[Info-vax] Intel x86-64 Processor Design Security Vulnerability?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Jan 4 11:13:49 EST 2018
On 2018-01-04 12:38:20 +0000, Neil Rieck said:
> I noticed that the security exploit only exists in some products from
> Intel and ARM but no products from AMD.
Of Spectre and Meltdown, Spectre is the nasty one.
From the Spectre paper:
"Abstract
Modern processors use branch prediction and speculative execution to
maximize performance. For example, if the destination of a branch
depends on a memory value that is in the process of being read, CPUs
will try guess the destination and attempt to execute ahead. When the
memory value finally arrives, the CPU either discards or commits the
speculative computation. Speculative logic is unfaithful in how it
executes, can access to the victim’s memory and registers, and can
perform operations with measurable side effects.
Spectre attacks involve inducing a victim to speculatively perform
operations that would not occur during correct program execution and
which leak the victim’s confidential information via a side channel to
the adversary. This paper describes practical attacks that combine
methodology from side channel attacks, fault attacks, and
return-oriented programming that can read arbitrary memory from the
victim’s process.
More broadly, the paper shows that speculative execution
implementations violate the security assumptions underpinning numerous
software security mechanisms, including operating system process
separation, static analysis, containerization, just-in-time (JIT)
compilation, and countermeasures to cache timing/side-channel attacks.
These attacks represent a serious threat to actual systems, since
vulnerable speculative execution capabilities are found in
microprocessors from Intel, AMD, and ARM that are used in billions of
devices.
While makeshift processor-specific countermeasures are possible in some
cases, sound solutions will require fixes to processor designs as well
as updates to instruction set architectures (ISAs) to give hardware
architects and software developers a common understanding as to what
computation state CPU implementations are (and are not) permitted to
leak."
The Spectre and Meltdown technical papers are at https://spectreattack.com
Very high-level intro/overview, if the papers are a little thick or if
your time is limited:
https://twitter.com/nicoleperlroth/status/948684376249962496 (NYT reporter)
https://twitter.com/FioraAeterna/status/948684501298761728 (GPU developer)
The Spectre (CVE-2017-5753 bounds-check bypass, CVE-2017-5715 branch
target injection) is known to affect specific Intel, AMD, ARM, IBM
System Z, POWER8 (Big Endian and Little Endian), and POWER9 (Little
Endian), and others. I'd suspect that Alpha and Itanium *might* also
be affected until proven otherwise. Given what's involved, pretty much
any processor designs in the last twenty years or so are suspect, and
the Alpha architecture is particularly aggressive with its
memory-ordering and access and caching.
Statements from Intel, AMD, ARM and others are available:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
https://www.amd.com/en/corporate/speculative-execution
https://developer.arm.com/support/security-update
https://access.redhat.com/security/vulnerabilities/speculativeexecution
Mitigations are underway for Chrome, Firefox, Edge and MSIE browsers:
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
https://www.chromium.org/Home/chromium-security/ssca
https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edge-internet-explorer/
Fixes or workarounds are out for Windows Server (not enabled by default!).
Xen, VMware and other platforms are affected:
https://access.redhat.com/solutions/3307791
https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
Here's the Meltdown (CVE-2017-5754 privileged-memory read) detection,
and related info:
https://twitter.com/aionescu/status/948766895850717184
Intel processor support for PCID helps mitigate the effects of the fix.
The VSI OpenVMS port is currently dependent on the presence of the PCID
feature, too. VSI is also using LLVM, and mitigations are apparently
also under development for that.
https://web.archive.org/web/20180104131631/https://reviews.llvm.org/D41723
I expect the VSI folks will be rummaging around in what's become available.
Unsurprisingly, Torvalds is not happy.
https://lkml.org/lkml/2018/1/3/797
Oh, and while everybody's looking at Spectre and Meltdown, some folks
in the ad networks and elsewhere are now using hidden frames and
Javascript to try to capture identifying data directly from your
password manager. (They're already also using Javascript to capture
what you're entering into text-input boxes, even if you don't actually
enter the data. One of the HP/HPE-associated services was using
something similar a while back, too.)
--
Pure Personal Opinion | HoffmanLabs LLC
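
Added example, not part of the original post and not code from the Spectre paper: the bounds-check-bypass shape (CVE-2017-5753) next to a software hardening that clamps the index by data flow instead of relying on the branch. The table, function names and sizes are constructed for illustration; the mask arithmetic follows the generic array_index_mask_nospec() in the Linux kernel and assumes gcc or clang.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16UL /* constructed sample size */

static const uint8_t table[TABLE_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};

/* All-ones when index < size, zero otherwise, computed without a branch.
 * The empty asm hides the value from the optimizer; without it the compiler
 * can prove index < size after the caller's check and delete the mask.
 * Assumes size <= LONG_MAX and arithmetic right shift of negative values. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    long v;
    __asm__ volatile("" : "+r"(index));
    v = ~(long)(index | (size - 1UL - index));
    return (unsigned long)(v >> (sizeof(long) * CHAR_BIT - 1));
}

/* Bounds-check-bypass shape: the check is architecturally correct, but a
 * mispredicted branch can let the load run speculatively with i too large. */
static int lookup_checked(size_t i, uint8_t *out)
{
    if (i >= TABLE_LEN)
        return -1;
    *out = table[i];
    return 0;
}

/* Hardened form: the index is forced to 0 when out of range, so a
 * speculative load past the check still stays inside the table. */
static int lookup_masked(size_t i, uint8_t *out)
{
    if (i >= TABLE_LEN)
        return -1;
    i &= index_mask(i, TABLE_LEN);
    *out = table[i];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    int rc = lookup_masked(5, &v);
    printf("masked(5): rc=%d value=%u\n", rc, (unsigned)v);
    printf("checked(99): rc=%d\n", lookup_checked(99, &v));
    return 0;
}
```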