Slashdot Mirror


How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com)

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

2 of 138 comments

  1. Three independent teams found bug at same time by JoeyRox · Score: 5, Interesting

    FTA: The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently.

    Which begs the question - how long has the NSA known about this too?

  2. Re: AMD bug only affects THE SAME PROCESS, unlike by limaxray · Score: 2, Interesting

    That's not at all true. Spectre can most certainly access memory from other processes, including on AMD.

    What they are referring to is Meltdown, which is specifically a privilege escalation exploit that allows a user process to access kernel memory from within its own virtual memory space. Spectre, on the other hand, tricks another process into leaking its protected memory.

    Even then, the Spectre paper specifically mentions how it may be possible to use it to access privileged memory by targeting an interrupt or syscall.

    And AMD may very well turn out to be vulnerable to Meltdown too. While the researchers weren't able to get their PoC working on AMD CPUs, they did show that AMD CPUs *do* out-of-order execute instructions following an illegal memory access, and they discuss that the problem may just be a matter of optimizing the side-channel method they used.

    Honestly I think AMD is being very dishonest in their announcement, beyond just the Meltdown handwaving. They claim the Spectre bounds check bypass has been fixed with software, but I haven't heard of a good software solution to this, much less have I seen an actual patch. Then they claim the Spectre branch target injection isn't an issue, but my understanding is this is just a matter of figuring out how to better mistrain AMD's branch prediction, as was done with Intel's.

    These vulns are much more difficult to develop than your typical software vulns, and the researchers have barely even scratched the surface. There's sure to be much more to come, and AMD's claims to be largely immune are horribly irresponsible. Until they disclose their actual reasoning behind their claims, I'm going to assume they're full of shit and just as vulnerable as everyone else.
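As an added example (not code from the article, the commenters, or any vendor), here is the kind of software mitigation for the Spectre bounds-check bypass that the comment above asks about: index masking, using the same branch-free construction as the Linux kernel's generic array_index_mask_nospec(), shown beside the plain bounds check it hardens. The table contents are constructed for the example.

```c
#include <stdint.h>
#include <limits.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/* Branch-free mask: all ones when index < size, all zeros otherwise (same
 * construction as the Linux kernel's generic array_index_mask_nospec()).
 * No data-dependent branch exists for the predictor to mistrain; the
 * arithmetic right shift (implementation-defined in ISO C, arithmetic on
 * gcc/clang, which the kernel relies on too) smears the sign bit. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    return ~(long)(index | (size - 1 - index)) >> (BITS_PER_LONG - 1);
}

/* Constructed sample table (not from the page). */
enum { TABLE_SIZE = 8 };
static const uint8_t table[TABLE_SIZE] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Vulnerable pattern (Spectre variant 1 shape): architecturally correct,
 * but the CPU may predict the check as satisfied and speculatively load
 * table[index] with an out-of-range index before the compare resolves. */
uint8_t lookup_plain(unsigned long index)
{
    if (index < TABLE_SIZE)
        return table[index];
    return 0;
}

/* Hardened pattern: keep the bounds check, but also mask the index so that
 * even a speculative load can only touch table[0 .. TABLE_SIZE-1]. */
uint8_t lookup_nospec(unsigned long index)
{
    if (index < TABLE_SIZE) {
        index &= array_index_mask_nospec(index, TABLE_SIZE);
        return table[index];
    }
    return 0;
}

/* The index the masked load would use if the branch were mispredicted:
 * in-range indices pass through unchanged, out-of-range ones clamp to 0. */
unsigned long speculative_index(unsigned long index)
{
    return index & array_index_mask_nospec(index, TABLE_SIZE);
}
```

Architectural results of the two lookups are identical; the difference only shows on the speculative path, which speculative_index() models by applying the mask without the branch.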