.

    Microsoft has been working on a patch since November. Apple is also working on a similar fix.

    The bad news is that the Kernel Page Table Isolation fix makes everything run slower on Intel x86 processors. AMD said that its processors are not subject to the vulnerability. So if your computer appears slower than it should be, it’s because it is.

    Reply
  10. Tomi Engdahl says:

    The question on everyone’s minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the “Double Map” since 10.13.2 — and with some surprises in 10.13.3 (under Developer NDA so can’t talk/show you). cc @i0n1c @s1guza @patrickwardle https://t.co/S1YJ9tMS63

    Reply
  11. Tomi Engdahl says:

    Responding to ‘incorrect’ reports, Intel says major flaw affects ‘many different vendors’
    https://techcrunch.com/2018/01/03/intel-calls-reports-of-major-vulnerability-incorrect/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Intel has now officially responded to these reports, calling them “incorrect” and “inaccurate,” and saying it had planned to discuss this very issue next week.

    https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

    Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.

    Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.

    Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

    Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.

    Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available.

    Intel believes its products are the most secure in the world

    Reply
  12. Tomi Engdahl says:

    Mitigations Prepared for Critical Vulnerability in Intel CPUs
    http://www.securityweek.com/mitigations-prepared-critical-flaw-intel-cpus

    Researchers have apparently discovered a serious vulnerability affecting all Intel CPUs. Software-level mitigations have already been developed, but they could cause significant performance penalties.

    Details of the vulnerability are expected to become available on January 9. The impact of the flaw is comparable to the notorious Heartbleed bug, but an attack is said to be more practical.

    The existence of the security hole came to light following the introduction of kernel page table isolation (KPTI) in Linux. A similar feature is being implemented by Microsoft in Windows and Apple is also expected to make some changes in macOS. Experts believe it will not be easy for Intel to address the problem directly in its processors.

    KPTI is a hardening technique designed to improve security by isolating the kernel space from user space memory.

    Back in July 2017, researcher Anders Fogh shared some thoughts on how it may be possible to read kernel memory from an unprivileged process via speculative execution. While his attempts were unsuccessful, his work did yield some results. Some believe that researchers at Graz University – Fogh has previously collaborated with Graz University researchers on memory-related attacks – may have found a way to make it work.

    AMD says its processors are not vulnerable to the type of attacks mitigated by KPTI, but the company does mention speculative execution.

    Reply
  13. Tomi Engdahl says:

    Security flaws put virtually all phones, computers at risk
    https://www.reuters.com/article/us-cyber-intel/security-flaws-put-virtually-all-phones-computers-at-risk-idUSKBN1ES1BO

    steal sensitive information from nearly every modern computing device containing chips from Intel Corp (INTC.O), Advanced Micro Devices Inc (AMD.O) and ARM Holdings.

    One of the bugs is specific to Intel but another affects laptops, desktop computers, smartphones, tablets and internet servers alike. Intel and ARM insisted that the issue was not a design flaw, but it will require users to download a patch and update their operating system to fix.

    two flaws.

    The first, called Meltdown, affects Intel chips

    The second, called Spectre, affects chips from Intel, AMD and ARM

    Reply
  14. Tomi Engdahl says:

    Cloud infrastructure vendors begin responding to chip kernel vulnerability
    https://techcrunch.com/2018/01/03/cloud-infrastructure-vendors-begin-responding-to-chip-kernel-vulnerability/?utm_source=tcfbpage&sr_share=facebook

    Posted 4 hours ago by Ron Miller (@ron_miller)

    Several cloud vendors began responding to the chip kernel vulnerability that has the industry reeling today. Each Infrastructure as a Service vendor clearly has a stake here because each one is selling CPU cycles on their platforms.

    TechCrunch sent a request for comment to six major cloud vendors, including AWS, Microsoft, Google, IBM, Rackspace and DigitalOcean. At the time of publication, we had heard directly from three of the companies: Microsoft, Rackspace and DigitalOcean. In the case of Google and AWS, we learned their response indirectly through published blog posts.

    “This is a vulnerability that has existed for more than 20 years in modern processor architectures like Intel, AMD and ARM across servers, desktops and mobile devices. All but a small single-digit percentage of instances across the Amazon EC2 fleet are already protected.

    Microsoft
    “We’re aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers
    releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM and Intel.

    Google
    We have updated our systems and affected products to protect against this new type of attack.

    DigitalOcean has been actively investigating the Intel chip issue which was disclosed earlier today.

    On 2 January 2018, Rackspace was made aware of a suspected Intel CPU architecture vulnerability. The full extent and performance impact of this vulnerability and potential remediation are currently unknown as the vulnerability has not yet been publicly disclosed.

    Reply
  15. Tomi Engdahl says:

    Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device?
    https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    avalanche of early reports, denials, and conflicting statements about the massive security issues announced

    Here’s what you need to know about Meltdown and Spectre, the two huge bugs that affect practically every computer and device out there.

    Short answer: Bugs at a fundamental level that allow critical information stored deep inside computer systems to be exposed.

    Security researchers released official documentation — complete with nicknames and logos — of two major flaws found in nearly all modern central processing units, or CPUs.

    It’s not a physical problem with the CPUs themselves, or a plain software bug you might find in an application like Word or Chrome. It’s in between,

    Meltdown and Spectre are two techniques researchers have discovered that circumvent those protections, exposing nearly any data the computer processes, such as passwords, proprietary information, or encrypted communications.

    Meltdown affects Intel processors
    Segregating and protecting memory spaces prevents applications from accidentally interfering with one another’s data

    Meltdown makes this fundamental process fundamentally unreliable.

    Spectre affects Intel, AMD, and ARM processors, broadening its reach to include mobile phones, embedded devices, and pretty much anything with a chip in it.

    Spectre essentially tricks applications into accidentally disclosing information that would normally be inaccessible, safe inside their protected memory area. This is a trickier one to pull off, but because it’s based on an established practice in multiple chip architectures, it’s going to be even trickier to fix.

    The assumption going forward should be that any untested device should be considered vulnerable.

    Not only that, but Meltdown in particular could conceivably be applied to and across cloud platforms
    it’s not easy to pull this off remotely

    Can this be fixed?
    Short answer: Only partially, and it’s going to take a while.

    Reply
  16. Tomi Engdahl says:

    Meltdown and Spectre
    https://meltdownattack.com

    Bugs in modern computers leak passwords and sensitive data.

    Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

    Meltdown and Spectre work on personal computers, mobile devices, and in the cloud.

    Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

    Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

    Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

    Reply
  17. Tomi Engdahl says:

    Your computer may run 30 per cent slower due to Intel chip bug
    https://www.newscientist.com/article/computer-may-run-30-per-cent-slower-due-intel-chip-bug/amp/

    The good news is that there is a fix. But unfortunately the security patch will slow down processing power by as much as 30 per cent, hitting personal computers and cloud services around the world.

    “This is the worst bug I’ve seen for a long time,” says Kevin Curran at Ulster University

    Slow down
    Fixing this problem means getting rid of the fast switching that can currently happen between a program and the kernel in favour of a process that’s slower, but more secure. The resulting slowdown seems to range from 5 to 30 per cent depending on the situation.

    Though there have been many security bugs in the past, one that requires a fix that results in such a computational constraint is almost unheard of. “Never have I seen a patch that causes the CPU to be slowed down on such a scale,” says Curran.

    Reply
  18. Tomi Engdahl says:

    Intel, AMD Chip Vulnerabilities Put Billions of Devices at Risk
    http://www.securityweek.com/intel-amd-chip-vulnerabilities-put-billions-devices-risk

    Details of “Meltdown” and “Spectre” Attacks Against Intel and AMD Chips Disclosed

    Researchers have disclosed technical details of two new attack methods that exploit critical flaws in CPUs from Intel, AMD and other vendors. They claim billions of devices are vulnerable, allowing malicious actors to gain access to passwords and other sensitive data without leaving a trace.

    There have been reports in the past few days about a critical flaw in Intel CPUs that allows an attacker to gain access to kernel space memory. It turns out that there are actually two different attacks and researchers say one of them impacts AMD and ARM processors as well.

    AMD representatives have claimed that their products are not vulnerable, which has contributed to the company’s stock going up 7 percent. Intel released a statement saying that the vulnerabilities are not unique to its products after its shares lost 4 percent in value.

    Meltdown and Spectre

    The side-channel attacks, dubbed Meltdown and Spectre by researchers, allow malicious applications installed on a device to access data as it’s being processed. This can include passwords stored in a password manager or web browser, photos, documents, emails, and data from instant messaging apps.

    Attacks can be launched not only against PCs, but also mobile devices and cloud servers. While there is no evidence of exploitation in the wild, researchers pointed out that the attacks don’t leave any traces in traditional log files and they are unlikely to be detected by security products – although security products may detect the malware that launches Meltdown and Spectre.

    Meltdown was discovered independently by Jann Horn of Google Project Zero, researchers from Cyberus Technology, and a team from the Graz University of Technology in Austria. Spectre was found independently by Horn, and a group of experts from various universities and companies. Technical papers and proof-of-concept (PoC) code have been published for each of the attack methods, and Intel, Microsoft, ARM and Google Project Zero are expected to publish their own advisories.

    Meltdown, named so because it “melts” security boundaries normally enforced by hardware, can be leveraged to read arbitrary kernel memory locations.

    Meltdown is tracked as CVE-2017-5754.

    Researchers say it’s unclear if Meltdown affects ARM and AMD processors, but it has been confirmed to impact nearly every Intel processor made since 1995, specifically CPUs that implement a system known as out-of-order execution.

    Spectre, on the other hand, has been confirmed to affect not just Intel, but also AMD and ARM processors. However, AMD claims there is a “near zero risk” to its processors due to their architecture.

    Desktops, laptops, smartphones and cloud servers are impacted, but the vulnerability is more difficult to exploit compared to Meltdown.

    The CVE identifiers CVE-2017-5753 and CVE-2017-5715 have been assigned to Spectre.

    “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory,” researchers explained. “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

    Meltdown attacks can be prevented using kernel page table isolation (KPTI), a hardening technique designed to improve security by isolating the kernel space from user space memory.

    KPTI has already been implemented in the Linux kernel and Microsoft has been working on a similar system for Windows. Apple is also said to be working on patches for macOS.

    Cloud providers that use Intel CPUs and Xen paravirtualization are impacted. Amazon Web Services (AWS) and Microsoft Azure have been working on patches

    Google has addressed the vulnerabilities in its Cloud products and services.

    The company pointed out that while attacks are not easy to launch against Android devices, the latest Android security updates do provide additional protection.

    Since KPTI has already been implemented in the Linux kernel before the disclosure – this actually led to experts figuring out that there was a serious vulnerability in Intel CPUs – several tests have been conducted to determine the impact of the mitigation on performance.

    The researchers who developed the KAISER method reported a negative impact of only 0.28 percent on performance, but tests conducted now showed that performance penalties can reach as much as 30 percent, depending on what types of operations are being conducted.

    Reply
  19. Tomi Engdahl says:

    Industry Responds to Unprecedented CPU Security Vulnerability
    https://www.eetimes.com/author.asp?section_id=36&doc_id=1332800

    Unique collaboration between chip makers and software firms may be a sign of things to come for a tech landscape facing a barrage of security threats.

    Early leaks on the so-called security bug focused on Intel, but it’s now clear that the security vulnerabilities announced Wednesday have a much broader impact on many contemporary, high-performance processors, not just Intel.

    There are actually three different side-channel attacks that security researchers at Google Project Zero and other firms have identified. These attacks use a combination of knowledge of the internal operation of modern CPU and some level of brute force testing.

    It’s important to note that, to date, these vulnerabilities have not been seen exploited in the wild. But with this disclosure, attacks can be crafted by knowledgeable hackers — which is why there has been a race to patch these vulnerabilities throughout the software ecosystem.

    Part of the team that was needed to fix the vulnerabilities were CPU designers AMD, ARM and Intel. Key system software vendors included Apple, Citrix, Linux, Microsoft and VMWare.

    These vendors were contacted back in June about these vulnerabilities and given time to prepare fixes. Because the vulnerabilities were set in chip designs already shipping, the only solution was to patch system software (operating systems and virtualization software/hypervisors) to work around the issues.

    I’m using the word “vulnerability” and not “bug” because the circuits are doing exactly what they were designed to do. The side channel attack uses knowledge of those correct operations to infer data that should be protected.

    There were three vulnerabilities revealed Wednesday (Common Vulnerabilities and Exposures number):

    Bounds Check Bypass (CVE-2017-5753)
    Branch Target Injection (CVE-2017-5715)
    Rogue Data Load (CVE-2017-5754)

    The bounds check bypass (threat No. 1) has a software fix because it’s difficult to change the CPU design to eliminate the speculative execution. During a rare briefing with AMD, ARM and Intel, all three companies said this was a shared threat and was being addressed through system software changes. It appears the performance impact is negligible.

    The impact of threats No. 2 and No. 3 does vary depending on CPU vendor. Intel has confirmed both threats, but AMD has said that it cannot observe No. 2 and that, by design, it is not vulnerable to No. 3.

    Intel said threat No. 2 may slow performance on benchmarks by 0-5 percent. Threat No. 3 may see an impact on typical workloads of between 3-5 percent; software that accesses kernel services a lot will bear the brunt of the slow down.

    The case for ARM is more complicated. Many ARM cores have limited or no speculative execution, even mainstream Cortex-A cores. But higher performing cores do offer speculative operations for performance.

    While the early reports put a lot of the focus on Intel, this was a really unique industry collaboration between competitors and both software and chip companies.

    Reply
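
A defender-side check for the three issues listed in the comment above, as an added example that is not part of the original post or of any quoted article: it classifies the status lines that Linux kernels carrying the vulnerabilities interface expose under /sys/devices/system/cpu/vulnerabilities, and reads the flags line of /proc/cpuinfo to tell whether KPTI is active and whether PCID is available to soften its cost. The sample inputs are constructed, the function names are illustrative, and a kernel without the interface is reported as "unknown" rather than assumed safe.

```python
"""Classify Meltdown/Spectre mitigation state on Linux (added example)."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> (CVE, name) for the three issues named in the text above
ISSUES = {
    "spectre_v1": ("CVE-2017-5753", "Bounds Check Bypass"),
    "spectre_v2": ("CVE-2017-5715", "Branch Target Injection"),
    "meltdown": ("CVE-2017-5754", "Rogue Data Load"),
}

# Constructed sample: patched kernel on an Intel CPU that has PCID
PATCHED_INTEL_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}
PATCHED_INTEL_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme pcid sse4_2 pti\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n"
)
# Constructed sample: older kernel with no vulnerabilities directory at all
OLD_KERNEL_SYSFS = {}
OLD_KERNEL_CPUINFO = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme sse4_2\n"


def classify(status):
    """Map one sysfs status line to a coarse state."""
    if status is None:  # file absent: the kernel predates the interface
        return "unknown"
    text = status.strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return state
    return "unknown"


def cpu_words(cpuinfo_text, field):
    """Return the words on the first '<field> : ...' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == field:
            return set(value.split())
    return set()


def assess(sysfs, cpuinfo_text):
    """Build a report from {sysfs file name: contents} and /proc/cpuinfo text."""
    flags = cpu_words(cpuinfo_text, "flags")
    report = {"issues": {}}
    for fname, (cve, name) in ISSUES.items():
        raw = sysfs.get(fname)
        report["issues"][cve] = {
            "name": name,
            "state": classify(raw),
            "detail": (raw or "").strip(),
        }
    meltdown = report["issues"]["CVE-2017-5754"]
    # KPTI shows up as the 'pti' CPU flag and as 'Mitigation: PTI' in sysfs
    report["kpti_enabled"] = "pti" in flags or "PTI" in meltdown["detail"]
    # PCID lets the kernel avoid full TLB flushes when switching page tables
    report["pcid_available"] = "pcid" in flags
    return report


def needs_attention(report):
    """CVEs whose state is vulnerable or cannot be determined."""
    return [cve for cve, info in report["issues"].items()
            if info["state"] in ("vulnerable", "unknown")]


def read_live():
    """Collect the same inputs from the running system, if present."""
    sysfs = {}
    for fname in ISSUES:
        path = SYSFS_DIR / fname
        if path.is_file():
            sysfs[fname] = path.read_text()
    cpuinfo = Path("/proc/cpuinfo")
    cpuinfo_text = cpuinfo.read_text() if cpuinfo.is_file() else ""
    return sysfs, cpuinfo_text


if __name__ == "__main__":
    live = assess(*read_live())
    for cve, info in live["issues"].items():
        print(f"{cve} {info['name']}: {info['state']} {info['detail']}")
    print("KPTI enabled:", live["kpti_enabled"])
    print("PCID available:", live["pcid_available"])
    print("Needs attention:", needs_attention(live))
```
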
  20. Tomi Engdahl says:

    Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs
    https://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/

    AMD, Arm also affected by data-leak design blunders, Chipzilla hit hardest

    Reply
  21. Tomi Engdahl says:

    We translated Intel’s crap attempt to spin its way out of CPU security bug PR nightmare
    http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/

    As Linus Torvalds lets rip on Chipzilla

    Analysis In the wake of The Register’s report on Tuesday about the vulnerabilities affecting Intel chips, Chipzilla on Wednesday issued a press release to address the problems disclosed by Google’s security researchers that afternoon.

    To help put Intel’s claims into context, we’ve annotated the text.

    Reply
  22. Tomi Engdahl says:

    “Everyone Is Affected”: Why The Implications Of The Intel “Bug” Are Staggering
    https://www.zerohedge.com/news/2018-01-03/everyone-affected-why-implications-intel-bug-are-staggering

    Earlier today, we reported that according to press reports, Intel’s computer chips were affected by a bug that makes them vulnerable to hacking. Specifically, The Register said the bug lets some software gain access to parts of a computer’s memory that are set aside to protect things like passwords, and making matters worse, all computers with Intel chips from the past 10 years appear to be affected. The news, which sent Intel’s stock tumbling, was later confirmed by the company.

    As Bloomberg writes, “the vulnerability may have consequences beyond just computers, and is not the result of a design or testing error.” Here’s how the bug “works”:

    All modern microprocessors, including those that run smartphones, are built to essentially guess what functions they’re likely to be asked to run next. By queuing up possible executions in advance, they’re able to crunch data and run software much faster.

    The problem in this case is that this predictive loading of instructions allows access to data that’s normally cordoned off securely, Intel Vice President Stephen Smith said on a conference call. That means, in theory, that malicious code could find a way to access information that would otherwise be out of reach, such as passwords.

    Security vulnerability aside, the fix may be just as bad: it would result in a significant slowdown of the CPU, and the resultant machine.

    In response to the bug, Microsoft on Wednesday released a security update for its Windows 10 operating system and older versions of the product to protect users of devices with chips from Intel, ARM and AMD.

    Meanwhile, Advanced Micro Devices, whose stock surged on news of Intel’s misfortune, said “there is near zero risk” to its processors because of differences in the way they are designed and built.

    And then there are the questions about revenue and lost profit.

    Quoted by Bloomberg, Frank Gillett, an analyst at Forrester Research, said that providers of computing over the internet will have to upgrade software to work around the potential vulnerability, which will require additional lines of code, computing power and energy to perform the same functions while maintaining security.

    “When you’re running billions of servers, a 5 percent hit is huge,” he said.

    What follows is the transcription of the Monday afternoon tweetstorm by Nicole Perlroth – cybersecurity reporter at the NYT – according to whom today’s “bug” is “not an Intel problem but an entire chipmaker design problem that affects virtually all processors on the market.” In fact, according to the cybersecurity expert, one aspect of the bug is extremely troubling simply because there is no fix.

    Reply
  23. Tomi Engdahl says:

    How the Meltdown Vulnerability Fix Was Invented
    https://spectrum.ieee.org/tech-talk/semiconductors/processors/how-the-intel-processor-meltdown-vulnerability-was-thwarted

    A major security flaw has surfaced that’s thought to affect all Intel microprocessors since at least 2011, some ARM processors and, according to Intel, perhaps those of others. Unusually, the exploit, called Meltdown, takes advantage of the processors’ hardware rather than a software flaw, so it circumvents security schemes built into major operating systems.

    In 2016 they examined ways to harden the core of an operating system—the kernel—against such attacks, and came up with a scheme they called KAISER.

    They published a paper on it in July 2017.

    “We thought it would be a good countermeasure for generally hardening systems,”

    Then things got weird. “Starting in October we heard of some effort by Intel to merge a KAISER patch into the upstream kernel, which surprised us,” he says. “We weren’t aware of any attacks.” They then got wind of Amazon working on an implementation and became more suspicious. “We thought there must be something.”

    Reply
  24. Tomi Engdahl says:

    Read what Linus has to say on this
    https://lkml.org/lkml/2018/1/3/797

    A *competent* CPU engineer would fix this by making sure speculation
    doesn’t happen across protection domains.

    I think somebody inside of Intel needs to really take a long hard look
    at their CPU’s, and actually admit that they have issues instead of
    writing PR blurbs that say that everything works as designed.

    Reply
  25. Tomi Engdahl says:

    How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
    https://www.cyberciti.biz/faq/patch-meltdown-cpu-vulnerability-cve-2017-5754-linux/

    Meltdown CPU Vulnerability CVE-2017-5754 breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. How do I protect my Linux server and laptop/desktop against such attack?

    A very serious security problem has been found and patched in the Linux kernel. It was announced on 3rd January 2018.

    Reply
  26. Tomi Engdahl says:

    Spectre will require a complete re-architecture of the way processors are designed and the threats posed will be with us for an entire hardware lifecycle, likely the next decade.
    7. The basic issue is the age old security dilemma: Speed vs Security. For the past decade, processors were designed to gain every performance advantage. In the process, chipmakers failed to ask basic questions about whether their design was secure. (Narrator: They were not)

    Source: https://www.zerohedge.com/news/2018-01-03/everyone-affected-why-implications-intel-bug-are-staggering

    Reply
  27. Tomi Engdahl says:

    The CPU catastrophe will hit hardest in the cloud
    Cloud platforms have patched fast — but the hardest work is yet to come
    https://www.theverge.com/2018/1/4/16850120/meltdown-spectre-vulnerability-cloud-aws-google-cpu

    This week, two disastrous new processor vulnerabilities spilled out into the open — and the tech world is still coming to terms with the damage. The vulnerabilities, dubbed Meltdown and Spectre, affect nearly every processor made in the last 20 years. Meltdown is the immediate threat, with proof-of-concept exploits already available, but Spectre is much deeper and harder to patch, potentially leading to generations of more subtle exploits in the years to come. The result has left nearly every major technology company scrambling to protect themselves and their customers.

    The focus so far has been on personal devices, with a flood of patches already available this morning, but many experts think the most severe damage is likely to come when the exploits are turned on cloud services. “These vulnerabilities will allow one tenant to peer into the data of another co-hosted tenant,”

    Reply
  28. Tomi Engdahl says:

    Meltdown and Spectre
    Bugs in modern computers leak passwords and sensitive data.
    https://meltdownattack.com

    Reply
  29. Tomi Engdahl says:

    Spectreattack.com:
    Researchers wrote a Spectre attack in JavaScript that violates browser sandboxing and reads data from the address space of the browser process running it — Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination …
    https://spectreattack.com/spectre.pdf

    Reply
  30. Tomi Engdahl says:

    Jeremy Horwitz / VentureBeat:
    Intel begins issuing patches to combat Spectre and Meltdown flaws, with plans to release updates for 90% of chips from past five years this week — Following up on yesterday’s confirmation that security exploits can compromise computers with Intel processors, Intel today announced a timetable …

    Intel plans security updates for 90% of past 5 years’ processors by end of next week
    https://venturebeat.com/2018/01/04/intel-plans-security-updates-for-90-of-past-5-years-processors-by-end-of-next-week/

    Reply
  31. Tomi Engdahl says:

    Troy Wolverton / Business Insider:
    Intel CEO Brian Krzanich sold ~$24M of stock in Nov. and now owns 250K shares, the minimum he’s required to hold; Intel was informed about chip flaws in June — Intel CEO Brian Krzanich sold off $24 million worth of stock and options in the company in late November.

    Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock
    http://nordic.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?op=1&r=US&IR=T

    Reply
  32. Tomi Engdahl says:

    Google Online Security Blog:
    Google’s Project Zero says it discovered three variants of CPU attack, affecting AMD, ARM, and Intel; Android devices with latest security update are safe

    Today’s CPU vulnerability: what you need to know
    https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

    Reply
  33. Tomi Engdahl says:

    New York Times:
    Researchers say there is no known fix for Spectre CPU flaw; Meltdown flaw affects almost all Intel CPUs, requires software patch that could cause slowness
    http://www.nytimes.com/2018/01/03/business/computer-flaws.html

    Reply
  34. Tomi Engdahl says:

    Albert Wenger / Continuations:
    Potential upsides to Meltdown and Spectre flaws: improved architectures, more secure browsers and operating systems, faster adoption of utility cloud computing
    http://continuations.com/post/169299842665/meltdown-and-spectre-are-good-for-innovation

    Reply
  35. Tomi Engdahl says:

    Tom Warren / The Verge:
    Microsoft issued a rare out-of-band security patch today to protect against Intel, AMD, ARM flaws; sources say patch will be applied automatically on Windows 10
    http://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

    Reply
  36. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Spectre researcher Daniel Gruss says attacks work “super-reliably” on AMD CPUs, despite the company claiming “near zero risk” due to different architecture
    https://www.forbes.com/sites/thomasbrewster/2018/01/03/intel-meltdown-spectre-vulnerabilities-leave-millions-open-to-cyber-attack/#5765d5df3932

    Reply
  37. Tomi Engdahl says:

    https://lkml.org/lkml/2018/1/2/703

    From Linus Torvalds
    Date Tue, 2 Jan 2018 13:09:13 -0800
    Subject Re: Linux 4.15-rc6

    On Tue, Jan 2, 2018 at 12:28 PM, Andres Freund wrote:
    >
    > I thought it’d be interesting to run a short benchmark to be able to
    > estimate the impact of the PTI work on postgres workloads (which I work
    > on). On my skylake laptop, a memory resident, OLTP workload with 16
    > connections results in:

    Yeah, that’s actually pretty much in line with expectations.

    Something around 5% performance impact of the isolation is what people
    are looking at.

    Obviously it depends on just exactly what you do. Some loads will
    hardly be affected at all, if they just spend all their time in user
    space. And if you do a lot of small system calls, you might see
    double-digit slowdowns.

    Note that it will depend heavily on the hardware too. Older CPU’s
    without PCID will be impacted more by the isolation.

    Reply
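A check an administrator can run after applying the Linux patches discussed in comments 25 and 37, as an added example that is not taken from the linked articles or the kernel tree. It assumes a kernel that reports status under /sys/devices/system/cpu/vulnerabilities (kernels without that directory show up as "unknown"); the function names are this example's own.

```shell
#!/bin/sh
# Added example: kernel-reported mitigation status for the three CVEs named on
# this page, plus the PCID check behind the "older CPUs are hit harder" remark.
# Both paths can be overridden, e.g. to audit files copied from another host.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# first_line FILE: print the first line of FILE, or an empty line if unreadable.
first_line() {
    line=""
    if [ -r "$1" ]; then IFS= read -r line < "$1" || true; fi
    printf '%s\n' "$line"
}

# classify_status FILE: map the kernel's text to one keyword.
classify_status() {
    case "$(first_line "$1")" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # file missing or unrecognised text
    esac
}

# has_pcid: succeed if the CPU flags list contains the whole word "pcid"
# (grep -w keeps "invpcid" from matching).
has_pcid() {
    [ -r "$CPUINFO" ] || return 1
    grep '^flags' "$CPUINFO" | head -n 1 | grep -qw pcid
}

# report: one row per CVE; returns 1 if any entry is vulnerable or unknown.
report() {
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve="${pair%%:*}"; name="${pair##*:}"
        status="$(classify_status "$VULN_DIR/$name")"
        printf '%-14s %-11s %-13s %s\n' "$cve" "$name" "$status" \
            "$(first_line "$VULN_DIR/$name")"
        case "$status" in vulnerable|unknown) rc=1 ;; esac
    done
    case "$(first_line "$VULN_DIR/meltdown")" in
        *PTI*)
            if ! has_pcid; then
                echo "note: PTI active without PCID; syscall-heavy workloads pay more"
            fi ;;
    esac
    return "$rc"
}

report || echo "action needed: at least one issue is unmitigated or unreported"
```

Set VULN_DIR and CPUINFO to point the functions at copies of these files collected from other hosts.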
  38. Tomi Engdahl says:

    https://lkml.org/lkml/2018/1/3/797

    Why is this all done without any configuration options?

    A *competent* CPU engineer would fix this by making sure speculation
    doesn’t happen across protection domains. Maybe even a L1 I$ that is
    keyed by CPL.

    I think somebody inside of Intel needs to really take a long hard look
    at their CPU’s, and actually admit that they have issues instead of
    writing PR blurbs that say that everything works as designed.

    .. and that really means that all these mitigation patches should be
    written with “not all CPU’s are crap” in mind.

    Reply
  39. Tomi Engdahl says:

    https://www.reddit.com/r/hardware/comments/7o1jwd/spectre_and_meltdown_a_brief_overview/

    A lot of people have been writing posts about not getting Intel CPUs due to the exploit (Meltdown) being in the news. Unfortunately, there were two exploits found, one of which affects all processors…

    The first is Meltdown. This ONLY affects Intel CPUs (aside from Atom and Itanium CPUs). AMD is not affected because they handle memory allocation differently.

    The second is Spectre, which affects AMD, Intel, ARM, PowerPC, IBM Z-series and a few more.

    Both are fairly devastating. Meltdown should have a patch soon, but at the cost of performance loss (mainly with syscall operations like virtualization).

    Spectre will take longer, since it’s much harder to fix than a software patch.

    https://spectreattack.com/

    Reply
  40. Tomi Engdahl says:

    Is PowerPC susceptible to Spectre? Yep.
    http://tenfourfox.blogspot.fi/2018/01/is-powerpc-susceptible-to-spectre-yep.html

    UPDATE: Yes, TenFourFox will implement relevant Spectre-hardening features being deployed to Firefox, and the changes to performance.now will be part of FPR5 final.

    Meltdown is specific to x86 processors made by Intel; it does not appear to affect AMD. But virtually every CPU going back decades that has a feature called speculative execution is vulnerable to a variety of the Spectre attack. In short, for those processors that execute “future” code downstream in anticipation of what the results of certain branching operations will be, Spectre exploits the timing differences that occur when certain kinds of speculatively executed code changes what’s in the processor cache. The attacker may not be able to read the memory directly, but (s)he can find out if it’s in the cache by looking at those differences (in broad strokes, stuff in the cache is accessed more quickly), and/or exploit those timing changes as a way of signaling the attacking software with the actual data itself. Although only certain kinds of code can be vulnerable to this technique, an attacker could trick the processor into mistakenly speculatively executing code it wouldn’t ordinarily run. These side effects are intrinsic to the processor’s internal implementation of this feature, though it is made easier if you have the source code of the victim process, which is increasingly common.

    Power ISA is fundamentally vulnerable going back even to the days of the original PowerPC 601, as are virtually all current architectures, and there are no simple fixes.

    There are ways to stop speculative execution using certain instructions the processor must serialize, but this can seriously harm performance: speculative execution, after all, is a way to keep the processor busy with (hopefully) useful work while it waits for previous instructions to complete. On PowerPC, cache manipulation instructions, some kinds of special-purpose register accesses and even instructions like b . (branch to the next instruction, essentially a no-op) can halt speculative execution with a sometimes notable time penalty.

    Anyway, you can sleep well, because everybody’s all in the same boat. Perhaps it’s time to dust off those old strict CPUs. The world needs a port of Classilla to the Commodore 64. :)

    Reply
  41. Tomi Engdahl says:

    Mitigations landing for new class of timing attack
    https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

    Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins. The full extent of this class of attack is still under investigation and we are working with security researchers and other browser vendors to fully understand the threat and fixes. Since this new class of attacks involves measuring precise time intervals, as a partial, short-term, mitigation we are disabling or reducing the precision of several time sources in Firefox. This includes both explicit sources, like performance.now(), and implicit sources that allow building high-resolution timers, viz., SharedArrayBuffer.

    Specifically, in all release channels, starting with 57:

    The resolution of performance.now() will be reduced to 20µs.
    The SharedArrayBuffer feature is being disabled by default.

    Furthermore, other timing sources and time-fuzzing techniques are being worked on.

    In the longer term, we have started experimenting with techniques to remove the information leak closer to the source, instead of just hiding the leak by disabling timers.

    Fantastic Timers and Where to Find Them:
    High-Resolution Microarchitectural
    Attacks in JavaScript
    https://gruss.cc/files/fantastictimers.pdf

    Reply
