Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaspersky To Demo Attack Code For Intel Chips

Posted by ScuttleMonkey on from the also-releasing-a-paint-by-number dept.

snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."

52 of 303 comments (clear)

  1. Heh... by pushing-robot · · Score: 5, Funny

    At least I know I'm safe because I run... Oh, crap.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:Heh... by hostyle · · Score: 5, Interesting

      I wonder if running inside a VM could at all mitigate the attack.

      --
      Caesar si viveret, ad remum dareris.
    2. Re:Heh... by mjs_ud · · Score: 3, Funny

      Time to pull the ethernet cable out. Would someone like to send me the slashdot articles via USPS? There aren't any potential problems with that solution are there? Wait...please send anthrax free too.

      --
      return EXIT_SUCCESS;
    3. Re:Heh... by phorm · · Score: 5, Funny

      At least I know I'm safe because I run...

      AMD?

    4. Re:Heh... by at_slashdot · · Score: 4, Interesting

      At least I know I'm safe because I run... Oh, crap.

      I'm sure AMD fans will make a point that they are protected in this case.

      --
      "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
    5. Re:Heh... by Kamineko · · Score: 4, Funny

      Cut it out! No amount of magic spells are going to mitigate this damage!

    6. Re:Heh... by mweather · · Score: 5, Funny

      Sure, if you run the host computer with an AMD chip. But that would be silly.

    7. Re:Heh... by jimbolauski · · Score: 5, Funny

      My Chinese knockoff fentium processor will be safe.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    8. Re:Heh... by elrous0 · · Score: 4, Funny

      For the first time in a two years, I'm actually glad I went with AMD.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    9. Re:Heh... by g0bshiTe · · Score: 4, Insightful

      Possibly, but as an AMD user myself I can't help but wonder if what can be done on Intel with this won't also open Pandora's box on AMD using the same or similar methods.

      --
      I am Bennett Haselton! I am Bennett Haselton!
  2. That's Nothing, This November I'm Going To... by ergo98 · · Score: 5, Funny

    ...demonstrate how you can make a 1GW fusion reactor out of nothing but a sweaty gym sock and the corpse of a field mouse.

    No, seriously. 100%. Cross my heart.

    1. Re:That's Nothing, This November I'm Going To... by Yvan256 · · Score: 3, Funny

      Macgyver is that you?

    2. Re:That's Nothing, This November I'm Going To... by Thelasko · · Score: 5, Funny

      I'd be more impressed if you demonstrated a working 86 Ford Escort.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:That's Nothing, This November I'm Going To... by ergo98 · · Score: 5, Interesting

      Okay, seriously -- based upon nothing but an overly bold claim featuring some massive technical faults, people are actually believing this? My post should be +5 insightful, not funny, because it really isn't intended to be funny.

      Are people perhaps thinking this is Eugene Kaspersky or something? This guy is no relation to him.

      Maybe, just maybe, someone really is going to sit on an epic, world shaking fault until an October security conference, but every bullshit detector is ringing as loudly as it can ring right now.

      October will roll around and some guy will demonstrate some edge condition non-issue and say "Oh, did they misinterpret and overstate? Those bastards!"

    4. Re:That's Nothing, This November I'm Going To... by Anonymous Coward · · Score: 5, Informative

      Err, Kris Kaspersky has a good reputation and does write pretty good books.

    5. Re:That's Nothing, This November I'm Going To... by Ant+P. · · Score: 5, Interesting

      Sounds like they might have found a practical exploit for one of the many bugs in the Core/2 that OpenBSD were throwing a fit about when it was released. Maybe they were right.

    6. Re:That's Nothing, This November I'm Going To... by TheRaven64 · · Score: 4, Informative

      The Core and Core 2 both have serious errata relating to how they handle virtual memory. It is possible to violate page and segment protections using these, although it is not obvious how to do so in a way that does anything other than crashing (i.e. there is a quite difficult possible DoS and may be a very difficult arbitrary privileged code execution hole). This requires running arbitrary (unprivileged) code, but apparently he's found a way of generating the required code in a JVM.

      --
      I am TheRaven on Soylent News
  3. GNU Hurd Wins Again by y86 · · Score: 4, Funny

    It's OK I run hurd.

    1. Re:GNU Hurd Wins Again by jamieswith · · Score: 3, Funny

      Yeah, you have nothing to worry about - not even the virus writers make programs for hurd!

  4. java: write once... by Anonymous Coward · · Score: 3, Funny

    ...hack everywhere

  5. Java or Javascript? by Yvan256 · · Score: 4, Insightful

    ... remotely attack a computer using JavaScript or TCP/IP packets ... can be exploited using certain instruction sequences and a knowledge of how Java compilers work

    So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.

    1. Re:Java or Javascript? by xzaph · · Score: 3, Funny

      Obviously, it's Javascript implemented in Java.

