> On Jan 3, 2018, at 11:59 AM, Eric van Gyzen <vang...@FreeBSD.org> wrote:
>
> On 01/03/2018 14:48, Ronald F. Guilmette wrote:
>>
>> In message <477ab39d-286d-d9a2...@sentex.net>,
>> Mike Tancsa <mi...@sentex.net> wrote:
>>
>>> I am guessing this will impact FreeBSD as well ?
>>>
>>> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>>
>> Swell. Just swell.
>>
>> Why couldn't this have been announced the week -before- I bought an Intel
>> processor and motherboard to replace my aging AMD rig, rather than the week
>> -after- I did so?
>>
>> Geeeesssh!
>
> Wait until Tuesday before you explode. Intel are now saying that it's
> not a "bug" in Intel CPUs.
>
> https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
>
> Eric
It looks more like they are playing fast and loose with words. From the article you linked:
Intel believes these exploits do not have the potential to corrupt, modify or delete data.
and
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.
They did not say it is *NOT* a bug, just that it is not a bug unique to Intel. I’ve not seen speculation regarding the “bug” being able to corrupt, modify, or delete data, I’ve only seen speculation that the bug allows unprivileged processes to see privileged memory/cache.
Additionally, they indirectly imply that both AMD and ARM chips are affected by the same bug, however this is, at least in AMD’s case, appears to be directly refuted by a patch submitted to the Linux kernel by AMD:
https://lkml.org/lkml/2017/12/27/2 <https://lkml.org/lkml/2017/12/27/2>
AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture
does not allow memory references, including speculative references, that
access higher privileged data when running in a lesser privileged mode
when that access would result in a page fault.
Disable page table isolation by default on AMD processors by not setting
the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
is set.
Since other statements are misleading, it could be that the “workloads” being described could be a hibernated laptop; a halted firewall (where the firewall/routing rules are still running in the kernel); a lightweight user who only uses e-mail and facebook; etc:
Contrary to some reports, any performance impacts are workload-dependent,
and, for the average computer user, should not be significant and will be mitigated
over time.
Finally their belief of being the most secure products in the world and actual reality may differ:
Intel believes its products are the most secure in the world and that, with the support of
its partners, the current solutions to this issue provide the best possible security for its
customers.
I generally read a company’s press releases in response to negative publicity with the assumption that they are not lying, but are obfuscating the truth or dancing around an issue in order to cast themselves in the best possible light. The proof that this tactic works is that Eric interpreted the release to say that there is not a bug in Intel’s hardware instead of Intel is one of many vendors whose product has this bug (though this remains to be seen).
—David M. Syzdek
There are three different issues. One of them (CVE-2017-5754, labeled
“Meltdown”) is easily mitigated and has so far only been shown to affect
Intel processors. The other two (CVE-2017-5753 and CVE-2017-5715,
collectively labeled “Spectre”) affect AMD and ARM processors as well
and have no known workaround.
So far, it has been shown that an unprivileged process can read data
from the kernel (Meltdown) and other processes (Spectre), and that a
privileged process in a VM can read data from the host and presumably
also from other VMs on the same host (Spectre).
DES
--
Dag-Erling Smørgrav - d...@des.no
That right there is enough to pluck things like TLS session keys, GELI
master keys, and anything else on that level out of kernel memory.
Given enough skill, resources, and motivation, it's likely that an
attacker could craft a javascript-based version of the attack, then
every javascript website (aka all of them) is a potential attack vector.
Uh, this has already been demonstrated. According to Google, Chrome 64
(to be released in a few days) includes countermeasures against it. I
don't have any further details.
DES
--
Dag-Erling Smørgrav - d...@des.no
Everybody hated segment-level memory protection, but the i386 also
introduced page-level memory protection, which was widely used and has
since been expanded to provide features that were never available at the
segment level.
> Intel introduced later the rings, everybody ignored.
Not at all. They just don't use all four. Unless you start looking at
hardware virtualization extensions, which introduce additional
protection levels.
> Instead of keeping the things separated - as suggested by Intel's
> design - people used shortcuts whenever possible.
This is irrelevant. We are talking about timing-based side-channel
attacks. The attacker is not able to access protected memory directly,
but is able to deduce its contents by repeatedly performing illegal
memory accesses and then checking how they affect the cache.
