Intel Spectre bug?
Does anyone understand how this works? I understand Meltdown fine, but I have no idea what Spectre is supposed to be. Can anyone explain it?
Here come the fortune cookies! Here come the fortune cookies! They're wearing paper hats!
Re: Intel Spectre bug?
To be honest I didn't understand either bug, despite throwing a few hours at them. My understanding is they exploit/abuse how branch prediction works and can retrieve data they should not be able to by doing an "if ()" reading illegal memory, and measuring the time it takes until the exception pops up. The bug is inherent to the hardware, so the only way to not have it would be to discard branch prediction or not have a reliable timer.
Now, how could nobody think about this between 1995-2017, and wait 6 more months before publishing it until January 2018, I really wonder - even though personally I wouldn't have thought of it.
Re: Intel Spectre bug?
Meltdown makes perfect sense. The code snippet from the pdf is very easy to follow:
Code:
; rcx = kernel address
; rbx = probe array
retry:
mov al, byte [rcx]          ; load one byte from the kernel address (faults, but runs transiently first)
shl rax, 0xc                ; value * 4096: each possible byte value selects its own page of the probe array
jz retry                    ; a transient zero is ambiguous (the load may not have happened), so try again
mov rbx, qword [rbx + rax]  ; touch probe_array[value * 4096], pulling that line into the cache
The byte fetch will trigger an exception, but due to the flaw, it has already gone ahead and done the read into the probe array, so it is now cached. Even though the values are discarded, they were still used.
I saw the Youtube video demonstrating dumping kernel memory, so you can see that it clearly works.
Meltdown is easy to follow since it's in the same address space as the process. But Spectre remains a mystery to me.
- rainwarrior
- Posts: 8734
- Joined: Sun Jan 22, 2012 12:03 pm
- Location: Canada
Re: Intel Spectre bug?
I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.
Spectre on the other hand seems to be a new area of vulnerability for exploiting existing programs. Like how an unchecked array bound in a program might leave you with a way to exploit it, now that we're aware of ways to manipulate and time branch prediction via the cache, a checked bound is vulnerable too if you can get it to mispredict the branch and do the array access anyway.
Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.
At least, that's the gist of what I got from this whitepaper:
https://spectreattack.com/spectre.pdf
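The bounds-check gadget rainwarrior describes, as an added example in C that is not code from the thread or from the Spectre paper: a victim lookup whose bounds check is architecturally correct but can be bypassed speculatively, beside the same lookup hardened with a branch-free index mask (the pattern Linux uses as array_index_nospec()). The victim table, the 256-page probe array, the secret string and the function names are all constructed for the illustration; the training and timing loop that would actually leak a byte is CPU-specific and is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed victim: a public 16-byte table. In a real victim the secret
 * sits somewhere else in the same address space; the attacker picks x so
 * that array1[x] lands on it. */
#define ARRAY1_SIZE 16
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static const char secret[] = "constructed secret";

/* Probe array: 256 slots one page apart, one slot per possible byte value.
 * Whatever array1[x] holds, exactly one slot becomes cached; Flush+Reload
 * over the slots then recovers the byte. */
#define PAGE_SIZE 4096
static uint8_t probe_array[256 * PAGE_SIZE];
static volatile uint8_t sink;

/* Spectre variant 1 gadget. Architecturally safe: an out-of-range x never
 * reaches the loads. Speculatively unsafe: once the branch predictor has
 * been trained with in-range x, the CPU may execute both loads for an
 * out-of-range x before the compare resolves, and the probe_array line it
 * touched stays cached after the rollback. */
uint8_t lookup_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE) {
        uint8_t v = array1[x];
        sink = probe_array[v * PAGE_SIZE];
        return v;
    }
    return 0;
}

/* Branch-free clamp in the style of Linux's array_index_nospec(): all-ones
 * when idx < size, zero otherwise. Pure arithmetic, so there is no branch
 * to mispredict and it holds on the speculative path too.
 * Requires 0 < size < SIZE_MAX/2. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* top bit of (idx | (size - 1 - idx)) is set iff idx >= size */
    size_t top_bit = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top_bit - 1;   /* 0 -> all ones (in bounds), 1 -> 0 (out of bounds) */
}

/* Hardened gadget: on the mispredicted path x is forced to 0, so the only
 * line the transient load can touch is probe_array[array1[0] * PAGE_SIZE],
 * which leaks nothing attacker-chosen. */
uint8_t lookup_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        uint8_t v = array1[x];
        sink = probe_array[v * PAGE_SIZE];
        return v;
    }
    return 0;
}

/* The index an attacker would pass so that array1[x] aliases a target byte.
 * Computing it is the easy part; turning it into a leaked byte needs the
 * branch training and cache timing loop, which is not shown here. */
size_t out_of_bounds_index(const void *target) {
    return (size_t)((uintptr_t)target - (uintptr_t)array1);
}

int main(void) {
    size_t x = out_of_bounds_index(secret + 3);
    printf("malicious index: %zu (architecturally both gadgets return %d)\n",
           x, (int)lookup_vulnerable(x));
    printf("mask in bounds: %zx, out of bounds: %zx\n",
           index_mask_nospec(3, ARRAY1_SIZE), index_mask_nospec(x, ARRAY1_SIZE));
    printf("hardened lookup(3) = %d\n", (int)lookup_hardened(3));
    return 0;
}
```

Both gadgets return the same values for every input, which is exactly why a normal test suite cannot tell them apart: the difference is only in which cache lines the mispredicted path is allowed to touch. Compilers are free to turn the `x < ARRAY1_SIZE` compare into anything they like, so on real kernels the mask is emitted as inline asm (cmp/sbb on x86) rather than relying on the compiler to keep it branch-free.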
Re: Intel Spectre bug?
So spectre basically requires scripting or other ways of executing code within another process? Got it.
Seems like it would be useful for exploiting web browsers to find out the address layout before going to ROP.
Re: Intel Spectre bug?
Both flaws require the ability to run arbitrary but jailed code on the target CPU.
Both flaws involve the same ultimate failure: reading memory that you're "supposed" to not be able to. Meltdown's "just" the version that compromises the read protection guarantees made by the page table.
Re: Intel Spectre bug?
Dwedit wrote:
> So spectre basically requires scripting or other ways of executing code within another process? Got it.
It's less restrictive than that. If you have a sequence of bytes you want to run and that sequence of bytes happens to exist in the program's address space, you can train the branch predictor from outside the program to jump there and execute it speculatively. And since speculative execution touches the cache, it can be used to leak information.
- rainwarrior
Re: Intel Spectre bug?
The prognosis I've understood is that Meltdown can be corrected by having the OS take protective measures with its kernel paging, at some performance cost. Spectre is more insidious, since it operates from within a program in its own space, and exploits very normal and extremely common code (e.g. jump tables, bounded array lookups, etc.). Not something that can really be patched directly, or that most software developers could even try to prevent, but probably browsers and other critical stuff can be vigilant in addressing known attacks as they appear. A hydra monster always growing new heads.
I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P
(Also, the Spectre attacks work on most CPUs, not just Intel design?)
Re: Intel Spectre bug?
Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.
Meltdown, for whatever it's worth, doesn't only affect Intel's CPUs. It's just that Intel was the only corporation to consistently put the permissions check on the wrong (i.e. higher performance) side of the L1 cache fetch. But there's a reason why the newest highest-performing ARM cores are also vulnerable. I think I remember reading it being true of several markedly older POWER cores, too.
There's a fascinating article that came up in the wake of these revelations about the PowerPC core in the Xbox 360 and its cache-coherency-violating XDCBT instruction.
Re: Intel Spectre bug?
rainwarrior wrote:
> I think Meltdown is a more specific form of attack that more or less directly reads from kernel memory.
Also my understanding is that Spectre is more like a family of possible exploits, while Meltdown is a particular implementation of such an exploit that actually works. I might be wrong.
rainwarrior wrote:
> Like if you can run a javascript program in a browser, you can write that program to cause such mispredictions deliberately and use them to read everything the browser process knows, rather than just the stuff that javascript program is supposed to have access to. You have to know the program to be able to exploit it, not just the CPU.
So in my understanding for Spectre to work you need a very specific CPU *and* a very specific version of a very specific program; with programs constantly updating every week, the exploit has to be updated as well to take account of new low-level code. Also it only allows spying on data on one person's computer, which is indeed problematic, but Google already does that for everyone using Chrome or any Google-related website, so it's nothing new. It doesn't allow writing to memory, so it can't be used to actually implement malware.
> Both of these flaws are obvious-in-hindsight failures given any kind of speculative fetch at all. There's a reason why Spectre basically affects every fast CPU ever: speculative fetch is just way too huge a performance benefit to think that you could possibly recoup the performance loss by excluding it.
My understanding is that you access data not by reading it directly, but by measuring the time it takes to read it, and seeing whether it was a cache hit or miss, so data is "read" one bit at a time, and some kind of timer is probably used to measure this time. If the timer is made inaccurate enough that it can't accurately distinguish the difference between a cache hit and a cache miss, then data can't be retrieved accurately and the exploit is impossible, even if speculative execution is still enabled. Even in the current state I think there are some bits which are sometimes read wrongly, as I have seen a video drawing a cat picture with Spectre, and there was some random noise on the picture. So just fixing the timer to be inaccurate might solve the issue.
rainwarrior wrote:
> I feel like Intel is about to have a very good sales year once they get a new CPU revision out. ;P
Or AMD ;P
(By the way Intel Itanium processors seem to be unaffected because they lack hardware speculative execution, which is mostly done at compile time)
- rainwarrior
Re: Intel Spectre bug?
It doesn't need to be quite that specific, I don't think. Your exploiting program can actually search for the needed code fragments to exploit (and you can even use stuff in shared DLLs). I think you need to know something about the program to find an opening in the first place, but I think it'd be tough to sanitize a big API like javascript. There's probably clever ways to prevent a lot of it, but it seems like there are a lot of open holes.
As for timers, you can always repeat the tests to get around timer accuracy. It doesn't close the hole, just reduces bandwidth? That might actually be one of the things browsers have currently disabled in response, though there might be multiple ways to create effective timers?
Edit: Yes, it looks like exactly that was done. https://blog.mozilla.org/security/2018/ ... ng-attack/
Then again, I'm surprised that I haven't yet seen news of this thing in action. Just research demos. Where's the spectre supervirus? Maybe we're lucky and it's too hard to use effectively?
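Decoding the cache side channel, as an added example in C that is not code from the thread or from either paper. It covers two points made above: the probe array in the Meltdown snippet earlier in the thread (256 slots one page apart, so the leaked byte is whichever slot reloads fast) and rainwarrior's point that repeating the measurement works around an imprecise timer at the cost of bandwidth. The latencies, the threshold, the LCG noise and the "pollution" of a random extra slot every third pass are all constructed stand-ins for real clflush/rdtscp measurements, and names like decode_pass and leak_byte_majority are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Cache side-channel decoding for a 256-slot probe array (one slot per
 * possible byte value, slots one page apart, as in the Meltdown snippet).
 * All timings here are constructed: a real attacker fills times[] from
 * clflush + rdtscp (Flush+Reload), or from a coarse timer plus repetition. */
#define SLOTS        256
#define HIT_CYCLES   60u    /* assumed cache-hit reload latency */
#define MISS_CYCLES  300u   /* assumed DRAM reload latency */
#define THRESHOLD    200u   /* a reload faster than this counts as a hit */

/* One pass: the fastest slot below the threshold is the candidate byte.
 * Returns -1 when nothing looks cached (the transient access did not
 * happen this time). Slot 0 is ambiguous in practice, since a transient
 * load that never completed also yields 0; that is what the snippet's
 * "jz retry" guards against. */
int decode_pass(const uint32_t times[SLOTS], uint32_t threshold) {
    int best = -1;
    uint32_t best_time = threshold;
    for (int i = 0; i < SLOTS; i++) {
        if (times[i] < best_time) {
            best_time = times[i];
            best = i;
        }
    }
    return best;
}

/* Deterministic pseudo-random noise (LCG) so the example reproduces exactly. */
static uint32_t rng_state = 0x1234567u;
static uint32_t noise(uint32_t span) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return (rng_state >> 16) % (span + 1);
}

/* Simulate one Flush+Reload pass after a transient access to slot 'leaked':
 * hits land in [60,140] cycles, misses in [300,380]. Every third pass a
 * random other slot is also cached (prefetcher, another thread touching the
 * line), which is what makes a single pass unreliable. */
static void simulate_pass(uint32_t times[SLOTS], int leaked, int round) {
    for (int i = 0; i < SLOTS; i++)
        times[i] = (i == leaked ? HIT_CYCLES : MISS_CYCLES) + noise(80);
    if (round % 3 == 0) {
        int polluted = (round * 37) % SLOTS;
        if (polluted != leaked)
            times[polluted] = HIT_CYCLES + noise(80);
    }
}

/* Constructed single-pass input: all misses except 'cached_slot'
 * (pass -1 for "nothing cached"). */
int demo_decode_pass(int cached_slot) {
    uint32_t times[SLOTS];
    for (int i = 0; i < SLOTS; i++)
        times[i] = MISS_CYCLES;
    if (cached_slot >= 0 && cached_slot < SLOTS)
        times[cached_slot] = HIT_CYCLES;
    return decode_pass(times, THRESHOLD);
}

typedef struct {
    int value;   /* winning slot = recovered byte */
    int votes;   /* passes that voted for it */
    int rounds;  /* passes run */
} leak_result;

/* Repeat the measurement and take a majority vote. A pass may vote for the
 * wrong slot (pollution) or abstain (-1); the vote still converges as long
 * as the true slot is cached in more passes than any single wrong slot,
 * which is why a coarser or noisier timer costs bandwidth, not the leak. */
leak_result leak_byte_majority(int leaked, int rounds) {
    int votes[SLOTS] = {0};
    uint32_t times[SLOTS];
    for (int r = 0; r < rounds; r++) {
        simulate_pass(times, leaked, r);
        int guess = decode_pass(times, THRESHOLD);
        if (guess >= 0)
            votes[guess]++;
    }
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (votes[i] > votes[best])
            best = i;
    leak_result res = { best, votes[best], rounds };
    return res;
}

int main(void) {
    const char secret[] = "constructed";   /* stands in for the data being leaked */
    for (int i = 0; secret[i]; i++) {
        leak_result r = leak_byte_majority((unsigned char)secret[i], 30);
        printf("byte %d: 0x%02x '%c' (%d/%d votes)\n", i, r.value, r.value, r.votes, r.rounds);
    }
    return 0;
}
```

The vote count is the attacker's confidence measure: with the constructed noise every pass still sees the true slot, so at least two thirds of the votes land on it, while the polluted slots change from pass to pass and never accumulate. Lowering timer resolution pushes more passes toward abstaining or voting wrong, so the attacker needs more rounds per byte, which is the bandwidth reduction rather than a fix.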
Re: Intel Spectre bug?
Both Spectre and Meltdown are "only" (n.b. scare quotes; I don't mean to imply this isn't a serious problem) useful for exfiltration. Meltdown lets you bypass kASLR ... if you have an attack that would have been hampered by having to find entry points. Spectre lets you use javascript to read sensitive data out of another web browser tab ... if the attackee has sensitive data to read.
Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack. It just makes that attack easier.
Re: Intel Spectre bug?
lidnariq wrote:
> Like an FTP server providing read-only access to the entire filesystem, the attacker still has to have something to actually attack.
Your password manager, your cryptocurrency wallets, and your PGP and SSH private keys, for a start. Someone who can SSH in can install ransomware.
- rainwarrior
Re: Intel Spectre bug?
Seeing news today about bitcoin miners slipping into YouTube ads doesn't fill me with hope.
https://arstechnica.com/information-tec ... cy-miners/
Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.
Re: Intel Spectre bug?
rainwarrior wrote:
> Not a Spectre thing, of course, but it's a bit scary that unintended execution like this can even happen on a site like YouTube, that I'd normally presume is safe to visit.
And this is exactly why ad blockers are such a valuable anti-malware tool.