Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed (bleepingcomputer.com) 109

Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. From a report: Just like all the previous Meltdown and Spectre CPU bugs variations, these two take advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to the Spectre variant 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.
This discussion has been archived. No new comments can be posted.

New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed

Comments Filter:
  • by AHuxley ( 892839 ) on Wednesday July 11, 2018 @08:16PM (#56932310) Journal
    as safe as expected anymore. So many thought some designs would be. That their fav brand would be ok.
    Lets create a software layer over the CPU to make it all safe. Get that fast speed way down.
    • a software layer like a VM can make things worse because it creates more "gadgets" that can be exploited, due to the way the flaws work. What they should have really done is simply had a switch in the CPU where the OS can turn off all of this speculative stuff, would have been simple to implement. *facepalm*

      • by AHuxley ( 892839 )
        Someone is actually going to have to design a new CPU then? The quick OS software fix wont work and save existing CPU brands and designs?
        Got some experts ready for years of testing and hard work? Experts who can design an entire new way of thinking about a CPU and can think about past security flaws?
        Make a CPU go faster is not going to be the only skill needed.
        • by Eravnrekaree ( 467752 ) on Wednesday July 11, 2018 @09:45PM (#56932588)

          There have been mitigation being implemented for the bugs to reduce the severity of the problem, so that hopefully will keep current CPUs out of too much trouble. There are too many CPUs around of course to replace them all right away, so the software fixes have to suffice. Eventually new CPU generations will have more fixes built into the CPU. Many spectre variants are a long shot to exploit anyway.

          From what I understand is that the flaws result from being able to tell what another process is doing through how fast some code runs. If another process is running the same code as your process, the behaviour of the other process can be gleaned by watching how fast code runs in your process. The CPU learns by watching code execute what code paths are most likely to be taken. So the learning from watching another process can affect other processes.

          One solution for a CPU fix is to isolate processes so the CPU isolates its learning and predictions to within each process, one process will not affect the performance of other processes. Processes can not benefit from each other, thats the downside, but no more leaking of state between processes.

          It could also be made so the Operating System can configure all of this in more detail about how much should be shared between process, if it all, what kind of optimizations should be done , or none at all, etc, so the user can make their own decisions about security/performance trade offs.

          Perhaps the Operating System could be allowed to turn off hardware based optimizations and control the speculative execution scheduling itself which would make it easier to address bugs and security concerns with software updates.

          It all requires some changes to the CPU, but from what I understand, its not all that of a big deal to add to CPUs.

          • by imgod2u ( 812837 )

            Cross-process isolation can be somewhat simpler. The problem with Spectre specifically is that many programs (your browser opening /. for example) are within the same process running external -- interpreted -- code).

    • by OneHundredAndTen ( 1523865 ) on Thursday July 12, 2018 @08:28AM (#56933896)
      The much-maligned Itanium remains impervious to all these attacks. Just saying.
  • Quick - Panic! (Score:2, Insightful)

    Can we be real for one moment, please?
    In the realm of software vulnerabilities, these are:
    1) Ridiculously difficult to implement. At the end of the day, you are fundamentally tickling the cache and timing the resultant reads to try to determine the content of that cache. Is there ANY reasonable way to "read" the contents of said cache and determine what context a blob of data means?!?
    2)Beyond trial code that is ALL based on the original POC distributed by virus vendors, etc. there is NO known implementa
    • Re:Quick - Panic! (Score:5, Insightful)

      by Anonymous Coward on Wednesday July 11, 2018 @09:19PM (#56932516)

      1) Ridiculously difficult to implement.

      It only has to be implemented once and copied. Re: Life.

      2)Beyond trial code that is ALL based on the original POC distributed by virus vendors, etc. there is NO known implementation in the wild.

      Until viruses use it. Viruses were original POC.

      3) This requires the virus to be running ON your fucking computer!! If you are running ANY virus on your computer, you're hosed.

      Re: Javascript

      4) Derived from 3), for the forseeable future ANY virus on your system is about 28Giga-times more likely to be a standard, run-of-the-mill virus.

