Meltdown, Spectre: unfixable security flaws

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Meltdown, Spectre: unfixable security flaws

Post by mike acker » Thu Jan 04, 2018 8:14 am

In reading this description of Meltdown/Spectre it seems to me that the attacker will need to have high-quality -- asm-level -- malware executing in the target in order to activate the attack.

Thoughts?

“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws

More info (By Steven J. Vaughan-Nichols for Linux and Open Source | January 3, 2018 -- 21:48 GMT (13:48 PST) | Topic: Security)

Major Linux redesign in the works to deal with Intel security flaw

FWIW, it seems to me this is mainly a supply chain issue. I say that because, as noted, it appears the attacker needs to get a high-quality asm-level virus running in order to exploit either attack. Getting such a module into the victim's machine isn't easy in Linux, which is why I mention supply chain. If the attack can be incorporated into a software tool-kit or product that is used by or offered by legitimate software agents, then the attack might be distributed in the manner that an attacker would prefer.

I think that as an industry we are on the right track in setting up SHA-256 codes for software distributions as well as PGP/GPG signatures. While doing this we must remember to guard against complacency.
¡Viva la Resistencia!

BigEasy
Level 6
Posts: 1152
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Meltdown, Spectre: unfixable security flaws

Post by BigEasy » Thu Jan 04, 2018 9:16 am

For Windows it is already fixable.
https://support.microsoft.com/en-us/hel ... lative-exe
Moreover, not every system is susceptible to the flaws.
https://security-center.intel.com/advis ... geid=en-fr
Windows assumes I'm stupid but Linux demands proof of it

thx-1138
Level 6
Posts: 1048
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Meltdown, Spectre: unfixable security flaws

Post by thx-1138 » Thu Jan 04, 2018 9:18 am


BigEasy
Level 6
Posts: 1152
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Meltdown, Spectre: unfixable security flaws

Post by BigEasy » Thu Jan 04, 2018 9:39 am

From the user's point of view these flaws do not differ from any web-based vulnerabilities, so browser updates are important too.
https://www.bleepingcomputer.com/news/s ... e-attacks/
P.S. To steal secret personal data there were and are simpler ways, not necessarily so exotic, but with the same amount of panic.
Windows assumes I'm stupid but Linux demands proof of it

joril
Level 1
Posts: 12
Joined: Wed May 10, 2017 3:09 am

Re: Meltdown, Spectre: unfixable security flaws

Post by joril » Thu Jan 04, 2018 10:22 am

BigEasy wrote:Moreover, not every system is susceptible to the flaws.
https://security-center.intel.com/advis ... geid=en-fr
This page doesn't mention Meltdown or Spectre though (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Thu Jan 04, 2018 3:38 pm

Good info.

Disturbing, though, as it was my understanding that JavaScript was more limited with respect to what it can access in the host.

Excerpt
Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between different origins.
It leads me to wonder what all JavaScript can really do. It's my understanding that the original concept was that JavaScript could only prepare and transmit HTML to the local browser display, and... save cookies. If JavaScript has unfettered access to the local machine's data resources, that raises real problems. I gotta get to work and learn to edit Firejail profiles.
¡Viva la Resistencia!

jimallyn
Level 18
Posts: 8272
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Meltdown, Spectre: unfixable security flaws

Post by jimallyn » Thu Jan 04, 2018 7:30 pm

mike acker wrote:thoughts ?
I think a class action suit against Intel would be appropriate.

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Thu Jan 04, 2018 8:34 pm

jimallyn wrote:
mike acker wrote:thoughts ?
I think a class action suit against Intel would be appropriate.
I've read several essays on this so far and I still don't understand it, actually.

I did find this: (Ars Technica)

What’s behind the Intel design flaw forcing numerous patches?

If I'm getting the idea right, the "speculative execution" of code -- i.e. running the code out of sequence and then cancelling any errors -- leaves kernel pointers in the process copy of the page table exposed -- thus enabling data theft or other improper mischief.

Evidently this is highly time-sensitive: the attacker has to catch the processor in a state where such data is left unprotected -- if I'm getting this right ...

Which is why I'm thinking only a carefully written asm program -- maybe C -- could exploit this particular vulnerability: the attacker has to be very fast -- and would need the ability to manipulate storage address pointers.

Manipulating storage address pointers is common in asm, or C -- but usually not in a scripting language :?

There is a link in the above reference that leads to a comment regarding what may be a significant difference in AMD processors.

In any event, the way I see this bug is similar to some others we've come across, that being that the attacker's malware shouldn't be executing in the first place -- i.e. the victim must have already been breached and be running unauthorized code before this attack can begin.
Last edited by mike acker on Thu Jan 04, 2018 9:22 pm, edited 2 times in total.
¡Viva la Resistencia!

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Thu Jan 04, 2018 9:13 pm

Another reference (TechRepublic):

Massive Intel CPU flaw: Understanding the technical details of Meltdown and Spectre

At this point I'm not real sure how accurate these reports really are. In the above reference, I found this:
Early reporting on the issue before full details were disclosed does not provide a full view of vulnerable targets. The bounds check bypass can be exploited on Intel, AMD, and ARM processors without privilege escalation, allowing programs to read memory addresses inside their own processes. A JavaScript proof-of-concept of this exploit was developed by researchers, which is capable of reading the memory of the host browser process. The bounds check bypass has also been shown to read kernel memory on Intel and AMD processors. Importantly, this does not work on AMD processors in default configurations. The proof-of-concept requires BPF JIT to be manually enabled in the Linux kernel for AMD processors. (It is not, by default.) The tested Intel processor was vulnerable independent of the BPF JIT setting.
(emphasis added)

Which seems to be consistent with the reference in my preceding post. However, there appear to be two different exploits: Spectre and Meltdown; evidently "Meltdown" is one problem while "Spectre" is another.

We'll probably just have to hang on and find out more about this. The thing that worries me most is how such an attack could be launched using JavaScript :?
¡Viva la Resistencia!

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

A Sea Change: the downfall of x86

Post by mike acker » Fri Jan 05, 2018 8:31 am

Interesting essay on ZDNet this morning.

It is interesting to keep the Intel ME in mind when reading this,--

Why Intel x86 must die: Our cloud-centric future depends on open source chips

Joanna Rutkowska at 32C3
Video discusses windows AMT and ME Management Engine

https://www.youtube.com/watch?v=rcwngbU ... tml5=False
Last edited by mike acker on Fri Jan 05, 2018 9:03 am, edited 2 times in total.
¡Viva la Resistencia!

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Fri Jan 05, 2018 8:52 am

Article on HelpNetSecurity:

Browser makers move to mitigate risk of Spectre browser attacks

Excerpt
“Analysis of these techniques revealed that while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser. Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques.”
It appears to me the larger problem here is that JavaScript now has capabilities that it should never have. It's my understanding that JavaScript, at least by its original design, was not supposed to be able to access the local machine except to store and read cookies,--
¡Viva la Resistencia!

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Fri Jan 05, 2018 3:15 pm

More reading.

A link in Schneier's notes on this leads to this information page:

Spectre, Meltdown in Browsers / Toms Hdw

A link in the above leads to notes on ECMAScript on GitHub:

This Ecma Standard defines the ECMAScript 2018 Language.

Excerpt
ECMAScript was originally designed to be a Web scripting language, providing a mechanism to enliven Web pages in browsers and to perform server computation as part of a Web-based client-server architecture. ECMAScript is now used to provide core scripting capabilities for a variety of host environments. Therefore the core language is specified in this document apart from any particular host environment.

ECMAScript usage has moved beyond simple scripting and it is now used for the full spectrum of programming tasks in many different environments and scales. As the usage of ECMAScript has expanded, so has the features and facilities it provides. ECMAScript is now a fully featured general-purpose programming language.

Some of the facilities of ECMAScript are similar to those used in other programming languages; in particular C, Java™, Self, and Scheme as described in:

ISO/IEC 9899:1996, Programming Languages – C.
Which leads me to wonder: what all can a web page really do? I know what I can do using C.......

Apparently the SharedArrayBuffer is a component of this ECMAScript. If the browser makers have to mess with the SharedArrayBuffer to block these CPU chip attacks, it means ECMAScript is running in our browsers and who knows what else.

Questions,--
Is ECMAScript the same as JavaScript? Or is JavaScript a subset of ECMAScript?

I found this:
JavaScript Tutorial, which seems to go over JavaScript pretty well. It should not include the ability to define a file or to manipulate address pointers. I'm still looking through this.

Scripts are by their nature interpreted rather than compiled; thus what the script may do in a browser will be limited by what the browser's interpreter allows; hopefully external calls are not one of the allowed options...
Last edited by mike acker on Fri Jan 05, 2018 3:46 pm, edited 1 time in total.
¡Viva la Resistencia!

Portreve
Level 6
Posts: 1196
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: Meltdown, Spectre: unfixable security flaws

Post by Portreve » Fri Jan 05, 2018 3:38 pm

Here's my I'm-not-a-programmer 2¢ thoughts and questions about the matter...


JavaScript:
1. Why is JavaScript called JavaScript? Is it in some form or fashion related to Java?
2. Has JavaScript been altered or changed over the years it's been around? If so, is this exploiting expansions to the original language?
3. If #2 is false, then does that mean these particular ways to misuse JavaScript are a fundamental part of the language?
4. Whether #2 or #3 are correct, is this something which can be addressed in JavaScript without creating a bunch of incompatibilities?


Speculative Execution:
I know it's been a hard thing to continue to up the clock speed of processors because there's come a point where the chips just aren't all that stable without going to extremes in actively as opposed to passively cooling them, most of which would be impractical for the average desktop user, and all of which would be not just impractical, but impossible for the laptop, tablet, and smartphone form factors. Many things, like MMX, SSE, etc., are part of a wide range of tweaks and other means used to get around actual clock speed limitations (obviously in addition to simply extending the feature set) and so my guess is Speculative Execution's primary purpose was performance enhancement.

That said, it may well be that S.E. just isn't a thing which can be modified effectively or usefully to keep Meltdown, Spectre, or other as yet undiscovered attack vectors from existing. Obviously, simply eliminating S.E. would kill the problem, but then to my mind that also vaguely smacks of throwing the baby out with the bath water. I'm just wondering (not actually expecting anyone here to have the background or competence to comment) what alternatives to S.E. might exist, and alternatively, if S.E. just has to be abandoned, what the performance impact would be.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Fri Jan 05, 2018 4:12 pm

This essay

What’s behind the Intel design flaw forcing numerous patches?

seems helpful. My question remains, though, how a web page script (JavaScript | ECMAScript??) can get access to the Translation Lookaside Buffer (TLB) -- I would think you'd have to follow a number of address pointers to get there, and scripting programs should not be handling address pointers. Arrays -- OK, IF you have subscriptrange enabled to prevent the script from accessing outside the array.

For example, if "mylist" is a list of 10 names, then any attempt to access mylist(less than 0, where 0 is the first entry) or above mylist(9, where 9 is the last name in the list) -- should throw an error and the requesting instruction should not execute.

I'd love to have $100 today for every COBOL programmer's core dump I had to fix because they didn't do this (and it would have been so easy to do by requiring the INDEXED BY clause as the only means of establishing a subscript; control could then have been applied when the programmer attempted to set the index up or down or to any value, with automatic initialization to 1 (COBOL indexes from 1, not 0)).
¡Viva la Resistencia!

rene
Level 7
Posts: 1892
Joined: Sun Mar 27, 2016 6:58 pm

Re: Meltdown, Spectre: unfixable security flaws

Post by rene » Fri Jan 05, 2018 4:52 pm

mike acker wrote:my question remains though how a web page script [ ... ] can get access to the Translation Lookaside Buffer (TLB)
It cannot, nor can any code, either user mode or kernel mode code; the TLB is inaccessible to all code. Your own link also makes this explicit, but the clearest explanation for those with some machine-level programming know-how is at Google's original Project Zero blog: https://googleprojectzero.blogspot.com/.

What this all boils down to is the ability to abuse speculative execution to potentially load accessible data into a CPU cache line, dependent on the contents of data that is otherwise inaccessible to an attacker; measuring the timing of accessing said accessible data will then betray whether or not it was in fact in cache, and in turn therefore what the contents of the inaccessible bit of data was.

Browsers and JavaScript or any other web content have nothing to do with any of it other than as a possible avenue of having an attacker's malicious code execute on your system, clearly a pre-condition for measuring anything. Firefox 57.0.4 eliminates itself as a possible host for any such code by, for the time being, removing access to high-precision timers. There are likely going to be few if any legitimate/important JavaScript applications that need resolution on the order of cache hits vs. misses anyway, but research is underway to fix this more fundamentally and not just by denying access to high-resolution timers.
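As an added example that is not from this thread or from any of the linked articles, here is the index-masking mitigation for the "bounds check bypass" that the TechRepublic excerpt names and that mike acker's array-subscript question and rene's cache-line explanation above circle around, modelled on the Linux kernel's generic array_index_nospec() helper; the sample table, TABLE_SIZE and the two lookup function names are constructed for the demonstration.

```c
/* Added example, not code from the forum thread or the linked articles: the
 * index-masking mitigation for "bounds check bypass" (Spectre variant 1),
 * modelled on the Linux kernel's generic array_index_nospec() helper.
 * A normal `if (idx < size)` check is a branch; the CPU may predict it
 * "taken" and load arr[idx] for an out-of-range idx before the compare
 * resolves. The mask clamps idx to 0 without a branch, so even a
 * mispredicted check only ever loads an in-range element. */
#include <stddef.h>
#include <stdint.h>

/* All ones when index < size, all zeros otherwise, computed branch-free.
 * Requires size > 0. The kernel's x86 build uses a cmp/sbb asm sequence
 * instead of this C so the compiler cannot turn it back into a branch. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    /* (size - 1 - index) wraps negative exactly when index >= size, so the
     * top bit of the OR is set only for out-of-range indexes; NOT it and
     * arithmetic-shift the sign bit across the whole word. */
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * 8 - 1);
}

/* Returns index unchanged if it is in range, 0 otherwise. */
#define ARRAY_INDEX_NOSPEC(index, size) \
    ((index) & array_index_mask_nospec((unsigned long)(index), (size)))

/* Constructed sample table; the values stand in for data that should only
 * be reachable through a validated index. */
#define TABLE_SIZE 8
static const uint8_t table[TABLE_SIZE] = { 10, 20, 30, 40, 50, 60, 70, 80 };

/* Plain bounds check: architecturally correct, but the load on the
 * "taken" path can execute speculatively for any idx. */
int lookup_plain(size_t idx)
{
    if (idx < TABLE_SIZE)
        return table[idx];
    return -1;
}

/* Hardened: same architectural result, but the index reaching memory is
 * masked after the check, which is how the kernel applies the helper. */
int lookup_nospec(size_t idx)
{
    if (idx < TABLE_SIZE) {
        idx = ARRAY_INDEX_NOSPEC(idx, TABLE_SIZE);
        return table[idx];
    }
    return -1;
}
```

Both lookups return the same values for every input; the difference is only in what the CPU can load while the bounds check is still unresolved.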

Lucap
Level 5
Posts: 913
Joined: Tue May 24, 2016 1:40 am

Re: Meltdown, Spectre: unfixable security flaws

Post by Lucap » Sat Jan 06, 2018 5:27 am

jimallyn wrote:I think a class action suit against Intel would be appropriate.
Here come the lawyers! Intel slapped with three Meltdown bug lawsuits

http://www.theregister.co.uk/2018/01/05 ... flaw_sued/

mike acker
Level 6
Posts: 1414
Joined: Wed Jul 31, 2013 6:29 pm
Location: Kalamazoo, MI

Re: Meltdown, Spectre: unfixable security flaws

Post by mike acker » Sat Jan 06, 2018 8:03 am

jimallyn wrote:
mike acker wrote:thoughts ?
I think a class action suit against Intel would be appropriate.
Intel faces class action lawsuits regarding Meltdown and Spectre

Historically software has been regarded as a tool: as such the operator/user is responsible for the results.

As I read through the essays on this topic I am coming to understand that a "modern" processor, i.e. a processor implementing speculative execution -- i.e. executing a program out of order and then fixing things as necessary -- is really a very advanced "code execution system", i.e. a highly advanced process -- a program itself actually -- the purpose of which is to effect code execution.

I.e., a computer chip provides a very advanced program for effecting the execution of computer code.

Should this be the case, then the legal action seeking relief of damages for defective design may well serve as a precedent for such action against any program. This will, no doubt, be hashed out in the courts, possibly ending up at SCOTUS.

I was reading a statement released from AMD:
An Update on AMD Processor Security

I found this:
The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
(emphasis added)

After having pursued this question a bit myself yesterday I had come to the conclusion that not all of the pertinent information regarding the vulnerability has been made public. The above tends to confirm this. I think the problem is worse than we think, and I base this on the note that the exploit can be accessed by browser code. Browser code should not be getting into addressing of any kind, let alone this mess.
¡Viva la Resistencia!

Portreve
Level 6
Posts: 1196
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida

Re: Meltdown, Spectre: unfixable security flaws

Post by Portreve » Sat Jan 06, 2018 11:08 am

mike acker wrote:I was reading a statement released from AMD:
An Update on AMD Processor Security

I found this:
The research described was performed in a controlled, dedicated lab environment by a highly knowledgeable team with detailed, non-public information about the processors targeted.
(emphasis added)

After having pursued this question a bit myself yesterday I had come to the conclusion that not all of the pertinent information regarding the vulnerability has been made public. The above tends to confirm this. I think the problem is worse than we think, and I base this on the note that the exploit can be accessed by browser code. Browser code should not be getting into addressing of any kind, let alone this mess.
The very first thing to go through my mind in reading that is there's been a kind of "tinfoil hat" theory idea floating around for a very long time that, basically, the (ostensibly U.S.) government has over the years planted knowledgeable and capable operatives in companies in order to compromise their products — particularly, technology products — to establish back doors. My thought was: I wonder if this might not be an example of such an act.

Ever since computer technology has become a credible "thing" in the world, it has progressively seemed, to me at least, to decline in how much "fun" it is, whether due to viruses, commoditization, "AOL losers", ridiculous government regulation and laws forced upon it by Corporate America, exploitation by crackers, or now (as we keep learning more and more about) invasion and exploitation by various governments.
Everything is in hand. With this tapestry... and with patience, there is nothing one cannot achieve.

No hamsters were harmed in the authoring of this post.

Pjotr
Level 20
Posts: 10638
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Meltdown, Spectre: unfixable security flaws

Post by Pjotr » Sat Jan 06, 2018 11:58 am

OK, relief is at hand, namely on January 9:
https://insights.ubuntu.com/2018/01/04/ ... abilities/

Apparently those Ubuntu devs have worked through the Christmas and New Year holidays.... Not much fun for them.

Some things that stand out: it seems that for Ubuntu 16.04.x (and therefore Mint 18.x) only the 4.4 kernel series and the 4.13 kernel series will be fixed. Furthermore, these fixes are only for 64-bit kernels.
Tip: 10 things to do after installing Linux Mint 19 Tara
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

rene
Level 7
Posts: 1892
Joined: Sun Mar 27, 2016 6:58 pm

Re: Meltdown, Spectre: unfixable security flaws

Post by rene » Sat Jan 06, 2018 12:04 pm

Pjotr wrote:Apparently those Ubuntu devs have worked through the Christmas and New Year holidays.... Not much fun for them.
I take it you don't have in-laws. This all is way more fun...
