Academics Publish New Software-Level Protections Against Spectre and Rowhammer Attacks

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

Research BS

[x0ra]

Don't publish a freaking paper, send a goddamn diff on the LKML, and we'll be able to comment. This PR-seeking behavior from researcher is pretty deplorable.

Re:Research BS

These are researchers in academia, where you're judged largely on your publications. While releasing a patch to the Linux kernel might be a useful synergistic activity, it simply doesn't have the impact of publications. As a researcher, I like releasing source code and, when feasible, my data sets. However, those simply don't have the same impact as publications. Publishing a paper isn't mutually exclusive from releasing the source code. Don't blame the researchers. Blame the system that disproportionately rewards publications over other contributions.

The one exception here might be if lots of other researchers use your software or data set in their research. In that case, your data or software could get a DOI and be highly cited in its own right. I doubt a patch to the Linux kernel would get cited much if at all, so the publication is probably the one thing that matters in academia.

Re:Research BS

[jiriw]

As if the Linux kernel is the only kernel out there running on Spectre / Rowhammer vulnerable architectures. Beside, how do you know the implementation is needed on the kernel level? Have you read the paper to get to that conclusion? I haven't (yet) but I can easily imagine practical applications are only needed at the application level, for applications that actually could be attack vectors. Why drag down your whole operating system with an all encompassing solution when you only need to be careful with, say, a web browser or what else?

Research papers are to publish research made by researchers. Software developers that think the research is relevant to their project should read the papers and implement the methods in them. That's how the world works. Theoretical computer scientists are in knowledge more like mathematicians than software developers. I know, I've studied computer science at university level for almost a year and then decided I'd be better off studying at the high vocational education level, which is far more practical and better suited to my way of thinking. When I see a piece of pseudo-code I do know how to implement that algorithm in a few dozen programming languages 'though, including ones that use different coding paradigms than used in the pseudo-code... and make it fit in even a larger number of coding frameworks / platforms, if needed. You shouldn't ask a theoretical computer scientist that. They should focus on mathematical proof / code correctness, algorithmic scalability, and theoretical effectiveness calculations.

So why should AMD systems slow down to cover Intel

[Joe_Dragon]

So why should AMD systems slow down to cover Intel? or say in a system where I don't need security like this but need speed?

At least with linux I can force it off at the kernel level.

diffs != funding

[WoodstockJeff]

Publicity for an academic paper, on the other hand, can lead to funding.

Re:diffs != funding

[x0ra]

my point exactly, researchers are grant whores, beggars, never wasting an occasion to release a bs paper to get to keep their status, leading to a very low signal-to-noise ratio. (and yes, I did witness this first hands, on top of wasting money on useless crap just to safeguard their fundings... there is a lot of swamp draining needed)

Re:diffs != funding

[DamonHD]

That's a little harsh. If paying the rent requires getting grants, you'll aim to get grants. What do you call what you do to get money? (Plus let's not insult in passing other groups that you clearly consider beneath contempt...)

Re:diffs != funding

[x0ra]

Depends. By your definition, being a criminal to get rent money would be acceptable. There is already a de-facto very limited percentage of actual "research" usable in the industry (I'm fairly sure that kernel gurus would technically destroy this patch pretty quickly), so there is no need to keep the SNR as low as currently done by the paper industry... if they really care about usable solutions, and real life practical results. That being said, the universities are living in a echo chamber...

Re:diffs != funding

[Aighearach]

You don't seem to comprehend that in this part of the field, academics are professionals doing real work. And grants cause that work to move forwards.

I don't doubt that you "did witness this[] first hands," the question is, do you even comprehend what the "this" in the story is that you're claiming to have seen? I'm assuming from your words that you actually just mean that when you were an assistant coach on the wrassling team in college, and you misdirected funds, you never got caught. If you want it to sound like something different, choose words that communicate it.

Academic security research is nothing at all like academic OS research. See also: GNU Hurd

You don't need to "drain" anything, just stop spewing swamp gas out your mouth.

not buying it

[iggymanz]

Software can be subverted, these flaws have to be addressed in hardware redesign

Re:not buying it

[chispito]

Software can be subverted, these flaws have to be addressed in hardware redesign

Yes, but a hardware revision does nothing for those who cannot or will not refresh their hardware, nor does it do anything for the next hardware based attack that is announced.

Re:not buying it

[iggymanz]

Large banks, traders and insurance clearing houses were my clients, they do refresh hardware. If a mom and pop shops don't, or your local governmetn doesn't, that's a small time problem.

Fearmongering about unknown future bugs is pointless.

Re: not buying it

Rowhammer, Meltdown, and Spectre all share the same flaw.

They aren't a way in...they only work on already compromised (in serious ways) systems. Stop the way in and you stop all 3 at once.

Re:So why should AMD systems slow down to cover In

[HiThere]

This is Spectre 1, not Meltdown. I believe it also affects AMD. IIRC, it was also expected to be quite difficult to implement, though I didn't hear any follow-up about that.

I also didn't hear that Rowhammer was specific to Intel. Do you have reason to believe differently?

FWIW, and IIUC, while Linux allows you to disable the protection against Spectre (or was it Meltdown), the kernel automatically optimizes it away if the processor is not vulnerable. (IIUC, the original patch submitted by Intel didn't do that, but AMD submitted a revised patch.)

