Serious security flaw in Intel processors

dbeachy1


Face

For those interested, this here is a windows build of the Spectre example code: https://snoopie.at/face/beta/Spectre.exe . I've added inputs to enter address and length of dump. Default is the location of the secret string like shown in the video above (the content is a different one, though).
 

Artlav

Face, given the context of this thread, do you really expect anyone to run an unknown executable on their Windows machines? :)

Anyway, I tried it under Wine (after taking a look with IDA - as expected, there is no funny business in there) with a patched kernel, and it appears to work just fine.
 

dbeachy1

Hey, since Face compiled it, I trust him. :)
 

Face

Anyway, I tried it under Wine (after taking a look with IDA - as expected, there is no funny business in there) with a patched kernel, and it appears to work just fine.

Well, I'm afraid you are wrong... there is funny business in there ;) .
 

Xyon

Well, I'm afraid you are wrong... there is funny business in there ;) .

Unless I missed something, the funny business is the whole point. :lol::lol:
 

Artlav

the funny business is the whole point. :lol::lol:
Nah, the whole business is not funny, it's plain beautiful. :)

Seriously, that's the first exploit I can think of that I would characterize as "beautiful". It requires deep knowledge of processor internals and creativity to come up with the way to actually capture the leaked information.
 

Quick_Nick

For those interested, this here is a windows build of the Spectre example code: https://snoopie.at/face/beta/Spectre.exe . I've added inputs to enter address and length of dump. Default is the location of the secret string like shown in the video above (the content is a different one, though).

After I ran your program, Windows Defender flagged another executable in the same directory as WannaCrypt. :blink:
 

Face

After I ran your program, Windows Defender flagged another executable in the same directory as WannaCrypt. :blink:

That Spectre example from the paper uses a buffer overflow technique to read out arbitrary memory addresses in its own virtual memory space with that page cache method. I don't know what effect reading some ranges might have, so it could well be that AV gets irritated.

What ranges did you dump?
 

MeDiCS

That Spectre example from the paper uses a buffer overflow technique to read out arbitrary memory addresses in its own virtual memory space with that page cache method. I don't know what effect reading some ranges might have, so it could well be that AV gets irritated.

What ranges did you dump?

Where? I don't see a buffer overflow in the paper's sample.

So antivirus software might not be as entirely useless as previously claimed.

Not entirely, just mostly useless. It should ID previously known and unobfuscated malware, Spectre or not. Machine code for extracting stuff from the cache may be pretty idiosyncratic, so there might exist some detection opportunities there as well.
 

Face

Where? I don't see a buffer overflow in the paper's sample.

In the victim function. Of course the classical overflow is prohibited by a conditional jump, but that's the whole point of the exploit. The victim function gets used to train the branch predictor into thinking the x value is always in the range. Then it attacks it by means of giving the malicious x value that is overflowing the buffer. The predictor loads the array addressing part of the victim function into the pipeline, causing pages to get cached. Of course the results are scrubbed due to the x value being out of range, but the read value already can be determined by measuring which page is in cache now.
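To put the shape Face describes into code, here is an added example (it is not the paper's sample code and not part of the Spectre.exe build): the bounds-checked victim function pattern beside a hardened variant that clamps the index with a data dependency instead of relying on the branch. The names array1, array2 and array1_size follow the paper's sample; the mask helper is a simplified re-implementation of the index-masking idea the Linux kernel uses (array_index_mask_nospec), and its assumptions about integer width and shift behaviour are stated in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed data, following the names in the paper's sample. array2 is the
   probe array: one 512-byte stride per possible byte value, so the value read
   from array1[x] selects which line of array2 gets pulled into the cache. */
static uint8_t array1[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static const size_t array1_size = 16;
static uint8_t array2[256 * 512];

/* Vulnerable shape: the bounds check is a conditional branch. After the
   predictor has been trained on in-range x, an out-of-range x is still used
   speculatively to index array1 and then array2, leaving a cache footprint
   before the mispredicted path is squashed. */
uint8_t victim_function(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * 512];
    return 0;
}

/* Branchless mask: all ones when index < size, all zeros otherwise.
   Simplified re-implementation of the index-masking idea behind the Linux
   kernel's array_index_mask_nospec(). Assumes size_t and ptrdiff_t have the
   same width and that >> on a negative value is an arithmetic shift. */
static inline size_t index_mask_nospec(size_t index, size_t size) {
    return (size_t)(~(ptrdiff_t)(index | (size - index - 1)) >> (sizeof(size_t) * 8 - 1));
}

/* The index the array path will use after masking: in range it is unchanged,
   out of range it collapses to 0, whether or not the bounds branch was
   predicted correctly. */
size_t effective_index_masked(size_t x) {
    return x & index_mask_nospec(x, array1_size);
}

/* Hardened shape: the clamp is a data dependency on x, not a branch, so the
   speculative path can only ever touch array1[0]. */
uint8_t victim_function_masked(size_t x) {
    if (x < array1_size) {
        x = effective_index_masked(x);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void) {
    printf("x=5:      masked index %zu\n", effective_index_masked(5));
    printf("x=100000: masked index %zu\n", effective_index_masked(100000));
    return 0;
}
```

Whether the compiler keeps the mask branchless is worth confirming in the generated assembly, since an optimizer may turn a comparison-derived mask back into a conditional jump. The other common mitigation is a serializing barrier (an lfence on x86) placed after the bounds check; it is simpler to apply but costs more on hot paths.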
 

MeDiCS

In the victim function. Of course the classical overflow is prohibited by a conditional jump, but that's the whole point of the exploit. The victim function gets used to train the branch predictor into thinking the x value is always in the range. Then it attacks it by means of giving the malicious x value that is overflowing the buffer. The predictor loads the array addressing part of the victim function into the pipeline, causing pages to get cached. Of course the results are scrubbed due to the x value being out of range, but the read value already can be determined by measuring which page is in cache now.
Ah, I see. No AV is able to find that out though, so it shouldn't be triggering anything even if speculative execution tries to read from invalid memory.
 

RisingFury

Wouldn't an antivirus software be able to detect a file with Spectre attack, once the file becomes known to the company?

I mean, the attack doesn't spread through the entire internet instantly. It takes days in the fastest cases. But that's long enough for antivirus definitions to become updated. Yes, it then becomes a game of cat and mouse as hackers change the file and antivirus companies update definitions, but still, AV software should provide some protection as long as you don't stumble onto the attack early on.


But what about JavaScript? Is there an "antivirus for JavaScript"?
 

MeDiCS

Wouldn't an antivirus software be able to detect a file with Spectre attack, once the file becomes known to the company?
Yes and no. There are many ways to carry out the attack, and there are many actual legitimate uses of the functionality used in any one Spectre implementation.

Think of malware that excludes all images you save in your My Documents folder. No part of that malware's code is inherently malicious (it does what any program could do normally), and it's, generally, hard for a computer to understand what any one program does (google "formal verification" and "halting problem" to get an idea of how hard it can be for a program to understand another one). You can, however, try to ID this malware so that, in the future, the same executable can be prevented from running.

But even IDing advanced malware is way harder than it looks. For example, https://en.wikipedia.org/wiki/Polymorphic_code.

But what about JavaScript? Is there an "antivirus for JavaScript"?
There are extensions that block specific bad JS scripts, for example: https://chrome.google.com/webstore/...s-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en. There are Spectre-specific countermeasures being embedded in browsers, so you probably don't need to install anything.
 

dbeachy1

This thread shows the performance impact of the Meltdown patch on a single Fortnite MMO server. Server #1 was patched; servers 2 & 3 were not:

meltdown_patch_perf_impact_fortnight.JPG


You can see that the CPU load more than doubled due to the patch.

To reiterate, the above performance impact was due to the Meltdown patch (KPTI, or "Kernel Page Table Isolation" patch), which is not necessary on AMD CPUs. Intel's propaganda PR machine has been doing a good job at conflating Meltdown (more serious, and only on Intel CPUs) and SPECTRE (applies to virtually all modern CPUs but is much harder to exploit and can't be patched via the OS) into a "single issue" to make it look like the KPTI patch will affect AMD performance, too, but the Meltdown (KPTI) patch does not need to be applied to AMD CPUs (see this Linux commit from AMD). So while the performance impact to consumer PCs running Intel CPUs may be minor, the performance impact to servers running Intel CPUs is another matter. :(
 

Linguofreak

Intel's PR machine has been doing a good job at conflating Meltdown (more serious, and only on Intel CPUs) and SPECTRE (applies to virtually all modern CPUs but is much harder to exploit and can't be patched via the OS) into a "single issue" to make it look like the KPTI patch will affect AMD performance, too, but the Meltdown (KPTI) patch does not need to be applied to AMD CPUs (see this Linux commit from AMD).

It's being a bit soft on Intel to say that SPECTRE "can't be patched by the OS" as if Meltdown *can*. Yeah, it's trivially true that KPTI is a kernel patch that mitigates meltdown, but it basically achieves that by emulating the defective CPU feature in software, which causes a significant performance hit in real-world workloads (as your graph demonstrates), and your trampoline code is still vulnerable to it (hopefully the trampoline that unmaps/remaps the kernel doesn't deal with any security-critical data, but one of the biggest things that makes security bugs happen is that people underestimate what can be read out of a given chunk of innocuous-looking data).
 

Quick_Nick

That Spectre example from the paper uses a buffer overflow technique to read out arbitrary memory addresses in its own virtual memory space with that page cache method. I don't know what effect reading some ranges might have, so it could well be that AV gets irritated.

What ranges did you dump?

I did the default range, but typed it in (instead of 0s).

The flagged file was flstudio_12.5.1.5.exe, an installer for FL Studio 12. I have only ever run it once, some months ago, without any hint of malware. Granted, I never did check the checksum. This was just sitting in my Downloads folder. No clue if something could have come along and genuinely injected something into the file, but Windows Defender never gave an alert until just after running your Spectre.exe.

So antivirus software might not be as entirely useless as previously claimed.

I'm wondering why an OS (or 3rd party antimalware program) can't just flag and/or kill processes that excessively try to read protected memory. The OS has that sort of info, doesn't it? Sure, you want to allow a few bits/bytes every so often due to innocent software bugs, but at least you would stop an attacker from systematically reading your memory at max rate.
 

Artlav

I'm wondering why an OS (or 3rd party antimalware program) can't just flag and/or kill processes that excessively try to read protected memory. The OS has that sort of info, doesn't it?
Nope. The beauty of it is that there is nothing detectable going on - it will appear simply as a process that is getting an awful lot of exceptions, which is not by itself suspicious.

You can add some heuristics to the exception handling (i.e. a series of exceptions that are all for addresses in sequence), but once added they will be instantly worked around.
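To make the exception heuristic Artlav mentions concrete, here is an added example (not from the thread and not from any OS or antivirus product) run over a constructed fault log: it flags a process whose consecutive faults land at a constant, small stride, while the third process in the sample, which touches the same range out of order, goes unflagged, which is exactly the limit Artlav describes. The log format `pid=<n> fault=<hex address>`, the run threshold and the maximum stride are all assumptions for this illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_PIDS      16
#define RUN_THRESHOLD  4     /* flag after this many faults in one constant-stride run */
#define MAX_STRIDE  4096     /* only byte- to page-sized steps count as "in sequence" */

/* Constructed fault log (not real kernel output): one fault event per line.
   pid 100 walks a range byte by byte, pid 200 faults at unrelated addresses,
   pid 300 touches the same kind of range but in a shuffled order. */
static const char *sample_fault_log[] = {
    "pid=100 fault=0xffff880000001000",
    "pid=100 fault=0xffff880000001001",
    "pid=200 fault=0x00007f1200000000",
    "pid=100 fault=0xffff880000001002",
    "pid=100 fault=0xffff880000001003",
    "pid=200 fault=0x000000000040a000",
    "pid=100 fault=0xffff880000001004",
    "pid=300 fault=0xffff880000002003",
    "pid=300 fault=0xffff880000002000",
    "pid=300 fault=0xffff880000002002",
    "pid=300 fault=0xffff880000002001",
    "pid=300 fault=0xffff880000002004",
    NULL
};

struct pid_state {
    long     pid;
    uint64_t last_addr;
    int64_t  last_delta;
    int      run;        /* length of the current constant-stride run */
    int      reported;   /* already flagged, report each pid once */
};

static struct pid_state *get_state(struct pid_state *tab, int *n, long pid) {
    for (int i = 0; i < *n; i++)
        if (tab[i].pid == pid)
            return &tab[i];
    if (*n >= MAX_PIDS)
        return NULL;
    struct pid_state *s = &tab[(*n)++];
    memset(s, 0, sizeof *s);
    s->pid = pid;
    return s;
}

/* Scan NULL-terminated log lines; write each flagged pid once into `flagged`
   (up to max_flagged) and return how many pids were flagged. */
int scan_fault_log(const char **lines, long *flagged, int max_flagged) {
    struct pid_state tab[MAX_PIDS];
    int ntab = 0, nflagged = 0;

    for (const char **lp = lines; *lp; lp++) {
        long pid;
        unsigned long long addr;
        if (sscanf(*lp, "pid=%ld fault=%llx", &pid, &addr) != 2)
            continue;                       /* ignore lines that do not parse */
        struct pid_state *s = get_state(tab, &ntab, pid);
        if (!s)
            continue;                       /* table full: assumption, drop the event */
        if (s->run == 0) {
            s->run = 1;                     /* first fault seen for this pid */
        } else {
            int64_t delta = (int64_t)(addr - s->last_addr);
            int64_t mag = delta < 0 ? -delta : delta;
            int small = (delta != 0 && mag <= MAX_STRIDE);
            if (small && delta == s->last_delta)
                s->run++;                   /* same stride as last time: run continues */
            else
                s->run = small ? 2 : 1;     /* new stride starts a run of two, or resets */
            s->last_delta = delta;
        }
        s->last_addr = addr;
        if (s->run >= RUN_THRESHOLD && !s->reported && nflagged < max_flagged) {
            flagged[nflagged++] = pid;
            s->reported = 1;
        }
    }
    return nflagged;
}

int main(void) {
    long flagged[MAX_PIDS];
    int n = scan_fault_log(sample_fault_log, flagged, MAX_PIDS);
    for (int i = 0; i < n; i++)
        printf("pid %ld: %d or more faults at a constant stride, suspicious\n",
               flagged[i], RUN_THRESHOLD);
    return 0;
}
```

Only pid 100 is reported; pid 300 reads the same amount of memory but never forms a run, so a stride check on its own buys little beyond catching the naive probe. A more durable signal is the fault rate per process over time, which does not depend on access order, but that too has to tolerate buggy-but-benign programs.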
 

Quick_Nick

I don't really know what Windows' patch was meant to do, nor the inner workings of your Spectre.exe, but your program still shows me the 'secret' even with KB4056892 now on my PC.
 