    2. Re:Java or Javascript? by MindStalker · · Score: 4, Informative

      The official conference website says the same thing
      http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=214

      Reading the conference website sounds like he is saying the can crash computers through forced tight loops via multiple languages, javascript, java, even TCP/IP

  6. Huh? by antifoidulus · · Score: 3, Insightful

    will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work

    Huh? Javascript != Java!!!!

    --
    Monstar L
  7. They may by Sycraft-fu · · Score: 5, Informative

    Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.

    1. Re:They may by Gazzonyx · · Score: 4, Informative

      Yeah, most Linux distros have a microcode update service, although it has to be enabled in the kernel at compilation time, IIRC.

      --

      If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

    2. Re:They may by slimjim8094 · · Score: 4, Insightful

      If this can consistently crash my computer regardless of OS or browser, I'd sure as hell update my BIOS.

      This is a big deal.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    3. Re:They may by peas_n_carrots · · Score: 3, Interesting

      Microcode patches can't fix every type of CPU errata. In some cases a microcode patch might cripple the CPUs performance so badly as to make the fix impractical.

    4. Re:They may by AcidPenguin9873 · · Score: 4, Informative

      Only some things can be fixed via a ucode patch, others cannot. See AMD's TLB errata for an example of something that cannot. Other things can be fixed by disabling a feature, but disabling that feature might cost performance. Once again, see AMD's TLB errata for an example. Still other things can be worked around in the OS, sometimes for negligible performance loss, sometimes not. The Intel F00F bug was a perfect example of something that could be worked around in the OS with no performance loss, and the AMD TLB errata had an OS workaround too which incurred a small (1%?) performance loss. Other things have almost no workaround, and require Intel or AMD to recall silicon and give out new processors. Intel's Pentium FDIV bug was a good example of that. It depends entirely on what piece of the chip is at fault.

      If something can be fixed in ucode for a negligible performance loss, or worked around in the OS for a negligible performance loss, that's the best-case scenario for Intel. In that case it's just a matter of getting BIOSes/OSes updated and patches rolled out to OEMs.

  8. That's it... by Thelasko · · Score: 4, Funny

    no amount of tinfoil can protect me from this exploit. Only one thing left to do...

    *unplugs ethernet adapter*
    [NO CARRIER]

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  9. Publicly available? by AlHunt · · Score: 3, Funny

    "I'm going to show real working code...and make it publicly available," Kaspersky said,

    Indeed. And are you going to make patches publicly available for all the hardware and operating systems in the world, too?

    --
    1 in 4 Maine children in struggle with hunger.
    1. Re:Publicly available? by pclminion · · Score: 3, Informative

      I see, so your argument is that if it can't be fixed by the discoverer, they should keep it obscure. That way, there is no incentive for the vendor to solve the problem since they don't even know about it. Thus, leaving the door open for other nasty people to discover it and exploit it with nobody aware it is even possible. Good plan you got there.

    2. Re:Publicly available? by AlHunt · · Score: 4, Insightful

      >I see, so your argument is that if it can't be fixed by the discoverer,
      > they should keep it obscure.

      Yeah, we could have the oft-heard chicken or egg debate. But we both know where it would end up. One side would say "disclose everything right away" and the other side would say "give the vendors a chance to fix it first". See how much time we just saved?

      --
      1 in 4 Maine children in struggle with hunger.
  10. Plan 9 baby by Bananatree3 · · Score: 3, Funny

    I run Hurd through an emulator on a Plan 9 box. hack that!

  11. Quote by kellyb9 · · Score: 3, Insightful

    ... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.

    Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.

  12. Which ones? by Taibhsear · · Score: 5, Interesting

    Do we have a list of the processors affected by this? Or is this issue in ALL Intel processors?

  13. It must depend some on the OS by jd · · Score: 5, Informative
    For starters, OS' running on either virtual or simulated processors rather than physical ones won't necessarily use the physical instructions that have the vulnerabilities, no matter what the physical processor that the OS is technically using. (If I run Linux under ArcEm, and run ArcEm on an Intel processor, unless ArcEm itself uses the broken instructions, I cannot see how an attacker can reach the Intel processor from the Linux environment for the attack to take place. This is important because the composite environment is nothing more than a really heavy, multi-layer OS as far as the applications are concerned, and this attack is supposedly independent of OS.)

    If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.

    Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OS'. These are OS' used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:It must depend some on the OS by the_brobdingnagian · · Score: 5, Informative
      Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source):

      Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware. Now Intel is telling people to manage the MMU's TLB flushes in a new and different way. Yet even if we do so, some of the errata listed are unaffected by doing so.
      As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.

      And from TFA:

      "It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."

      Sounds like the the same issues to me.

    2. Re:It must depend some on the OS by grcumb · · Score: 3, Informative

      Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source):

      As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.

