
Researchers publish 5 new Spectre branches & 2 new Meltdown variants and demonstrate Meltdown running on Ryzen for the first time

Master Disaster

A team of 7 researchers, including some of the team who originally discovered Spectre & Meltdown, have published a paper outlining several new variants of the bugs. The team is also pushing for a name change from Speculative Execution to Transient Execution.

Quote

Computer security researchers have uncovered yet another set of transient execution attacks on modern CPUs that allow a local attacker to gain access to privileged data, fulfilling predictions made when the Spectre and Meltdown flaws were reported at the beginning of the year.

 

In short, these processor security flaws can be exploited by malicious users and malware on a vulnerable machine potentially to lift passwords, encryption keys, and other secrets, out of memory that should be off-limits. To date, we're not aware of any software nasties exploiting these holes in the wild, but nonetheless they have been a wake-up call for the semiconductor industry, forcing redesigns of silicon and changes to toolchains.

 

The bit boffins responsible for uncovering these latest vulnerabilities – Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin, and Daniel Gruss, from Graz University of Technology, imec-DistriNet at KU Leuven, and the College of William and Mary – include some of the same computer scientists who discovered the original Spectre and Meltdown weaknesses.

 

They argue that the term "transient execution" is preferable to other terminology like "speculative execution" to describe the Spectre, Meltdown, and Foreshadow attacks.

 

"'Speculative execution' is often falsely used as an umbrella term for attacks based on speculation of the outcome of a particular event (i.e., conditional branches, return addresses, or memory disambiguation), out-of-order execution, and pipelining," they explain in a paper distributed through ArXiv on Tuesday.

 

"However, Spectre and Meltdown exploit fundamentally different properties of CPUs. A CPU can be vulnerable to Spectre but not Meltdown (e.g. AMD), and vice versa. The only common property of both attacks is that they exploit side effects within the transient execution domain, i.e., within never-committed execution."

All in all the team has discovered two new Meltdown variants and five new Spectre branches.

Quote

The researchers describe seven new transient execution attacks, consisting of two new Meltdown variants (Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD) and five new Spectre branch predictor mistraining strategies for previously disclosed flaws known as Spectre-PHT (Bounds Check Bypass) and Spectre-BTB (Branch Target Injection). They say they've responsibly disclosed their findings to chip vendors.

 

Where Spectre exploits branch prediction to gain access to transient data, Meltdown bypasses the isolation between applications and the operating system by evaluating transient out-of-order instructions following a CPU exception to read kernel memory.

 

Previously, there were five publicly disclosed Meltdown variants: Meltdown-US (Meltdown), Meltdown-P (Foreshadow), Meltdown-GP (Variant 3a), Meltdown-NM (Lazy FP), and Meltdown-RW (Variant 1.2).

 

The researchers propose two more: Meltdown-PK and Meltdown-BR.

 

The Meltdown-PK attack can defeat a defense in Intel Skylake-SP server chips called memory-protection keys for user space (PKU), which lets processes alter the access permissions of a page of memory from user space, without a syscall/hypercall.

 

"Meltdown-PK shows that PKU isolation can be bypassed if an attacker has code execution in the containing process, even if the attacker cannot execute the wrpkru instruction (e.g., due to blacklisting)," the researchers explain. "Moreover, in contrast to cross-privilege level Meltdown attack variants, there is no software workaround. Intel can only fix Meltdown-PK in new hardware or possibly via a microcode update."

 

Meltdown-BR provides a way to bypass bound checks, which raise exceptions when an out-of-bound value is found. It exploits transient execution after such an exception to capture out-of-bounds secrets that wouldn't otherwise be accessible.

Perhaps most interesting to me is they were able to demonstrate Meltdown running on AMD Ryzen based hardware for the first time ever.

Quote

The researchers demonstrated their attack on an Intel Skylake i5-6200U CPU with MPX support, an AMD 2013 E2-2000 and an AMD 2017 Ryzen Threadripper 1920X. They note this is the first time a Meltdown-style transient execution attack has been shown to be able to take advantage of delayed exception handling on AMD hardware.

 

As for the novel approaches to mistraining the branch predictor in Spectre-PHT and Spectre-BTB attacks, the researchers tested their proof-of-concept exploits on Intel Skylake i5-6200U and Haswell i7-4790, on AMD Ryzen 1950X and a Ryzen Threadripper 1920X, and on an Arm-based NVIDIA Jetson TX1.

