Slashdot Mirror


How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com)

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

24 of 138 comments

  1. If only I know who to short ... by 140Mandak262Jamuna · · Score: 2, Insightful

    OK, the bug is big. Impact is going to be big. But who's gonna be punished by the market? Who can I short? Will users of Cloud services demand their processes to be hosted on exclusive servers not shared with others? Would it raise cloud costs? Would they punish Intel?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:If only I know who to short ... by XanC · · Score: 5, Insightful

      Most likely Intel's numbers will go up, at least in the short term, as people buy more CPUs to make up for the performance hit.

    2. Re:If only I know who to short ... by bobbied · · Score: 2

      We don't know that AMD doesn't have its own issues which are just as bad...

      However, AMD kind of has Intel on the ropes in the performance space with that Ryzen line. Intel's answer has been to drop more cores into the unit and then having to force them to lower clock rates due to heat. Intel is still turning huge profits, but AMD has started to recapture market share....

      SO.... I point all this out to say the following. AMD now has a huge hole in Intel's armor to drive their marketing trucks through and I sure expect them to try, in so far as their marketing budgets allow. I expect AMD to exploit this unforced error by Intel.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:If only I know who to short ... by AvitarX · · Score: 2

      AMD seems way better off.

      AMD was closing the performance gap, now Intel just lost about 5-10% (workload dependent estimated mitigation costs of Meltdown on a CPU with PCID) performance. This puts AMD at a tie in some areas (cost equivalent single thread) where it was slightly behind, and further grows its multi thread advantage.

      Both CPUs are in theory vulnerable to Spectre, which will likely be mitigated in software by application and be equally damaging to all.

      At least that's how I've read it. Mitigation of Meltdown is Intel specific and very expensive, mitigation of Spectre is ??? Haven't really seen anything on that, it's a much narrower vulnerability though, because Meltdown allows reading of all memory, and Spectre is limited to an application's memory.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:If only I know who to short ... by bongey · · Score: 2

      Funny, Microsoft knew about this months ago and bought a bunch of AMD processors for their Azure cloud specifically for data intensive loads. Exactly the type of tasks which are slowed down by this Intel bug.

    5. Re:If only I know who to short ... by sjames · · Score: 4, Insightful

      Actually, AMD is significantly harder to exploit than Intel. The performance crushing patch simply brings the Intel processor level with AMD.

    6. Re:If only I know who to short ... by sjames · · Score: 2

      That would be exactly opposite of the right strategy. As bad as information leaks between processes can be, it's worse when those other processes are owned by a different entity. Who would you rather be potentially able to read your banking details, a family member or some random guy whose name you don't know who could be living anywhere in the world?

    7. Re:If only I know who to short ... by TheRaven64 · · Score: 2

      You're assuming that the attacker has no control over their placement. The only person who is going to see leaks from these vulnerabilities is someone who is actively running the exploit (you don't just get someone else's memory in your address space, you have to scan it one bit at a time). If I wanted to exploit this, I'd spin up a bunch of VMs in Amazon, Google, and Microsoft's clouds and start scanning. I would not be actively targeting your company, but if I saw anything confidential and valuable then I'd be able to tie it back to your company and either sell it to someone who wanted to take advantage of it or use it directly. I'm not planning on doing this, but the people who are will probably be in Russia, China, North Korea, or other places where it's really hard to get any legal recourse.

      In contrast, if someone within your own company is attempting to access data that they shouldn't, then you can terminate their employment and you may even be able to prosecute them.

      --
      I am TheRaven on Soylent News
    8. Re:If only I know who to short ... by sjames · · Score: 2

      No, I was considering that. If my company uses a public cloud, one of those bad actors MIGHT end up running in another VM on the same machine my VM is running on. If instead, I run on a server I actually own and use exclusively, even if I run several VMs, I can KNOW that the bad guy is NOT also running a VM on that server. At worst, another department in the same company might have a VM on the same hardware with me.

      So if security is a concern at all, avoiding outsourcing VMs to the cloud is the right strategy.

  2. Woah by Anonymous Coward · · Score: 5, Insightful

    Does EVERYTHING have to be in a bold font?

    Please fix!

  3. Is it just me? or ... by 140Mandak262Jamuna · · Score: 5, Insightful

    Everyone is seeing too much of bold fonts? Did someone forget a closing bold tag in some style sheet?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it just me? or ... by DontBeAMoran · · Score: 2

      I'm seeing all text in bold too. We can't ask too much of a nerd website if they can't even handle UTF-8 correctly.

      --
      #DeleteFacebook
  4. Re:It happens to be a slow news week by toonces33 · · Score: 2

    I can't help but wonder if this is only because they haven't found much in the kernel address space. If one could find hashed passwords for local accounts, it might cause people to reconsider...

