Malware Exploiting Spectre, Meltdown CPU Flaws Emerges (securityweek.com)
wiredmikey quotes SecurityWeek: Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks... On Wednesday, antivirus testing firm AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies... Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available proof of concept code. Andreas Marx, CEO of AV-TEST, believes different groups are working on the PoC exploits to determine if they can be used for some purpose. "Most likely, malicious purposes at some point," he said.
If a researcher, tester or AV company sends some PoC code opening calc.exe, then this is not malware! To be malware, some code has to be actually malicious, doing evil things like encrypting hard disks for ransom, sending spam, mining coins, etc. Simply trying out a bug in existing software to get a better understanding or to write AV detection routines is not malware!
Except maybe code from AV companies. That is probably always malware, no matter the intent or what it actually does.
Did you really expect this massive, gaping security hole, that got a metric fuckton of media coverage, to go unexploited?
Spectre is harder to exploit, you're correct. Meltdown however is way more dangerous and not hard at all to implement. Here's some PoC links for you to look through.
https://github.com/paboldin/me...
https://github.com/gkaindl/mel...
https://github.com/IAIK/meltdo...
https://github.com/RealJTG/Mel...
That was from a 5 second google search. I have only tested the top one myself but I know it works.
Well, now we'll see just how good my AV is. I didn't patch; I'm on Win 7 Ultimate, upgraded from Vista Full. It would be a HUGE PITA to recover, lol, but I refuse to go Win 10. I'm not paying for an OS that forces ads on me or controls what I choose to install on MY hardware... you get the point...
Jack of all trades, master of none
That was from a 5 second google search. I have only tested the top one myself but I know it works.
Thanks and sorry for having been so lazy myself. Anyway, I also looked at the first one and it seems to deliver (didn't run it, just read the docs and saw the video) pretty much the same as what I have seen in some other places: memory dumps (from in principle protected locations). This is kind of demonstrating what the bug is about, but not the real exploit I meant. What I meant with real exploit was an application which might actually be used to perform whatever potentially-dangerous action on my computer. Having access to protected memory isn't ideal, true; but how could all that be easily used to accomplish whatever goal? How could you convert those memory locations into ways to trick whatever software to behave against my intent? Having just a memory dump isn't too useful by itself.
Then, I took a look at the fourth one (with 482 stars!) which is a simple C file, with no instructions, that, when executed, prints an array of strings which might be a song or something?! The readme says that it can read passwords from Chrome?! (By assuming that all the hidden fields are stored in the same way and in the same place in all the OSs, it might make sense, but not in any other scenario. And why just Chrome?!) In any case, that code is just running the loop with the song, nothing else (!!).
Then, I looked at the second one which is also a C file but much more complex than the aforementioned sample. This time I cannot know immediately what it does, so I ran it and it printed out something about it working and what seem to be memory locations. Again, no instructions, no explanation and, at first sight, no idea how this is supposed to be reading passwords from anywhere. I think that I have now more doubts than before your post (thanks again, anyway)! If reading passwords from a browser is so easy, why aren't they including a clear code/application with clear instructions? Or even worse: why are all of them saying that everything works fine, that it is very scary, when their codes don't seem to be doing anything? Perhaps I am a bit tired now and am I missing something or what?
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
Get all passwords and documents you care about off the pc so there is nothing for spectre to read. The spectre attacks are not detectable so antivirus programs likely will not detect them. Running a secure Linux rather than Windows still might be the best hope, but not for attacks taking place through the browser. Perhaps have an "empty" machine with just a browser for internet connectivity and browsing/surfing.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
The first part of your comment I agree with, but Intel probably *can't* provide compatible fixed versions of their CPUs except by disabling speculative execution, which would slow things down considerably, so just about nobody would want them. (And they could probably do that with a downloadable microcode update.)
The unfortunate thing about this current set of news is that it's not just Meltdown that's being targeted, but also Spectre. If that can be successfully exploited, then it's a much more serious problem, as it affects nearly everything more powerful than a Raspberry Pi.
I think we've pushed this "anyone can grow up to be president" thing too far.
thousands of people around the world working hard on proving you wrong as we speak
I have so many enemies? Because of something I said? I can change if they want! LOL. Yes, I get your point.
If I could do it myself I would not be publishing my results here for you.
I understand that this is the case with these things (researchers + public work way behind the malicious activity), but there has been so much publicity this time! And, after looking at some of the codes posted in a comment above, my doubts are even stronger. Anyway, it was just out of curiosity, as I don't consider myself or my computers a target of this kind of thing (poor + cautious).
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
Except AMD is far less vulnerable than Intel.
You download and execute code every time you open your web browser.
Take any of the PoCs outputting memory. Set that start address to the base address of your target application (how to get this depends on the OS. In Linux you can look in /proc) or the kernel. Run the PoC, pipe the output through strings. Data will show up.
Let's see if I understand you correctly. Consider the following C code:
#include <stdio.h>

int main(void) {
    char char1 = 'a';
    printf("%c\n", char1);            // the value of char1, a.
    printf("%p\n", (void *)&char1);   // memory address where char1 is stored.
    char *char2 = &char1;
    printf("%c\n", *char2);           // same value as char1, a.
    printf("%p\n", (void *)char2);    // same memory address as the one of char1.
    return 0;
}
You can play around with the memory locations of all the variables (+ get their values) as much as you want within the same application. Now, if I print the value of the aforementioned memory location to a file and, while that program is still running, I execute a second program which reads that file and tries to get the value associated with that memory location, an error will happen because that memory address will not make any sense for that second program. But, due to this bug, there are cases where that situation can occur (reading a certain memory location from a different application and getting the value stored there by that original application). Some of the listed codes generate a set of memory addresses with that "feature" which consequently can be read from any other application?! If I understand it correctly, it wouldn't be straightforward at all and would imply a ton of assumptions (why is a variable stored in exactly the same memory location? Why would the given program, out of the tons of different possibilities, be relying on exactly the approach allowing that? Is the type of that memory allocation always char? etc.); which makes the referred lack of instructions even weirder! Anyway, I might give it a shot in the afternoon and write here my impressions. Thanks for the explanation.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
Another issue I didn't mention but which you correctly pointed out: the memory location has to be added to the base address of the given application, which represents an additional difficulty (+ finding out said base address). Easy? No instructions? Weirder and weirder! Anyway, I will give it a try in some hours and share my impressions.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
because the password is stored in some easily guessable memory location
Not just easily guessable, exactly the same every time!!! Which sounds quite weird! At least, by looking at what these codes are supposed to be doing, they are generating memory locations regardless of anything else, including Chrome!! The underlying idea is that Chrome stores all the passwords (and only the passwords!) in the same memory locations (which might change from computer to computer or even after restarting it, but which are the same for all the running applications)!!! Lots of very weird assumptions, but well... these might be extremely faulty codes; not saying that this is a basic requirement for the referred bug (no idea though).
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
AMD considers their CPUs potentially vulnerable to Spectre Variant 2 - "Branch Target Injection". (The one where one attacker application is able to do its bidding into a completely different and innocent target application.)
Some more recent AMD processors do indirect branch prediction.
But the way they do this indirect branch prediction is completely different.
Currently the Google demo code against Intel Xeon doesn't work (well, obviously).
Nobody has managed to write a successful exploit of that variant.
AMD engineers believe that it's a terribly difficult task that might not be doable.
So they might indeed end up being more or less Intel-specific-ish.
Spectre variant 1 - "boundary check bypass" is the one affecting every CPU that does speculative execution and is basically "speculative execution working as it should/as documented, but now somebody has found a way to use it as a side-channel attack to have a software see its own data".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
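As an added example (not code from any post in this thread), a POSIX shell function that reads the per-variant status files Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (kernel 4.15 and later) for the three issues named in the post above, and returns non-zero when any of them is reported vulnerable or cannot be determined. The directory is a parameter so the function can be pointed at a constructed copy; the real sysfs path is the default.

```shell
# Added example, not code from the thread. Reports the kernel's self-reported
# status for Meltdown, Spectre v1 and Spectre v2. Linux 4.15+ exposes one file
# per issue under /sys/devices/system/cpu/vulnerabilities/; the directory is a
# parameter so the function can also be run against a constructed copy.
vuln_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    vulnerable=0
    unknown=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            # Older kernels (or a non-Linux host) do not expose these files at all.
            printf '%-10s unknown (kernel does not report this issue)\n' "$issue"
            unknown=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"*) printf '%-10s not affected\n' "$issue" ;;
            Mitigation:*)    printf '%-10s mitigated (%s)\n' "$issue" "${status#Mitigation: }" ;;
            Vulnerable*)     printf '%-10s VULNERABLE (%s)\n' "$issue" "$status"; vulnerable=1 ;;
            *)               printf '%-10s unrecognised (%s)\n' "$issue" "$status"; unknown=1 ;;
        esac
    done
    # Exit status: 0 all clear, 1 at least one variant vulnerable, 2 status unknown.
    [ "$vulnerable" -eq 0 ] || return 1
    [ "$unknown" -eq 0 ] || return 2
    return 0
}

# Run against the live sysfs directory with: sh this_script.sh --check
case "${1-}" in --check) vuln_status "${2-}" ;; esac
```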
Educated bad guys know and have known for decades...
(published 1995) - https://www.google.com/url?sa=...
The only change now is that the script kiddies know. And it's not Intel; Spectre (the bug that's exploitable with Javascript in the browser) is a speculative execution problem that virtually all modern CPUs have. You're thinking of Meltdown (which IS Intel specific as far as we know).
This has been weird... I have posted right now a reasonably big reply with conclusions after some tests/research which hasn't been stored. A bit tired I guess. I am not willing to re-write everything. The short summary is that I wasn't able to find a way for a process, supposed to only access a given address space (its regions are defined in /proc/PID/maps; this is the most similar thing I could find to your "base address"), to do anything with the memory allocated by another one. Regardless of the fact that certain highly sensitive, OS-accessible memory isn't properly managed, the question of how to access that memory remains. Even under ideal conditions (admin privileges, perfect information about the memory addresses and data types), a process running on the given OS can only access memory locations within its assigned range.
How can this be overcome? How can all these memory dumps become useful? How could that famous-but-not-found-so-far app able to read passwords from Chrome be built? Even by having all the information regarding the memory location of the given strings, how could they be read by a random process? I think that these are all the main ideas which I wrote in that longer-&-now-lost post. If I misunderstood any bit or anyone knows about a ready-to-use sample delivering a tangible result, please let me know.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
My network connection is usually down. I couldn't be downloading code every time my browser opens if I wanted to, you insensitive clod! :)
Nonaggression works!
It sounds like AMD should come out of this quite well.
At least much better than the giant pile of mess that is Intel.
That's why some experts are pissed at Intel trying to muddy things and pretend all CPUs are equal.
(Nope. All CPU are equal in *Spectre v1* only.
Intel's peculiar way to optimize at the cost of everything else including safety and sanity stands out a lot in Spectre v2 and Meltdown).
I can't decide whether variant 1 sounds "possibly dangerous" or not. I suppose it depends on how applications segment their data.
Yup.
There's a reason why web browsers have moved (Chrome) or are moving (the whole reason to switch Firefox from XUL to WebExtensions is to enable Electrolysis by default) to multi-proc models. Eventually none of the critical data (e.g.: Password Manager extensions) and externally provided arbitrary code (Javascript on websites) will be living in the same process.
And there's a reason why the JITting of eBPF isn't enabled in the Linux kernel by default.
But I'm really skeptical about speculative execution in hyperthreads in any case.
Hyperthreading and speculative execution are completely orthogonal to each other.
They are two completely different strategies in answering the problem of how to keep the pipeline fed, each time it stalls (e.g.: while waiting for something to be fetched from the memory, or some long computation to finish).
- Speculative execution: You don't know what you should do next... so you make your best guess, and try to do it anyway. If your guess turns out right, you're gaining some execution speed.
- Hyperthread: ...but there are N other tasks currently waiting for which you DO know what to do next. Do them instead.
Speculative execution comes at lots of complexity (in order to be able to invalidate wrong turns) with devil lurking in the implementations details (side-channels, security checks done too late).
Hyperthreading is much closer to normal execution and simply requires doubling some already existing facilities in order to enable the CPU to track N tasks.
OTOH, given the way applications are currently written, I can see why they did it, I just think it's a poor local optimum.
Hyperthreading is the *better* solution... except that, for it to work, it requires to have N other tasks in the wait.
Hyperthreading works better in heavily multi-tasking use cases. So you'll find it on servers (typical server-only CPUs like the UltraSparc Niagaras had 8 threads per CPU core) and on GPUs (as anyone used to CUDA knows, the basic strategy is keeping as fucking many threads in flight as possible).
It works on tasks which are heavily parallel (tons of servers and daemons, or tons of pixels, etc.)
But it doesn't help on tasks that are mostly single threaded, so it doesn't look nice on lots of benchmarks (e.g.: older games, lots of compression tasks).
In other words, Multithreading won't make your Windows go faster (Even more so as Windows has traditionally lagged behind the state of the art process schedulers).
"Local optimum" as you say.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
JS running in your browser *would* be sandboxed... if the CPU didn't let memory leak between every single user process, as well as the kernel. Which, Golly Gee, is the entire problem here.
I do run NoScript, which will probably stop some drive-by attacks. But there are also sites that I need to actually work as intended - for example, the sites where I've been applying for jobs lately. The choice I'm left with becomes conducting an audit of a third-party's web infrastructure and JS for each job I apply to, or not applying for any jobs.
And so it appears you lack even a cursory understanding of the bug, or my security practices, but feel confident enough to tell me I'm talking out of my ass. Dunning-Kruger in effect, or just another of the shill army? "Sad!"
Clarification just in case: regardless of the tremendously low quality (+ dishonesty; please, refer to the aforementioned repository including a doing-nothing simple file with 400+ stars in GitHub!!) of some of the available codes, the whole Meltdown premise seems very difficult (if possible at all) to be exploited, as one thing is knowing certain memory addresses and a completely different story is being able to actually retrieve information which is stored there. In any case, note that most of my experience is focused on the algorithm-developing side of things by eminently relying on managed languages. I have some low-levelish experience (in C), but knowing how everything is working at the memory level is certainly not my strongest suit. Perhaps I missed something. As said, more than happy to get any kind of feedback or tangible references (= pretty much the opposite of a video showing random numbers, incredible claims without code/programs to support them or similar faith-based resources).
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
That's what PoCs are, Proof of Concepts.
(Sorry about the delay in replying. I saw your post right now by pure accident. Bear in mind that one of the drawbacks of posting anonymously here is that I don't get any warning when you reply to one of my posts).
So, you are saying that proving a concept is "developing" a piece of software not doing anything at all to prove the given concept? You are saying that writing a simple loop reading/displaying the words included in a simple array (a song or a poem or just random nonsense), making ridiculously inaccurate claims in the readme file and getting over 400 stars is proving something? Perhaps you are right. It definitively proves something: the huge amount of dishonesty and/or lack of knowledge and/or gullibility and/or fanaticism that you can easily find in (certain areas of) the internet.
If the idea you want to prove is that it is possible to know certain memory addresses which, in theory, shouldn't be known by that user/process, you would have to perform some actions to accomplish that goal (why should these specific addresses be hidden? Under which conditions can you know about them and how could that access be avoided?, etc.), via comments, different I/O scenarios or similar. This would have been an acceptably good PoC, but still not what I was looking for. If you want to deliver what I think is the basic requirement to consider this a serious problem, you would have to work a bit more. In addition to the aforementioned proof that the given memory addresses shouldn't be known, you would have to also prove that you can access the contents stored in said addresses. Or more graphically: after proving that the address 0x000whatever shouldn't be known by the given user/application, you would have to be able to prove that program2 can retrieve from that memory address the character 'a' that program1 stored there (= code actually performing the advertised real-time reading of Chrome passwords).
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.