Intel adding antimalware defenses to its CPUs

spartaman64
Quote

Control-Flow Enforcement Technology, or CET, represents a fundamental change in the way processors execute instructions from applications such as Web browsers, email clients, or PDF readers. Jointly developed by Intel and Microsoft, CET is designed to thwart a technique known as return-oriented programming, which hackers use to bypass anti-exploit measures software developers introduced about a decade ago. While Intel first published its implementation of CET in 2016, the company on Monday is saying that its Tiger Lake CPU microarchitecture will be the first to include it.

Quote

ROP, as return-oriented programming is usually called, was software exploiters’ response to protections such as Executable Space Protection and address space layout randomization, which made their way into Windows, macOS, and Linux a little less than two decades ago. These defenses were designed to significantly lessen the damage software exploits could inflict by introducing changes to system memory that prevented the execution of malicious code. Even when successfully targeting a buffer overflow or other vulnerability, the exploit resulted only in a system or application crash, rather than a fatal system compromise.

ROP allowed attackers to regain the high ground. Rather than using malicious code written by the attacker, ROP attacks repurpose functions that benign applications or OS routines have already placed into a region of memory known as the stack. The “return” in ROP refers to use of the RET instruction that’s central to reordering the code flow.

Quote

CET introduces changes in the CPU that create a new stack called the control stack. This stack can’t be modified by attackers and doesn’t store any data. It stores the return addresses of the Lego bricks that are already in the stack. Because of this, even if an attacker has corrupted a return address in the data stack, the control stack retains the correct return address. The processor can detect this and halt execution.

“Because there is no effective software mitigation against ROP, CET will be very effective at detecting and stopping this class of vulnerability,” Ionescu told me. “Previously, operating systems and security solutions had to guess or infer that ROP had happened, or perform forensic analysis, or detect the second stage payloads/effect of the exploit.”

source: https://arstechnica.com/information-technology/2020/06/intel-will-soon-bake-anti-malware-defenses-directly-into-its-cpus/

Hopefully this will work better than SGX and improve security.

Link to comment
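
A toy software model of the shadow-stack check described in the article quoted in the opening post, added here as an illustration and not part of the thread or the article. The addresses, the `struct cpu` layout and all function names are constructed for the example; real CET performs this comparison in hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define DEPTH 16

/* Toy CPU: a data stack that program data can overwrite, and a shadow
 * ("control") stack that only call/ret touch and that holds no data. */
struct cpu {
    uint64_t data_stack[DEPTH];   /* return addresses live next to data */
    uint64_t shadow_stack[DEPTH]; /* return addresses only */
    size_t sp, ssp;               /* next free slot in each stack */
};

enum ret_status { RET_OK, RET_CONTROL_PROTECTION_FAULT, RET_UNDERFLOW };

/* CALL pushes the return address onto both stacks. */
static int cpu_call(struct cpu *c, uint64_t return_addr) {
    if (c->sp >= DEPTH || c->ssp >= DEPTH) return -1;
    c->data_stack[c->sp++] = return_addr;
    c->shadow_stack[c->ssp++] = return_addr;
    return 0;
}

/* RET pops both copies and only transfers control if they agree. */
static enum ret_status cpu_ret(struct cpu *c, uint64_t *target) {
    if (c->sp == 0 || c->ssp == 0) return RET_UNDERFLOW;
    uint64_t from_data = c->data_stack[--c->sp];
    uint64_t from_shadow = c->shadow_stack[--c->ssp];
    if (from_data != from_shadow) return RET_CONTROL_PROTECTION_FAULT;
    *target = from_shadow;
    return RET_OK;
}

/* Constructed scenario: main calls f, f calls g. With corrupt != 0 a memory
 * bug overwrites f's saved return address on the data stack only.
 * Returns the status of f's return. */
enum ret_status run_scenario(int corrupt) {
    struct cpu c = { .sp = 0, .ssp = 0 };      /* remaining fields zeroed */
    uint64_t target = 0;
    (void)cpu_call(&c, 0x401000);              /* main -> f (constructed address) */
    (void)cpu_call(&c, 0x401080);              /* f -> g (constructed address) */
    if (corrupt) c.data_stack[0] = 0x41414141; /* shadow copy is out of reach */
    enum ret_status s = cpu_ret(&c, &target);  /* g returns; its slot is intact */
    if (s != RET_OK) return s;
    return cpu_ret(&c, &target);               /* f returns; copies are compared */
}

int main(void) {
    printf("clean run:     %d\n", run_scenario(0)); /* 0 = RET_OK */
    printf("corrupted run: %d\n", run_scenario(1)); /* 1 = fault */
    return 0;
}
```

The corrupted run stops at the return that would have used the overwritten address, which is the "detect this and halt execution" step in the quoted description.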

Hopefully it won't affect performance that much

(if I missed this, sorry)

PC: Motherboard: ASUS B550M TUF-Plus, CPU: Ryzen 3 3100, CPU Cooler: Arctic Freezer 34, GPU: GIGABYTE WindForce GTX1650S, RAM: HyperX Fury RGB 2x8GB 3200 CL16, Case: CoolerMaster MB311L ARGB, Boot Drive: 250GB MX500, Game Drive: WD Blue 1TB 7200RPM HDD.

Peripherals: GK61 (Optical Gateron Red) with Mistel White/Orange keycaps, Logitech G102 (Purple), BitWit Ensemble Grey Deskpad.

Audio: Logitech G432, Moondrop Starfield, Mic: Razer Siren Mini (White).

Phone: Pixel 3a (Purple-ish).

Link to comment

1 minute ago, Lurick said:

So are they going to run McAfee or Norton? :D

no avast 


Link to comment

That's the great news that I wanted to hear.

I still have faith in Intel engineers and I am sure they will always find solutions.

But hackers will also find security holes...... 

It's a never ending cycle.

And also: @spartaman64 check the "Promoted Comments" at the end of the article. (and also the last 2 sentences of the article)

Maybe talk a bit about the bypassing of CET?

although it doesn't work yet but idk....

This is the comment:

Quote
Null_Space wrote:
"While the protection could give defenders an important new tool, Ionescu and fellow researcher Yarden Shafir have already devised bypasses for it. Expect them to end up in real-world attacks within the decade."

I'm trying to parse this, and reconcile it with the actual link.

The linked article doesn't seem to claim to be a bypass. The closest I found was

"Obviously, it would appear that the existence of this capability is a universal bypass of any CET/CFG-like capability, as every possible ROP gadget could simply be added as a ‘dynamic continuation target’. However, since Microsoft now only legitimately supports out-of-process JIT compilation for browsers and Flash, it’s critical to note that this API only works for remote processes. In fact, calling it on the current process will always fail with STATUS_ACCESS_DENIED."

So it's not a bypass, because it doesn't work.

Hi,

Alex here. The post described the most _naïve_ way one might think of bypassing CET. We did not go into detail on real-world bypass applications on a technical paper, and instead were thinking on presenting some of this research at a conference in the future. Suffice it to say, while you cannot directly _add_ new dynamic exception targets, there are still angles at play with unwinding and static exception targets. Dan's article is accurate.

Enjoy :D 

Please quote or tag me @Void Master, so I can see your reply.

Everyone was a noob at the beginning, don't be discouraged by toxic trolls even if u lose 15 times in a row. Keep training and pushing yourself further and further, so u can show those sorry lots how it's done !

Be a supportive player, and make sure to reflect a good image of the game community you are a part of. 

Don't kick a player unless they willingly want to ruin your experience.

We are the gamer community, we should take care of each other !

Link to comment

It's not AV on a chip (engine and definitions) or anything so complicated that would otherwise rob performance and/or introduce other bugs and exploits... No, it's basically Intel's implementation of shadow stack

Link to comment

3 hours ago, 5x5 said:

Is the next step a compressor and Freon?

Haha what you mean I need to hire a plumber to hook up my condenser for cooling?

Link to comment

The question I have is this - how much extra on-die cache will this consume thereby causing higher cache miss rates?

Link to comment

I think the reason we are hearing about so many of these Intel CPU vulnerabilities is that Intel allowed many of these backdoors for gov agencies, but now they must be realizing that others are finding the exploits. So they are scrambling to fix the older exploits. Just a suspicion, I have no evidence. *removes tinfoil hat.

Link to comment

*two hours later*

Quote

Breaking news, Intel's brand new antimalware defenses have been defeated!

in all seriousness, it's probs gonna survive for two or three months before it's defeated and software has to patch it while losing performance.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

Link to comment

4 hours ago, Jet_ski said:

I think the reason we are hearing about so many of these Intel CPU vulnerabilities is that Intel allowed many of these backdoors for gov agencies, but now they must be realizing that others are finding the exploits. So they are scrambling to fix the older exploits. Just a suspicion, I have no evidence. *removes tinfoil hat.

The majority (if not all) of these exploits are rooted in speculative execution. The paradigm was so fundamentally broken that it not only affected Intel, but AMD and even Apple A series CPUs, which are ARM based. It's just that Intel was more sloppy about it. But I can assure with 99% confidence that more exploits are to follow.

It's so flawed that two years ago OpenBSD disabled HT by default. Even Theo de Raadt recommended disabling HT in BIOS.

Nowadays with current patched microcode (either delivered in BIOS or as part of an OS update), it should be mitigated.....for now.

Link to comment

inb4 the antimalware is exploited and used against you

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

Link to comment

5 hours ago, Jet_ski said:

I think the reason we are hearing about so many of these Intel CPU vulnerabilities is that Intel allowed many of these backdoors for gov agencies, but now they must be realizing that others are finding the exploits. So they are scrambling to fix the older exploits. Just a suspicion, I have no evidence. *removes tinfoil hat.

Considering how stupid governments are when it comes to wanting back doors into everything, it wouldn't be surprising.

Not that it matters, they just go after the mobo manufacturer and insert a back door directly into the BIOS, at the factory.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

20 hours ago, Trik'Stari said:

Considering how stupid governments are when it comes to wanting back doors into everything, it wouldn't be surprising.

Actually it would. Intel isn't going to build a backdoor in that, when they inevitably have to patch it when it gets out in the wild, will have a negative performance impact if they can possibly avoid it. So even if there are government mandated backdoors, fixing them is very unlikely to involve any performance hits.

Link to comment

57 minutes ago, CarlBar said:

Actually it would. Intel isn't going to build a backdoor in that, when they inevitably have to patch it when it gets out in the wild, will have a negative performance impact if they can possibly avoid it. So even if there are government mandated backdoors, fixing them is very unlikely to involve any performance hits.

When a bunch of complete morons (The FBI) with an absurd amount of power are threatening you, are you really going to think along those lines?

I will give credit where credit is due, big ups to Apple for telling the FBI to get fucked a few years back, when it was blatantly obvious that the FBI wanted nothing more than a legal precedent for forcing a manufacturer/developer to build in a back door just for them.


Link to comment

1 hour ago, CarlBar said:

Actually it would. Intel isn't going to build a backdoor in that, when they inevitably have to patch it when it gets out in the wild, will have a negative performance impact if they can possibly avoid it. So even if there are government mandated backdoors, fixing them is very unlikely to involve any performance hits.

Intel almost certainly already has a backdoor built into all of their CPUs, there's no reason for them to make another one.

Intel Management Engine

Link to comment

On 6/15/2020 at 12:51 PM, Jet_ski said:

I think the reason we are hearing about so many of these Intel CPU vulnerabilities is that Intel allowed many of these backdoors for gov agencies, but now they must be realizing that others are finding the exploits. So they are scrambling to fix the older exploits. Just a suspicion, I have no evidence. *removes tinfoil hat.

I somehow doubt that is the case.

The exploits are largely a fault of Intel changing their validation criteria to release things faster. There was a thread a while ago on this topic, and it basically comes back to Intel just letting more CPUs go out the door with errata, and not fixing much of it. There's a reason why we're basically on SkyLake+++++, as these would have all been separate stepping levels of the same CPU released in the 200x's, and the pipeline has been unchanged since Intel "Core" (14 stage pipeline) from 2006.

Intel should have saved face in 2018 and thrown out the entire 14nm Core brand, and made sure what came out next is permanently fixed one way or the other. This news is "the other", since it's requiring something to be added to the CPU that otherwise is a performance penalty.

Link to comment

On 6/15/2020 at 12:38 PM, Lurick said:

So are they going to run McAfee or Norton? :D

Funny thing is Intel owns McAfee, or did they sell it to someone else?

And at the end of that article, I found this. B|

https://arstechnica.com/video/watch/linus-tech-tips-reacts-to-his-top-1000-youtube-comments

Intel Xeon E5 1650 v3 @ 3.5GHz 6C:12T / CM212 Evo / Asus X99 Deluxe / 16GB (4x4GB) DDR4 3000 Trident-Z / Samsung 850 Pro 256GB / Intel 335 240GB / WD Red 2 & 3TB / Antec 850w / RTX 2070 / Win10 Pro x64

HP Envy X360 15: Intel Core i5 8250U @ 1.6GHz 4C:8T / 8GB DDR4 / Intel UHD620 + Nvidia GeForce MX150 4GB / Intel 120GB SSD / Win10 Pro x64

HP Envy x360 BP series Intel 8th gen

AMD ThreadRipper 2!

5820K & 6800K 3-way SLI mobo support list

Link to comment

5 hours ago, Trik'Stari said:

When a bunch of complete morons (The FBI) with an absurd amount of power are threatening you, are you really going to think along those lines?

I will give credit where credit is due, big ups to Apple for telling the FBI to get fucked a few years back, when it was blatantly obvious that the FBI wanted nothing more than a legal precedent for forcing a manufacturer/developer to build in a back door just for them.

Washington DC is a cesspit full of sociopaths that sleep around with spies. They say loose lips sink ships. If they could, they would sink the world with a smile on their faces.

If the feds get their wish with a backdoor, be it hardware based and/or key escrow, some a-hole will leak/sell it to our adversaries.

Link to comment

21 minutes ago, StDragon said:

Washington DC is a cesspit full of sociopaths that sleep around with spies. They say loose lips sink ships. If they could, they would sink the world with a smile on their faces.

If the feds get their wish with a backdoor, be it hardware based and/or key escrow, some a-hole will leak/sell it to our adversaries.

At this point, with what little I know about security (I have an AS in Network Security, I feel that makes my statement of "I know fuck all about security" an educated one), my best guess is that all of them are working together, and that at this point, the idea of nations fighting one another is, at best, a divisive tactic meant to distract the wider population and maintain control.


Link to comment

39 minutes ago, Trik'Stari said:

my best guess is that all of them are working together, and that at this point, the idea of nations fighting one another is, at best, a divisive tactic meant to distract the wider population and maintain control.

Nah, nothing so well organized. All sociopaths crave power and live "in the moment" with abject hedonistic narcissism. Fallout from their folly? That's someone else's problem.

Anyways, mitigation against the human element is best achieved through decentralization and reduced complexity to ensure a reduction in the number of attack vectors.

Link to comment

Didn’t Intel sell McAfee with their processors at one time?

they should have shipped better coolers instead


Link to comment

20 hours ago, StDragon said:

Nah, nothing so well organized. All sociopaths crave power and live "in the moment" with abject hedonistic narcissism. Fallout from their folly? That's someone else's problem.

Anyways, mitigation against the human element is best achieved through decentralization and reduced complexity to ensure a reduction in the number of attack vectors.

Not so much organized, but more of a "mutual understanding". Keep people on edge and spike their fear from time to time, but never actually "push the button".


Link to comment