  5. AMD bug only affects THE SAME PROCESS, unlike Inte by Anonymous Coward · · Score: 2, Informative

    Intel PR monkeys are trying to take AMD down with them, let's make this clear:

    For the 3 bugs, the biggest one only affects Intel CPUs; for bugs 2 and 3:

    AMD bug only affects THE SAME PROCESS, unlike Intel, which allows exploits to cross processes:

    https://googleprojectzero.blog...

    As shown, AMD was only vulnerable to "the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries."

  6. Re:It happens to be a slow news week by 110010001000 · · Score: 2

    I always wonder why people lie about this. The CVSS is not a 1.5. Your link even proves you wrong. How is it overblown? This is a huge issue.

  7. Three independent teams found bug at same time by JoeyRox · · Score: 5, Interesting

    FTA: The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently.

    Which begs the question - how long has the NSA known about this too?

    1. Re:Three independent teams found bug at same time by Anonymous Coward · · Score: 2, Informative

      I encountered an only slightly older blog post where somebody demonstrates that speculative execution causes cache line reads. He claims no security hole and that the negative result is interesting because of how close he got. On reading it I had enough to develop the rest.

      Anders Fogh deserves the real credit. https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

    2. Re:Three independent teams found bug at same time by thomst · · Score: 2

      https://slashdot.org/~110010001000 protested:

      It isn't possible all these people independently "discovered" a 20 year old flaw at the same time. Think about it. Google supposedly discovered it six months ago. I don't believe it.

      Apparently you haven't heard of steam engine time. If Newton and Leibniz could (more or less) simultaneously, independently invent "the calculus", why can't three disparate security research teams (more or less) simultaneously, independently discover the same security bug?

      Note, as another example from a third field, that both Jennifer Doudna's and Zhang Feng's teams (more or less) simultaneously, independently discovered the CRISPR gene-splicing technique, just a few years ago. This kind of thing happens more frequently than you appear to believe is possible.

      Paranoia is its own punishment ...

      --
      Check out my novel.
  8. Re:Intel ME by 110010001000 · · Score: 4, Insightful

    I think people still don't understand: there is no "fix" for Meltdown other than to replace your Intel chip with another one that doesn't have this flaw. The software patches are just mitigation, but they won't fix this issue.

  9. Re:It happens to be a slow news week by r1348 · · Score: 2

    The link you provided reports the following CVSS metrics:
    Base 4.4 AV:L/AC:M/Au:S/C:C/I:N/A:N
    Temporal 3.4 E:POC/RL:OF/RC:C
    Environmental 5.1 CDP:ND/TD:H/CR:H/IR:ND/AR:ND

    Where did you read 1.5?

  10. Bet the NSA is pissed this went public by gurps_npc · · Score: 2

    How much you want to bet that this was one of their dirty tricks...

    --
    excitingthingstodo.blogspot.com
  11. Re:First to market with a fixed CPU gets big rewar by bongey · · Score: 4, Insightful

    Fucking God Dammit shitel shill, the article is using Shitels PR statement as reference, and you keep posting the same FUCKING incorrect information. So fuck off, I will say it again just stop fucking shilling, here is exactly what AMD said https://www.amd.com/en/corpora... , and what Linus Torvalds said about the god dam PR statement you linked to http://www.businessinsider.com...

  12. Re: AMD bug only affects THE SAME PROCESS, unlike by limaxray · · Score: 2, Interesting

    That's not at all true. Spectre can most certainly access memory from other processes, including on AMD.

    What they are referring to is Meltdown, which is specifically a privilege escalation exploit that allows a user process to access kernel memory from within its own virtual memory space. Spectre, on the other hand, tricks another process into leaking its protected memory.

    Even then, the Spectre paper specifically mentions how it may be possible to use it to access privileged memory by targeting an interrupt or syscall.

    And AMD may very well turn out to be vulnerable to Meltdown too. While the researchers weren't able to get their PoC working on AMD CPUs, they did show that they *do* execute instructions out of order following an illegal memory access and discuss that the problem may just be a matter of optimizing the side channel method they used.

    Honestly I think AMD is being very dishonest in their announcement, beyond just the Meltdown handwaving. They claim the Spectre bounds check bypass has been fixed with software, but I haven't heard of a good software solution to this, much less have I seen an actual patch. Then they claim the Spectre branch target injection isn't an issue, but my understanding is this is just a matter of figuring out how to better mistrain AMD's branch prediction, as was done with Intel's.

    These vulns are much more difficult to develop than your typical software vulns, and the researchers have barely even scratched the surface. There's sure to be much more to come and AMD's claims to be largely immune are horribly irresponsible. Until they disclose their actual reasoning behind their claims, I'm going to assume they're full of shit and just as vulnerable as everyone else.

  13. Re: AMD bug only affects THE SAME PROCESS, unlike by aod7br7932 · · Score: 4, Informative

    AMD is NOT vulnerable to Meltdown. AMD already responded that their permission bits are checked BEFORE issuing instructions so kernel memory isn't readable, even speculatively.