      And one based on Meltdown and/or Spectre could potentially bypass all security without any possible generic fix. So, obviously it'd be nice to know about it.

      Meantime, everyone is running around wanting to burn their CPUs because they are "vulnerable". FFS!! Does NO ONE have ANY perspective left anymore?!? /rant

      Yes, /rant. Who's going around burning their CPUs? The point is to find out as many of the vulnerabilities now to start introducing fixes in hardware. And knowing there are more varied variants means the fix needs to be more generic. It also means that we have to start honestly considering the possibility that javascript can be an attack vector against CPU bugs, so that's something to mitigate against where reasonable.

      But, yea, let's not point out the potential scope of this or light an impetus to change CPUs to mitigate these risk! We should just not really cover it. Then if/when the attacks do come because people find out how to make them more doable, we're then really boned. I mean, it's not like it takes years for CPU designs to be developed and deployed to replace current CPUs.

      • by Anonymous Coward

        Re: Javascript

        Not just Javascript.... Think Docker, VMware, Azure, AWS....
        Anything running "untrusted" code.

      • by Anonymous Coward

        There's a very simple solution to this: use microcode to add ring0 instruction that disables the cache. Then let the OS expose a way to mark a process as trusted. Any process not explicitly flagged as trusted gets to run without cache, and on top of that, even if the browsers were marked trusted, they'd all still fork themselves and run their JS in un-trusted child processes.

      • It only has to be implemented once and copied. Re: Life.

        Actually no it doesn't. This isn't exploiting specific software, it's exploiting the CPU to read specific registers. The exploits are specific to both timing and system configuration at runtime and you have to have an incredible amount of access to a machine to make a meaningful exploit (reads: maybe you're running a VM owned on someone else's metal, or you've already 0wned the machine).

        Until viruses use it.

        Translation: Everything is safe until it's not. Analysis: An incredibly dumb arguement.

        Re: Javascript

        See 1. There's no generic fly-by im

    • 3) This requires the virus to be running ON your fucking computer!! If you are running ANY virus on your computer, you're hosed.

      You're not thinking about the countless virtual machines running on someone else's hardware (i.e. "The Cloud"). It's not "your" computer that must be compromised. It's the hypervisor that it's running on, or possibly someone else's VM running on the same hypervisor.

      • OK, show me a WORKING implementation where a guest OS can read anything useful out of a hypervisor's cache. Does anyone have ANY idea of how hard it must be to grab a (roughly) 16KB of cache data (presuming that it is 100% accurate, of which I am yet to be convinced) and determine exactly what that chunk represents?
        I'm still calling Shenanigans on this vulnerability being useful in any real context, until/unless someone can demonstrate: reading cache data via this vulnerability and THEN knowing just WTF th
      • So why should *I* run out and get an AMD processor if it's AWS and Azure that's vulnerable?
    • Ridiculously difficult to implement.

      Once.

      At the end of the day, you are fundamentally tickling the cache and timing the resultant reads to try to determine the content of that cache.

      Correct.

      Is there ANY reasonable way to "read" the contents of said cache and determine what context a blob of data means?!?

      By using the value you read to trigger another read somewhere else and tickle even more cache timing. You want to trick the CPU into doing something like;

      var x = big_array[ (*pointer_to_sensitive_byte) * cache_block_size ];

      Then you measure the cache timing of each block of your big_array. And repeat the process for every pointer you want to read.

      Beyond trial code that is ALL based on the original POC distributed by virus vendors, etc. there is NO known implementation in the wild.

      The original Spectre / Meltdown flaws were separately discovered by multiple researchers at the same time. Do you still feel safe?

      This requires the virus to be running ON your fucking computer!! If you are running ANY virus on your computer, you're hosed.

