dbeachy1
O-F Administrator
- Joined
- Jan 14, 2008
- Messages
- 9,266
- Reaction score
- 1,737
- Points
- 203
- Location
- VA
- Website
- alteaaerospace.com
- Preferred Pronouns
- he/him
News Serious security flaw in Intel processors
- Thread starter jedidia
- Start date
Face
Well-known member
For those interested, this here is a windows build of the Spectre example code: https://snoopie.at/face/beta/Spectre.exe . I've added inputs to enter address and length of dump. Default is the location of the secret string like shown in the video above (the content is a different one, though).
Artlav
Aperiodic traveller
- Joined
- Jan 7, 2008
- Messages
- 5,814
- Reaction score
- 869
- Points
- 203
- Location
- Earth
- Website
- orbides.org
- Preferred Pronouns
- she/her
Face, given the context of this thread, do you really expect anyone to run an unknown executable on their Windows machines? 
Anyway, i tried it under Wine (after taking a look with IDA - as expected, there is no funny business in there) with patched kernel, and it appears to work just fine.
Anyway, i tried it under Wine (after taking a look with IDA - as expected, there is no funny business in there) with patched kernel, and it appears to work just fine.
dbeachy1
O-F Administrator
- Joined
- Jan 14, 2008
- Messages
- 9,266
- Reaction score
- 1,737
- Points
- 203
- Location
- VA
- Website
- alteaaerospace.com
- Preferred Pronouns
- he/him
Hey, since Face compiled it, I trust him.
Face
Well-known member
Lucy
in the sky, with diamonds.
- Joined
- Aug 9, 2009
- Messages
- 7,110
- Reaction score
- 1,303
- Points
- 203
- Location
- 10.0.0.1
- Website
- www.orbiter-radio.co.uk
- Preferred Pronouns
- she/her
Well, I'm afraid you are wrong... there is funny business in there.
Unless I missed something, the funny business is the whole point. :lol::lol:
Artlav
Aperiodic traveller
- Joined
- Jan 7, 2008
- Messages
- 5,814
- Reaction score
- 869
- Points
- 203
- Location
- Earth
- Website
- orbides.org
- Preferred Pronouns
- she/her
Nah, the whole business is not funny, it's plain beautiful.
Seriously, that's the first exploit i can think of that i would characterize as "beautiful". It requires deep knowledge of processor internals and creativity to come up with the way to actually capture the leaked information.
Quick_Nick
Passed the Turing Test
After I ran your program, Windows Defender flagged another executable in the same directory as WannaCrypt. :blink:
Face
Well-known member
That Spectre example from the paper uses a buffer overflow technique to read out arbitrary memory addresses in its own virtual memory space with that page cache method. I don't know what effect reading some ranges might have, so it could well be that AV gets irritated.
What ranges did you dump?
RisingFury
OBSP developer
So antivirus software might not be as entirely useless as previously claimed.
MeDiCS
Donator
- Joined
- Sep 22, 2008
- Messages
- 602
- Reaction score
- 2
- Points
- 0
Where? I don't see a buffer overflow in the paper's sample.
Not entirely, just mostly useless. It should ID previously known and unobfuscated malware, Spectre or not. Machine code for extracting stuff from the cache may be pretty idiosyncratic, so there might exist some detection opportunities there as well.
Face
Well-known member
In the victim function. Of course the classical overflow is prohibited by a conditional jump, but that's the whole point of the exploit. The victim function gets used to train the branch predictor into thinking the x value is always in the range. Then it attacks it by means of giving the malicious x value that is overflowing the buffer. The predictor loads the array addressing part of the victim function into the pipeline, causing pages to get cached. Of course the results are scrubbed due to the x value being out of range, but the read value already can be determined by measuring which page is in cache now.
MeDiCS
Donator
- Joined
- Sep 22, 2008
- Messages
- 602
- Reaction score
- 2
- Points
- 0
Ah, I see. No AV is able to find that out though, so it shouldn't be triggering anything even if speculative execution tries to read from invalid memory.
RisingFury
OBSP developer
Wouldn't an antivirus software be able to detect a file with Spectre attack, once the file becomes known to the company?
I mean, the attack doesn't spread through the entire internet instantly. It takes days in fastest cases. But that's long enough for antivirus definitions to become updated. Yes, it then becomes a game of cat and mouse as hackers change the file and antivirus companies update definitions, but still, AV software should provide some protection as long as you don't stumble onto the attack early on.
But what about JavaScript? Is there an "antivirus for JavaScript"?
