All Intel Chips Open To New 'Spoiler' Non-Spectre Attack (zdnet.com)

← Back to Stories (view on slashdot.org)

All Intel Chips Open To New 'Spoiler' Non-Spectre Attack (zdnet.com)

Posted by msmash on Tuesday March 5, 2019 @03:25AM from the security-woes dept.

Spoiler is the newest speculative attack affecting Intel's micro-architecture. From a report: Like the Spectre and Meltdown attacks revealed in January 2018, Spoiler also abuses speculative execution in Intel chips to leak secrets. However, it targets a different area of the processor called the Memory Order Buffer, which is used to manage memory operations and is tightly coupled with the cache. Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lubeck in north Germany detail the attack in a new paper, 'Spoiler: Speculative load hazards boost Rowhammer and cache attacks'. The paper [PDF] was released this month and spotted by The Register. The researchers explain that Spoiler is not a Spectre attack, so it is not affected by Intel's mitigations for it, which otherwise can prevent other Spectre-like attacks such as SplitSpectre.

10 of 132 comments (clear)

Min score:

Reason:

Sort:

Here we go again! by Anonymous Coward · 2019-03-05 03:29 · Score: 5, Funny

Here we go again! I'm going to go make more popcorn.
Actual Link to Register Article by j_f_chamblee · 2019-03-05 03:30 · Score: 4, Informative

As opposed to spammy, pop-up filled ZDNet article.
https://www.theregister.co.uk/...

--
The first principle is that you must not fool yourself - and you are the easiest person to fool. -Richard Feynman
1. Re:Actual Link to Register Article by TFlan91 · 2019-03-05 03:37 · Score: 5, Informative
  
  And what should've been the summary:
  
  The researchers – Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar – have found that "a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem" reveals memory layout data, making other attacks like Rowhammer much easier to carry out.
  The researchers also examined Arm and AMD processor cores, but found they did not exhibit similar behavior.
  "We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes," the researchers explain.
  "The leakage can be exploited by a limited set of instructions, which is visible in all Intel generations starting from the 1st generation of Intel Core processors, independent of the OS and also works from within virtual machines and sandboxed environments."
  Also, in before f**k JavaScript. The researchers just chose to use this has a means to demonstrate the weakness in Intel processors, not a weakness in JS.
2. Re:Actual Link to Register Article by thereddaikon · 2019-03-05 03:56 · Score: 4, Insightful
  
  Also, in before f**k JavaScript. The researchers just chose to use this has a means to demonstrate the weakness in Intel processors, not a weakness in JS.
  Fair enough, but still fuck javascript.
It's nice to see by mandark1967 · 2019-03-05 03:37 · Score: 5, Funny

Intel's committment to backward compatiblity

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Effective from Javascript by phantomfive · 2019-03-05 03:40 · Score: 4, Insightful

Quoth the article:

The researchers say that Spoiler improves Rowhammer attacks and cache attacks that reverse-engineer virtual-to-physical address mapping. Using Spoiler, they show the leakage can be used to speed up reverse-engineering by a factor of 256. It also can speed up JavaScript attacks in the browser.

It's not clear that this vuln allows you to attack anything by itself, but being able to speed up Rowhammer shows why you need to take vulnerabilities seriously, even if you can't figure out how to exploit them.

--
"First they came for the slanderers and i said nothing."
Re:Back To The Abacus. by Fly+Swatter · 2019-03-05 04:08 · Score: 5, Funny

Pretty sure the Abacus is vulnerable to the table shake attack. Also anyone walking by can see your current value.
Don't issue a CVE by mschaffer · 2019-03-05 04:39 · Score: 4, Funny

Instead of issuing a CVE they should be issuing a "spoiler alert".
Re:Please explain the rowhammer relationship by DamnOregonian · 2019-03-05 05:25 · Score: 5, Informative

It's a good question. I'll answer.
Rowhammer allows you to flip bits in memory with specific relationships to memory you can access.
If one of the bits you're able to flip happens to be bits in a page table, and enough stars line up, allows you to flip access bits on pages you're interested in, the MMU will let you read them as you will. Meltdown addresses this problem by completely swapping out the kernel pagetables between context switches.
However, if even more stars line up, then you can potentially map pages back in.
Leaking information about the page tables does make that a much faster process.
To be clear: Rowhammer is a problem on all CPUs. This accelerates the speed at which Rowhammer can try to brute force a page table entry.
DO NOT MAKE FALSE EQUIVOCATIONS PLEASE. by Anonymous Coward · 2019-03-05 07:31 · Score: 4, Insightful

In a word, wrong. AMD is not cross-process vulnerable without another vuln at RING-0, you can only attack in-process. That makes it much less useful - you need to have an existing hacked process to get THAT PROCESS data.
With intel you can get ANY process data from ANY OTHER PROCESS, even in VM's. It's not comparable. This article is a NEW, additional attack that makes it even more trivially exploited.
FTFY