Attacking Multicore CPUs

Ant writes "The Register reports that the world of current multi-core central processing units (CPUs) just entered is facing a serious threat. A security researcher at Cambridge disclosed a new class of vulnerabilities that takes advantage of concurrency to bypass security protections such as anti-virus software The attack is based on the assumption that the software that interacts with the kernel can be used without interference. The researcher, Robert Watson, showed that a carefully written exploit can attack in the window when this happens, and literally change the "words" that they are exchanging. Even if some of these dark aspects of concurrency were already known, Watson proved that real attacks can be developed, and showed that developers have to fix their code. Fast..."

Fast?

[JordanL]

and showed that developers have to fix their code. Fast...

Ummm... no. In a world where the list of things that most developers need to fix is quite lengthy, some of which renders your average app unusable or even dangerous, fixing an exploit of a hardware configuration which has no proven virii in the wild is not at the top of the list.

Yes, it's important to be proactive. No, such a difficult and obscure attack is not something that is priority one.

Re:Fast?

"No, such a difficult and obscure attack is not something that is priority one"

Thread one sends a command to the OS and knowing that it will take time x to complete

Thread two waits (x-d) before overwriting the buffer used to store the command (after the OS has checked it for validity, but before the OS has actually processed it)

what's obscure about that?

Re:Fast?

Perfect, another moron who thinks idiot is plural.

Re:Fast?

[g0dsp33d]

I agree. If you read the article, you'll notice that such attacks as "This was possible on both uniprocessor systems and multiprocessor systems." Also, it has been known since at least 1998. I'm guessing its not that big of a deal, because exploit code would be difficult, there are easier targets, and lastly because anti-virus software could probably still look for the code(not in real time, but only when its infected on disk or transit).

Re:Fast?

[Sique]

Main problem: the latin virus, meaning 'slime' or 'poison', is a singularitantum. So there is no historical plural for virus. That allows us to just make one up. And we should make it so, that it doesn't interfere with the plural of vir (man).

Re:Fast?

[Foolhardy]

If that's all it is, Windows NT (and its later incarnations like XP and Vista) aren't vulnerable because kernel components facing user mode are always expected to make copies of user arguments before they're validated and used. Since the NT kernel is preemptable this would be a problem even on single CPU machines because the thread handling the syscall could be interrupted by the scheduler to execute another thread while the first was validating the arguments. Only data that is treated opaquely (e.g. a buffer to write to a file) can be accessed directly safely. This has been known and accounted for since NT was originally designed. Of course, that doesn't rule out the possibility of 3rd party developers not following the rules.

From Common Driver Reliability Issues: User-Mode Addresses in Kernel-Mode Code

Be prepared for changes to the contents of user-mode memory at any time; another user-mode thread in the same process might change it. Drivers must not use user-mode buffers as temporary storage, or expect the results of double fetches to yield the same results the second time.

Re:Fast?

[Tim+C]

Correct me if I'm wrong, but that sounds awfully similar to a race condition (it clearly isn't one, but it certainly *looks* like one), which would seem to me to mean that it would have all the same dependencies on the vagaries of system load. I'm not saying that this would be impossible to pull off, just difficult to do so consistently.

Of course, depending on what you're actually trying to achieve, consistency may not be an issue.

Re:Fast?

[JoelKatz]

This has nothing to do with multi-core CPUs. This exact same attack would work on the run-of-the-mill SMP systems that have been around for decades. Multi-core CPUs just make SMP systems more common.

Again?

[DeHackEd]

Looks like a variation (or maybe a dup) of this.

Damn it

[Frogbert]

You see, Its these kind of computing professionals that make me feel like a fraud when people call me a computer genius.

Stop raising the bar you tool!

Neither submitter nor editor RTFA...?

[perrin]

It seems that neither the submitter nor the slashdot editor read the article in question. The attack is not specific to multi-core systems, and it works only against programs that wrap system calls to add additional system protection. So it does not pierce through standard OS security, and you already need to have execution privileges. The writeup is just hype and FUD, IMHO.

Re:Neither submitter nor editor RTFA...?

[Richard+W.M.+Jones]

It's also old news.

