security New details about the newly discovered CPU vulnerabilities namely Spectre 1.1 and 1.2

[captain_to_fire]

Primary Source: Intel (PDF), Research Paper (PDF), ARM (PDF)

Secondary Source: Bleeping Computer

 

Quote

Speculative Buffer Overflows: Attacks and Defenses

 

Abstract

Practical attacks that exploit speculative execution can leak confidential information via microarchitectural side channels. The recently-demonstrated Spectre attacks leverage speculative loads which circumvent access checks to read memory-resident secrets, transmitting them to an attacker using cache timing or other covert communication channels.

We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative stores to create speculative buffer overflows. Much like classic buffer overflows, speculative out-ofbounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads.

 

We also present Spectre1.2: on CPUs that do not enforce read/write protections, speculative stores can overwrite readonly data and code pointers to breach sandboxes.

 

We highlight new risks posed by these vulnerabilities, discuss possible software mitigations, and sketch microarchitectural mechanisms that could serve as hardware defenses. We have not yet evaluated the performance impact of our proposed software and hardware mitigations. We describe the salient vulnerability features and additional hypothetical attack scenarios only to the detail necessary to guide hardware and software vendors in threat analysis and mitigations. We advise users to refer to more user-friendly vendor recommendations for mitigations against speculative buffer overflows or available patches.

Looks like CPU vulnerabilities will just keep popping out as security researchers continue to poke holes and chip makers are playing a game of whack-a-mole with these vulnerabilities.

I have a feeling that 2018 will end and security researchers have found variant 10 vulnerability and it will come as a smear campaign by a CTS lab wannabe and will give Intel 12 hours to patch it. 

Quote

Spectre 1.1 and Spectre 1.2 short description

According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to the Spectre variant 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.

 

"As a result [of malicious Spectre 1.2 writes], sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective," researchers say.

 

To exploit, similarly to most previous Meltdown and Spectre bugs, both vulnerabilities require the presence of malicious code on a user's PC, code responsible for running the attack. This somewhat limits the bug's severity, but doesn't excuse sysadmins who fail to apply patches when they'll become available.

As of now no software mitigations are available but Intel is working with their partners on how to mitigate attacks taking advantage of the exploit at the software level. Microsoft for instance has recently released an advisory that they too are looking into this as well as ARM. If there's any consolation, the security researcher applied for Intel's bug bounty program via HackerOne and got paid $100,000. I don't really get as to why AMD is not listed when all of their CPUs including Ryzen are vulnerable to Spectre 1&2 and the newly published ones uses a similar attack technique. 

 

Maybe for the security conscious person like an IT guy in a company, the only thing that they can do at the moment is use an up to date endpoint security program and implement built-in mitigations like Force ASLR in Windows 10 which is turned off by default. I'm guessing the reason why Force ASLR is turned off by default is that not all programs are compiled to take advantage of ASLR and might result to incompatibilities.

 

as @leadeater once said, naming CPU vulnerabilities are confusing 

[Guest]

Well what do people expect when companies are given a strict time to patch things lol. 

[captain_to_fire]

2 minutes ago, RorzNZ said:

Well what do people expect when companies are given a strict time to patch things lol. 

Not to click random shit on the internet and be careful when opening email attachments?

[sazrocks]

5 minutes ago, captain_to_fire said:

Not to click random shit on the internet and be careful when opening email attachments?

Not enough. Commonly downloaded programs can and have been compromised with malware.

[Arika]

I'm getting bored of all these exploits.

[Jurrunio]

I remember a few of these cpu vulnerabilities also affect Ryzen. Does that mean AMD's FX is the safest because no one bother targeting it?

[captain_to_fire]

2 minutes ago, sazrocks said:

Not enough. Commonly downloaded programs can and have been compromised with malware.

Then keep the PC up to date even though Windows Updates are annoying af and run an up to date antivirus and not click random shit on the internet. 

[Christophe Corazza]

Time to air-gap everything. This internet thing is maybe more trouble than it's worth  

[sazrocks]

5 minutes ago, captain_to_fire said:

not click random shit on the internet. 

Did you read my post?

"Commonly download programs" are not

Quote

random shit on the internet. 

 

9 minutes ago, captain_to_fire said:

Then keep the PC up to date

Did you read your bleeping computer source?

Quote

Researchers didn't release information on CPUs impacted by Spectre 1.2. No patches are available for either bugs at the moment, but an Intel spokesperson told Bleeping Computer that its guide on handling Meltdown and Spectre flaws contains information on how developers can inspect and modify their source code to mitigate the vulnerability at the app/software level.