DES
--
Dag-Erling Smørgrav - d...@des.no
This does not surprise me at all.
You can speculatively execute code based on the value of a fetched
memory address, which may eventually fault. This can be used to pull
things into cache, which can then be measured.
The attack looks like this:
1) Fetch kernel/other process memory, which eventually faults
2) Do a bit-shift/mask operation to pluck out one bit of the fetched
value. This gets executed speculatively on the fetched value in (1).
3) Execute fetches of two different addresses depending on some bit in
the fetched value in (1) (say, 0x100000 for 0 vs 0x200000 for 1). This
also gets executed speculatively despite the fact that (1) ends up faulting.
4) Recover from fault in (1)
5) Measure performance of accesses to the two addresses to determine
which one is cached.
The really terrible thing about this is that it suggests a *class* of
attacks: side-channels based on CPU implementations, of which this is
the first (and most obvious) one to be discovered. I suspect this is
going to be dogging us for years to come.
That breaks the entire way that page faults and virtual memory works,
though. You could block meltdown, I suppose, by making the entire
kernel address space absolutely forbidden under penalty of an
uncatchable signal.
This won't stop spectre (same attack against another process' pages), or
a similar attack within the same address space (say, to break out of
some kind of intra-process isolation).
On Thu, 04 Jan 2018 16:01:51 +0100
Dag-Erling Smørgrav <d...@des.no> wrote:
> Erich Dollansky <freebsd....@sumeritec.com> writes:
> > Intel used segments to separate things everybody hated.
>
> Everybody hated segment-level memory protection, but the i386 also
good that hate is meanwhile illegal.
> introduced page-level memory protection, which was widely used and has
> since been expanded to provide features that were never available at
> the segment level.
Yes, but instead of combining both, the segment registers were set to
point to the same memory locations disabling the additional protection
given by the segments.
>
> > Intel introduced later the rings, everybody ignored.
>
> Not at all. They just don't use all four. Unless you start looking
> at hardware virtualization extensions, which introduce additional
> protection levels.
It was just abusing them to replace the supervisor flag other
processors have or have had.
>
> > Instead of keeping the things separated - as suggested by Intel's
> > design - people used shortcuts whenever possible.
>
> This is irrelevant. We are talking about timing-based side-channel
> attacks. The attacker is not able to access protected memory
> directly, but is able to deduce its contents by repeatedly performing
> illegal memory accesses and then checking how they affect the cache.
Directly yes, not if the kernel memory would be always in a different
segment. It would land then in cache only when memory near segment
bounds are accessed. Which could be easily avoided.
Anyway, we cannot turn the clock back now. I just wanted to mention
that Intel has had different thoughts those days. I am not even sure if
Intel engineers remember this.
Erich
Are you familiar with the expression “not even wrong”?
DES
--
Dag-Erling Smørgrav - d...@des.no
On 05.01.2018 11:07, Jules Gilbert via freebsd-security wrote:
> Sorry guys, you just convinced me that no one, not the NSA, not the FSB, no one!, has in the past, or will in the future be able to exploit this to actually do something not nice.
> I'm not saying that the hardware shouldn't be fixed, I am saying that we don't need to worry about this.
we should indeed worry about this. This could be just the tip of the
iceberg. Think about Rowhammer. This was a bug which affected RAM. In
the beginning it was just some basic computer science research which was
hard to trigger. After some month people found ways to exploit Rowhammer
via JavaScript so that every person using a browser was a possible target.
The same could happen with this stuff, people are already working on this.
Best,
Karsten
> In the early days of DOS their was a hardware bug in nearly all floppy controllers, it wasn't even discovered until (I think,) 1985 or so. The thing is..., no one reported unusual problems.
> So what is this, really?, it's a market exploit opportunity for AMD.
On Friday, January 5, 2018, 9:48:50 AM EST, Dag-Erling Smørgrav <d...@des.no> wrote:
Jules Gilbert <repeatable_...@yahoo.com> writes:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.
The technique has already been proven by multiple independent parties to
work quite well, allowing an attacker to read kernel memory at speeds of
up to 500 kB/s. But I guess you know better...
DES
--
Dag-Erling Smørgrav - d...@des.no