The SELinux guys debunked it over a month ago.

Rich.

Re:Neither submitter nor editor RTFA...?

He didn't debunk it; he agreed that system call wrappers have all kind of problems and described Watson's work as a "good paper". He then pointed out that SELinux doesn't use system call wrappers, so it doesn't have these problems. That doesn't mean the problems aren't real elsewhere.

But I agree it's old news. It was old news ten years ago. Security has to be in the kernel. Period.

The example they give is wrong

[A+beautiful+mind]

to bypass security protections such as anti-virus software

Anti-virus software isn't by any means "security protection", especially the type that works on a heuristical basis. They are simply long lists of known to be disadvantageous programs and a daemon that tries to match the list to data on the system.

Sure, they might offer some kind of bandaid for systems operated by people who do not have the necessary knowledge to operate a computer, but it is first and foremost a security theater and it does more harm than good by providing a false sense of security.

There are two solutions to the problem by the way. The former is educate the users and the latter is to switch to linux. No, seriously. The important part isn't linux, but switching away from a monoculture preferably to a desktop environment that is ruled by at least 3-4 systems that are different from each other and they are interoperating in well defined ways with each other. That way, you can get the platform (the systems it can possibly infect) down for a virus to a threshold where the percentage is simply too low for it to be able to spread.

Re:The example they give is wrong

[tgd]

There's a billion PCs in the world -- if you think four OS's sharing 25% of that market makes it too small to be of interest to criminals, you're nuts.

Monoculture is not the problem, although its a convenient flag to fly when "free as in beer" and "windows sux0rs" runs out.

Re:The example they give is wrong

[A+beautiful+mind]

Currently in this monopoly culture, the platform (systems a virus can infect) is around 35-40% at best. There are patched systems, way too old operating systems and incompatibilities between different versions of windows, so that even if Microsoft has an OS monopoly on the desktop PCs, it still does not translate into totally monolithic platforms a virus can spread from. (Paradoxically if everyone would run a subscription based OS with updates aka windows live it would make the security situation in IT much much worse. Possibly a doomsday kind of scenario for IT.)

If an OS has 25% marketshare, it would translate to less than 10% of effective platform because of the incompatibilites between old and new versions, sane default settings and because at least some people patch their systems. As far as I know you only need to go below 10% or so to make it infeasible for a virus to spread. The virus would have to be very good at propagating in order to be able to spread at all. Think of the 10% as the number of pcs you could infect in theory, but of course if we for example talk about propagation by worm style or by spam, the real percentage is much lower since there are additional boundaries to pass, like spamfilters, even simple NAT home routers, etc. There are simply too many systems inbetween that the virus would waste time on trying to infect, so finding vulnerable systems is hard.

Thinking about 25% in this sense suddently makes more sense doesn't it?

Re:i wouldnt worry too much

[TomV]

would only work on windows boxes anyway

Now, I know nobody likes to be caught Reading The Fine Article, but it's maybe worth pointing out that according to The Fine Article, the exploit was demoed on Linux, FreeBSD, NetBSD, and OpenBSD. No mention of any other specific OS, though Watson did say "They should apply equally well on other operating systems".

Re:So what?

[Warbothong]

I remember watching an episode of the BBC's (very Microsoft dominated (as in, something major happens with Linux or Ubuntu or whatever, nothing. Some low-down Microsoft employee makes a comment about something he thinks might possibly someday become slightly relevant to some tiny niche and they spend 10 minutes on it)) Click program ( http://www.bbcworld.com/click ) and they had some "experts" (read: marketing guys) saying what the benefits of dual-core CPUs could be. All they could come up with was "You can use one core to do all of your normal activities, and use the other core to run antivirus and antispyware and firewall software constantly".

I almost cried.

Er, that's an OLD attack

[davecb]

It works on any multiprocessor, including an
IBM 360/168 mainframe, where I first encountered it.

--dave

Re:i wouldnt worry too much

[0racle]

It's called a race condition and can/has affect every OS that has SMP capability.

Re:So what?