 

[captain_to_fire]

33 minutes ago, Christophe Corazza said:

Time to air-gap everything. This internet thing is maybe more trouble than it's worth  

Said by almost every parent 

 

[captain_to_fire]

1 minute ago, sazrocks said:

Did you read your bleeping computer source?

I did. I indicated it in the OP. I was just showing the most common way of making one's computer safe. Just because there's no software patch at the moment doesn't mean there won't be one in the coming weeks. So I don't really know what you're riling about. 

[Zodiark1593]

11 minutes ago, Christophe Corazza said:

Time to air-gap everything. This internet thing is maybe more trouble than it's worth  

Raspberri Pis to rule the internet?

[sazrocks]

2 minutes ago, captain_to_fire said:

I did. I indicated it in the OP. I was just showing the most common way of making one's computer safe. Just because there's no software patch at the moment doesn't mean there won't be one in the coming weeks. So I don't really know what you're riling about. 

We seem to be having a miscommunication. I'll just drop it.

[Christophe Corazza]

26 minutes ago, Jurrunio said:

I remember a few of these cpu vulnerabilities also affect Ryzen. Does that mean AMD's FX is the safest because no one bother targeting it?

 

Intel ship the most $ worth of CPUs by a very wide margin, so they will naturally attract the most attention. The fact is SPARC, MIPS, ARM and even POWER have been reported as having SPECTRE vulns - so it's not just poor likkle old Intel.

 

To my reckoning there are an awful lot of VMs out there sharing Intel boxes on networks with strangers, so it seems reasonable that Intel cops the majority of the flak to me... Big fail is a natural by-product of big success.  

[mr moose]

4 hours ago, Arika S said:

I'm getting bored of all these exploits.

I vote we start a new internet where our pcs don't have these exploits.

[leadeater]

10 minutes ago, mr moose said:

I vote we start a new internet where our pcs don't have these exploits.

Hmm? That's an excellent point, why has no one though of it before. Pfff, security experts can't even figure out such a basic solution as this .

[Deus Voltage]

1 minute ago, leadeater said:

Hmm? That's an excellent point, why has no one though of it before. Pfff, security experts can't even figure out such a basic solution as this .

Blockchain quantum internet? /s

[NMS]

Still hoping for Nvidia to drop out of nowhere the news on entering the CPU market. Maybe their architecture would have no security vulnerabilities.

Because while this was scary at first, especially if you owned Intel, at this point does anyone even gives a f*ck? I mean, it's not like you can just stop using Intel or AMD CPU's.

[mr moose]

3 minutes ago, Deus Voltage said:

Blockchain quantum internet? /s

I was thinking we just ban people from talking about it.  if no one knows it's an exploit we go back to June last year when it wasn't a problem.

[leadeater]

1 minute ago, Deus Voltage said:

Blockchain quantum internet? /s

We just need to distribute it to thousands and thousands of fridges, RIP Anton.

[themctipers]

I really want a new laptop, but fucking spectre and meltdown is annoying the back of my head like: don't get cucked, look at your core duo laptop, 32 bit only. 

[mr moose]

1 minute ago, NMS said:

Still hoping for Nvidia to drop out of nowhere the news on entering the CPU market. Maybe their architecture would have no security vulnerabilities.

Because while this was scary at first, especially if you owned Intel, at this point does anyone even gives a f*ck? I mean, it's not like you can just stop using Intel or AMD CPU's.

I can imagine there are a handful of personality types that are not sleeping well with this news,  they'd be the same ones that ruin every thread with conspiracy theories about bill gates poisoning the children etc.

[Deus Voltage]

2 minutes ago, mr moose said:

I was thinking we just ban people from talking about it.  if no one knows it's an exploit we go back to June last year when it wasn't a problem.

Let's make the "Tech Ministry of Truth" while we're at it. All found exploits are propaganda by the enemy

3 minutes ago, leadeater said:

We just need to distribute it to thousands and thousands of fridges, RIP Anton.

Think of all the money we can make, maybe we'll be the first trillionaires 

[mr moose]

2 minutes ago, Deus Voltage said:

Let's make the "Tech Ministry of Truth" while we're at it. All found exploits are propaganda by the enemy

 

That's already happening on this internet, it doesn't appear to be working to well because it seems we still have security issues.  Well just run a script that deletes all pages that contains the words exploit, security, flaw,  vulnerability,  patch and update.  that should take care of most of it.

 

I personally look forward to never having to hear about update issues again.

[ScratchCat]

4 hours ago, Zodiark1593 said:

Raspberri Pis to rule the internet?

Actually yes.

Those and cheap android phones. The A53 doesn't use speculative execution and so is invulnerable to  spectre and its derivatives.