Slashdot Mirror


Researchers Disclose New 'Inverse Spectre Attack' (digitaljournal.com)

A new Intel security flaw has been discovered that potentially allows passwords to be stolen. An anonymous reader quotes Digital Journal: As EE News reports, researchers said the new flaw enables an "inverse spectre attack". According to Giorgi Maisuradze and Professor Dr. Christian Rossow, a ret2spec (return-to-speculation) vulnerability in the chips allows would-be attackers to read data without authorization. According to Professor Rossow: "The security gap is caused by CPUs predicting a so-called return address for runtime optimization."

The implications of this are: "If an attacker can manipulate this prediction, he gains control over speculatively executed program code. It can read out data via side channels that should actually be protected from access." This means, in essence, that malicious web pages could interpret the memory of the web browser in order to access and copy critical data. Such data would include stored passwords.

"At least all Intel processors of the past ten years are affected by the vulnerabilities," reports EE News, adding "Similar attack mechanisms could probably also be derived for ARM and AMD processors...."

"Manufacturers were notified of the weaknesses in May 2018 and were granted 90 days to remedy them before the results were published. That deadline has now expired."

96 comments

  1. Okay thanks by Anonymous Coward · · Score: 2, Funny

    I will worry about it. I promise.

  2. Intel = complete shit by Anonymous Coward · · Score: 1

    Any clout the brand had has been destroyed in the past year. What shoddy system design.

    1. Re: Intel = complete shit by Anonymous Coward · · Score: 0

      well at least they hired the blue man group to tell you that ur fucked, but maybe u dont need to be painted blue to shove that fist directly up my asshole?

  3. Re: Fucking great by Anonymous Coward · · Score: 0

    You may have some anger management issues. Should get that looked into.

  4. Could probably... by Anonymous Coward · · Score: 2, Interesting

    How much is intel paying for the AMD FUD this time?

  5. Realistic solution if you have no money? by Anonymous Coward · · Score: 1

    I can barely afford an old Core2Duo for 50 bucks (case and all). And I have actually for real been a target of my own country. How the hell am I supposed to mitigate all this? I run a well-"secured" Linux with at least daily updates of everything, but what's the point? Sure, a few of those bugs can be worked around in software. But what does it matter? It takes a single proper one, and I'm done.

    I can only console myself with the fact, that if nothing happened until now, then nothing may happen. But I just can't live with that constant insecurity.
    I'm at a point where I'm willing to drop all hardware more complex than a pair of pliers. I don't think I can stand such a life though. Not with the illness that made me this poor. Computers are the only thing I'm good at that I have left. I need them, if I ever want to get out of this.

    1. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 0, Funny

      If you have no money, people stealing your passwords is not really a concern. So you have that going for you, which is nice.

    2. Re: Realistic solution if you have no money? by Guppy · · Score: 1

      Use an old processor without speculative execution features? Some lower end ARMs and Atoms also are immune, I think.

    3. Re:Realistic solution if you have no money? by drinkypoo · · Score: 0

      I can barely afford an old Core2Duo for 50 bucks (case and all).

      Should have bought an old Athlon for fifty bucks instead. Lots of us tried to tell you that Intel was unscrupulous. Buying used hardware helps increase the value of new hardware because buyers know that there will be a buyer for their surplus so that they don't have to pay to dispose of it. Even by buying a used Intel system, you helped out Intel. Full disclosure, I bought a fifty dollar C2D as well. I still have it, but I'm not using it. Maybe I'll give it away to someone who doesn't care about security, since I have a couple of old AMD systems as well.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      Age of CPU is a pointless avenue to explore unless you want to go back to a 386. However, there are lots of little scalar ARM CPUs that have literally no speculation whatsoever but are reasonably modern and can run Linux, e.g. the Raspberry Pi. Modern scalar CPUs are the only reasonable escape from this, and even then you are seriously sacrificing performance (have you tried browsing the web in Chrome on a Raspberry Pi? Not fun).

    5. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      Surfing the web in lynx works great though!

    6. Re:Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      The mitigation is the same as it has been since computers were invented -- do not run or allow malicious code to run on your computer.

    7. Re:Realistic solution if you have no money? by ArylAkamov · · Score: 1

      Shit sounds fucked where you are. Meet in person and stockpile hydrogen peroxide and acetone.

    8. Re:Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      I don't think I can stand such a life though. Not with the illness that made me this poor.

      Is it the same illness that's causing your unfounded paranoia?

    9. Re:Realistic solution if you have no money? by AHuxley · · Score: 1

      Buy an older computer and find a supported OS for it.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      Spoken like somebody that truly has no idea what these attacks entail. Found the Intel employee!

    11. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 1

      That's a dangerously naive attitude.

      Even if you have no money, people can still run up massive debts etc. in your name if they can come across enough information.

    12. Re: Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      It works well enough, if you limit the number of tabs you keep open and take measures against the worst abuse you subject it to, like using a Pi-hole and only running selected JavaScript via NoScript or similar.

      IME, the 1GB limit is more of a hassle than the CPU itself.

    13. Re:Realistic solution if you have no money? by Nite_Hawk · · Score: 1

      Terribly sorry to hear about your situation. I hope things improve! FWIW, I think it's helpful to look at these issues (and really the world in general) as a system of probabilities. Even absent these vulnerabilities your system is quite likely vulnerable to some other attack vector (as is mine, and as is basically every computer on the planet). It's just a question of how difficult it is to exploit and how likely it is that someone is going to do so.

      If you are truly worried that your government might abuse a flaw like this against you, probably your first line of defense at the moment is to avoid any kind of remote code execution.

    14. Re:Realistic solution if you have no money? by Anonymous Coward · · Score: 0

      Define old? Athlon XP has SSE but not SSE2, older Athlon has no SSE whatsoever. Neither can run Firefox, even 52 ESR or tor browser.
      Athlon 64 or X2 will do (or 64bit Sempron).
      While you're at it, run 32bit linux if you have 3GB RAM or less. Hell you can do this on an Intel as well. Maybe the exploits will target x86-64 anyway. On less than 4GB (and even then) 64bit is a waste of RAM.

    15. Re:Realistic solution if you have no money? by drinkypoo · · Score: 1

      Define old? Athlon XP has SSE but not SSE2, older Athlon has no SSE whatsoever. Neither can run Firefox, even 52 ESR or tor browser.
      Athlon 64 or X2 will do (or 64bit Sempron).

      Yeah, not that old. My backup system is a Phenom II X6 1045T, my backup to the backup is a Phenom II X3 720BE. IIRC the X6 has 8GB and the X3 has 4. I think I have one more motherboard with a relatively new dual-core, too, but that one might be flaky.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Quick! Everyone panic! by GerryGilmore · · Score: 1, Interesting

    IMNSHO, the whole realm of Spectre/Meltdown vulnerabilities - while an interesting lab experiment - is complete horseshit. Consider:

    1) In order for ANY of these vulnerabilities to be useful, you MUST be running malware on your system. If so, you are already hosed.

    2) Given the enormous realms of malware extant that can much more quickly and easily grab your data (Hello, Equifax!), any true hacker would laugh at trying to use these vulnerabilities, because...

    3) The idea that malware can tickle the cache millions of times to grab data (presuming it has not already been flushed), interpret said data and then pray that it is something useful, like passwords, when cache is normally filled with instructions more than data...Yes. Complete, organic, 100% Dolphin-free horseshit.

    Any of you who are now delaying purchases, etc. while you twist your hanky are doing the rest of us a favor by forcing prices down, so - Keep It Up!!

    1. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      What about vps servers?

      Also, some of these attacks can be done without having to manually run something on your computer.

      The other point you're missing is that when the mitigations are implemented it will probably slow down your CPU.

      If you wait until new CPUs, you might get the additional security without any additional slowdown.

      So you buy your shonky Intel CPUs at the moment. But you're not getting your money's worth because you're burning CPU cycles on guards against these attacks. Also, less demand won't lower prices anyway if there isn't any shortage.

    2. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      You, uh, think a phishing site that does not need your credentials for a single site to raid your entire keychain store is no big deal? Huh

    3. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Agreed, and this one in particular requires executing native machine code to manipulate the return address buffer before a function call AND recovering from the consequential CPU confusion caused by returning to some effectively arbitrary location in memory. In fact, it's difficult to imagine how this could be used without already having control over the target machine.

    4. Re:Quick! Everyone panic! by drinkypoo · · Score: 4, Insightful

      IMNSHO, the whole realm of Spectre/Meltdown vulnerabilities - while an interesting lab experiment - is complete horseshit.

      Intel apologists are equally irrational to YHWH apologists.

      In order for ANY of these vulnerabilities to be useful, you MUST be running malware on your system. If so, you are already hosed.

      Javascript. Malware hidden in software. Virtualization. These are all real-world scenarios which affect basically everyone.

      Given the enormous realms of malware extant that can much more quickly and easily grab your data (Hello, Equifax!), any true hacker would laugh at trying to use these vulnerabilities, because...

      You're already vulnerable to shooting, so why worry about stabbing?

      The idea that malware can tickle the cache millions of times to grab data (presuming it has not already been flushed), interpret said data and then pray that it is something useful, like passwords, when cache is normally filled with instructions more than data...

      ...has been demonstrated. Millions of times, so what? My computer does millions of things thousands of times per second.

      Any of you who are now delaying purchases, etc. while you twist your hanky are doing the rest of us a favor by forcing prices down, so - Keep It Up!!

      I'm not delaying purchases. I'm just happy I'm not using Intel, which is not only vulnerable to MELTDOWN, but is more vulnerable to SPECTRE-type attacks than my AMD CPU.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Quick! Everyone panic! by Anonymous Coward · · Score: 1

      1) In order for ANY of these vulnerabilities to be useful, you MUST be running malware on your system. If so, you are already hosed.

      Javascript is sufficient for many of these timing based attacks, even if it slows things down a little more. Proof of principle code already exists and shows it can read quite a bit of browser memory in the time a person would reasonably spend on a page. I hope you're running NoScript and none of the sites you grant exceptions to ever get hacked...

    6. Re:Quick! Everyone panic! by Anonymous Coward · · Score: 2, Informative

      It sounds like you haven't read the details of these attack vectors.

      1. The family of Spectre vulnerabilities are exploitable from javascript.
      2. Yes, there is much malware, that doesn't make Spectre and meltdown attacks any less viable/devastating.
      3. Statistical attacks have been used for a long time. Computers are great at performing them, because, yes, they are computers. Side channels don't need much bandwidth to steal critical information, like say, a user's password or bank account details.

      These attack vectors are serious. I'd encourage you to read the papers, and read up on side-channel attacks.

    7. Re:Quick! Everyone panic! by GerryGilmore · · Score: 1

      "Intel apologists are equally irrational to YHWH apologists."
      Considering that these vulnerabilities also (largely) apply to AMD and ARM, your cheap-shot snark is duly noted and ignored for the shit it is.
      "Javascript. Malware hidden in software. Virtualization. These are all real-world scenarios which affect basically everyone."
      Lots of word salad with no proof. Yawn...
      "You're already vulnerable to shooting, so why worry about stabbing?"
      That's a really stupid analogy, but let's pursue it for the fuck of it. I can much more easily defend against a stabbing, because they need to be at very close range. (i.e. On your fucking system) whereas a bullet can travel over a mile and kill you. (Equifax vulnerability)
      The rest of your statements are equally delusional and devoid of rationality, so....

    8. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      This is not one of those; in fact, trying this one requires executing specific machine instructions usually only written by a linker, and even so it will almost always cause your program to crash immediately, and if not then shortly after.

      JavaScript does not provide the tools necessary to create an attack using this technique. It's only useful if you already have control of a system and can run native code. So, don't run native programs from untrusted sources.

    9. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Except the mechanism involved is very different from the original Spectre. The original was vulnerable to ANY software not just JavaScript. This one requires executing special machine instructions not normally accessible to JavaScript.

    10. Re:Quick! Everyone panic! by drinkypoo · · Score: 4, Informative

      Considering that these vulnerabilities also (largely) apply to AMD and ARM, your cheap-shot snark is duly noted and ignored for the shit it is.

      Mitigation is cheaper on AMD, because they at least tried to do the right thing. And they only tend to be a problem for 64-bit ARM. The biggest failures here are Intel and IBM.

      Lots of word salad with no proof. Yawn...

      There's no proof that those are real-world scenarios?

      I can much more easily defend against a stabbing, because they need to be at very close range. (i.e. On your fucking system) whereas a bullet can travel over a mile and kill you.

      Javascript is on your system. Malware hidden in applications is real, and on people's systems.

      The rest of your statements are equally delusional and devoid of rationality, so...

      ...they're totally rational and you couldn't find any good arguments against them, either, so you just gave up. Noted.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:Quick! Everyone panic! by Anonymous Coward · · Score: 1

      The question at the heart of the "so what?" argument is whether or not the person understands that the "brain" that is at the core of any microprocessor just does whatever its instructions tell it. If it gets an instruction to take the contents of register A and add the contents of register B (perform binary addition) and store them back in A, that's what it will do. The security applied by the operating system basically involves making sure that no instruction the software the user is trying to run would or could attempt to perform can tamper with or access anything it's not supposed to, i.e., anything outside its sandbox. IF, however, a way exists in which a programmer who is very clever can figure out how to make it do something the OS's designers (and the user) don't intend for it to do anyway, because the people who designed the OS didn't think of it as a possible attack vector, or for whatever reason, it ends up being possible to compromise the system and possibly cause arbitrary code execution, which the OS designers and user would not want.

      Even if it requires extreme cleverness on the part of the attacker(s), the status of the OS as "secure" is lost if it is even POSSIBLE to compromise the system. In other words, for the system to be completely and THEORETICALLY secure, there would have to exist no possible way to make it do anything the designers didn't intend. Basically, it would have to be a lump of rock, or perhaps a single SPST switch, because anything more complex than that ends up having exponentially more ways in which something could go wrong. Making a REASONABLY secure system then, becomes the art of minimizing the number of ways in which a system could be compromised, and mitigating the impact OF a compromise when one happens.

      As a user of such a system, I'm glad to know when someone found a way to break the design-security and make it do something it wasn't supposed to, not because I enjoy panicking, but because without looking into such announcements, I have NO WAY OF KNOWING how serious the problem is. Even if it's way beyond my understanding or expertise, without people popping in and reading the article, or at least the summary, there's really no way to know how concerned we should be. So the sarcastic, "Quick! Everyone panic!" reflects perhaps that the poster maybe doesn't use his or her computer for anything important, but maybe other people do. Suppose the vulnerability were one that only mattered if you drink coffee while using the computer. It doesn't worry YOU because you don't drink coffee. Tastes terrible, why would anyone, right? Well, some people DO, and they'd like to know if there's some good reason they should NOT do so.

      Just like when there's a data breach, you could say "Quick! Everyone Panic" because you don't have an account with that company. But maybe other people DO. Maybe the release of the information could be disastrous for people who have or had accounts there.

      Getting back to the point though, the trouble is that we're talking about computers here, and all it would take is that one very clever hacker, or programmer, to figure out how to use that exploit for something, and get your computer to run the code, such as by posting it to a website you might browse, or sending it in an e-mail. "That's okay, I don't open attachments..." you might say. But what if the attacker figured out how to make your e-mail program's (or browser's) anti-spam algorithm break in just by sending malformed headers or something?

      Remember that thing where the right sequence of Asian language characters texted to an iPhone would brick it or something? Could be something like that.

      Now. maybe you're not worried because you don't HAVE anything sensitive on your computer, (i.e., your name, address, date of birth, credit card information, etc.,) but suppose while you're scoffing "quick, everyone panic!" the attacker gains access to your system, and rather than extracting anything, or telling your hard drive to encryp

    12. Re:Quick! Everyone panic! by Anonymous Coward · · Score: 0

      These attacks are not viable. If you can run "arbitrary code" on a computer there are far easier ways to compromise the system.

    13. Re:Quick! Everyone panic! by ArylAkamov · · Score: 1

      One damn good post.

    14. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Native code not required, can be exploited in JavaScript.

    15. Re:Quick! Everyone panic! by GerryGilmore · · Score: 0

      "Mitigation is cheaper on AMD, because they at least tried to do the right thing. And they only tend to be a problem for 64-bit ARM. The biggest failures here are Intel and IBM."
      OK, so everyone replace all of your Intel, 32-bit ARM and IBM CPUs immediately, because...

      "There's no proof that those are real-world scenarios?"
      Nope, none outside of lab conditions. Show me otherwise....I'm waiting....

      "Javascript is on your system. Malware hidden in applications is real, and on people's systems."
      Wait a minute! The fact that Javascript exists on your system means you're fucked?!? And, OMG!!, *malware is real*?? Say it ain't so!!! WTF have I been saying about general, widespread malware while you're obsessing about the most-fucking-difficult-exploit-known-to-man???

      "...they're totally rational and you couldn't find any good arguments against them, either, so you just gave up. Noted."
      As just noted, not rational at all, but thanks for playing!

    16. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Spectre class exploits are alive and in the wild. Here is a list of virus sigs back from January, when only local attacks were known. Since then we've had Netspectre, which enables the spectre attack remotely without any attack code run on the target whatsoever.

    17. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      They need to make a new Slashdot strapline. After "news for nerds", the modern equivalent seems to be "trolls, shills, wannabes and retards". Timing attacks do not require arbitrary code execution, only existing code execution with a code section known to contain the correct (very common) code construction (for punny reasons called a "gadget"). Now shoo, Intel shill; in any other industry there would have been a mass recall, but Intel have no shame.

    18. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Found the Intel employee. It's been shown those attacks work with JavaScript, as JavaScript has highly accurate timing. It's been shown that even with the less accurate timing that has been implemented in some browsers already, it can still be exploited.

    19. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      How about you put your money where your mouth is. Post a link to a webpage which has some js that can grab information from another open tab. Then show me one that can grab data from another application.

    20. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      Or those vulns have been known for a while in some specific place (defense, intelligence...) and are there by design on the CPUs.

    21. Re:Quick! Everyone panic! by raind · · Score: 1

      There's no "security" anymore, if there was anyway.

      --
      Get up!
    22. Re:Quick! Everyone panic! by Anonymous Coward · · Score: 0

      You can be owned by inverse spectre by just visiting a web page. You should learn more about computers, the internet, and security before everyone starts thinking you're a fucking tool.

    23. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      It usually takes a week or two after information from researchers goes public before some blackhat comes up with a working exploit based on it. In other words, give it a few days. I've provided evidence of exploits based on prior variants in the wild, which has not been refuted; I've shown what I set out to. Apparently those are "not practical or possible" according to the technically lacking ostrich crew either.

    24. Re: Quick! Everyone panic! by Anonymous Coward · · Score: 0

      I'm pretty sure Netspectre required RDMA.

    25. Re:Quick! Everyone panic! by thegarbz · · Score: 1

      Javascript. Malware hidden in software. Virtualization. These are all real-world scenarios which affect basically everyone.

      No they aren't. The ability to read a memory location through speculation is irrelevant unless you have hours to exfiltrate memory from a system and even longer to analyse it. In order to make use of these vulnerabilities someone needs to have intimate knowledge of the system they are currently on.

      Drive by malware utilising spectre is not a real-world scenario.

      If you offer someone server time on the cloud, be worried. If you're a government agency with hostile state actors embedded and attempting to elevate their rights, be worried. If you're a user surfing the internet then calm the fuck down.

    26. Re:Quick! Everyone panic! by thegarbz · · Score: 1

      Javascript is on your system. Malware hidden in applications is real, and on people's systems.

      The capabilities of the attack vector are important. Reading memory is not an issue for drive by malware.

  7. Don't run untrusted software, mkay? by Anonymous Coward · · Score: 0

    Yeah, the cloud is fucked and web sites that don't work without Javascript need to stop embedding third party scripts, at the very least until CPUs stop leaking predicted execution results.

  8. She wrote upon it by TeknoHog · · Score: 4

    return to Spectre
    address stack blown
    go side channel
    no safe zone

    --
    Escher was the first MC and Giger invented the HR department.
  9. This goes back by jmccue · · Score: 1

    Well, all of this goes back to what I have said to everyone I know: "Do nothing important in a WEB Browser". To which I get "It is safe and easy, I do it all the time."

    At least paying for a stamp to mail in a bill payment buys you protection that is lacking in WEB based tools. If your mail is tampered with, it is a crime. Granted the Gov may take a peek, but better than someone trying to drain your accounts.

    The way things are going lynx is looking pretty good :)

    1. Re:This goes back by Anonymous Coward · · Score: 0

      Lynx is a web browser. Lynx is not necessarily safer.

    2. Re:This goes back by drinkypoo · · Score: 1

      Granted the Gov may take a peek, but better than someone trying to drain your accounts.

      The CA FTB decided I owed them money (I didn't) and drained my bank account. I filed for the back taxes and naturally I haven't heard from them since. They stole my money and I will never see it again. Assuming the government isn't going to steal from you is ridiculous.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:This goes back by HiThere · · Score: 1

      Well, it may not necessarily be safer, but I believe that at least it blocks attacks depending on Javascript.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:This goes back by Nivag064 · · Score: 1

      What is the CA FTB?

      Caribbean Associated Flying Transport Board???

  10. literally spectre by Anonymous Coward · · Score: 0

    The return instruction is just an indirect branch that jumps to the link register that also manipulates the stack pointer, so it seems pretty unsurprising it has the same speculative behavior.
    How is this the reverse of spectre? It's the exact same, just a different instruction.

    1. Re: literally spectre by Anonymous Coward · · Score: 0

      Setting up the return address requires bypassing JavaScript's, or the linker's, function-call code to insert an arbitrary address. Even if you can do that, the program will return to some location that may not even contain machine instructions, and even if it does, the code at that location will be processing, from its perspective, garbage on the stack. This exploit is at best an academic curiosity.

    2. Re: literally spectre by Anonymous Coward · · Score: 0

      And even worse, how can they call this inverse spectre?
      Spectre is speculative execution changing the contents of the cache which can then be used as a side channel.
      The inverse would be changing the contents of the cache to change the behavior of speculative execution.

  11. Russians by Anonymous Coward · · Score: 0

    Is this how Guccifer got into Hillary's email server?

    1. Re:Russians by Anonymous Coward · · Score: 0

      It's not even how Putin fucked Trump in front of his imported spy wife.

  12. WE ARE ALL FUCKED! THANKS INTEL (NOT!) by Anonymous Coward · · Score: 0

    This is what happens when a CPU company has had a monopoly for decades. How to fix this? BUY AMD! Is your only option. Feel safe. BE SAFE!

  13. It's too late by AndyKron · · Score: 1

    Maybe it's too late. There was a chance back with the DOS, but not now. Computers are great but people are shit

  14. CA FTB by Anonymous Coward · · Score: 0

    I know you were making a joke, but California Franchise Tax Board ;)

  15. Not concerned by Anonymous Coward · · Score: 0

    Maybe it's just me, but you can only cry wolf so often, and if nothing happens it just stops being important.

  16. That's what I thought too but no. That's all wrong by raymorris · · Score: 1

    I thought the same thing, more or less, based on my understanding of basically how the low-level attack works. As it turns out, I was wrong. They have figured out how to use a "no big deal" issue to build an important and powerful attack around it. I got lost in the details and "couldn't see the forest for the trees", so to speak.

    Others have pointed out "malware running" could be JavaScript. Not even that is necessary, though - even sending specially crafted TCP packets to the target can do the trick! Google Netspectre for details.

    It's NOT just "hope something useful is in the cache" as I'd thought. The attacker can read chosen memory addresses, in some cases before ASLR is applied.

    This is a much bigger issue than I thought, and bigger than you thought, because of what people have been able to build on top of the essential vulnerability.

  17. Not new by Anonymous Coward · · Score: 0

    Sorry to disappoint you all, but this is not new, this is already discovered:

    https://arxiv.org/pdf/1807.07940.pdf

  18. Re:That's what I thought too but no. That's all wr by Anonymous Coward · · Score: 0

    Just set the "Execute Payload with NT AUTHORITY\SYSTEM" flag in the IP header ...

  19. Why Keep PW in Web Browser? by Anonymous Coward · · Score: 0

    Why keep anything security-related in a browser? Passwords go into a local, separate (not on the web) password manager, and are copied via the clipboard when needed (automatically clearing the clipboard in 10 sec or so). You can probably guess what I use from that description.

  20. by the time researchers find all the flaws in CPUs by FudRucker · · Score: 1

    the only safe computers will be the ones completely disconnected from the internet, kept locked in a secure room where only authorized personnel are allowed to enter. I think it's time for a completely new architecture built with security in mind from the ground up, and the same goes for the software: no back doors, no remote code allowed to execute unless it is sandboxed and unable to touch the system.

    --
    Politics is Treachery, Religion is Brainwashing
  21. Re: Fucking great by Anonymous Coward · · Score: 0

    The only recourse is to disable speculative execution and hyper-threading. The flaw isn't a bug. The flaw is a fundamental philosophy in the paradigm of how to execute data. Or else it wouldn't affect AMD and ARM based CPUs.

    This will never get patched. More flavors of it will just get discovered. The REAL FIX will be in entirely new CPU architecture with security setting the fundamental state of computer science in how data gets processed. That, and along with new OS kernels to match will take at least 5 more years.

  22. Re:Fucking great by AHuxley · · Score: 1

    Back to a notebook next to the computer with everything written out. Type it in every day as needed due to that CPU.

    --
    Domestic spying is now "Benign Information Gathering"
  23. 90 Days for Your New Chip by mentil · · Score: 1

    Manufacturers were notified of the weaknesses in May 2018 and were granted 90 days to remedy them before the results were published.

    90 days may be the standard for Responsible Disclosure, but that's only reasonable for issuing a software patch. Intel doesn't issue new silicon to everyone affected within 90 days, it can take over a year before the next chips are available, and those might've had their design locked down well beyond that.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:90 Days for Your New Chip by Carewolf · · Score: 1

      Manufacturers were notified of the weaknesses in May 2018 and were granted 90 days to remedy them before the results were published.

      90 days may be the standard for Responsible Disclosure, but that's only reasonable for issuing a software patch. Intel doesn't issue new silicon to everyone affected within 90 days, it can take over a year before the next chips are available, and those might've had their design locked down well beyond that.

      Then the only reasonable thing is to tell everyone right away

  24. Re:That's what I thought too but no. That's all wr by GerryGilmore · · Score: 0

    Well, when google is your technical authority, it's understandable that you'd be dead wrong...."even sending specially crafted TCP packets to the target can do the trick! Google Netspectre for details."

    IF you actually READ TFA, you'll see that it REQUIRES a "gadget" (read: malware code) running on your fucking machine!! (I swear, the tech level on /. has descended to fucking Alex Jones level of paranoia - facts be damned!!) FFS!!

  25. Re:by the time researchers find all the flaws in C by Anonymous Coward · · Score: 0

    After hearing about meltdown and spectre I spent time reading the details about Intel's microarchitectural security issues. They are so bad I find it difficult to believe nobody at Intel noticed the security implications of the performance hacks. AMD did a much better job at least with regards to meltdown (It's not vulnerable).

  26. Gadgets are vulnerable OS components by raymorris · · Score: 2

    The term "gadget", in this context, means vulnerable code, preferably OS code, and especially kernel code. That's pre-existing code, part of the OS, that's vulnerable.

    For Netspectre, an interesting gadget is a network card driver that is vulnerable.

    Gadget does NOT mean malware.

    1. Re:Gadgets are vulnerable OS components by GerryGilmore · · Score: 0

      "For Netspectre, an interesting gadget is a network card driver that is vulnerable."
      OK, show me one. Or, to be more exact (and I have written device drivers, BTW) show me a vulnerability worth its name that relies on ONE specific flaw in ONE specific NIC device driver, given the wide range of NIC drivers.
      Sheesh! The lengths you guys will go to to defend the indefensible. (Indefensible, in this case, that the whole realm of SM panic is manifested by this weakest of arguments....)

    2. Re: Gadgets are vulnerable OS components by Anonymous Coward · · Score: 0

      Here's one in netlink that was patched just 8 days ago. Code constructs that have the potential to generate gadgets are incredibly common, now shoo Intel shill, your company has no shame and produces shoddy junk.

  27. sphincter by Anonymous Coward · · Score: 0

    Anyone else read that as inverse sphincter attack?

    1. Re:sphincter by Anonymous Coward · · Score: 0

      Goatse approves of this hack
      =Eo3=

  28. nazis would have known better by Anonymous Coward · · Score: 0

    simple, don't trust jewputers

  29. you forgot the ending... by Gravis+Zero · · Score: 1

    Burma-Shave

    --
    Anons need not reply. Questions end with a question mark.
  30. Re: Fucking great by Anonymous Coward · · Score: 0

    Only we don't know whether AMD or ARM are affected. That's pure *ahem* speculation at this point.

    We OTOH, are equally free to speculate why they were included at this point since there apparently is no evidence that they indeed are vulnerable.

    The risk is obviously there, but I'm withholding judgment until there are more facts. It's not like there hasn't been attempts before to "fix" everyone else with the same performance degrading patches that are needed for Intel, whether they were vulnerable or not.

  31. Re:WE ARE ALL FUCKED! THANKS INTEL (NOT!) by Anonymous Coward · · Score: 0

    I guarantee you that this exact same thing will be in AMD chips, and possibly ARM and other chips with speculative execution.

  32. Re: by the time researchers find all the flaws in by Anonymous Coward · · Score: 0

    Men in Black will never allow that.

  33. Atom 330 or Cortex-A53 by Anonymous Coward · · Score: 0

    See subject, there are in-order CPUs and those are not subject to the flaws.
    Other old Atoms are immune too (called something silly like Cherry View, older than Bay Trail), but have PowerVR graphics which mean you'd probably be lucky if you get raw 2D graphics working in linux.
    Worst though is that these systems typically have 1GB RAM; the max is 2GB RAM.
    Desktop systems exist but most are old netbooks - a netbook with a broken screen or keyboard will work.

    As a further post says there's the Raspberry Pi, but the 1GB RAM limit is even worse than 2GB!
    Some netbooks have both VGA and HDMI, which can't be said of a raspy.

  34. Here are a couple of example gadgets. Bounds check by raymorris · · Score: 1

    Here are a couple of examples of Spectre gadgets. Suppose we have this code making sure the input doesn't try to access beyond the end of an array:

    /* bounds check: the "<" was lost in the page's HTML; the comparison is restored here */
    if (x < array1_size)
          y = array2[array1[x] * 4096];

    Or maybe this code you might find in a firewall such as iptables. It checks to make sure the protocol of the packet is either TCP, udp, icmp, or another valid protocol:

    /* bounds check on the protocol number: the "<" was lost in the page's HTML; restored as "<=" */
    if (packet.ethertype <= maxtype) {
            CurrentProt = EtherTypes[packet.ethertype];
    }

    Can you spot the problem?

    99.99999% of the time, a received packet will have a valid protocol type. The CPU "learns" that the condition is almost always true, so will speculatively set the value of CurrentProt, then undo that if the condition ends up being false. Suppose there are 100 valid protocols the code handles. The attacker sends a frame with the EtherType (protocol) set to 40,101. The CPU speculatively loads whatever data is 40,001 bytes past the EtherTypes variable. The attacker has loaded the contents of whatever memory address they choose.

    How frequently do you see a gadget such as bounds checks? Well, almost ALL well-written code will include these patterns, and therefore be vulnerable.

    Here's something that will annoy the heck out of a few people here -
    ALL code written in Rust which uses an array is guaranteed to have bounds checks, and therefore be vulnerable.
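    An added example (not the poster's code) that puts the bounds-check gadget above beside a hardened version: the constructed ether_types table stands in for the post's EtherTypes, and the index fed to the array is clamped with the branch-free mask the Linux kernel uses in array_index_mask_nospec(), so a mispredicted compare can no longer steer the speculative load outside the array.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the EtherTypes table in the post: index is a
 * protocol number, value is a handler id (0 = no handler). Anything past
 * its end is memory the gadget could touch during speculation. */
#define MAX_TYPE 100
static const uint8_t ether_types[MAX_TYPE] = { [1] = 1, [6] = 2, [17] = 3 };

/* The gadget pattern from the post. Architecturally correct, but the CPU
 * may execute the load with an out-of-range idx before the compare
 * resolves, leaving a cache footprint an observer can measure. */
uint8_t lookup_unsafe(size_t idx)
{
    if (idx < MAX_TYPE)
        return ether_types[idx];
    return 0;
}

/* Branch-free index mask in the style of the Linux kernel's generic
 * array_index_mask_nospec(): all-ones when idx < size, else zero. No
 * branch is involved, so a mispredicted compare cannot skip it. Assumes
 * both arguments fit in a signed long and that >> on a negative long is
 * arithmetic (true for gcc and clang). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    /* If idx < size, neither idx nor (size - 1 - idx) has its top bit set,
     * so the OR's top bit is clear; ~ sets it and the arithmetic shift
     * smears it into every bit. Otherwise the top bit ends up clear. */
    return (size_t)(~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1));
}

/* The index actually used inside the guarded block, even under
 * misspeculation: in-range values pass through, everything else maps to 0. */
size_t masked_index(size_t idx)
{
    return idx & index_mask_nospec(idx, MAX_TYPE);
}

/* Hardened form: the bounds check stays, but the index used for the array
 * is clamped, so speculation can never read beyond ether_types. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < MAX_TYPE)
        return ether_types[masked_index(idx)];
    return 0;
}
```

    With the post's example input, masked_index(40101) is 0, so the worst a misspeculated load can touch is the first table entry rather than memory 40,001 entries past it.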

  35. Nobody uses Intel gigabit NIC, right? by raymorris · · Score: 1

    Here's the code for the driver used with Intel gigabit network cards. Hardly anyone ever uses that, right? Only people with Intel motherboards or Intel network cards, and other companies' network cards that use the Intel chip.

    https://github.com/torvalds/li...

    I see a couple hundred if statements in there. Maybe 20% of those will serve as a gadget. I bet you can find three or four bounds checks. In my other reply I showed you how to use a bounds check as a Spectre gadget.

  36. Stallman the Seer? by gerald.edward.butler · · Score: 1

    Richard Stallman clearly predicted this: https://en.wikipedia.org/wiki/...

  37. Re: Here are a couple of example gadgets. Bounds c by Anonymous Coward · · Score: 0

    I don't deny the attacks are possible, but they really are not very feasible outside of a carefully coordinated attack on a specific target.
    It's not like some gaping hole where you could use a drive by site to drop rootkit on millions of passing systems.
    And even a targeted attack is unreliable outside of carefully controlled lab environments, especially the network based one.

  38. The current network based has an important limit by raymorris · · Score: 1

    The current network based variant has an important limitation in regard to exfiltration rate. Based on past vulnerabilities and exploits, we can guesstimate that new developments might make it roughly 10X faster. That makes it even more interesting to use against chosen HTTPS sites to retrieve the private key.

    The JavaScript based ones aren't currently the easiest way to build a botnet, but deploying such JavaScript on a site frequented by Lockheed Martin employees, or bank employees, could be really interesting.

  39. This is relevant to bitcoin by Anonymous Coward · · Score: 0

    Bitcoin fanboys: It is an unalterable ledger, safe forever
    Rest of the computer industry: uh, what about bugs?

  40. Rip it out by Anonymous Coward · · Score: 0

    Rip this fucking unit out of the CPU and be done with it.