
New "BlindSide" Speculative Execution Attack


----------------------------------------------

Summary

Security researchers discovered a new form of speculative execution named "BlindSide" to bypass KASLR (Kernel Address Space Layout Randomization). There is a video showing how Linux can be rooted.


Quotes

Quote

"mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. This works even in face of strong randomization schemes, e.g., the recent FGKASLR or fine-grained schemes based on execute-only memory, and state-of-the-art mitigations against Spectre and other transient execution attacks."

Quote

"We presented BlindSide, a new exploitation technique that leverages an under-explored property of speculative execution (i.e., crash/execution suppression) to craft speculative probing primitives and lower the bar for software exploitation. We showed our primitives can be used to mount powerful, stealthy BROP-style attacks against the kernel with a single memory corruption vulnerability, without crashes and bypassing strong Spectre/randomization-based mitigations"

Quote

In addition to the Intel Whiskey Lake CPU in our evaluation, we confirmed similar results on Intel Xeon E3-1505M v5, Xeon E3-1270 v6 and Core i9-9900K CPUs, based on the Skylake, Kaby Lake and Coffee Lake microarchitectures, respectively, as well as on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs, which are based on the Zen+ and Zen2 microarchitectures. Overall, our results confirm speculative probing is effective on a modern Linux system on different microarchitectures, hardened with the latest mitigations.

 

My thoughts

The paper states that mitigation would require "hardware-enforced side-effect-free speculative execution" to stop these forms of attacks. But so far none of the proposals have found applicability.

 

So what can be done? Nothing so far. In fact, there might not be anything that can be done short of a new CPU. But before we panic, let's see if a microcode update or other forms of mitigation can be put into place.

 

Sources

https://www.phoronix.com/scan.php?page=news_item&px=BlindSide

https://download.vusec.net/papers/blindside_ccs20.pdf

https://slashdot.org/~Hmmmmmm

https://linustechtips.com/topic/1246123-new-blindside-speculative-execution-attack/

I'm tired of these. If someone had exploited them in the wild, then I might perk up my ears, but this is all just lab demos and the benefits of speculative execution vastly outweigh their downsides


Hooray speculative execution.

¯\_(ツ)_/¯


Huh. Something that finally affects and for once. That's new.


1 minute ago, OddOod said:

I'm tired of these. If someone had exploited them in the wild, then I might perk up my ears, but this is all just lab demos and the benefits of speculative execution vastly outweigh their downsides

In theory, a user with non-admin privileges could execute code that would root the entire machine. 


3 minutes ago, HelpfulTechWizard said:

Intel...... Intel..... in you years of peace when the great AMD dragon slumbered, you got lazy. You didn’t try. You leave these maps of great weakness easy to fine, and you lose performance to stop the problems.

It impacts AMD and Intel so.......


1 minute ago, StDragon said:

In theory, a user with non-admin privileges could execute code that would root the entire machine. 

Yeah, in theory. But that's, again, AFAIK, never happened. And given how easy it is to exploit software, it's pretty much a non-issue


5 minutes ago, OddOod said:

I'm tired of these. If someone had exploited them in the wild, then I might perk up my ears, but this is all just lab demos and the benefits of speculative execution vastly outweigh their downsides

If a vulnerability requires physical access to a machine to exploit then I don't care because at that point you've dun goofed. If I can remotely exploit it then it starts to become an issue and while it might not be something that's applicable today, given enough time it could become button pressing easy to exploit down the line. Sure, the average home user probably doesn't need to freak out about this stuff since it's likely not going to be used against them but for data center operators it's going to be a huge nightmare when someone finds a way to exploit this to take out large swaths of a data center by combining with a wormable exploit higher up.


6 minutes ago, HelpfulTechWizard said:

Intel...... Intel..... in you years of peace when the great AMD dragon slumbered, you got lazy. You didn’t try. You leave these maps of great weakness easy to fine, and you lose performance to stop the problems.

It looks like they've tested on AMD Ryzen 7 2700X and Ryzen 7 3700X systems as well with similar results. 


3 minutes ago, Lurick said:

It impacts AMD and Intel so.......

Oh oops..... I thought they were older core processors. That will be different in a min.


1 minute ago, Lurick said:

If a vulnerability requires physical access to a machine to exploit then I don't care because at that point you've dun goofed. If I can remotely exploit it then it starts to become an issue and while it might not be something that's applicable today, given enough time it could become button pressing easy to exploit down the line. Sure, the average home user probably doesn't need to freak out about this stuff since it's likely not going to be used against them but for data center operators it's going to be a huge nightmare when someone finds a way to exploit this to take out large swaths of a data center by combining with a wormable exploit higher up.

I share the same concern. If this can be executed in a browser, look out!!!


46 minutes ago, HelpfulTechWizard said:

Intel...... Intel..... in you years of peace when the great AMD dragon slumbered, you got lazy. You didn’t try. You leave these maps of great treasures easy to fine, and you lose performance to stop the problems.

Quote

we confirmed similar results on Intel Xeon E3-1505M v5, Xeon E3-1270 v6 and Core i9-9900K CPUs, based on the Skylake, Kaby Lake and Coffee Lake microarchitectures, respectively, as well as on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs, which are based on the Zen+ and Zen2 microarchitectures.

[image]


Just now, Mateyyy said:

[image]

Dude, I already said I thought they were talking about older Core processors.


12 minutes ago, HelpfulTechWizard said:

Huh. Something that finally affects and for once. That's new.

No it's not, lol


One more "speculative execution as arranged has problems" exploit. I'm not sure the "none of these has appeared in the wild so it's not important" opinions will remain if one of them does appear in the wild. The question seems to be whether or not it is a foregone conclusion that one eventually will, and if it's a when, not an if. I personally suspect we've likely got a processor generation before this happens, though that and $5 will buy you a coffee at Starbucks.

A lot of these seem to be "sniffing" exploits, and I've seen supposition that they could be at least partially defanged by putting the bits that actually contain the tasty snacks in unsniffable sections. That would require an architectural change. Security has been an arms race for many hundreds of years.


What if either Intel or AMD made a processor that mitigates this and then made the exploit appear in the wild, so that their new processor is the only thing immune to the attacks?


Just now, Fatih19 said:

What if either Intel or AMD made a processor that mitigate this and then make the exploit appear in the wild so that their new processor is the only thing immune to the attacks?

Or Apple, or some ARM maker, or some Chinese x86 manufacturer, or some RISC-V builder, or basically any CPU manufacturer really. If I was designing chips atm I'd be looking at mitigation stuff.


21 hours ago, OddOod said:

I'm tired of these. If someone had exploited them in the wild, then I might perk up my ears, but this is all just lab demos and the benefits of speculative execution vastly outweigh their downsides

These more sophisticated attacks are usually performed by states against foreign countries and organizations. You may not be directly attacked but your cloud provider, municipality, or government etc which hold your data might be hacked.

 

Apple, AWS, ... all have been the subject of massive hacks that they've kept very quiet. Read this article to see how real a risk these vulnerabilities are:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies


8 hours ago, Arika S said:

Then they would cease to exist if they were found out, they would get fined into oblivion and a lot of people would be arrested...

Well, looking at the previous Volkswagen scandal, I'd suspect the companies would get slapped hard in the hypothetical suit, but would still be kept alive, as not only is there tons of product already in the field to support, but few (if any) smaller companies can put together high performance CPU designs comparable to the hypothetically deceased corporations.
