
NVIDIA and Princeton University collaborated to make a working proof of concept tool that exploits Spectre and Meltdown

Sources: The Register, arxiv.org

1802.03802.pdf

 

Quote

MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols

 

ABSTRACT

The recent Meltdown and Spectre attacks highlight the importance of automated verification techniques for identifying hardware security vulnerabilities. We have developed a tool for automatically synthesizing microarchitecture-specific programs capable of producing any user-specified hardware execution pattern of interest. Our tool takes two inputs: (i) a formal description of a microarchitecture in a domain-specific language (almost identical to μspec from recent work) and (ii) a formal description of a microarchitectural execution pattern of interest, e.g. a threat pattern. All programs synthesized by our tool are capable of producing the specified execution pattern on the supplied microarchitecture. We used our tool to specify a hardware execution pattern common to Flush+Reload side-channel attacks (i.e., a Flush+Reload threat pattern) and automatically synthesized security litmus tests representative of those that have been publicly disclosed for conducting Meltdown and Spectre attacks. We additionally formulated a Prime+Probe threat pattern, enabling our tool to synthesize a new variant of each—MeltdownPrime and SpectrePrime. Both of these new exploits use Prime+Probe approaches to conduct the timing attack. They are both also novel in that they are 2-core attacks which leverage the cache line invalidation mechanism in modern cache coherence protocols. These are the first proposed Prime+Probe variants of Meltdown and Spectre. But more importantly, both Prime attacks exploit invalidation-based coherence protocols to achieve the same level of precision as a Flush+Reload attack. While mitigation techniques in software (e.g., barriers that prevent speculation) will likely be the same for our Prime variants as for original Spectre and Meltdown, we believe that hardware protection against them will be distinct. As a proof of concept, we implemented SpectrePrime as a C program and ran it on an Intel x86 processor. Averaged over 100 runs, we observed SpectrePrime to achieve the same average accuracy as Spectre on the same hardware—97.9% for Spectre and 99.95% for SpectrePrime.

And it looks like the hardware changes Intel and AMD are making for their upcoming processors are not enough to get them out of the woods.

Quote

The team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer's memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.

 

Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out. Princeton computer science professor Margaret Martonosi, doctoral candidate Caroline Trippel, and Nvidia senior research scientist Daniel Lustig developed an unnamed tool – to be discussed in a subsequent paper – that models computer chip microarchitectures to analyze specific execution patterns, such as Meltdown-Spectre-based timing attacks. They used their tool to explore fresh methods to trigger the Meltdown and Spectre design faults, and in the process identified new ways to exploit the processor flaws. These latest exploit techniques are dubbed MeltdownPrime and SpectrePrime. One way in which the offshoots differ from their predecessors is that they are two-core attacks – they use two CPU cores against each other – and leverage the way memory is accessed in multi-core systems.

The good news is that as long as your device is up to date, it is protected from the exploit, and that the tool is not released to the public for hackers to use. The hardware changes Intel, AMD and ARM are planning might not be enough, as the researchers warned that the issue requires new considerations before applying any microarchitectural mitigation. More details are in the PDF file linked above, but using two CPU cores and the cache to execute the tool is both ingenious and a bit concerning, as this is the first time I've read something like this.

Quote

Malicious software exploiting Meltdown and Spectre leverages these processor design characteristics to obtain privileged data, such as personal information, that it shouldn't be able to access. Because accessing CPU memory is comparatively slow, chips include pools of faster memory called caches. The problem with having multiple memory units is you may end up with multiple copies of your data across a system.

 

Thus there are cache coherence protocols which ensure that multiple processor cores can share a consistent view of the state of the cached data and the system's memory. Through various operations, the state of a cache may be changed from, say, shared to invalid or from exclusive to modified. Meltdown and Spectre are referred to as side-channel attacks because they exploit unanticipated side effects arising from these processor design characteristics. Cache-based side-channel attacks involve attempts to discover privileged knowledge about a target application as it executes, in order to use that information against the host system.

The exploit toolkit was tested on a MacBook Pro [2.4GHz Core i7 and macOS Sierra] and the researchers noted that it doesn't matter what OS the device is using as long as it's not patched. At the moment, Intel has announced their bug bounty program and they are bold enough to reward anyone up to $250,000 for a vulnerability as serious as Spectre and Meltdown.

Quote

In support of our recent security-first pledge, we’ve made several updates to our program. We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data.

Updates to our program include:

  • Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
  • Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
  • Raising bounty awards across the board, with awards of up to $100,000 for other areas.

More details on the program, including these new updates, can be found online on the Intel security site or our HackerOne page.

So anyone who's interested can sign up to Intel's bug bounty program, and you're not only saving the world, you'll get rewarded too. I'm guessing the toolkit will only be disclosed to certain individuals like tech companies to create countermeasures to block any malware attempting to do similar stuff. This is the first working exploit toolkit leveraging these vulnerabilities, but somehow I can't shake the feeling that someone already did it before PrincetonU and NVIDIA collaborated and it's out in the wild. With that said, I can't really blame Intel for the vulnerability, because the exploit is taking advantage of the fact that modern CPUs prioritize speed because that's what everyone wants, but at the expense of security, and it looks like the search for a middle ground between speed and security is getting harder as technology improves.

 

There is more that meets the eye
I see the soul that is inside

 

 

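The coherence transitions named in the quoted explanation above (shared to invalid, exclusive to modified), as an added two-core MESI model that is not part of the paper, the researchers' tool, or this thread: it shows why a write on one core leaves a cache miss on the other core's next read, which is the invalidation effect the Prime variants are built on. The class and scenario names are my own, and the access sequence is constructed, not taken from the paper.

```python
from enum import Enum
from typing import Dict, List, Tuple

class State(Enum):
    MODIFIED = "M"
    EXCLUSIVE = "E"
    SHARED = "S"
    INVALID = "I"

# One log entry per access: (op, core, state before, state after, hit?)
Event = Tuple[str, int, str, str, bool]

class MesiLine:
    """State of a single cache line in every core's private cache under an
    invalidation-based MESI protocol (hypothetical model, not the paper's
    tool). Only state transitions are modelled; real hardware also exposes
    them as a latency difference (hit vs miss), the side channel observed."""

    def __init__(self, cores: int = 2) -> None:
        self.state: Dict[int, State] = {c: State.INVALID for c in range(cores)}
        self.log: List[Event] = []

    def _remote_holders(self, core: int) -> List[int]:
        return [c for c, s in self.state.items()
                if c != core and s is not State.INVALID]

    def read(self, core: int) -> bool:
        """Load from `core`. Returns True on a hit (copy already valid)."""
        before = self.state[core]
        hit = before is not State.INVALID
        if not hit:
            holders = self._remote_holders(core)
            for c in holders:          # a remote M/E copy is downgraded to S
                self.state[c] = State.SHARED
            self.state[core] = State.SHARED if holders else State.EXCLUSIVE
        self.log.append(("read", core, before.value, self.state[core].value, hit))
        return hit

    def write(self, core: int) -> bool:
        """Store from `core`. Every other copy is invalidated and the writer
        ends in M. A hit on an E copy upgrades silently (no bus traffic)."""
        before = self.state[core]
        hit = before is not State.INVALID
        for c in self._remote_holders(core):
            self.state[c] = State.INVALID
        self.state[core] = State.MODIFIED
        self.log.append(("write", core, before.value, State.MODIFIED.value, hit))
        return hit

def invalidation_scenario() -> MesiLine:
    """Constructed two-core access sequence (not from the paper)."""
    line = MesiLine(cores=2)
    line.read(0)    # core 0: I -> E, miss (first touch)
    line.write(0)   # core 0: E -> M, hit; nobody else to invalidate
    line.read(1)    # core 1: I -> S, miss; core 0 downgraded M -> S
    line.write(1)   # core 1: S -> M, hit; core 0's copy invalidated S -> I
    line.read(0)    # core 0: I -> S, miss caused purely by core 1's write
    return line

if __name__ == "__main__":
    for op, core, before, after, hit in invalidation_scenario().log:
        print(f"core {core} {op:5s} {before} -> {after}  {'hit' if hit else 'MISS'}")
```

The last read on core 0 misses only because core 1 wrote the line; a defender reasoning about the Prime variants should treat that remote-write-induced miss, not just a flush, as an observable event.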

NVIDIA, WHY HAVE YOU FORSAKEN US?!

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


1 minute ago, ARikozuM said:

NVIDIA, WHY HAVE YOU FORSAKEN US?!

Maybe NVIDIA is planning to make their own desktop processors just like Intel is making their own dGPUs.


So far, Spectre feels like the rabbit hole where we keep finding the caves go ever deeper 

My eyes see the past…

My camera lens sees the present…


3 minutes ago, hey_yo_ said:

Maybe NVIDIA is planning to make their own desktop processors just like Intel is making their own dGPUs.

They've hinted at it before.

Make sure to quote or tag me (@JoostinOnline) or I won't see your response!

PSU Tier List  |  The Real Reason Delidding Improves Temperatures  |  "2K" does not mean 2560×1440


1 minute ago, JoostinOnline said:

They've hinted at it before.

I wouldn't mind an NVIDIA desktop CPU as long as it's not named "GeForce" and doesn't follow Intel and AMD's messy product naming schemes with numbers (e.g. i5-8600 or R5 1600x). They can also include in their PR materials saying "Unlike our blue and red competitors, ours is not vulnerable to Spectre and Meltdown and doesn't need a microcode update that slows your PC down."


27 minutes ago, hey_yo_ said:

I wouldn't mind an NVIDIA desktop CPU as long as it's not named "GeForce" and doesn't follow Intel and AMD's messy product naming schemes with numbers (e.g. i5-8600 or R5 1600x).

Whatever it is, I'm sure AMD will find a way to copy it. xD


38 minutes ago, JoostinOnline said:

Whatever it is, I'm sure AMD will find a way to copy it. xD

And delay a vital part of their architecture whilst they search for a new division chair. 


1 hour ago, hey_yo_ said:

Intel is making their own dGPUs.

WHAT? Where is this news? How did I miss that?

https://d1u5p3l4wpay3k.cloudfront.net/dota2_gamepedia/1/17/Snip_ability_fail_06.mp3

We have a NEW and GLORIOUSER-ER-ER PSU Tier List Now. (dammit @LukeSavenije stop coming up with new ones)

You can check out the old one that gave joy to so many across the land here

 

Computer having a hard time powering on? Troubleshoot it with this guide. (Currently looking for suggestions to update it into the context of <current year> and make it its own thread)

Computer Specs:

Spoiler

Mathresolvermajig: Intel Xeon E3 1240 (Sandy Bridge i7 equivalent)

Chillinmachine: Noctua NH-C14S
Framepainting-inator: EVGA GTX 1080 Ti SC2 Hybrid

Attachcorethingy: Gigabyte H61M-S2V-B3

Infoholdstick: Corsair 2x4GB DDR3 1333

Computerarmor: Silverstone RL06 "Lookalike"

Rememberdoogle: 1TB HDD + 120GB TR150 + 240 SSD Plus + 1TB MX500

AdditionalPylons: Phanteks AMP! 550W (based on Seasonic GX-550)

Letterpad: Rosewill Apollo 9100 (Cherry MX Red)

Buttonrodent: Razer Viper Mini + Huion H430P drawing Tablet

Auralnterface: Sennheiser HD 6xx

Liquidrectangles: LG 27UK850-W 4K HDR

 


1 minute ago, Energycore said:

Intel hired a former AMD engineer responsible for the Radeon GPUs http://www.zdnet.com/article/intel-hires-amds-raja-koduri-to-work-on-high-end-discrete-graphics/


This sounds like they are opening a can of worms.  The idea of automating the exploit finding process kinda means better protection,  so long as you don't start finding more holes than you have plugs.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


1 minute ago, mr moose said:

This sounds like they are opening a can of worms.  The idea of automating the exploit finding process kinda means better protection,  so long as you don't start finding more holes than you have plugs.

Which is why Intel and AMD should be careful with the hardware changes they're making for their future chips


3 minutes ago, hey_yo_ said:

Which is why Intel and AMD should be careful with the hardware changes they're making for their future chips

If what I have been reading recently is at all accurate, despite their best efforts they are not going to produce a flawless chip (without going back to the dark ages of CPU design) and we are fucked anyway.

 

Here's to positive thinking and not being a fatalist.


Just now, mr moose said:

If what I have been reading recently is at all accurate, despite their best efforts they are not going to produce a flawless chip (without going back to the dark ages of CPU design) and we are fucked anyway.

 

Here's to positive thinking and not being a fatalist.

Exactly. There's already the existing design flaw in Intel processors from Skylake and beyond which makes it easier to circumvent ASLR so I won't be surprised if someone will soon uncover design vulnerabilities in Intel and AMD's upcoming chips.


It's really interesting that some kind of Nvidia against AMD and Intel front has formed now. Let's see how this plays out

Folding stats

Vigilo Confido

 


I also think that if Google labs or someone else well funded tries to find security flaws on whatever software/hardware, they will eventually find it. There will never be things like perfect software or hardware.

I never got the pitchforks out as I think this was blown out of proportion. The only question is: did Intel and AMD know about it and keep selling? I really don't think so and won't bring my conspiracy theory hat out as well.


3 minutes ago, asus killer said:

I also think that if Google labs or someone else well funded tries to find security flaws on whatever software/hardware, they will eventually find it. There will never be things like perfect software or hardware.

I never got the pitchforks out as I think this was blown out of proportion. The only question is: did Intel and AMD know about it and keep selling? I really don't think so and won't bring my conspiracy theory hat out as well.

I think you’re talking about Google Project Zero https://googleprojectzero.blogspot.com/  

 

9 minutes ago, Nicnac said:

It's really interesting that some kind of Nvidia against AMD and Intel front has formed now. Let's see how this plays out

I’d be excited to see an NVIDIA made desktop processor 


8 minutes ago, asus killer said:

The only question is: did Intel and AMD know about it and keep selling?

Yes, they did. Because not only is that standard business practice in situations like this, but no one can expect the tech industry to just stop and wait to see what happens next.


1 minute ago, leadeater said:

Of course Nvidia helps develop something that will not impact themselves in a single way but screw over other major technology companies, only 50% sarcasm btw.

While NVIDIA develops their own x86/64 processor that is free from Spectre and Meltdown. 


1 minute ago, hey_yo_ said:

While NVIDIA develops their own x86/64 processor that is free from Spectre and Meltdown. 

I didn't think they had anything current?


7 minutes ago, leadeater said:

I didn't think they had anything current?

They don’t but I was just hoping they have something in the works deep down in their R&D labs 


11 minutes ago, leadeater said:

Of course Nvidia helps develop something that will not impact themselves in a single way but screw over other major technology companies, only 50% sarcasm btw.

Except for the tiny fact that, you know, there are several Nvidia products which are also vulnerable to Spectre and Meltdown. Like the ones currently in, and planned for future self driving cars and other embedded systems.

 

 

 

Don't get why people think this is about Nvidia trying to sabotage for Intel and AMD.

It's Nvidia helping a university to research these exploits in the hopes of finding solutions to them, and minimizing the risk of it happening in the future.


20 minutes ago, LAwLz said:

Except for the tiny fact that, you know, there are several Nvidia products which are also vulnerable to Spectre and Meltdown. Like the ones currently in, and planned for future self driving cars and other embedded systems.

 

 

 

Don't get why people think this is about Nvidia trying to sabotage for Intel and AMD.

It's Nvidia helping a university to research these exploits in the hopes of finding solutions to them, and minimizing the risk of it happening in the future.

None of their GPU hardware is affected, and for their ARM CPUs they never really 'confirmed' they were; they are working on microcode updates for them to ensure they are not, though, so that could be an admission of exposed risk or just playing it safe.

 

Nvidia's risk is extremely low for Spectre, so unfortunately for them that warrants a joke about it or two. You've got companies trying to develop microcode updates for affected products, which is taking a significant amount of time and effort, which this project is unlikely to immediately help with, yet they are helping increase the risk of exploitation.

 

I'll give them the "Only trying to help card" only if they did it after the first wave of microcode updates have been successfully deployed and customers are more protected. They aren't minimizing a damn thing right now, only making it worse.

 

Edit:

I would like to note that the Spectre mitigation included in the Windows Updates is off by default on Windows Server and the current advice from Microsoft is to leave it off unless the server is at an exposed risk of exploitation.

