Slashdot Mirror

← Back to Stories (view on slashdot.org)

How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com)

Posted by BeauHD on from the behind-the-scenes dept.

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

8 of 138 comments (clear)

  1. If only I know who to short ... by 140Mandak262Jamuna · · Score: 2, Insightful

    OK, the bug is big. Impact is going to be big. But who's gonna be punished by the market? Who can I short? Will users of Cloud services demand their processes to be hosted on exclusive servers not shared with others? Would it raise cloud costs? Would they punish Intel?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:If only I know who to short ... by XanC · · Score: 5, Insightful

      Most likely Intel's numbers will go up, at least in the short term, as people buy more CPUs to make up for the performance hit.

    2. Re:If only I know who to short ... by sjames · · Score: 4, Insightful

      Actually, AMD is significantly harder to exploit than Intel. The performance crushing patch simply brings the Intel processor level with AMD.

  2. Woah by Anonymous Coward · · Score: 5, Insightful

    Does EVERYTHING have to be in a bold font?

    Please fix!

  3. Is it just me? or ... by 140Mandak262Jamuna · · Score: 5, Insightful

    Every is seeing too much of bold fonts? Did someone forget a closing bold tag in some style sheet?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Can you trust your software? by Anonymous Coward · · Score: 1, Insightful

    If you're not running malicious programs on your computer, you're not vulnerable to these attacks. It's much tougher to sneak malicious functionality into open source software. If the source code is available, it's far more likely someone would notice the malicious behavior than if the software is closed source. It seems like the processor and other hardware hasn't been explored as an attack surface to nearly the same extent as software. I expect there will be more bugs like these, and it's a matter of time before they're found and exploited. The damage from these vulnerabilities can be mitigated by blocking untrusted code (like a lot of JavaScript that could exploit Spectre-like vulnerabilities) and using open source. I'm far more willing to trust that the open source software running on my Linux system isn't working against me than I am with closed source software.

  5. Re:Intel ME by 110010001000 · · Score: 4, Insightful

    I think people still don't understand: there is no "fix" for Meltdown other than to replace your Intel chip with another one that doesn't have this flaw. The software patches are just mitigation, but they won't fix this issue.

  6. Re:First to market with a fixed CPU gets big rewar by bongey · · Score: 4, Insightful

    Fucking God Dammit shitel shill, the article is using Shitels PR statement as reference, and you keep posting the same FUCKING incorrect information. So fuck off, I will say it again just stop fucking shilling , here is exactly what AMD said https://www.amd.com/en/corpora... , and what Linus Tovalds said about the god dam PR statement you linked to http://www.businessinsider.com...