Re:Every software weenie's wet dream:

[HiThere]

It's not a good forwards-looking option, but with all the vulnerable computers already out there, it's an excellent interim step. And its going to take a long time for all those computers to get replaced. IIRC, there are still a few i486-s still running. I know of an i386 that was running until about 3 years ago...it was even running MSWindows 95a.

Re:Every software weenie's wet dream:

[Waffle+Iron]

Yes, let's take us some juicy hardware problems and fix'em in software!

Well, that's not an especially good idea, even if you can successfully do it.

OK, I'm personally going to need several new replacement CPUs once the hardware fixes have been implemented. Will you buy them for me?

Are any of these vulnerabilities actually in use?

[Fly+Swatter]

Yes I realize someone could figure out a mass application exploit at any time now, but are there any actual active threats out there besides the mental scare tactics currently imparted by all the news outlets?

Re: Are any of these vulnerabilities actually in u

Found the Intel shill! Seriously, though - there is no reason to believe they are not in active use. The time between a vulnerability being publicised and seen being exploited as part of a professional criminal exploit in the wild is generally under two weeks. After all, you don't leave your car unlocked because nobody has stolen it yet.

Intel sponsored BS

After the moderate success of the Pentium 3, when AMD and Intel were pretty level, Intel went NETBURST.

Netburst was an ultra long pipeline design chasing 10GHz. It was the biggest disaster in x86 architecture to date. As it became clear to Intel that AMD would trivially defeat netburst with its own x64 design, Intel infamously went back to the Pentium 3, updated the architecture, and made Core 1/Core 2 which eventually became todays vastly improved core architecture.

Intel used AMD patents for the core 2, while AMD (in an act of unthinkably stupidity) used Intel Netburst patents to design AMD's own disaster, Bulldozer. The two companies have a cross patent sharing agreement.

Now how does this fit into the 'spectre' etc current dister for all Intel parts on sale today (but not AMD's incredible Zen)? Well it turns out that when Intel driopped Netburst, and built core 1/core 2 on the back of the Pentium 3, to give themselves a FAKE NEWS perfromance boost, they dropped all hardware privilege testing of memory access.

An analogy. When a modern multi-threading program accesses memory, it should work like a key opening a chest. Without the right key, you cannot look in the chest. But the very handling of 'keys' and the time it takes to unlock the 'chest' and look inside has an impact on performance. It turns out that after Netburst, as all modern processors went multi-core (then simulatneous mutli thread per core) Intel never implemented the lck and chest approach that is essential to secure processing.

AMD did. The bulldozer underperformed against the intel equivalents cos AMD had the lock and chest and Intel did not. Intel's performance advantage, in other words, comes from pure hardware cheating. Put the hardware lock and key back in, and Intel would fall way behind AMD's current ZEN design (and zen is already faster on instructions per clock when code is optimised for both Intel and AMD- which sadly rarely happens with commercial code, which is optimised for Intel only).

So for all the years Intel cheated and had dangerous and incorrect processing design, how did they get away with it? By conspiting with Microsoft to use atrocious 'code memory domain' methods. This is a software technique that forms trust based seperation of assets owned by threads. But low level black-hat code can always subvert this OS fantasy, and use the lack of proper memory hardware on Intel CPUs to allow one thread to read the assets of another.

Also, the Intel cheat met the needs of the NSA, CIA, GCHQ etc in making every PC insecure.

How do you fix any of Intel's current CPU's? By running only ONE thread at a time on the chip, and doing a complete state flush when a new thread is given its time slice. A current 4 core 8 thread Intel i7 would fall to less than 5% of its current max performance if an ordinary OS were forced to do this- which in reality is the ONLY secure fix for Intel parts.

TLDR- Intel x86 CPU's post netburst (all the 'good' chips from the last 10+ years) are faulty by design, where the purposeful memory architecture fault gives Intel a massive unfair thread memory speed advantage, and allows the NSA to use user level code to interogate even Ring Zero assets on any Intel CPU.

Intel needs an entire new architecture to 'fix' the fault (won't happen for at least three years), and even then Intel will then lag far below current AMD CPU designs.

Re: You sound public school dropout

[x0ra]

if only I could have enjoyed witnessing the spending of close to EUR50k of useless spending for no other sake than spending money to justify the next funding cycle...

Cool!

[Misagon]

What ELFbac is doing is to partition the memory space into regions with different protection depending on which region the access is coming from.
You could say that it is like automated partitioning of a program into multiple processes communicating via shared memory.

The cool feature here is that the access control matrix is derived from the existing link information in the binary itself (ELF format), which means that no code rewrite is necessary.

I'm not sure how it would stop Spectre though, especially on Intel which runs code speculatively before access control. I'm looking forward to reading the paper (especially since I'm already drawing ideas from it to another project ...)

Re:Every software weenie's wet dream:

[HiThere]

Someone else is/was running the i486's. The i386 was only for the purpose of running MSWind95, and when the need for it went away, so did the machine. (Well, actually hardware problems rather forced the issue...but if I'd had to keep it running I would have.)

That said, neither is a really good choice on a modern machine. Easier would be the keep it running isolated from the web, which the i386 definitely needed anyway (and that was easy, because it was running MSWind 95a...no included internet connection). For the i486 you'd be running an unsupported OS, so you had BETTER be keeping it isolated from the web. And if you're going to do that anyway, you might as well use a modern processor, unless you've got a good reason not to. (I had this timing dependent software that wasn't upgraded and where MSWind 97 munged the timing.)