I mean, the attack doesn't spread through the entire internet instantly. It takes days in fastest cases. But that's long enough for antivirus definitions to become updated. Yes, it then becomes a game of cat and mouse as hackers change the file and antivirus companies update definitions, but still, AV software should provide some protection as long as you don't stumble onto the attack early on.
But what about JavaScript? Is there an "antivirus for JavaScript"?
MeDiCS
Donator
- Joined
- Sep 22, 2008
- Messages
- 602
- Reaction score
- 2
- Points
- 0
Yes and no. There are many ways to carry out the attack, and there are many actual legitimate uses of the functionality used in any one Spectre implementation.
Think of a malware that excludes all images you save in your My Documents folder. No part of that malware's code is inherently malicious (it does what any program could do normally), and it's, generally, hard for a computer to understand what any one program does (google "formal verification" and "halting problem" to get an idea of how hard it can be for a program to understand another one). You can, however, try to ID this malware so that, in the future, the same executable can be prevented to run.
But even IDing advanced malware is way harder than it looks. For example, https://en.wikipedia.org/wiki/Polymorphic_code.
There are extensions that block specific bad JS scripts, for example: https://chrome.google.com/webstore/...s-on-t/gojamcfopckidlocpkbelmpjcgmbgjcl?hl=en. There are Spectre-specific countermeasures being embedded in browsers, so you probably don't need to install anything.
dbeachy1
O-F Administrator
- Joined
- Jan 14, 2008
- Messages
- 9,266
- Reaction score
- 1,737
- Points
- 203
- Location
- VA
- Website
- alteaaerospace.com
- Preferred Pronouns
- he/him
This thread shows the performance impact of the Meltdown patch on a single Fortnight MMO server. Server #1 was patched; servers 2 & 3 were not:
You can see that the CPU load more than doubled due to the patch.
To reiterate, the above performance impact was due to the Meltdown patch (KPTI, or "Kernel Page Table Isolation" patch), which is not necessary on AMD CPUs. Intel'spropaganda PR machine has been doing a good job at conflating Meltdown (more serious and is only on Intel CPUs) and SPECTRE (applies to virtually all modern CPUs but is much harder to exploit and can't be patched via the OS) into a "single issue" to make it look like the KPTI patch will affect AMD performance, too, but the Meltdown (KPTI) patch does not need to be applied to AMD CPUs (see this Linux commit from AMD). So while the performance impact to consumer PCs running Intel CPUs may be minor, the performance impact to servers running Intel CPUs is another matter. 
You can see that the CPU load more than doubled due to the patch.
To reiterate, the above performance impact was due to the Meltdown patch (KPTI, or "Kernel Page Table Isolation" patch), which is not necessary on AMD CPUs. Intel's
Linguofreak
Well-known member
It's being a bit soft on Intel to say that SPECTRE "can't be patched by the OS" as if Meltdown *can*. Yeah, it's trivially true that KPTI is a kernel patch that mitigates meltdown, but it basically achieves that by emulating the defective CPU feature in software, which causes a significant performance hit in real-world workloads (as your graph demonstrates), and your trampoline code is still vulnerable to it (hopefully the trampoline that unmaps/remaps the kernel doesn't deal with any security-critical data, but one of the biggest things that makes security bugs happen is that people underestimate what can be read out of a given chunk of innocuous-looking data).
Quick_Nick
Passed the Turing Test
I did the default range, but typed it in (instead of 0s).
The flagged file was flstudio_12.5.1.5.exe, an installer for FL Studio 12. I have only ever run it once, some months ago, without any hint of malware. Granted, I never did check the checksum. This was just sitting in my Downloads folder. No clue if something could have come along and genuinely injected something into the file, but Windows Defender never gave an alert until just after running your Spectre.exe.
I'm wondering why an OS (or 3rd party antimalware program) can't just flag and/or kill processes that excessively try to read protected memory. The OS has that sort of info, doesn't it? Sure, you want to allow a few bits/bytes every so often due to innocent software bugs, but at least you would stop an attacker from systematically reading your memory at max rate.
Last edited:
Artlav
Aperiodic traveller
- Joined
- Jan 7, 2008
- Messages
- 5,814
- Reaction score
- 869
- Points
- 203
- Location
- Earth
- Website
- orbides.org
- Preferred Pronouns
- she/her
Nope. The beauty of it is that there is nothing detectable going on - it will appear simply as a process that is getting an awful lot of exceptions, which is not by itself suspicious.
You can add some heuristics to the exception handling (i.e. a series of exceptions that are all for addresses in sequence), but once added they will be instantly worked around.
Quick_Nick
Passed the Turing Test
I don't really know what Windows' patch was meant to do, nor the inner workings of your Spectre.exe, but your program still shows me the 'secret' even with KB4056892 now on my PC.
