OpenBSD Chief De Raadt Says No Easy Fix For New Intel CPU Bug 'TLBleed'

Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says. iTWire reports: The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs. Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and were likely to involve "a ton of work to mitigate (mostly app recompile)." But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."

He said that Williams was lacking all the details and not thinking it through. "They actually have sufficient detail to think it through: the article says the TLB is shared between hyperthreading CPUs, and it is unsafe to share between two different contexts. Basically you can measure evictions against your own mappings, which indicates the other process is touching memory (you can determine the aliasing factors)." De Raadt said he was still not prepared to say more, saying: "Please wait for the paper [which is due in August]."

Illusion of speparation in VM

[sinij]

If not this one, maybe the next bug of this kind will finally put illusion of VM separation to rest. If you are running something in the cloud, there is no way to secure it. Start bringing important stuff back in-house, and better use dedicated hardware. Yes, these old-fashioned blade servers were in the access-controlled server room for a reason.

Re:Illusion of speparation in VM

Cool fictional story bro.

Re:Illusion of speparation in VM

[iggymanz]

very funny, since that mostly happened in Bush and Obama years

Re:Illusion of speparation in VM

If we'd be willing to deal with choppy timeslicing where you give the whole processing (all cores & GPU) away for a longer timeslice and fully scrub cache state between and swap for a whole new RAM bank, you could probably start to think about making some guarantees.

But damn that throws away so much performance and response speed.

Of course the world will settle somewhere between that extreme and the current state (probably much closer to the current state for a while).

Re: Illusion of speparation in VM

You trying to say they weren't Presidents?

Re:Illusion of speparation in VM

Tell it to Harley Davidson you burrowing sycophant traitor's ass worm iggy.

Re:Illusion of speparation in VM

very funny, since that mostly happened in Bush and Obama years

So did most things in the last 18 years.

Re:Illusion of speparation in VM

If we'd be willing to deal with choppy timeslicing where you give the whole processing (all cores & GPU) away for a longer timeslice and fully scrub cache state between and swap for a whole new RAM bank, you could probably start to think about making some guarantees.

But damn that throws away so much performance and response speed.

Only response speed. Longer slices will increase performance.

Re:Illusion of speparation in VM

[Pseudonym]

Take a cue from the C++ people. VM separation protects you from Murphy, not Machiavelli.

Re: Illusion of speparation in VM

Trump's always been the President. I'm unaware of any Presidents before him. /s

Re:Illusion of speparation in VM

[swb]

Could you do this if you somehow flipped around the CPU trends? What if instead of two-socket servers with 16 cores per socket, we had 8 sockets with 4 cores per socket?

Re:Illusion of speparation in VM

[AmiMoJo]

You have to weigh the possibility of an unpatched cloud server being compromised by a neighbouring VM against the possibility of your own in-house servers being hacked.

Cloud companies so security on a massive scale and all the big guys like Amazon, Microsoft and Google have a track record of keeping their systems up to date and secure. It's no wonder, because they can afford the best security staff and security is a core part of their business.

Your locked server room looks impressive but is reliant on who you can afford to employ to secure it. In fact you really need a team working on security, rather than a single point of failure. And you had better be ready to test and deploy patches fast too.

Also, the VM isolation issue isn't really an issue because you can just pay a bit more to ensure no-one else's VMs are running along side yours. For really secure stuff it's a good idea to encrypt data in RAM too, which AMD supports in hardware to mitigate exactly this kind of attack. Different key for each VM of course.

Re: Illusion of speparation in VM

Your right.

Re:Illusion of speparation in VM

[Noryungi]

Cloud companies so security on a massive scale and all the big guys like Amazon, Microsoft and Google have a track record of keeping their systems up to date and secure. It's no wonder, because they can afford the best security staff and security is a core part of their business.

Well... In that particular case, Amazon, Microsoft and Google are "more" secure because Intel gave them advance warnings and probably some detailed patch and vulnerability information. And Linux got patched really quickly because Google and Amazon have invested massively in that operating system.

The smallest projects, like OpenBSD, were left in the cold to fend off for themselves. Theo and other developpers asked Intel if they could be a part of the embargo. They never received a response.

Re:Illusion of speparation in VM

I just thought, from what I have read, RAM usually is not a vector because it degrades so quickly. But if the switch is quick, like in the cloud, could RAM memory become an attack vector?

Re:Illusion of speparation in VM

[Junta]

They wouldn't need to be separated by a socket.

In this case, as far as I can tell, it's hyper threading, so treating your 16-core cpu as 16 processors is ok (in this specific case) but not as 32 processors.

Of course, they have a lot of sharing within the processor package and it seems plausible for there to be issues like this suggesting more isolation/dedicated resources, but that still can be done in a single processor package too.

Re:Illusion of speparation in VM

I think some ARM CPUs had e.g. 16 cores but these were four island of 4 cores effectively. Not intended as a good feature, but as a cheap way to have a product without complicated (on-die) interconnect.

Now, look at a dual Epyc system : two CPU, made of four dies each. So that's eight dies but there's a very good automagic interconnect between them (I don't think that buys you anything over a single CPU?). In fact, two four-core complexes (CCX) on each die so it's even a bit like a 16-CPU system, up to 64 cores (some can be disabled. There's an 8-core Epyc with only one core per CCX running)

I can't say anything about security etc. But making an 8-socket system would be expensive, wasteful. Surely you can customize hypervisor, microcode, firmware, OS, disable hyperthreading/SMT.

Re:Illusion of speparation in VM

[bill_mcgonigle]

VM separation protects you from Murphy, not Machiavelli.

This is the quote of the day.

But now I have to wonder which your .sig is. ;)

Re:Illusion of speparation in VM

I still think hyperthreading could be used : don't share two hardware threads of a same core along VM boundaries, or process boundaries

Re:Illusion of speparation in VM

[quintus_horatius]

You mean the Larken Rose the tax denialist?

Re:Illusion of speparation in VM

[DamnOregonian]

VM separation protects you from Murphy, not Machiavelli.

Brilliant.

Re:Illusion of speparation in VM

The smallest projects, like OpenBSD, were left in the cold to fend off for themselves. Theo and other developpers asked Intel if they could be a part of the embargo. They never received a response.

Maybe because Theo and other developers are selfish, and have abused the embargo in the past?

Re:Illusion of speparation in VM

Bush and Obama did nothing to prevent this. Trump couldn't because he wasn't in office. Listening to the absolute fury of the fly-by-night wholesale job exporters at Trump's new H1B thing has been pretty enlightening though.

Re:Illusion of speparation in VM

Right, that's ALL it offers. And for C++ this is fine- access controls are meant to generate helpful compiler errors so you don't modify something you didn't mean to, but there's no way to really be Machiavelli when it comes to your own code you are compiling anyway.

VM separation, however, is exposed to plenty of Machiavellis. If I rent compute on a cloud, the physical machine I'm on could be hosting anyone else's thing. Amazon can't be sure it isn't renting to Machiavelli, though I'm sure they will try.

The best case for VMs is locally, with your own stuff, for reasons of preventing Murphy. But nothing in C++ was ever based on the idea that you can stop Machiavelli- numerous cloud models are based on EXACTLY that idea. It's a huge industry, and it really does have a lot fewer applications than before when you consider this and other risks.

Re:Illusion of speparation in VM

give the whole processing (all cores & GPU) away for a longer timeslice

Then how do you recall it? If the system's been given away to the client process, it can disable / change the interrupt vectors required by the hypervisor to regain control after the timeslice is used up.

Face it, the GP is right. You can't run shady processes in complete isolation. Eventually they will find a way to break out or at the very least cause trouble. Given this is multimillions in data being handled, it's in the hacker's best interest to find a way, just as much as it is the data's owner to protect it. The smarter move is to never give away the multimillions in data to begin with. At least it is if you care about that investment.

Re: Illusion of speparation in VM

Did you read what you linked to? Theo did the right thing. Release it so it gets patched.

Re:Illusion of speparation in VM

[HiThere]

There's a big question as to whether the cloud servers *CAN* be patched. This latest round of bugs seem to all depend upon hyperthreading implementations in the microcode. Intel's recent history of patching that kind of thing is dubious, to be kind. And actually with a bit of outright malicious thrown in. (Linus was quite upset.)

Personally, I'm dubious about the whole hyperthreading architecture. I think they should go/have gone with lots more simpler processors.

Re: Illusion of speparation in VM

Also, again, read what you linked. The person signed off on the release, AND then changed his mind afterwards. That's not Theo or the team at OpenBSDs fault he changed his mind. They are not mind readers.

Re:Illusion of speparation in VM

[nnull]

Yes, because hiding such a serious vulnerability from the public and keeping systems seriously vulnerable for who knows how long was a better idea.

Re:Illusion of speparation in VM

Sure and now OpenBSD people get what they asked for. And crying, and moaning, and whining about it.

Re: Illusion of speparation in VM

[lsatenstein]

Is the same tlb bleed problem inherent and the AMD ryzen computer chips?

Re:Illusion of speparation in VM

[ebvwfbw]

OMG, Obama's admin pushed like they were pushing a beech ball through a 2" pipe. The told the Military to do it. Still dealing with that crap.

high performance is a securiy flaw

stupid humans are incapable of making better computers, they insist on broken designs and do not have the intelligence to do better

Oh The Simplicity of Contiki!

Time to open a wormhole and revert to older hardware:

https://en.wikipedia.org/wiki/...

Or do THOSE systems have a possible back-door(s) in them?

Re: Oh The Simplicity of Contiki!

[Bing+Tsher+E]

I have often thought that instead of 'throw away and replace,' software should continuously improve. The software that was 'good enough' to run on old Pentium 3 systems back when that was the 'leading edge' hardware should be better, and run even more efficiently today. Because there has been the time to improve it. To improve the libraries it links to. Ultimately for every part of it to be replaced by hand coded assembly language. Think of Wordstar, written in assembly language, that runs usably well on an 8080 processor.

Perhaps the answer for a secure future is to look back in this way. The really important secure things don't necessarily need to run on the latest branch-predictive hardware with all it's vulnerabilities, with the embedded security engines that can't be disabled or even scrutinised, the shared memory messes in unchangable hardware that topics like this explores; all the crap that's been added in the last decade (coincidentally in the era of intrusive DRM and the rise of immense NSA budgets?). Maybe the secure future is something like continually improved, thouroghly audited and pawed through legacy code like OpenBSD. A code base where flaming egos and lastest-greatest-frenzy (looking at you as a good example, now, systemd), and hot dogs who champion the rip-out-and-replace development culture are not allowed.

Maybe something plain and thoroughly explored and highly optimized, and running on last decade's hardware, is the secure answer.

(The above rambles a bit but I'm entering it using a glass keyboard android tablet, so be gentle in your criticism, constructively if you could, please)

Re: Oh The Simplicity of Contiki!

Moore's Law: Every 18 months, the speed of hardware doubles.
Gates' Law: Every 18 months, the speed of software halves.

Re:Oh The Simplicity of Contiki!

Or do THOSE systems have a possible back-door(s) in them?

Well, yes.

Without any form of MPU/MMU support you can just access any memory you like.

No need to resort to tricky timing attacks to figure out if another process might be accessing a cryptographic key.
Just dump the process list and get full information on where it was when it got swapped out, not that you need to since you can just read the key directly.

But hey, if you run it on an emulated C64 then any attacker will probably have a hard time breaking out of it.
Even if they get full access to the emulated processor they probably won't get enough cycles per frame to tell anything meaningful about the host system.

Re: Oh The Simplicity of Contiki!

Dude, not even close.

Re: Oh The Simplicity of Contiki!

.PB "WordStar was Great!" .PB

If you've never used early WordStar on CPM, you want get the reference.

Re: Oh The Simplicity of Contiki!

If by "not even close" you mean "hit the nail on the head", then he was not even close. if you're too dumb to figure out why, that's your problem not his.

Re: Oh The Simplicity of Contiki!

That's not what Moore's law is.

Re: Oh The Simplicity of Contiki!

Moore's Law has nothing to do with hardware speed, numbnuts.

PCID should help.

[iive]

PCID should help with this kind of vulnerability too.

When mitigating Meltdown, one way was to separate completely the kernel memory from user process memory, this involved switching the virtual paging memory and this flushed TLB entries.
This causes speed decrease. To mitigate this, (some) CPUs have a feature where it writes the process ID into the TLB entry, so it could remain in the cache, but it would remain inactive while another process is running.
While this sound like the perfect solution, the problem is that the ID field is not big enough and should be switched and recycled.

Intel only

[110010001000]

Is this another Intel only bug, or are other processors affected?

Re: Intel only

[Bing+Tsher+E]

My SparcStation IPC is safe. Uses regular old 30 pin DIMM memory, even.

Re:Intel only

You can count on Intel to bring out another bug (does not matter how critical) that also affects AMD and scream it up the flagpole so people will figure AMD is just as bad as Intel... it's what they do

Re:Intel only

[DamnOregonian]

It's too early to tell. It's possible AMD is affected as well, as this doesn't really sound like a bug by any sort.
It appears to be a new vector for well-known crypto key-derivation side channel timing attacks.
The CPU isn't really leaking anything from the sounds of it, they're just using the fact that the TLB is shared between threads as a way to statistically derive the key schedule of a well known and profiled encryption library.
I'm not familiar with AMDs architecture, so I can't speak as to whether or not their TLB is shared, but I'd guess it was.

The real problem here is a shitty encryption library. Encryption routines that are aware of the existence of side-channel attacks have constant-timing mechanisms built in to prevent exactly this kind of thing, from any vector, because there are probably a near infinite amount of vectors we have yet to even have thought up. It's the nature of having shared resources and multiple processes. Timing is going to change based on what someone else is doing.

Re: Intel only

Should apply to any processor that can run multiple threads with a shared tlb. The original article mentioned amd's smt

Special settings

[duke_cheetah2003]

Like Meltdown and Spectre, this 'exploit' requires a lot of things to be 'just right' for an exploit or data leak to occur.

I'm not saying they're worthless exploits, but again, when I read some of the particulars about the research.. well this popped out:

The team used AI – specifically, a support vector machine classifier – to identify when a program is executing a sensitive operation, such as a cryptographic function, through the TLB latencies, and read out that app's private data as a stream of bits, allowing them to reconstruct things like crypto keys. There are hurdles to overcome, such as address-space layout randomization – however, the team believes these can be defeated in real-world attacks.

So I really don't know a lot about AI implementations, but I'm going to take a liberty and say, that's probably computationally expensive to be doing. That they needed an AI to even get anywhere examples how sensitive this exploit truly is. Expecting to deploy an AI in the wild (malware) and have it grabbing stuff from whatever... it's a pretty big stretch from these laboratory conditions to real-world.

I'm not going to say there's nothing here, but I am going to say: Where's the beef? Cuz it's awfully small with this exploit, there's much easier ways to steal information.

Lastly, it seems isolated to HyperThreading Intel CPUs, from what I read. Yes, it's a big attack surface, but still.. an exploit working in your special setting doesn't really move me much, especially how special these particular set of conditions were.

Re:Special settings

[110010001000]

I don't know about that. Apparently there is a draft paper available. If anyone knows where it can be found, please post.

Re:Special settings

[93+Escort+Wagon]

Theo: Worried
Random Slashdotter: Not so worried

No offense, but I’ll go with the OpenBSD and LibreSSL guy on security matters.

Re:Special settings

[XanC]

Seems like a VPS instance could easily use this to break into its host or to sibling VPSes.

Re:Special settings

[phantomfive]

Like Meltdown and Spectre, this 'exploit' requires a lot of things to be 'just right' for an exploit or data leak to occur.

Look up "heap spraying" to see the kind of extreme techniques that can exist. Although you can't think of something now, people think of bizarre methods.

A typical technique would be to target a particular popular piece of software, like, openSSL, which is used by basically everything. Then use a shotgun approach, and try the exploit on a thousand (or a million) different computers. Even if only 1% of servers are exploitable, then you can grab a lot of private keys. This is the technique hackers use every time a new vulnerability is found (for example) in Wordpress. Just try the exploit on every server on the internet. Most of them will fail, and updated Wordpress instances will fail, but enough will succeed to make it worth while.

Secondly, imagine this is running as Javascript on your computer. Some people never run Javascript, but most of us do. An example hack: listening for the Facebook ID cookie, so you can log in to their account (or the gmail cookie, or whatever).

Re:Special settings

[Tough+Love]

Like Meltdown and Spectre, this 'exploit' requires a lot of things to be 'just right' for an exploit or data leak to occur.

All computer programs require that. It is amazing just how fast and accurately these Meltdown readers can dump out kernel memory. That is just the ones we know of, there are many better ones in the wild, no doubt.

Re:Special settings

I mean, Theo is paranoid as heck, but sure.

It is good that Theo is worried, that means that by the time someone actually figures out a semi-reliable exploit there might be a solution prepared.
The random slashdotter on the other hand? Just a waste of time.

Re:Special settings

[thePsychologist]

Expecting to deploy an AI in the wild (malware) and have it grabbing stuff from whatever... it's a pretty big stretch from these laboratory conditions to real-world.

The thing is, the AI, which is really just a fancy term for a machine-learning classifier in this case, doesn't have to look at all like traditional malware. These types of exploits use information obtained via non-escalated processes and can be as simple as timing info. The AI itself does not even have to run on the cloud - it can simply send the data back to the attacker for analysis.

So while it's true that memory randomization and other countermeasures could foil certain kinds of attacks, the conditions to get an attack up and running are really not that special after all.

Re:Special settings

[AbRASiON]

Why? Generally security guys love raising hypothetical, navel gazing, wank, think-pieces to look clever.

Case in point, the amount of utterly #@$%ing stupid security guys who insist on quadruple random pass on hard disks to wipe, /then shredding them physically/.

In reality there's never been a proven case of restoring data from a hard drive that's been written even just once with 0s.

I'd be comfortable stating on my experience, over 85% of security people I've encountered in the industry to be nothing but a hindrance, who love saying no to things, for the sake of looking important.

Re:Special settings

Yeah, Meltdown really needed a whole lot of special circumstances.. The user had to have a web browser, point it to a malicious website and allow javascripts to be executed. That never happens.

Sleep tight all Intel users, you're no worse off than anyone else. Bloody shill.

Re:Special settings

[religionofpeas]

Same with random key generation. Stupid programs make me sit there and move the mouse randomly for 2 minutes, instead of just taking some bits from /dev/urandom, which is just as good.

Re:Special settings

[currently_awake]

By the time we hear about a new exploit, we assume the NSA has already used it to spy on us.

Re:Special settings

[Ol+Olsoc]

Case in point, the amount of utterly #@$%ing stupid security guys who insist on quadruple random pass on hard disks to wipe, /then shredding them physically/.

I always thought that was sort of a "guy thing". I've had fun drilling holes through hard drives, then crushing them in vices. Even took a few to the rifle range. When in fact, I knew that:

In reality there's never been a proven case of restoring data from a hard drive that's been written even just once with 0s.

Pretty much this. Early on, I asked how exactly data could be retrieved from an overwritten drive, and got a strange "edge of the written area" response. Then I asked why the new data wouldn't write to the "edge of the written area". Didn't get an answer.

I'd be comfortable stating on my experience, over 85% of security people I've encountered in the industry to be nothing but a hindrance, who love saying no to things, for the sake of looking important.

That's a bit harsh. There is an old saying that you can't know what you don't know, and it is pretty difficult for any one of us to know every vulnerability out there. So the security guy or gal tends to get pretty cautious in outlook.

Re:Special settings

[DarkOx]

You have to consider the scope though - Both Random Slashdotter's lack of concern and Theo's worry are justified in my opinion.

Theo: is developing an operating system that is supposed to be essentially the most secure choice. He has a user base that will be deploying it on high value targets. High enough value that a state actor or other well funded well connected group might take interest. Such groups would be capable and willing to develop situationally specific malware + exploit code. If I was using BSD/Intel to run my uranium enrichment process - I'd worry.

On the other hand as far as Random Slashdotter goes - He is probably correct that we won't see this as a metasploit module or meterpreter plug-in anytime soon. Its debatable as to if these exploits could be used in the 'wild' without being highly customized for the target by people who have advanced math/comp sci degrees. In other words even if your bitcoin wallet stored on that VPS is worth few hundred thousand its likely impractical to go after you in this way. So being somewhat dismissive about these attacks as an individual is justified as well.

Re: Special settings

Wrong. Computer forensics specializes in this sort of data recovery. There's a reason why DoD spec is 7 passes over the disk.

Now SSDs are a different matter.

Re:Special settings

The short version?

1. recovering overwritten data is possible and has definitely been done with MFM/RLL drives (old hard drives, floppy disks) and SSD

2. what is less certain is data recovery from modern drives

3. multiple passes (outside of addressing MFM/RLL encoding) is voodoo, just overwrite once with zeros (please don't do this to an SSD: use TRIM or full disk encryption)

4. physical destruction for the win

5. if your adversary can defeat #3 see #4

6. if your adversary can defeat #4 you aren't doing it right

The longer version:

The problem is that you are ignorant (not stupid, just topically ignorant) so you are not so different from the morons who do multiple passes.

First, recovering overwritten data has been done and -- when it was done -- was relatively trivial.

Second, *most* of the "knowledge" about the topic comes from an old usenix paper about *assuring* that overwritten data could not be recovered. The paper was not, itself, concerned with the recovery of data -- only what could be done to *assure* that overwritten data could not be recovered.

So the uninformed "naysayers" point out that Gutmann's paper did not do data recovery. While true, that is rather beside the point because it never set out to do so.

The uninformed "sayers" never understood the paper (which is about MFM/RLL drives which you whippersnappers have probably never seen) and decide that "more is better" and blindly apply the "kitchen sink" methodology and use *every* MFM/RLL pattern to drives where such patterns are inapplicable. They often toss in other nonsense like random data passes.

There are two issues that confound efforts to recover overwritten data on "modern" drives: encoding and data density.

Briefly, although it may be convenient to think that writing 0x01 results in fifteen zero bits and a single one bit being written to the media -- this is simply not the case. And there are, necessarily, non-data bits written on a magnetic disk. In the Good Old Days the drive could be "low level formatted" (another concept largely misunderstood nowadays, but fortunately for everyone's sanity the drives handle all of this internally now). To read overwritten data requires understanding the encoding used by that drive and, in a post-MFM/RLL world it really isn't that simple.

Secondly, the higher data density increases the required resolution. This raises the bar, but does not prohibit the possibility of data recovery. One of the more infamous "naysayer" projects was to use an electron tunneling microscope to examine the disk surface. When they found no evidence of the magnetic fields they called it "case closed". Utter physics fail, despite one being a PhD physicist. His problem? not understanding what he was investigating, nor how he was investigating it.

Another project I've heard of (by "naysayers", no less) allegedly could recover a small fraction of overwritten bits using the drives own electronics. But without knowing their methodology it is hard to evaluate. I mostly found it amusing that they said, "we could only recover about 1% of overwritten bits so it isn't possible to recover overwritten data."

And, all of this is out the window with SSD. Not that data recovery is out (it is definitely *possible* to recover "overwritten data" from an SSD, but that is a very different topic and this is already a long post).

For summary, see the top...

Re: Special settings

[dgatwood]

There's a reason why DoD spec is 7 passes over the disk.

The reason is that it might have been possible, back when track width was much wider and head positioning accuracy was much lower.

Re:Special settings

[blind+biker]

True for Spectre (which is practically useless for exploits) but not true for Meltdown which is eminently exploitable - a Meltdown exploit does not need to know the precise location of data in kernelspace in order to access it from userspace. Javascirpt can do it.

Re:Special settings

[DamnOregonian]

Regardless, Random Slashdotter is correct.
I'm not Theo, but I do have published kernel-level exploits for Linux/Android in the NVD, so I'm not speaking completely out of my ass. A lot of these recent CPU architecture attacks are pretty weaksauce. They certainly are real fuckups in the concept of process isolation, but the paranoid people like to act like inferring random memory a few bits at a time is going to yield you useful information.

I've done a lot of work breaking into kernels, and getting access to their memory was never the hard part. Navigating it was. And that was at full line speed.

Re:Special settings

Hyperthreading should be considered harmful from a security perspective from this point forward. It's costly to disable it, so consider well when you allow it and when you disallow it.

Re: Special settings

Wait for the paper in August. POC coming.

Re: Special settings

There is no reliable way to ensure that at the time of writing 0s that all data on the drive is currently addressable due to sector remapping. Secure wipe allegedly addresses this but implementation is generally poor and particularly hopeless with ssds. Perhaps you should consider whether your security guys know something you don't?

I am an old nobody

[oldgraybeard]

but the fact that the vendors put a secret OS with an api within the cpu below the bois/command set? Who thought that was a good idea. And who did not see the problems and issues.
I know, I know nothing, I wrote z80 assembly as an intro. I am missing the entire point of what the wise individuals are doing..

Just my 2 cents ;)

Re: I am an old nobody

[Bing+Tsher+E]

Minix won't run on a Z80. It will run on an 8088 though.

Tanenbaum, were you right?

Re:I am an old nobody

[thegarbz]

Who thought that was a good idea.

Users who were requesting these features by voting with their wallet through vendors that provided them external to the CPU.

Re:I am an old nobody

[grep+-v+'.*'+*]

I know, I know nothing, I wrote z80 assembly as an intro.

I learned on an MITS Altair-8800 computer that my roommate had in college. We played one dimensional, straight-line Pong, and had to flip the front-panel switches to reload the program after shutting it off. (5.1 Audio? Mouse? CRT? Printer? Floppy? Keyboard? Paper-tape? You must be joking.)

After graduation, I ended up at his computer shop running CDOS, a CP/M improvement from Cromemco with hardware. They eventually upgraded from 8080 to a Z-80. Really neat, with those 2nd set of registers. We wrote COBOL and Fortran accounting software using embeeded software overlays and 8" floppies and 5-10M hard drives. (150K? 5 Meg? Is that right?? We only had 64K of RAM though, MAX) for companies.

Hey, did you ever see that Zilog Z-80 paperback book (6"x8"? Weird size.) describing how all of the operations worked in pseudo-code? It was wonderful.

I still have a Z-80 fold-out instruction card. Also an IBM 360 one, much longer. Not much useful now, but extremely useful at the time.

Also, decades ago now, IBM produced (as an experiment, not a retail product) a mainframe computer-on-a-chip, but supposedly the firmware was changeable to directly run binary code from IBM 360, PDP, Amdahl, and maybe 3 other CPUs. A decade or more later you've got (we had internal Compaq In-Site cards) things which directly control the computer remotely, even when "it's off". I understand the new corporate ones have it all built on the motherboard. Still need power to the PS though, but you could insert floppy images and flash firmware while sitting at your desk. Neat-O!

I used to understand how things worked, down to the bare metal. (Could program PICs and INT handlers and all that. You too, I'm sure. Remember 16550 UART serial chips with 14-byte internal cache? ) I fiddled with AI a bit in college in the late 70s. It was bloomin' math magic then, I could run the simple operations by hand or look at the intermediate data structures. But it was all just random junk -- except it would actually come out with working answers. I can't imagine and don't understand what they're doing now -- and really, I don't actually think they do either.

Re: I am an old nobody

Well, the 8088 is pretty much an 8086, so it is not that surprising.
It just means that it runs on x86 without using any of the wonky instructions.

I guess the big step is getting away from the the 64k memory limitation.

Re: I am an old nobody

I seem to remember the Z80,000 (thousand) or somesuch had this limitation removed - doesn't seem as widespread as the z80 though

I'm just a 6502 and ARM guy.

Re: I am an old nobody

Small but interesting detail: the guy quoted in the Register article, Ben Gras, was one of the main programmers for Andy Tanenbaum. He was working to get a BSD-like environment around the Minix kernel.

Re:I am an old nobody

[Type44Q]

Who thought that was a good idea.

That would've been the intelligence services; the CIA makes sure it has plenty of control over tech companies.

Re: I am an old nobody

I didn't know there was a Z80000 :). So, it's about a 32bit version of the Z8000 which was 16bit.
Both seem pretty unrelated to the Z80. Much like a Motorola 68000 isn't a better 6800.

Re:I am an old nobody

[Megol]

There are good reasons for adding another "secret" (not relevant) OS with a separate processor to a computer. How it was done can be discussed.

Re:I am an old nobody

NSA were requesting these features, because "national security..., national security..., national security...!" and lastly "think of the children!"

FTFY

Re:I am an old nobody

Users who were unknowingly requesting these features by voting with their wallet

FTFY.

Not everyone knew backdoors were being placed into those machines. It's not like they said "Security Nightmare Inside! Sends everything to government spying agencies!" on the box or advertising material. Hell it didn't even say the cover reason on there: "Contains builtin enterprise management support. Management software not included. See your service agreement for details."

Also, "voting with their wallet" is a broken meme at this point. Marketing departments don't care one bit if you buy the product or not. If it's not selling well enough, they blame it on piracy, the most recent natural disaster in Asia disrupting production, or a competing product. Even if they do have to acknowledge a boycott, a change in the revolving guard will happen then it's back to business as usual. That's also assuming that a boycott even happens to begin with. As most places don't have real competition for products and services, due to all of the buyouts, mergers, IP agreements, and backroom deals. So getting things done whilst a boycott is on going, is either reduced to walk there yourself, or don't do it period. For many, the latter is not an option. The corporations have every excuse possible to use when dealing with bad "voters", both literally and figuratively, and if all else fails, they have plenty of golden parachutes to glide safely to their next screwing of the general public.

We the general public have lost power. Quit assuming people want anything based on what they buy, because chances are they either don't know, or have no real choice as an alternative.

Re:I am an old nobody

[oldgraybeard]

a kindred spirit ;)

was taught FORTRAN at a tiny rural high school in 73-74 because we had a fresh out of collage physics teacher who got an 029 punch card machine from his school U of Wis, River Falls and taught 5 of us after school. As I recall we each had blue and red paperback books.
Was crazy we would sit for hours writing out code on these pads of coding sheets. the sit for hours at the punch card machine, one line of code per card. The send them off to UW River Falls. in a week to 10 days we would get back our card deck, with a computer printout wrapped around them held by a rubber band ;) we would open them up read the printout and AGH! syntax error ;). lol or it ran ;)

"that Zilog Z-80 paperback book (6"x8"? Weird size.)" I think i have the book your taking about very well worn down at my office ;)

CDOS, CP/M, MP/M, Cromemco, Turbo Dos! cbasic, S100 equipment, 8" floppy drives, 16" shuggart? hard disk drives, S100 master processor, Slaves, 64k Static ram Memory card for the master processor, I/O and SMD hardrive controller cards. the I/O cards were a hoot, you got sample I/O drivers and had to write your own from those ;). My S100 home computer sat in the living room of my bungalow I was renting at the time. 4 desks/terminals and 2 computer racks i bought at corp recovery.

I was working at Control Data Corp. as an electronics tech in one of their semiconductor fabs.
I have booted an older CDC main frame we used to run one of our production test lines.from paper tape, to read the card decks, to create a bootable mag tape, on a phone booth(funny today few understand that reference) sized mag tape drive (had 4 on this system) and a drum printer barely smaller than a VW ;) Crazy fun old days ;)

Now have 30+ years working as a self employed contract programmer. Just taught myself Apples Swift language and rolled out my first in-house iPad app for a client. Just 50 devices scattered throughout the US, managed with an MDM service.
Tech is still a hoot ;)

Re: I am an old nobody

[Bing+Tsher+E]

In modern usage, x86 means something pretty different from an 8086 processor. The 8086 was basically an expanded version of an old 8 bit processor. Lots more memory space, segmented addressing, etc. But no protected mode.

Oh noes, hackers are involved!

We're all doomed now!

How does IBM do it?

[ArchieBunker]

How does IBM do hardware partitioning with their POWER chips? I had a box that was partitioned off with PowerVM and decided to run Linux on bare metal. Linux only saw the tiny RAM an CPU slice that PowerVM ran inside. Not until I cleared the hardware with the service processor did Linux see the rest of the resources.

Re:How does IBM do it?

[drinkypoo]

"How does IBM do hardware partitioning with their POWER chips?"

Poorly. POWER is vulnerable to both MELTDOWN and SPECTRE.

We have 64 bits virtual.

[tlambert]

We have 64 bits virtual.

Just don't put processes in intersecting address spaces; we already slide them arounbd with ASLR; adding negaffinity is not that hard a modification.

No TLB intersections, no issues.

Yes, performance will be reduced due to not having any page sharing whatsoever.

Alternate fix: stop using hypervisors.

Re:We have 64 bits virtual.

[TheRaven64]

We have 64 bits virtual.

No we don't. We have 48-59 bits, depending on the particular microarchitecture. You can exhaust 48 bits pretty quickly if each process wants 32 bits of address space and many things want more because they like to have big gaps to make memory safety bugs more likely to crash.

Design for security

[info6568]

There are so many attack vectors and options, and so much research from a lot of fronts. Soon or later another serious problem will arise because the modern CPUs are just too complex to be 100% safe for everything.

However, the solution seems to be simple. Don't put all the eggs in the same basket.

Use several independent computers. The ones could be exposed to environments where those exploits could be possible, must lack hyperthreading, branch prediction all these fancy speed things. But the ones are behind in really secured areas with enough control and a small quantity of well behaved and controlled software, could use those resources.

The issue here is to design for security and forget the sellers fairy tales about how good are their products.

That doesn't matter

Support vector machine is a machine learning (now re-buzzed "AI") thing. There's a machine learning MOOC out there that uses SVMs to classify images of hand-drawn numbers into actual numbers. Picture in, digit out. Of course it was a toy problem, but while the matrix math was computationally expensive for my poor old single core box, it is not so much for modern many core CPUs, and it makes pretty good GPGU fodder too. More importantly: The big computational cost is in the training, afterward it's fairly smooth sailing.

So no, the computational cost for at leas that part isn't that big. And since the cache sneak-a-peek trick can be done (as it previously was) from javascript without much problem at all, that's not very computationally expensive either. In fact, I don't think of this as surprising, but merely a demonstration that the previously opened can of cache peeking worms hasn't been emptied yet. And likely won't be for a goodly while.

The Death of OpenBSD

I went out to *BSD's grave on Decoration Day. The old forgotten cemetery is by the dark woods beyond the edge of town. There within olfactory distance of the municipal treatment plant you will find *BSD's final resting place.

*BSD's tombstone was shrouded by thick mosses and knots of noxious ivy. I gently pulled aside the tangled twists of thorns, and cleaned the decaying marker the best I could. My melancholy thoughts pondered that this indeed was *BSD's figurative charnel house of which so many have plaintively spoken.

Nothing is so pitiful as an untended grave, a loved one now forgotten. The short sad life of this doomed and fated OS make s us realize that there but for the grace of God go all of us.

I planted some wilting marigolds which I had found discarded behind Bud's Garden Center. By some miracle perhaps they will take root and bring a modicum of cheer to BSD's God forsaken plot. My fervent hope is that the torpid colored boy who carelessly mows the cemetery doesn't slice them down, inadvertently mirroring *BSD's own doomed encounter with death's irresistible scythe.

Funny how things work out. Linux, that brilliant novam stellam, now runs the Internet and the world's fastest computers, while *BSD lies moldering within its forgotten crypt. Let the barren silence of *BSD's tomb be a mute reminder that hubris and braggadocio were no defense on that woeful day when the Angel of Death's bleak umbra was cast upon *BSD.

Re:The Death of OpenBSD

Il est mort, très mort.

Re:The Death of OpenBSD

[AnthonywC]

I know you are trolling but even as a huge fan of Linux, one should know that network kernel codes are known to be better in the BSD world and the latter also have a much stronger focus on security. It is no secret that a lot of system vendor OS are based off on BSD (and no doubt that their licensing also plays a huge part).

Re:The Death of OpenBSD

one should know that network kernel codes are known to be better in the BSD world and the latter also have a much stronger focus on security

Well, it is Theo that has a focus on security, which means that it is mainly OpenBSD that gets the benefit of that focus.

I still prefer NetBSD. They don't do the whole "Less than 1% of the users are using this so we are going to remove it."
If you have old hardware that you want to run something on then NetBSD is your best bet if you don't want to settle for a 10 year old version of one of the other flavors.

Re:The Death of OpenBSD

I went out to *BSD's grave on Decoration Day.

Confirmation from Netcraft or it didn't happen.

Cost of using AI ML models is very low

[SuperKendall]

So I really don't know a lot about AI implementations, but I'm going to take a liberty and say, that's probably computationally expensive to be doing.

No, the expensive part is training a model, actually using a trained model to evaluate inputs to check a result just a bit of vector math to flow inputs through a number of very cheap computational nodes that spit out a result... That's why mobile devices can easily do all kinds of image classification now with trained models, even for live video feeds.

Re:Cost of using AI ML models is very low

[thegarbz]

You are misapplying theory here. Look at the mobile case again, image classification can easily be applied cross platforms because the things they are classifying don't change. Just because you have and Android vs an iPhone doesn't make that coffee cup look any different.

However in this case the model that needs to be built is the one based on the computer memory. Each target needs its own model which is precisely why the Spectre and Meltdown attacks are essentially irrelevant outside of very specific scenarios. You need to either have a LOT of inside knowledge, a LOT of unrestricted access to a machine, or a user who will miss malware intensively working for a long time to model the target machine in order to extract desired information.

The only class of systems really affected by this are systems with insider access (employees accessing servers with the ability to execute code), or VMs which by their nature need to give someone the ability to execute code. For mum and dad or even the enterprising geek and his laptop full of secret stuff these exploits are quite irrelevant in the real world.

Re:Cost of using AI ML models is very low

https://www.youtube.com/watch?v=G8-3G_cep4M

Re:Cost of using AI ML models is very low

[duke_cheetah2003]

No, the expensive part is training a model,

The timings you get from training are only useful if the target machine is IDENTICAL to the training machine. One thing, one little thing to skew the timing just slightly, and it's all over, back to square one.

So again...where's the beef?

I don't think these are bugs

I don't think these security issues are accidental.

Re:Bet He Didn't Go Into the Mob Racket

With the August release date, it will probably be a presentation at defcon

Maybe you could show up and get de Raat to spill da beans to ya

The problem is the douchebag humans

[presidenteloco]

who waste their life coming up with ways to fuck up other peoples' day by hacking their computer.

Pondscum basically. Or pathogenic bacteria. Take your pick. But such is life I guess.

Re:The problem is the douchebag humans

[BlueStrat]

[The problem is the douchebag humans]

who waste their life coming up with ways to fuck up other peoples' day by hacking their computer.

Pondscum basically. Or pathogenic bacteria. Take your pick. But such is life I guess.

There will always be a criminal element in any free and open society. That's really just human nature.

No, the real problem here are governments that insist people not be *too* secure in their data, communications, and with whom they associate (there is no freedom of association if all your associations are tracked, stored, and analyzed).

Strat

Re:The problem is the douchebag humans

Better these exploits are found out and fixed. In this case, they were found out by white hat hackers who warned everybody. In a world of 7 billion people you can't expect everyone to be good.

Re:The problem is the douchebag humans

[The problem is the douchebag humans]

who waste their life coming up with ways to fuck up other peoples' day by hacking their computer.

Pondscum basically. Or pathogenic bacteria. Take your pick. But such is life I guess.

There will always be a criminal element in any free and open society. That's really just human nature.

No, the real problem here are governments that insist people not be *too* secure in their data, communications, and with whom they associate (there is no freedom of association if all your associations are tracked, stored, and analyzed).

Strat

If we can figure this all out, then so can any AI, and we already know that they do not have humans best interest at heart. Secure it now, before the AI's use it against us.

Hm

[skovnymfe]

Am I to understand that every single performance enchancement made by Intel in the last 20 (?) years is flawed and prone to disaster-bugs?

Re:Hm

That seems to be the case, but the wrong question. Intel had bright people - they must have raised the issue and been overridden - CIO wanting fastest CPU out there, not technical buzzing noises. So, who knew what and when?

Re:Hm

[EndlessNameless]

AMD CPUs have many of the same features---TLBs, speculative execution, hyperthreading---without sharing all of the same vulnerabilities. There is enough overlap to suggest there are some unavoidable risks with performance-enhancing features.

It appears Intel was particularly blind to those risks, but bear in mind that some of those vulnerabilities are present on AMD as well.

Since Intel alone was called out on this, I assume AMD's hyperthreading design is safe---for now. Since both hyperthreading designs show similar performance gains, I'm not sure Intel got a performance boost from this defect at all.

Perhaps they saved a few transistors or were able to clock higher, though, so it's not entirely clear there was no benefit.

Re:Hm

I think that simply, the Intel CPUs are in 90%+ servers and 90%+ laptops so there's overwhelming access to them and large consequences if flaws are found.

Re:Hm

[DamnOregonian]

One would *hope* that AMD's HT design is safe, as they had ample time to learn from the first time Intel made this fuck-up, long before AMD had a HT core, back in 2005 with the P4.

Re:Hm

[TheRaven64]

Pretty much all CPU vendors were vulnerable to Spectre. Intel helpfully patented the technique that led to Meltdown, so the only non-Intel chip that was vulnerable was a very recent ARM core (released just after the patent expired, such bad timing!). Some of the more recent vulnerabilities rely on particular microarchitectural choices, so are probably limited to Intel. I suspect that other out-of-order cores will have some similar issues, but Intel is in most machines in all of the big cloud data centres so it's the highest-value target.

No, models very general

[SuperKendall]

Each target needs its own model

Each processor, yes. Each target? No.

The behavior of memory and processor caches seems like it would be pretty much the same on any system, in terms of determining a pattern. There are only a few crypto libraries that everyone uses so it's not a vast difference to train a model that handles all commonly used crypto libraries along with common server processors and servers.

The real fix nobody really wants

The real fix would affect speed too much which many users would probably find a way to defeat anyway. Unfortunately Intel and even ARM and AMD made some choices in architecture for their CPU's that provided these security issues. Whether they all knew about them at the time is debatable. Going forward I think we will see Intel and to some extent ARM and AMD revert chip design back to a safer architecture.

one wipe is good enough

Wrong. Computer forensics specializes in this sort of data recovery. There's a reason why DoD spec is 7 passes over the disk.

Now SSDs are a different matter.

The DoD spec has been superseded by NIST SP-800-88 (Rev 1), Section 2.4:

For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.

* https://doi.org/10.6028/NIST.SP.800-88r1 (PDF)

Using the ATA Sanitize Device /SECURE ERASE UNIT feature set, or SCSI SANITIZE, are sufficient unless you're talking about TOP SECRET labelled stuff. That's if you want to re-use the drive: if not, just sending it through a degausser and fry the thing.

Re: In a world..

You certainly cant trust the 2 billion Chinese.

Re: Spotted the stooge!

Tell us about those NSA chips on harddrive controllers.. go on..

So what?

[duke_cheetah2003]

It's an exploit that can potentially steal bits from another VM or process.

That much is clear. What they're not telling you, is how the hell you get from stealing bit streams and exporting them to the outside world. Also they don't tell you how you go about actually capturing bits you might actually be interested in capturing.

OK, so case 1, you rent a VM from a random provider and start fishing around to try and find out what is sharing the bare metal with you. So what? What are the chances of you landing on a bare metal that has ANYTHING useful running along side your maliciousness?

So case 2, you inject this into an actual webserver of interest, by another exploit of some kind. Assuming this alone didn't set off a ton of alarms for a system admin to come look at, you still have to defeat whatever firewalling is present on your target and have THAT not set off a ton of alarms for a system admin to come look at.

Case 3, the end user. The most worthless of all targets, whacha gunna steal? A credit card? Someone's bank account credentials? There's much easier ways to go about this. And more rewarding targets. Bank fraud and computer crimes you'll be charged with are not worth one fuck's bank or credit card. Hell you can just buy that kind of thing on the dark web anyway and charge up some random fuck's credit card.

Bottom line, interesting exploit you have there. Wish it was actually useful in the real-world, but it's not, nor will it ever be. Sorry.