      Javascript, Cloud V

      • You failed, fundamentally, do answer my largest question: Presuming that you can read a blob of data from cache (which, yes, can be done...), show me how you make sense of that data?!?
        Is it code? Is it data? How Da Hell do you know? I've heard Peter on Ars go on and on about how your passwords are leaked. Bullshit! Show me how (other than, say, running 'strings' or 'grep') on a small pile of cache data and make fucking sense out of it!
        Regular viruses KNOW what they want and grab it. This is cache-tickli
        • Re:Quick - Panic! (Score:4, Insightful)

          by complete loony ( 663508 ) <Jeremy.Lakeman@nOSpaM.gmail.com> on Thursday July 12, 2018 @01:36AM (#56933088)

          If I received a dump of memory from a process there's probably a lot I could work out just from a hexdump as well as running strings or grep. I've personally reverse engineered a few proprietary binary file formats by making small changes in an application, then staring at hex dumps of the saved files.

          It's not a huge leap to do the same with the RAM of a target program. Run it in a debugger, make small changes and watch where those changes are written. Once you work out what to look for, then you automate the search in the virus.

        • by imgod2u ( 812837 )

          The Meltdown demos (from the original researcher) was able to read secure passwords stored in the OS that were supposed to be secured. This wasn't some elaborate setup. This was the guy (the researcher's) personal computer that he just happened to run the code on.

    • Most of us run Javascript on our machines all the time, so in that sense, we're vulnerable.

      If you want to see how far exploiters will go to take advantage of these things, check out heap spraying [wikipedia.org]. It took a few years to invent heap spraying, but now it's considered a basic technique. We don't see exploits in the wild yet because it's still new, but soon we will.
    • If you use a browser and visit websites you are running random code you didn't purchase and probably have no idea what it does. The average website these days executes around 30 scripts from at least 8 different sources but possibly as many as 20 different sources. I've seen websites that had as many as 50 scripts running from upwards of 20 different sources.

      There's a reason people use NoScript in Firefox, all those scripts are potential exploits. Even running in a sandbox they are capable of exploiting Sp

    • by imgod2u ( 812837 )

      1) Ridiculously difficult to implement. At the end of the day, you are fundamentally tickling the cache and timing the resultant reads to try to determine the content of that cache. Is there ANY reasonable way to "read" the contents of said cache and determine what context a blob of data means?!?

      Not that difficult. It just takes a long time as you're relying on certain processor timings. And you also have to target it to the specific microarchitecture you want to attack. So in that respect, it's difficult i

  • These flaws are confined to test cases and proofs of concept. I'm going to wait for Spectre 2.0 (or 2.1, for the bugfixes)

  • Hardware is getting quite cheap. How about running sensitive code and untrusted code on separate pieces of silicon? (memory and processor at least) -- Let the untrusted code run fast and efficient on one component (depending on the setup, it could even reasonably be native code), and the secure or sensitive code run on a separate component which is secured against as many side-channel attacks as is practical.

  • Don't see Ultrasparc on list of vulnerable CPU. Of course, I don't see it in any of the three locations of systems I admin either though 8D

    • I thought everyone had got rid of all their SPARCs by now? The sun machines are now antiques, and anyone who gives ORACLE money deserves the fornicating they're getting.

    • It's probably not listed because it's unknown because no one bothered to look due to the size of the market.

    • by psergiu ( 67614 )

      It seems that Oracle fired ALL the Sparc CPU engineers.
      The Sparc CPUs might as well be vulnerable as Oracle has not released ANY statement since the beginning of the Specter/Meltdown fiasco to say whether their CPUs are vulnerable or not.

  • Can we please call these something other than Spectre and Meltdown? We're well on our way to Baskin Robin's 31 flavors of S&M.
    • Meltdown is a specific attack, none of these new ones are Meltdown. Spectre is an entire class of attacks and it's going to have a ton of variants. There was a report about a month in a German magazine that they've already numbered Spectre out to 11 variants and counting that will eventually be divulged.

      There were broad warnings when Spectre was revealed that this would be the exploit that would keep on giving because it used a new line of attack that's been known about for years but was finally shown with

  • watch it on terrarium tv terrarium tv [songwig.com]
  • This hits SPECIFICALLY INTEL CPUs [techpowerup.com] yet is presented as "AMD too".

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...