Slashdot Mirror


Attacking Multicore CPUs

Ant writes "The Register reports that the world of current multi-core central processing units (CPUs) we have just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software. The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a carefully written exploit can attack in the window when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."

21 of 167 comments

  1. Fast? by JordanL · · Score: 5, Insightful

    and showed that developers have to fix their code. Fast...
    Ummm... no. In a world where the list of things that most developers need to fix is quite lengthy, some of which render your average app unusable or even dangerous, fixing an exploit of a hardware configuration which has no proven virii in the wild is not at the top of the list.

    Yes, it's important to be proactive. No, such a difficult and obscure attack is not something that is priority one.
    1. Re:Fast? by g0dsp33d · · Score: 4, Insightful

      I agree. If you read the article, you'll notice that of such attacks it says "This was possible on both uniprocessor systems and multiprocessor systems." Also, it has been known since at least 1998. I'm guessing it's not that big of a deal, because exploit code would be difficult, there are easier targets, and lastly because anti-virus software could probably still look for the code (not in real time, but only when it's infected on disk or in transit).

      --
      lol: You see no door there!
    2. Re:Fast? by Anonymous Coward · · Score: 2, Insightful

      Maybe because he said "think" instead of "thinks". Good job being a grammar nazi!

    3. Re:Fast? by legirons · · Score: 2, Insightful

      "Windows NT (and its later incarnations like XP and Vista) aren't vulnerable because kernel components facing user mode are always expected to make copies of user arguments before they're validated and used"

      So Windows has a coding standard that says this shouldn't happen. I don't see how it necessarily follows that Windows isn't vulnerable. You're assuming that all the kernel-mode code in Windows is following the standard/recommendation that you refer to. Let's say that even one occurrence of code that doesn't meet the standard is potentially enough to do major damage (like break the most hardened-possible system). Have there been any other times when Windows code didn't follow recommended security rules? Did they make it past code audits and onto customers' computers? What's the frequency? What are the chances of it occurring with this set of vulnerabilities?

      A phrase like "isn't vulnerable" seems awfully strong to use, when the only thing protecting against it is a warning in the developer documentation...

    4. Re:Fast? by Foolhardy · · Score: 2, Insightful

      What I should have said is that the design of Windows NT isn't vulnerable. The article seems to be implying that this is a new sort of vulnerability, but it's not for NT because its preemptable nature has always required this to be done properly to be secure. No, I haven't personally verified the source code because I don't have access to it. Still, the core kernel team that writes such code has a good reputation for writing secure, correct code. Of all the security vulnerabilities I know of on Windows, only one is due to a syscall not validating its arguments correctly (see the NtCreateAtom bug), and only a few are in the kernel. I'm confident that guideline went into the infamous NT design book and the syscalls were audited for it, being such an obvious trust boundary. Being preemptable, race condition opportunities like this are common in NT, so I would think that the core devs would be aware of and doing this already.

      As for programs that intercept syscalls in order to filter them (e.g. on-access virus scanners), this behavior is inherently unsafe, and the kernel takes extra steps to disallow this in AMD64 versions. The chances of third-party virus scanner ISVs getting this wrong are much higher than Microsoft's kernel devs.

    5. Re:Fast? by petermgreen · · Score: 2, Insightful

      more common is a HUGE understatement, multicore CPUs have brought SMP from something servers and high end workstations sometimes had to something that all but the lowest end computers sold today have.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  2. Multicore? by Anonymous Coward · · Score: 1, Insightful

    How much does the hardware platform affect the attack?
    Multiprocessor systems are marginally easier to exploit since they do not require forcing kernel context switches via paging or other techniques. However, I was able to successfully bypass the same wrappers on uniprocessor systems. I did my experimental work on Intel hardware, but they should work across a range of hardware architectures and configurations.
  3. Re:So what? by ByTor-2112 · · Score: 2, Insightful

    That's you, though. Most people believe that because they have anti-virus software they CAN safely run anything. I still find it an amusing shame that people are so willing to accept the huge performance penalties of anti-virus and now anti-spyware/adware for their utterly broken OS. Intel and AMD have to love this arms race.

  4. a dozen anti-virus companies just squealed in glee by Anonymous Coward · · Score: 2, Insightful

    (Insert Brand Name) Anti-Virus 2008: Multi-Core version (+$25 extra per core)

  5. The example they give is wrong by A+beautiful+mind · · Score: 4, Insightful

    to bypass security protections such as anti-virus software
    Anti-virus software isn't by any means "security protection", especially the type that works on a heuristic basis. They are simply long lists of programs known to be disadvantageous and a daemon that tries to match the list to data on the system.

    Sure, they might offer some kind of band-aid for systems operated by people who do not have the necessary knowledge to operate a computer, but it is first and foremost security theater and it does more harm than good by providing a false sense of security.

    There are two solutions to the problem, by the way. The former is to educate the users and the latter is to switch to Linux. No, seriously. The important part isn't Linux, but switching away from a monoculture, preferably to a desktop environment that is ruled by at least 3-4 systems that are different from each other and that interoperate in well-defined ways with each other. That way, you can get the platform (the systems it can possibly infect) for a virus down to a threshold where the percentage is simply too low for it to be able to spread.
    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:The example they give is wrong by tgd · · Score: 4, Insightful

      There are a billion PCs in the world -- if you think four OSes sharing 25% of that market makes it too small to be of interest to criminals, you're nuts.

      Monoculture is not the problem, although it's a convenient flag to fly when "free as in beer" and "windows sux0rs" runs out.

    2. Re:The example they give is wrong by GreatBunzinni · · Score: 1, Insightful

      You seem to be a bit confused as you missed the point entirely. The point is that if there is a monoculture then a single virus can infect and disrupt the entire market. On the other hand, if there isn't a monoculture, even if a virus spreads violently and wreaks havoc through one OS it will only affect that one OS's market share, leaving all the others unaffected. That would mean, in the 4 OS scenario, that a violent outbreak of some malware would only affect 25% of the entire computing universe.

      The point is not that 25% is not a big enough number. The point is that having 25% of something being affected is a whole lot better than 100%.

      But hey, don't let your anti-linux blind hatred stop you. Go ahead and rant as much as you wish.

      --
      Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
    3. Re:The example they give is wrong by A+beautiful+mind · · Score: 3, Insightful

      Currently in this monopoly culture, the platform (systems a virus can infect) is around 35-40% at best. There are patched systems, way too old operating systems and incompatibilities between different versions of Windows, so that even if Microsoft has an OS monopoly on desktop PCs, it still does not translate into totally monolithic platforms a virus can spread from. (Paradoxically, if everyone ran a subscription-based OS with updates, aka Windows Live, it would make the security situation in IT much, much worse. Possibly a doomsday kind of scenario for IT.)

      If an OS has 25% market share, it would translate to less than 10% of effective platform because of the incompatibilities between old and new versions, sane default settings and because at least some people patch their systems. As far as I know you only need to go below 10% or so to make it infeasible for a virus to spread. The virus would have to be very good at propagating in order to be able to spread at all. Think of the 10% as the number of PCs you could infect in theory, but of course if we for example talk about propagation worm-style or by spam, the real percentage is much lower since there are additional boundaries to pass, like spam filters, even simple NAT home routers, etc. There are simply too many systems in between that the virus would waste time on trying to infect, so finding vulnerable systems is hard.

      Thinking about 25% in this sense suddenly makes more sense, doesn't it?

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    4. Re:The example they give is wrong by tgd · · Score: 2, Insightful

      Nice try, but just FYI I ran Linux as my primary OS for over ten years until I switched to OS X, and still have a half dozen server boxes and three desktops with it here. There's one and only one Windows box in my house and that's my girlfriend's Dell, which she has because a Mac was too expensive.

      Finding blind fan-boi-ism and ignorant arguments annoying doesn't make someone a Linux hater.

  6. Re:So what? by headkase · · Score: 2, Insightful

    You're ignoring the installed base of the OS. When Linux is as popular as Windows then the people writing malicious software will target it as well. They're doing it to make-money/steal-information off of you, Windows is the target now because it offers the highest return on investment. Once the Linux platform is widely popular then security tools will become relatively more necessary for it too.

    --
    Shh.
  7. Re:So what? by Warbothong · · Score: 5, Insightful
    I remember watching an episode of the BBC's (very Microsoft dominated (as in, something major happens with Linux or Ubuntu or whatever, nothing. Some low-down Microsoft employee makes a comment about something he thinks might possibly someday become slightly relevant to some tiny niche and they spend 10 minutes on it)) Click program ( http://www.bbcworld.com/click ) and they had some "experts" (read: marketing guys) saying what the benefits of dual-core CPUs could be. All they could come up with was "You can use one core to do all of your normal activities, and use the other core to run antivirus and antispyware and firewall software constantly".

    I almost cried.

  8. Re:i wouldnt worry too much by 0racle · · Score: 3, Insightful

    It's called a race condition and it can affect/has affected every OS that has SMP capability.

    --
    "I use a Mac because I'm just better than you are."
  9. Re:So what? by TheRaven64 · · Score: 3, Insightful

    When Linux is as popular as Windows then the people writing malicious software will target it as well. And that's why the sensible people will also use Macs, BSD, Haiku, ReactOS, etc. A monoculture is easier to attack than a heterogeneous computing environment.
    --
    I am TheRaven on Soylent News
  10. News flash! by achurch · · Score: 4, Insightful

    In a multitasking system, you can read and write the same memory space at the same time! . . . Oh, I guess it's not news after all.

    Seriously, this is just Yet Another Race Condition. As long as you follow the rules of multithreaded programming (which for syscall wrappers means copying your arguments, since you can't negotiate mutexes with the caller), this is a non-issue.

    Neeext!
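
    The point made by Foolhardy ("make copies of user arguments before they're validated and used") and by achurch ("copying your arguments, since you can't negotiate mutexes with the caller") is easier to see in code. The following is an added example, not code from the article, from Watson's paper or from any commenter. It is a user-space model of a syscall-filtering wrapper, with the "other core" that rewrites the argument during the check-to-use window modelled as a callback (an assumption made so the outcome is repeatable; on real SMP hardware that callback is simply another thread writing the same buffer). The policy, the fake `real_sys_open` and the paths are all invented for illustration; in a real kernel the single fetch in the hardened wrapper would be `copy_from_user`/`strncpy_from_user` or the platform equivalent.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* "User memory": a buffer the caller owns and may change at any moment. */
typedef struct { char path[PATH_MAX_LEN]; } user_args_t;

/* Models the preemption / other-core window between check and use.
   Assumption: a callback instead of a real thread, so the result is deterministic. */
typedef void (*preempt_fn)(user_args_t *args);

/* Invented wrapper policy: only files under /tmp/sandbox/ may be opened. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/sandbox/", 13) == 0;
}

/* Stand-in for the real syscall. Like a real kernel entry point it fetches
   the path from user memory itself; returns 0 and reports what it "opened". */
static int real_sys_open(const char *user_path, char *opened, size_t n) {
    strncpy(opened, user_path, n - 1);
    opened[n - 1] = '\0';
    return 0;
}

/* Vulnerable wrapper: validates the argument where it lives (user memory)
   and then lets the real syscall fetch it a second time. Two fetches, one
   window, and the caller controls what the second fetch sees. */
int wrapper_open_vulnerable(user_args_t *args, preempt_fn race,
                            char *opened, size_t n) {
    if (!policy_allows(args->path))
        return -1;                      /* "EACCES" */
    if (race)
        race(args);                     /* the window: argument is rewritten */
    return real_sys_open(args->path, opened, n);   /* second fetch */
}

/* Hardened wrapper: copy the argument out of user memory exactly once,
   then validate and use only the private copy. The caller can still scribble
   on its buffer during the window, but nothing reads it again. */
int wrapper_open_hardened(user_args_t *args, preempt_fn race,
                          char *opened, size_t n) {
    char kpath[PATH_MAX_LEN];
    memcpy(kpath, args->path, sizeof kpath);       /* single fetch */
    kpath[sizeof kpath - 1] = '\0';
    if (!policy_allows(kpath))
        return -1;
    if (race)
        race(args);                     /* same window, now harmless */
    return real_sys_open(kpath, opened, n);
}

/* The racing thread's action: swap the benign path for the real target. */
static void attacker_swap(user_args_t *args) {
    strcpy(args->path, "/etc/shadow");
}

/* One attempt against a wrapper: true if the attacker got /etc/shadow opened. */
bool bypassed(int (*wrapper)(user_args_t *, preempt_fn, char *, size_t)) {
    user_args_t args;
    char opened[PATH_MAX_LEN] = "";
    strcpy(args.path, "/tmp/sandbox/ok.txt");     /* passes the check */
    int rc = wrapper(&args, attacker_swap, opened, sizeof opened);
    return rc == 0 && strcmp(opened, "/etc/shadow") == 0;
}

int main(void) {
    printf("vulnerable wrapper bypassed: %s\n",
           bypassed(wrapper_open_vulnerable) ? "yes" : "no");
    printf("hardened wrapper bypassed:   %s\n",
           bypassed(wrapper_open_hardened) ? "yes" : "no");
    return 0;
}
```

    The vulnerable wrapper approves `/tmp/sandbox/ok.txt` and then opens `/etc/shadow`; the hardened one opens what it checked. The fix is not a lock (the wrapper cannot lock the caller's memory, which is achurch's point) but removing the second fetch, which is exactly the rule Foolhardy quotes for NT kernel components. Note that the copy must be made before validation, not after: validating the user buffer and then copying it leaves the same window open.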

  11. Re:Robert Watson is a god. by Anonymous Coward · · Score: 1, Insightful

    Slava Pestov

    That guy is a joke... I'm sorry dude but this guy is nowhere near the level of Watson. The numerous logical fallacies he consistently makes in his various IRC and forum posts are quite saddening. I'm sorry but some guy that says that "Latex [wrong spelling by him] and Docbook [other wrong spelling] are equivalent" is nothing but a clueless fool. That Slava is a joke... He's some FP zealot clueless when it comes to OOP/OOD/OOA (go to comp.object Slava and post there for a good laugh about your IQ level). JEdit has no place in my world where I use IntelliJ IDEA (commercial) and... Emacs (eat that Slava FP zealot ;)

    So, yup, he happens to know Java programming and FP... But he's a complete idiot out of his field and I've proved him wrong on countless occasions on various IRC forums. He's actually so pathetic that he'll leave the chatroom once you prove to him by logical reasoning that he's a big-mouthed fool.

    But we live in a world of mediocrity where mediocre people admire mediocre people and mediocre programs made by these mediocre people.

    Slava is a fake, just as Joel.

    Reading your silly post I actually think the real name of the silly anonymous coward is actually "Slava Pestov".

    Oh and btw the leaders of "multicore/multiprocessor revolution" [sic] are actually hardware engineers... Slava's random fartings are nothing compared to this.

  12. Re:Sidebar re Virii by Protoslo · · Score: 3, Insightful

    Although it is a good guess, sadly your assumption that virus is in the fourth declension is also totally wrong. Perversely enough, it is neuter in the second even with the '-us' suffix, so the plural is actually 'vira.'

    As for 'virii,' well, my mind drew a blank, but William Whitaker's Words claims that virii is the genitive singular of 'virium' (verdancy), the noun form of 'vireo.' As for whether that form was ever actually used, though... the Perseus Project server appears to be melting down, or I would check.