Kaspersky To Demo Attack Code For Intel Chips
snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."
At least I know I'm safe because I run... Oh, crap.
How can I believe you when you tell me what I don't want to hear?
...demonstrate how you can make a 1GW fusion reactor out of nothing but a sweaty gym sock and the corpse of a field mouse.
No, seriously. 100%. Cross my heart.
It's OK I run hurd.
...hack everywhere
I'm sure Intel will release a patch. ;)
If fate makes you a motorcycle, you become a motorcycle.
So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.
> will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work
Huh? Javascript != Java!!!!
> a knowledge of how Java compilers work
Hrm, seems like he's counting on things happening in a certain sequence. So, perhaps a JVM could do more stuff in an unpredictable order? Perhaps using an SSA representation and context switching threads? Yeah, slightly more expensive, but let Firefox turn it on for me when I'm running untrusted code.
No... wait....
Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.
no amount of tinfoil can protect me from this exploit. Only one thing left to do...
*unplugs ethernet adapter*
[NO CARRIER]
Indeed. And are you going to make patches publicly available for all the hardware and operating systems in the world, too?
Don't Intel processors contain a flash area? And, if so, what can it be used for? Can it be used in some way to fix or bypass this?
That's right. Another pro for Sun machines.
I thought it was the year of the Linux desktop
I run Hurd through an emulator on a Plan 9 box. hack that!
That's a lot of work. If you were smart like me, you would have done what I did and saved that time by building an x86 clone in your mom's garage!
> ... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.
Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.
Do we have a list of the processors affected by this? Or is this issue in ALL Intel processors?
And slow windows to a crawl.
I wonder if these exploits can be prevented using a filter in the compiler?
If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.
Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OS'. These are OS' used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.
> An attack against a Mac is also a possibility
That's a bit of a conjecture isn't it? Can we at least have a demonstration?
OMFG! From the summary:
> Attack Code For Intel Chips ... regardless of OS
The article states the vulnerability is at the CPU level and can be exploited on any OS. Are you claiming Mac OSX isn't an OS?
Not this mac... it's a G5. And my other box is SPARC. =)
They call it a flaw, while I call it a backdoor.
They're using their grammar skills there.
Having been involved in compiler work I'm very surprised. I've had to code round some processor faults (and very annoying they are to diagnose too) but I would never have expected that what went out could be subject to attacks like this.
> ... how Java compilers work, allowing an attacker to take control of the compiler ...
Now I know why javac stole my vacation pictures. It was driven by an attacker!
Nope. But I'm saying every OS uses the chip differently. For example, Windows apps share the same memory space (well, far pointers do anyhow). So this does affect what a CPU-level attack could do. That and other issues I'm sure.
So, saying a specific CPU attack could also affect another system is speculative. I'm willing to concede there's a risk but simply FUDding the issue around is just not constructive.
You cheat!
But it was implied it was about Mac OS X on Intel Macs.
...unless there is CPU errata that Intel hasn't fixed for years. We've got the chicken-little "the sky is falling" reaction going on here but (unless I'm seriously misguided) Intel fixes their errata.
My personal view is that such malware may only be able to take over a very small percentage of systems out there. The scope may be limited to something as (relatively) rare as an Intel Core 2 CPU within a specific FSB range and specific stepping. Throwing all those factors together, I doubt any such errata would encompass more than 10% of the PCs out there. Considering how many different variations of CPUs are out there--Intel/AMD/Via, Pentium-D/Core 2/Xeon/Pentium-M/Pentium 4, FSB differences, stepping, etc.; such malware might be extremely dangerous for a very small subset of Internet-connected PCs.
Now, if a malware author knows of a CPU bug that Intel/AMD does not know about, then this could be extremely serious, encompassing multiple generations of CPUs...
While I can imagine a can full of JavaScript, what I don't understand is what use a Java compiler would have inside such a can.
Yea, well MY other box is in moms basement. It is totally immune to your "real world" problems.
> Nope. But I'm saying every OS uses the chip differently. For example, Windows apps share the same memory space (well, far pointers do anyhow). So this does affect what a CPU-level attack could do. That and other issues I'm sure.
Win 3.1 called and wants its memory model(s) back. Win32 has a 32-bit flat memory space (or 64-bit on x64), all pointers are the same size, segments do not matter and each process has a local space. Some pages might be shared, of course, but that's done through memory mapping, like in (mostly) any other OS. WinCE has/had some interesting slots, though.
http://conference.hitb.org/hitbsecconf2008kl/?page_id=214 - Remote Code Execution Through Intel CPU Bugs
After I RTFA I found the hitb.org abstract; better than Inforworld, but still not too informative.
and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"
As seen on today's TV schedule for Discovery
Now showing: Intel, when code attacks.
Next show: Lasers.
Next week: Shark week.
If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.
I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.
This is all possible if...
You need to reliably produce a series of instructions on a typical JVM. This doesn't present a problem as primitive expressions probably get predictable JIT sequences.
The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions, that's doubly bad.
One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.
> The government just supplies a cheap alternative that people elect to use.
No my statist friend, we don't 'elect' to use the USPS if we can avoid it. But we don't have a choice in some cases because the US Government grants a monopoly on letter delivery. UPS and Fedex can deliver freight and, because nobody thought it possible and thus Congress didn't forbid it in time, overnight letters. Notice how totally the private competitors dominate the postal service in those categories? How many YEARS it took for the postal service to even attempt an overnight delivery service... that still only promises (as in refund you money for being late) 2-3 day delivery between most endpoints.
Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up. They would probably have to adopt the same subsidy tactics as the USPS, i.e. use bulk mailers to subsidize 1st Class postage. But not being a government agency, once they demolished the USPS would restore actual market forces. So you would end up paying a bit more to send a letter AND get a bit more paper spam. But mail would flow quicker and with greater reliability.
That a white hat shows that it is possible doesn't exclude the possibility that black hats already found it and are actively exploiting it.
It would be interesting to know the line of processors affected, or a tool that shows that one is vulnerable (ok, maybe it's not such a great idea, lots of malware disguises itself as vulnerability checkers). Or if there are any practical limitations on what they can do (i.e. if it is very dependent on processor model, JVM used, OS version and so on).
And, of course, what kind of protection we have in the worst case (that this starts to be widely exploited in the wild). Firewalls don't work here, probably antivirus will be useless too, my best bet is NoScript and similar programs.
Sounds just like it to me; and I remember the crap Theo had to put up with for his keen observations.
Most machines have Flash chips, OpenBIOS is an OpenFirmware (IEEE 1275-1994) open source alternative with Forth interpreter built in, FreeBIOS will let you bootstrap an OS kernel like Linux (some forms of Windows are also doable), and even Intel's Tiano (used as the basis for many modern BIOSes) is under the BSD license. The range of supported chips, given the three different systems available to you, is vastly superior to the range you can install any commercial BIOS on. Support for industry standards is also vastly superior to many commercial offerings. I say let the commercial BIOSes rot in the cesspit of their own making, and use the technologies that are already available to you.
Well at least you won't care that your system got rooted...
Big question here. Why the hell are they demoing an exploit which can't be patched? Isn't that kind of...I don't know...nihilistic?
The only thing I got from that was "slave drone troll". So I'll assume you are speaking in trollish, and a dialect I'm not familiar with. At any rate, I was wondering if you would be so kind as to give me your bank account number, as I have a large sum of money that I need to secure for this prince friend of mine...
If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript, which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.
Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?
Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab or Eugene Kaspersky, but he's apparently the author of a number of books on programming and other computer subjects.
... we're reminded of the inherent dangers of a monoculture.
Didn't there used to be an old saying about not putting all your eggs into one basket?
How many more forms of this sage advice can we come up with?
It says something about the collective intelligence of our vaunted "market" economy, no?
> Cut it out! No amount of magic spells are going to mitigate this damage!
Yeah, you need a saving throw to do that.
You obviously don't understand the CPU; every OS does not use the chip differently. A trivial implementation detail such as segmentation-based OS microservices versus a monolith sharing its VMA space with the current userland process is not "using the CPU differently."
This sounds like it's exploiting one of the MMU errata in recent Intel chips, and there are quite significant differences in how operating systems use the MMU. One particular difference is the degree to which they use segmentation. Some use a single segment for everything and just rely on paging, some use a ring-0 segment for the OS to avoid a TLB flush during system calls, some (like OpenBSD) use multiple segments per process to implement better access control than paging allows on (pre-NX) x86. Exploits relating to bugs in segment handling will affect each of these operating systems differently.
By the power vested in me by mod points, I hereby declare this the one true name of this exploit. All others are fakes.
It's another case of "security research by press release, you can have the details in X months. in the mean time, I'll pump the PR wires".
Show us the code, or pipe the fuck down you attention whore.
> Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up.
Can you actually point to the section of the US code that prohibits a third party from delivering first class style mail? I mean, if a private company wanted to sell a service moving an ounce across 3000 miles for 50 cents, they could. It's just, you'd have to be able to go to Wall Street and say, "well, once you invest in 100,000 delivery vans and thousands of local offices, then I can go and compete with the USPS in a market segment that's slowly dying." It just doesn't look like a business that has any upside to it.
The other thing, too, is that, being a quasi government entity, the USPS has to actually deliver to everyone. UPS doesn't. So, yeah, theoretically, if you privatized the mail, you might find out that you actually wouldn't get -any- mail at all unless you lived in the more densely populated areas of the country.
In any case, now's exactly the time to be touting the miracles of capitalism, when we the taxpayers of the United States might be about to double the debt of the Federal Government, which winds up having to do an Amtrak on what's left of our mortgage and finance industry. Yeah, talk to me about the miracles of the private sector right when you go look at the price of Bear Stearns, Countrywide, National City Bank, Lehman Bros, and other stocks. Fine bunch of capitalists, they are, all getting bailed out in one way or the other by, wow, of all things, that grossly incompetent government.
I don't remember any "BR" instructions for the 6600 - then again my exposure to the CDC 6600 instruction set was from an assembly language class I took just over 35 years ago (man, I'm getting old...). I still have my copy of Grishman handy, and while it had a section on branch instructions, the instructions were referred to as "jumps". I'm not that familiar with the 3000 series instruction set (the 3000's were silicon transistor remakes of the germanium transistor 1604), so there might have been branch instructions for the 3000.
Dunno which CDC processor that might have been. With the various Cyber machines I worked with, one standard way to hang a process was to do an EQ * (branch to self); JP * was equally effective. It didn't hang the machine, just the process, and could easily be killed through NOS. In fact, standard practice was to make subroutine entry points be EQ *, so if you somehow entered the routine before it ever got called the process would hang. I never did that, I used PS, so the process would just halt immediately. All the operators ever did with a hung process was to drop it and cause the same crash dump that the PS did.
The HiTB Security Conference in KL website is at http://conference.hackinthebox.org./ see you chaps in KL !
I'm using a browser with disabled scripting (JavaScript, Visual Basic Scripts, ActiveX, Silverlight) and I got infected yesterday while meta moderating. I followed a link to gnaa.org or something like that and picked up a trojan that copied the Internet Explorer cache, history and favorites into the Documents and Settings/
After killing Explorer.exe I was able to delete some of the files, and the rest was converted into unusable files by Microsoft scandisk after I reset my PC.
It seems that some slashdot trolls use a 10+ years old bug in the Windows JPEG decoder used by my internet browser.
I'm using unpatched Windows XP SP2 with most of the Windows services disabled. I'm behind NAT. My PC was infected several times in 3 years, mostly from running infected files. The story from the headline most likely refers to Windows XP PCs that have a direct internet connection. A PC running Windows XP SP2 is quite safe if it is behind NAT and a firewall and if the browser has NoScript or a similar plug-in, as you have pointed out.
> Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?
The BIOS upgrade works around bugs in CPU and chipset, it does not fix the CPU or the chipset. I doubt that Apple needs to update EFI as it was the first one to officially point out bugs in Intel CPU.
Some Intel CPUs allow microcode updates. As far as I know Microsoft and Apple included a microcode update in one of their patches.
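Several comments above (microcode being field-updatable via BIOS or OS patches, and the wish for a way to tell which processor line and stepping a machine has) come down to one defender's check: which family/model/stepping is this CPU, and which microcode revision is actually loaded? The script below is an added example, not code from the thread; it parses the Linux /proc/cpuinfo format and prints the stepping signature in the two-digit hex form that Linux intel-ucode file names use (e.g. 06-17-0a), which is what you compare against the vendor's current release. The sample cpuinfo text is constructed for the example.

```shell
# Constructed sample in the layout of a Linux /proc/cpuinfo entry (Core 2 era values).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 23
model name  : Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping    : 10
microcode   : 0x60f
cpu MHz     : 2999.000
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat'

# Read cpuinfo-style text on stdin and print "<family>-<model>-<stepping> <microcode>"
# for the first processor, with each number as two-digit lowercase hex
# (the intel-ucode file naming, e.g. 06-17-0a). Exit 1 if the identifying
# fields are missing, so a caller can tell "unknown CPU" from "no microcode field".
parse_cpuinfo() {
    awk -F': *' '
        /^processor/   { if (seen++) exit }   # stop after the first CPU entry
        /^cpu family/  { fam = $2 }
        /^model[ \t]*:/ { mod = $2 }          # "model", not "model name"
        /^stepping/    { step = $2 }
        /^microcode/   { ucode = $2 }
        END {
            if (fam == "" || mod == "" || step == "") exit 1
            if (ucode == "") ucode = "unknown"   # older kernels omit the field
            printf "%02x-%02x-%02x %s\n", fam, mod, step, ucode
        }'
}

# Report the live values on a Linux host; elsewhere fall back to the constructed sample
# so the example still runs (the fallback is for demonstration only).
report_host() {
    if [ -r /proc/cpuinfo ]; then
        parse_cpuinfo < /proc/cpuinfo
    else
        printf '%s\n' "$SAMPLE_CPUINFO" | parse_cpuinfo
    fi
}

report_host
```

The first field of the output is the signature to look up in your vendor's microcode release notes; a revision lower than the current one for that signature means the BIOS or OS microcode loader has not delivered the fix.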
Apple fan boys, gotta love em....
This guy and the poster....
GASP... Even a Mac could be at risk....
OH NOOOOO !! Macs might be susceptible to an exploit!! Surely this is impossible ?!
This sort of bravado and complacency that seems to be rife amongst the Mac community must be, for your average black hat, like waving a red flag to a bull.
I'm OK - I run ARM Linux :)
Not sure why this is being modded down, its a legitimate question.
As it stands the attack seems to depend on Sun's Java compiler acting to produce very specific instructions. It's a reasonable assumption that Apple's version of Java could work slightly differently.
The summary says javascript flaw, then it says java.
??
Isn't that the usual approach when other brands are equally vulnerable?
Or is the Mac no longer the big prize it once was?
Intel chips open to hacks, four minutes to own a Windows machine connected to the Internet, the DNS system wide open to exploits, spam/viruses and phishing running rampant. Like, what have these innovators been doing for the past decade?
Am I the only one that happened to read the /. write up on the Stealths being upgraded to Pentiums immediately before reading this article?
Now, of course, they shouldn't be using javascript (or java?) on Stealths, nor are the Stealth's chips likely to have the same bugs.
But it was kind of a double-take inducing sequence of articles...
OK so he gets control of the Java compiler. What then? He is running as a normal user in a normal user account and he still has a long ways to go to take over a Linux or BSD machine.
If you want to run code as the user then it's simpler to just trick him. Write a trojan. "click here for free porn" should work well enough.
...that couldn't already be done through an OS vulnerability? First, for any code to even touch the CPU, it has to be executed. Is there another way to inject code into the CPU that I'm missing? And if the worst it can do is crash the computer, then won't people eventually learn not to [run that program/visit that web site]? The fact that it may be able to crash Windows, Linux and Mac computers that open the same program or web site isn't that exciting to me. And I can't see any way an attacker could leverage a CPU flaw into root access on every OS. Root access is an OS thing, not a CPU thing. Right?
I'm on AMD at home, but I bet a fair number of sites I use do run on Intel systems. If they go down, it'll be rather annoying.
Anyway, I wouldn't be surprised if PowerPC, AMD etc have exploitable errata too. But if you were going to pick a CPU to exploit, you might as well try Intel first.
If this were real, USAF would have hired him, hushed it up, and waited until a good time to start crashing machines overseas. The Great Firewall isn't really a firewall, and if TCP packets can be sent to crash any Intel machine, then it'd be darn effective.
It seems so much like snake oil that it better not be true. I am glad that I have AMD in half my machines though, just in case.
Incorrect conjugation of to have.
Yes, I wear the elite SS Grammar Nazi badge.
I did mean my comment as a joke though. Btw. grammar nazis (almost wrote 'nazi grammars':) are appreciated by non-native English users (like myself), who are naturally good at writing in their native language (like myself), but lazy* to properly learn the other language.
*Actually not lazy, but one cannot properly learn a language without using it, preferably in one of their own domains.
And don't forget these folks... :-)
Living not far from the country where this conference will take place, I wanted to attend and apply for a pass. But to my great disappointment, the ticket is about 4000 ringgit, or 900 euros, or 1200 USD. This is simply ridiculous! I will not go, unless I can convince my employer to send me there. And I was very surprised to see that Microsoft is one of the sponsors.
I'm a native English speaker, but the grammar nazism comes from learning Spanish. If you told a native English speaker that they did not properly conjugate a verb, they'd look at you and go "Huh?"
As for my Spanish, my writing is rather accurate, but I speak "Spanglish" because my mouth is ahead of my brain. Still think in English!