      People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  14. Re:Speculative by Anonymous Coward · · Score: 4, Informative

    An attack against a Mac is also a possibility

    That's a bit of a conjecture isn't it? Can we at least have a demonstration?

    OMFG! From the summary:

    Attack Code For Intel Chips ... regardless of OS

  15. Re:Don't worry. . . by ymail.com · · Score: 4, Funny

    If Intel doesn't release that hardware patch, it's time to go play in another Sandbox.

    Or else go back to 1999 where Pentium III machines with Intel's processor ID enabled in CMOS enable shoppers to have an "enhanced online experience" while they run IE 4.01 from Windows machines that aren't behind a firewall ... to safely prove who they are to websites.

  16. you say tomato... by DragonTHC · · Score: 4, Insightful

    They call it a flaw, while I call it a backdoor.

    --
    They're using their grammar skills there.
  17. i've read a number of story summaries in my time by circletimessquare · · Score: 3, Informative

    and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  18. Discovery channel by Mathness · · Score: 5, Funny

    As seen on today's TV schedule for Discovery

    Now showing: Intel, when code attacks.
    Next show: Lasers.
    Next week: Shark week.

    --
    Carbon based humanoid in training.
  19. Interesting by mlwmohawk · · Score: 3, Insightful

    If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.

    I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.

    This is all possible if...

    You need to reliably produce a series of instructions on a typical jvm. This doesn't present a problem as primitive expressions probably get predictable JIT sequences,

    The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions that doubly bad.

    One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.

  20. Reality check by jmorris42 · · Score: 3, Insightful

    > The government just supplies a cheap alternative that people elect to use.

    No my statist friend, we don't 'elect' to use the USPS if we can avoid it. But we don't have a choice in some cases because the US Government grants a monopoly on letter delivery. UPS and Fedex can deliver freight and because nobody thought it possible and thus Congress didn't forbid it in time, overnight letters. Notice how totally the private competitors dominate the postal service in those catagories? How many YEARS it took for the postal service to even attempt an overnight delivery service... that still only promises (as in refund you money for being late) 2-3 day delivery between most endpoints.

    Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up. They would probably have to adopt the same subsidy tactics as the USPS, i.e. use bulk mailers to subsidize 1st Class postage. But not being a government agency, once they demolished the USPS would restore actual market forces. So you would end up paying a bit more to send a letter AND get a bit more paper spam. But mail would flow quicker and with greater reliability.

    --
    Democrat delenda est
    1. Re:Reality check by jonbryce · · Score: 4, Insightful

      You might think that would happen, but if the British experience of removing the monopoly is anything to go by, your postal service will get worse.

      We've always had overnight delivery, but then, Britain is a much smaller country.

      The private operators are only interested in business mail. DX will do deliveries for small companies. The rest of them are only interested in bulk mail, such as bank statements and utility bills. For the rest of us, Royal Mail are now charging more, because they get less of the bulk mail to subsidise personal mail, and they are becoming much less reliable at delivering it.

    2. Re:Reality check by Paradise+Pete · · Score: 5, Insightful
      Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete?

      .

      I don't know. To me it's pretty darn amazing that for 42 cents I can drop an envelop in a slot and a few days later it is hand-delivered to someone on the other side of the country. If that service didn't exist and you asked me to guess what it would cost, 42 cents would not be the answer.

    3. Re:Reality check by mOdQuArK! · · Score: 5, Insightful

      Actually, the main "valid" reason for the government providing letter service is to provide services to those geographic areas where the "free market" would flat out decide that it wasn't worth servicing those areas. If this wasn't a requirement of the USPS, they could easily drop all their rural routes & compete with any of the normal package carriers.

      Of course, whether or not we should be inefficiently supporting those remote rural areas is a whole 'nother area of debate. I'm sure there's a lot of small town supporters that would scream bloody murder if you argue that those small towns should be allowed to disappear by cutting off any form of government infrastructure subsidy for those locations.

  21. Re:Im sure his Anti Virus will stop it :) by Clandestine_Blaze · · Score: 4, Informative

    Im sure his Anti Virus will stop it :)

    I initially made that mistake too, but Kris Kaspersky != Eugene Kaspersky

    Kris is a security researcher and author.
    Eugene is the guy behind Kaspersky Lab.

    I wish the article had made the distinction, since some people are more familiar with Kaspersky the anti-virus creator and not the author.

    Though this does remind me of the urban legend that anti-virus companies are behind all of the anti-viruses:
    http://xkcd.com/250/

    --
    Best "String" Ever!
  22. Disable scripting/plug-ins by default/use NoScript by the+JoshMeister · · Score: 4, Interesting

    If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript, which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.

    Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.

    Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?

    Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab or Eugene Kaspersky, but he's apparently the author of a number of books on programming and other computer subjects.

    --
    the JoshMeister on Security
  23. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion