Academics Publish New Software-Level Protections Against Spectre and Rowhammer Attacks

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

Research BS

[x0ra]

Don't publish a freaking paper, send a goddamn diff on the LKML, and we'll be able to comment. This PR-seeking behavior from researcher is pretty deplorable.

Re:Research BS

These are researchers in academia, where you're judged largely on your publications. While releasing a patch to the Linux kernel might be a useful synergistic activity, it simply doesn't have the impact of publications. As a researcher, I like releasing source code and, when feasible, my data sets. However, those simply don't have the same impact as publications. Publishing a paper isn't mutually exclusive from releasing the source code. Don't blame the researchers. Blame the system that disproportionately rewards publications over other contributions.

The one exception here might be if lots of other researchers use your software or data set in their research. In that case, your data or software could get a DOI and be highly cited in its own right. I doubt a patch to the Linux kernel would get cited much if at all, so the publication is probably the one thing that matters in academia.

Re:Research BS

[jiriw]

As if the Linux kernel is the only kernel out there running on Spectre / Rowhammer vulnerable architectures. Beside, how do you know the implementation is needed on the kernel level? Have you read the paper to get to that conclusion? I haven't (yet) but I can easily imagine practical applications are only needed at the application level, for applications that actually could be attack vectors. Why drag down your whole operating system with an all encompassing solution when you only need to be careful with, say, a web browser or what else?

Research papers are to publish research made by researchers. Software developers that think the research is relevant to their project should read the papers and implement the methods in them. That's how the world works. Theoretical computer scientists are in knowledge more like mathematicians than software developers. I know, I've studied computer science at university level for almost a year and then decided I'd be better off studying at the high vocational education level, which is far more practical and better suited to my way of thinking. When I see a piece of pseudo-code I do know how to implement that algorithm in a few dozen programming languages 'though, including ones that use different coding paradigms than used in the pseudo-code... and make it fit in even a larger number of coding frameworks / platforms, if needed. You shouldn't ask a theoretical computer scientist that. They should focus on mathematical proof / code correctness, algorithmic scalability, and theoretical effectiveness calculations.

Re: Research BS

Not everybody is gifted to write low le el C code. Nor willing to put up with the Linux Kernel maintainers' abuse and smart-assery.
Nor is Linux the only important OS in the planeta.
Sometimes it's more important to publish ideas and outline processes that others can follow than producing a single working implementation.

So why should AMD systems slow down to cover Intel

[Joe_Dragon]

So why should AMD systems slow down to cover Intel? or say in a system where I don't need security like this but need speed?

At least with linux I can force it off at the kernel level.

diffs != funding

[WoodstockJeff]

Publicity for an academic paper, on the other hand, can lead to funding.

Re:diffs != funding

[x0ra]

my point exactly, researchers are grant whores, beggars, never wasting an occasion to release a bs paper to get to keep their status, leading to a very low signal-to-noise ratio. (and yes, I did witness this first hands, on top of wasting money on useless crap just to safeguard their fundings... there is a lot of swamp draining needed)

Re:diffs != funding

[DamonHD]

That's a little harsh. If paying the rent requires getting grants, you'll aim to get grants. What do you call what you do to get money? (Plus let's not insult in passing other groups that you clearly consider beneath contempt...)

Re:diffs != funding

[x0ra]

Depends. By your definition, being a criminal to get rent money would be acceptable. There is already a de-facto very limited percentage of actual "research" usable in the industry (I'm fairly sure that kernel gurus would technically destroy this patch pretty quickly), so there is no need to keep the SNR as low as currently done by the paper industry... if they really care about usable solutions, and real life practical results. That being said, the universities are living in a echo chamber...

Re:diffs != funding

can't say i disagree with your perspective -- yet i get a lot out of many papers. would you settle for "academics, by and large, do not know the difference between theory and practice?"

Re: diffs != funding

Sounds like someone has a touch of intellectual jealousy to me.

Re:diffs != funding

[Aighearach]

You don't seem to comprehend that in this part of the field, academics are professionals doing real work. And grants cause that work to move forwards.

I don't doubt that you "did witness this[] first hands," the question is, do you even comprehend what the "this" in the story is that you're claiming to have seen? I'm assuming from your words that you actually just mean that when you were an assistant coach on the wrassling team in college, and you misdirected funds, you never got caught. If you want it to sound like something different, choose words that communicate it.

Academic security research is nothing at all like academic OS research. See also: GNU Hurd

You don't need to "drain" anything, just stop spewing swamp gas out your mouth.

Re: diffs != funding

They are contributing more than you ever will. You don't get a grant because you're useless and your views don't matter

Re:diffs != funding

Depends. By your definition, being a criminal to get rent money would be acceptable. There is already a de-facto very limited percentage of actual "research" usable in the industry (I'm fairly sure that kernel gurus would technically destroy this patch pretty quickly), so there is no need to keep the SNR as low as currently done by the paper industry... if they really care about usable solutions, and real life practical results. That being said, the universities are living in a echo chamber...

I can't recommend strongly enough that everyone checks out your recent comment history, as it will immediately illuminate everyone as to why you skipped the pertinent question, namely, "What do you call what it is that you do?".

Can never be too safe

Here's my fix for rowhammer and spectre:

/* just make everything alias to the same 8-way associative cache line */
#define SAFE alignas(512)

Unfortunately this might still be vulnerable to TLB attacks, so there's an improved version:

/* put everything on a separate page (increase if you're using huge pages) */
#define SAFE alignas(4096)

Here's how you might use it:

struct SAFE foo { SAFE int n; SAFE foo *ptr; };

You can never be too safe! /s

not buying it

[iggymanz]

Software can be subverted, these flaws have to be addressed in hardware redesign

Re:not buying it

[chispito]

Software can be subverted, these flaws have to be addressed in hardware redesign

Yes, but a hardware revision does nothing for those who cannot or will not refresh their hardware, nor does it do anything for the next hardware based attack that is announced.

Re:not buying it

The Row-Hammer announcement was just a tweet of an upcoming paper. At this point, there is no way to know if it's anything other than BS. Although, I think it should be possible to detect a row hammer attack by using the performance counters without significant performance issues, so I'm hopeful.

The "Spectre Mitigation" is really just a way of locking down memory in libraries and the main executable so that sensitive information is only accessible to the parts of the code that are supposed to be accessing it. While a good idea, it's not much of a mitigation against Spectre and does nothing to prevent Spectre from being used against the kernel or hypervisor to access data.

So in both cases, the researches are just publicity whores, which is understandable since they need to be in order to be successful and continue their work. It's one of the reason's I'm not in academia.

Re:not buying it

addressed in hardware redesign

That part is fantasy. There isn't some holy moment in the future where a new flawless CPU appears. New flaws will emerge with new hardware.

Mitigating this with microcode and OS protection is the unavoidable reality going forward.

Re:not buying it

After Netburst, Inel purposely dropped the 'lock and key' hardware method whereby a thread only gets access to memory assets it has the 'key' for. This gave Intel a massive unfair (and compter science 'illegal') performance advantage over AMD- but also allowed the NSA to use user code to access any asset including Ring Zero on any Intel based PC.

The ONLY software method that makes an Intel PC 'secure' is to only run one thread at a time on the CPU, and do a complete CPU state flush when the multi-tasking swaps the thread. Of course this would make a current high-end Intel CPU run at less than 5% (FIVE percent) of its current max.

AMD's Zen implements 'lock and key' in hardware and is faster per clock than Intel on software optimised for zen (rare- since almost all commercial software is currently optimised for Intel). Zen is mostly the same speed per clock as Intel on Intel friendly code, but Intel currently has a 800MHz advantage over AMD (at best).

Only an ill-informed fool would buy Intel for anything but highend gaming today. Next year AMD's Zen 2 will eliminate even this 'excuse' as AMD literally leaves Intel in the dust.

Intel needs a new architecture to fix its current problems with ALL its current CPU's. Intel has employed the bloke who designed AMD's Zen processor, but Intel cannot get a new architecture out based on his work for at least the next three years.

Re:not buying it

[iggymanz]

Large banks, traders and insurance clearing houses were my clients, they do refresh hardware. If a mom and pop shops don't, or your local governmetn doesn't, that's a small time problem.

Fearmongering about unknown future bugs is pointless.

Re: not buying it

Rowhammer, Meltdown, and Spectre all share the same flaw.

They aren't a way in...they only work on already compromised (in serious ways) systems. Stop the way in and you stop all 3 at once.

Re:not buying it

Correct, and the software mitigation does nothing as it can be bypassed or subverted as well.

So those people are fucked by their own choice or "their inability to upgrade situation"

Re: not buying it

Wrong, they are different flaws, exploits have been shown working in browser javascript.

Re: not buying it

browser javascript

Missed the point completely.

Every software weenie's wet dream:

Yes, let's take us some juicy hardware problems and fix'em in software!

Well, that's not an especially good idea, even if you can successfully do it.

At the same time, msmash is still high on bleepingcomputer. Rehab is calling, dear. And get us some real links while at it.

Re:Every software weenie's wet dream:

[HiThere]

It's not a good forwards-looking option, but with all the vulnerable computers already out there, it's an excellent interim step. And its going to take a long time for all those computers to get replaced. IIRC, there are still a few i486-s still running. I know of an i386 that was running until about 3 years ago...it was even running MSWindows 95a.

Re:Every software weenie's wet dream:

[Waffle+Iron]

Yes, let's take us some juicy hardware problems and fix'em in software!

Well, that's not an especially good idea, even if you can successfully do it.

OK, I'm personally going to need several new replacement CPUs once the hardware fixes have been implemented. Will you buy them for me?

Re:Every software weenie's wet dream:

You should keep those 486s running, then -- they're not vulnerable to any of this.

Re:Every software weenie's wet dream:

Me? How about intel?

I still have a via c7 for a workhorse, and security isn't a primary concern. Money is.

Re:Every software weenie's wet dream:

[HiThere]

Someone else is/was running the i486's. The i386 was only for the purpose of running MSWind95, and when the need for it went away, so did the machine. (Well, actually hardware problems rather forced the issue...but if I'd had to keep it running I would have.)

That said, neither is a really good choice on a modern machine. Easier would be the keep it running isolated from the web, which the i386 definitely needed anyway (and that was easy, because it was running MSWind 95a...no included internet connection). For the i486 you'd be running an unsupported OS, so you had BETTER be keeping it isolated from the web. And if you're going to do that anyway, you might as well use a modern processor, unless you've got a good reason not to. (I had this timing dependent software that wasn't upgraded and where MSWind 97 munged the timing.)

Re:So why should AMD systems slow down to cover In

Because people get paid by/are afraid of Intel and completely lack any kind of moral fiber. Lots of people working on Linux for instance are employed directly or indirectly by Intel. No wonder AMD had to fight pretty hard to put a stop on the original plan to "secure" all x86 CPU's against Meltdown - which, as far as x86 goes, is an Intel exclusive.

Re:So why should AMD systems slow down to cover In

[HiThere]

This is Spectre 1, not Meltdown. I believe it also affects AMD. IIRC, it was also expected to be quite difficult to implement, though I didn't hear any follow-up about that.

I also didn't hear that Rowhammer was specific to Intel. Do you have reason to believe differently?

FWIW, and IIUC, while Linux allows you to disable the protection against Spectre (or was it Meltdown), the kernel automatically optimizes it away if the processor is not vulnerable. (IIUC, the original patch submitted by Intel didn't do that, but AMD submitted a revised patch.)

Are any of these vulnerabilities actually in use?

[Fly+Swatter]

Yes I realize someone could figure out a mass application exploit at any time now, but are there any actual active threats out there besides the mental scare tactics currently imparted by all the news outlets?

Re: Are any of these vulnerabilities actually in u

Found the Intel shill! Seriously, though - there is no reason to believe they are not in active use. The time between a vulnerability being publicised and seen being exploited as part of a professional criminal exploit in the wild is generally under two weeks. After all, you don't leave your car unlocked because nobody has stolen it yet.

Intel sponsored BS

After the moderate success of the Pentium 3, when AMD and Intel were pretty level, Intel went NETBURST.

Netburst was an ultra long pipeline design chasing 10GHz. It was the biggest disaster in x86 architecture to date. As it became clear to Intel that AMD would trivially defeat netburst with its own x64 design, Intel infamously went back to the Pentium 3, updated the architecture, and made Core 1/Core 2 which eventually became todays vastly improved core architecture.

Intel used AMD patents for the core 2, while AMD (in an act of unthinkably stupidity) used Intel Netburst patents to design AMD's own disaster, Bulldozer. The two companies have a cross patent sharing agreement.

Now how does this fit into the 'spectre' etc current dister for all Intel parts on sale today (but not AMD's incredible Zen)? Well it turns out that when Intel driopped Netburst, and built core 1/core 2 on the back of the Pentium 3, to give themselves a FAKE NEWS perfromance boost, they dropped all hardware privilege testing of memory access.

An analogy. When a modern multi-threading program accesses memory, it should work like a key opening a chest. Without the right key, you cannot look in the chest. But the very handling of 'keys' and the time it takes to unlock the 'chest' and look inside has an impact on performance. It turns out that after Netburst, as all modern processors went multi-core (then simulatneous mutli thread per core) Intel never implemented the lck and chest approach that is essential to secure processing.