[TheRaven64]

When Linux is as popular as Windows then the people writing malicious software will target it as well. And that's why the sensible people will also use Macs, BSD, Haiku, ReactOS, etc. A monoculture is easier to attack than a heterogeneous computing environment.

Re:Sidebar re Virii

[Nazlfrag]

quote>The proper latin plural for virus is, if memory serves, virus.

I'm a viroligist, you insensitive clod, and besides the obvious plural for virii is viruseses. Duh.

Re:So what?

[prator]

Congratulations! This is the first time I've ever seen someone use nested parentheses in non-code. You win a set of extra parentheses keys (because (as I've noticed) you seem to use them a lot).

News flash!

[achurch]

In a multitasking system, you can read and write the same memory space at the same time! . . . Oh, I guess it's not news after all.

Seriously, this is just Yet Another Race Condition. As long as you follow the rules of multithreaded programming (which for syscall wrappers means copying your arguments, since you can't negotiate mutexes with the caller), this is a non-issue.

Neeext!

Re:i wouldnt worry too much

[sjames]

It's not even restricted to SMP. Some of the more clever hacks will work on a uniprocessor system by retrying until a context switch happens at just the right instant (or wrong instant depending on your perspective). They may stack the deck in their favor by arranging for a function call to cause a page fault. It's certainly easier to exploit with multiple processors.

The one certainty is that this form of attack is nothing like new.

Of course, many syscall wrappers can be bypassed by coding a syscall directly in assembly language rather than calling a library function.

The crux of the problem for ptrace based systems is that some syscall parameters are stored in user memory. Consider the open call in an environment using ptrace for security. I write a multi-threaded app and create a buffer holding the filename. I set it to "/some/path/thats/ok" and call open. The ptrace process is notified of the call, accesses the filename parameter in my thread's memory and decides it's OK, so it calls ptrace to allow the syscall to happen (rather than nullifying or killing my process).

IF my second thread can change the filename buffer to "/some/path/I/shouldnt/be/allowed" between the moment that the tracer decides it's OK and the moment it calls ptrace to allow it , the kernel will open the file for me and I have bypassed security.

On a uni-processor system, I might have to make a great many attempts, but with persistance, eventually my second thread might get scheduled at just the right moment to make the change. If I succeed once, the billion failed attempts won't matter.

The central problem in this instance is that ptrace was intended to be a debugging interface and not a security measure.

Solving that problem could get quite complex. If the security measure must also validate data written (which could potentially be several GB), the kernel would have to make sure that no thread in any process that has access to the memory the syscall covers can be scheduled AND that no other ptrace parent of those threads can be scheduled. It can do that by walking process structs under a lock (expensive) or temporarily marking the affected pages R/O and blocking on a fault (also expensive on most archetectures). Even if such a measure is taken, it shouldn't apply to a normal ptrace since it would significantly change the behaviour of a program being debugged.

The difficulties above are why all files that can be accessed by a system that can access classified data must also be treated as classified no matter what they are. Otherwise a badguy might manage to stuff a blob of top secret data into an unclassified file for later retrieval. Just imagine the nightmare of attempting to track classification level page by page and proving it can't do the wrong thing.

It's related to the reason that no DRM scheme can ever provide absolute protection against a sufficiently determined copier.

If the security is limited to parameters that have a more sane maximum size (such as a filename where MAXPATHLEN is a set value), the kernel could copy the parameter first and provide it to the tracer process using a different syscall.

From a more theoretical POV, any OS kernel that unwisely relies on a parameter in userspace not changing between the time it validates access and the time it fulfills the request can even have it's internal access controls violated or end up getting crashed on an SMP system. That's one reason why modifying a kernel meant only for uniprocessor systems to support SMP is VERY non-trivial.

Re:Sidebar re Virii

[Protoslo]

Although it is a good guess, sadly your assumption that virus is in the fourth declension is also totally wrong. Perversely enough, it is neuter in the second even with the '-us' suffix, so the plural is actually 'vira.'

As for 'virii,' well, my mind drew a blank, but William Whittaker's Words claims that virii is the genetive singular of 'virium,' (verdancy), the noun form of 'vireo.' As for whether that form was ever actually used, though...the perseus project server appears to be melting down, or I would check.