AMD did. The bulldozer underperformed against the intel equivalents cos AMD had the lock and chest and Intel did not. Intel's performance advantage, in other words, comes from pure hardware cheating. Put the hardware lock and key back in, and Intel would fall way behind AMD's current ZEN design (and zen is already faster on instructions per clock when code is optimised for both Intel and AMD- which sadly rarely happens with commercial code, which is optimised for Intel only).

So for all the years Intel cheated and had dangerous and incorrect processing design, how did they get away with it? By conspiting with Microsoft to use atrocious 'code memory domain' methods. This is a software technique that forms trust based seperation of assets owned by threads. But low level black-hat code can always subvert this OS fantasy, and use the lack of proper memory hardware on Intel CPUs to allow one thread to read the assets of another.

Also, the Intel cheat met the needs of the NSA, CIA, GCHQ etc in making every PC insecure.

How do you fix any of Intel's current CPU's? By running only ONE thread at a time on the chip, and doing a complete state flush when a new thread is given its time slice. A current 4 core 8 thread Intel i7 would fall to less than 5% of its current max performance if an ordinary OS were forced to do this- which in reality is the ONLY secure fix for Intel parts.

TLDR- Intel x86 CPU's post netburst (all the 'good' chips from the last 10+ years) are faulty by design, where the purposeful memory architecture fault gives Intel a massive unfair thread memory speed advantage, and allows the NSA to use user level code to interogate even Ring Zero assets on any Intel CPU.

Intel needs an entire new architecture to 'fix' the fault (won't happen for at least three years), and even then Intel will then lag far below current AMD CPU designs.

Re: Intel sponsored BS

But I love my Bulldozer CPU. It was $60 and runs games on HD Ultra settings easily...it's easy to get a $300 GPU when the CPU is only $60.

Re:Intel sponsored BS

Or you could just go to ARM who aren't as large and cumbersome as Intel and will probably already have this fixed. .... and benefit from a decent processor design, and not 10 years of polishing the x86 turd with all it's wonderful "ism's"

TOTALLY Safe Random Code

The same assholez who sunk us in this muck are now suddenly here to save us? Fuck that.

INTEL OWES US MONEY.

Re: You sound public school dropout

Tell us where the Professor touched you.

Re: You sound public school dropout

[x0ra]

if only I could have enjoyed witnessing the spending of close to EUR50k of useless spending for no other sake than spending money to justify the next funding cycle...

Re: Are any of these vulnerabilities actually in

"Seriously, though - there is no reason to believe they are not in active use. "

How about the fact that these are post exploit payloads that won't get you into anything. And they aren't useful unless you broke into a virtual machine. So you can spy on the other VMs on that system. Well you could have just pivoted and owned every virtual instance...

Rowhammer?

I thought rowhammer was a done deal solved by "scrambler" features of memory controllers?

What we're seeing now is just the tip of a very very large iceburg requiring fundamental design changes involving the rolling back of years of clever performance enhancing shortcuts.

Introducing software patches is counterproductive at this point in time. If you care about security the ONLY viable option right now is metal.

Cool!

[Misagon]

What ELFbac is doing is to partition the memory space into regions with different protection depending on which region the access is coming from.
You could say that it is like automated partitioning of a program into multiple processes communicating via shared memory.

The cool feature here is that the access control matrix is derived from the existing link information in the binary itself (ELF format), which means that no code rewrite is necessary.

I'm not sure how it would stop Spectre though, especially on Intel which runs code speculatively before access control. I'm looking forward to reading the paper (especially since I'm already drawing ideas from it to another project ...)

Re: Are any of these vulnerabilities actually in

There are working examples in browser javascript. That's hardly "post exploit payload" I also congratulate you on your exceptionally narrow world view in that the only way you can see this exploit being used is in crossing container memory boundaries.

Rowhammer Mitigation

If you make sure you have quality RAM ICs (Samsung at the moment), do not drop your RAM voltage too low and do not reduce the access latency too low then you can make rowhammer attacks near impossible, if not impossible. You will also reduce bit flips to between zero and a few per year for your workstation. I read 5 or so research papers on ECC vs non-ECC and that's a summary of what I was able to learn.

If you have a GPU with ECC then the recommendation is to turn off ECC. The GPU will be faster and more reliable for scientific simulations, with ECC off. Bit flips and errors caused by the memory controller with ECC on are more frequent then bit flips caused by cosmic rays. If you are in space or at an extremely high altitude then cosmic rays are a problem.

Not Surprised

In fact I have posted here on Slashdot that an API at the OS level can fix all this CPU bug, that's when this Spectre and Meltdown were exaggerated on almost all tech sites. Any hardware bugs can be fixed by software, and vice versa. Software bugs can also be bypassed by modifying hardware too.
Computer Science fundamentals 101