 

All vendors have processors that are vulnerable to these variants, they claim. The same, they say is true for Spectre-BTB, though they consider potential attack scenarios far more limited. Presently, no CVEs for these issues have been assigned.

Despite the researchers saying otherwise, both Intel & ARM say these new attacks can be mitigated using existing patches. AMD have remained silent so far.

Quote

In a statement emailed to The Register, an Intel spokesperson brushed off the findings. "The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers," Intel's spokesperson said.

 

"Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, and the College of William and Mary for their ongoing research."

 

Arm's spokesperson said, "The recent Spectre and Meltdown vulnerabilities identified by academic researchers can be addressed by applying existing mitigations as described previously in Arm's white paper found here."

 

AMD did not immediately respond to a request for comment.

 

The chip vendors' insistence that they're not affected contradicts the researchers' published statements. "Even with all mitigations enabled, we were still able to execute Meltdown-BR, Meltdown-PK, and Meltdown-RW," they state in their paper, adding that "some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked."

Industry experts say no current mitigation technique is perfect and a fundamental redesign of hardware is required to fix this properly.

Quote

As was suggested when Spectre and Meltdown were first disclosed, better fixes may mean redesigned hardware. In a statement emailed to The Register, Cody Brocious, a security researcher at HackerOne, said, "As long as speculative execution is performed in processors, this type of bug will continue to be discovered. It's impossible to perform operations without side-effects on a hardware level, and abstractions that pretend such operations are side-effect-free are always going to cause security issues."

The group finished the paper with the following statement

Quote

The threat from transient-execution attacks did not change in any way with this publication. The main thing we tried to contribute to the community was a clear way to analyze and categorize new variants, a clear way to validate and analyze defense techniques. So, this is what changed: Now we can better assess what specific defense techniques offer.

https://www.theregister.co.uk/AMP/2018/11/14/spectre_meltdown_variants/

 

This situation keeps getting worse and worse. Seems like Intel & ARM have taken to sticking their fingers in their ears and shouting to try and drown out the noise.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Just goes to show we can't avoid it, best practice is to maintain updates and hope there isn't a vulnerability that has far worse potential out there already.

 

Also, I have it on good authority that this is likely just a company out to manipulate AMD share price because it is absolutely, positively, undeniable and reliably impossible for AMD to be vulnerable to such exploits and that only an evil company resting on its laurels (AKA Intel) would be.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


6 minutes ago, huilun02 said:

But they found just one vulnerability on Ryzen processors, so I'm glad to be using Intel

I think they used local as a qualifier because there's speculation of a remote variant that researchers are currently trying to find.

 

I left it out of my post but here it is...

Quote

While a remote Spectre attack called NetSpectre has been proposed by other researchers, these latest techniques appear to be local threats for the time being.

 

"Remote attacks are very difficult to mount for now," said Gruss in an email to The Register.

 


5 minutes ago, Master Disaster said:

I think they used local as a qualifier because there's speculation of a remote variant that researchers are currently trying to find.

how is that even possible? besides, couldn't a good firewall stop such attacks?

She/Her


I remember watching an interesting video on hardware problems (undocumented instructions and bugs) prior to the initial spectre and meltdown news breaking, and it seems even more relevant today.

 

 

Basically, software is routinely and thoroughly investigated to make sure it does everything it's supposed to correctly, and nothing it shouldn't, but the same isn't true for hardware, not because it isn't necessary - it is - but because there really isn't a good way to do so. The fact of life is hardware can and does suffer from the same potential issues as software - hidden functionality, and critical bugs - and I believe as CPUs continue to get more complex, these problems are going to become more serious and more common as the very necessary but too often overlooked process of testing and vetting becomes more difficult.

 

So basically, it's hopeless, just accept there's always going to be issues and don't worry about it.

But also, doing everything possible to make that ^ statement false is and should be a priority.

 

Yes, a bit of a conflicting conclusion I know but ¯\_(ツ)_/¯ oh well xD

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Just now, firelighter487 said:

how is that even possible? besides, couldn't a good firewall stop such attacks?

A good hardware firewall in between you and the internet probably will, but the kind of attack (even on intel) that could be done remotely would need to infect your pc with some pretty customised malware first.  Likelihood of average pc users being caught out with this are rare to non existent, you are more likely to be a victim of ransomware.


Quote

Presently, no CVEs for these issues have been assigned.

While I appreciate the work, what the **** is wrong with some security researchers lately. 


4 minutes ago, firelighter487 said:

how is that even possible? besides, couldn't a good firewall stop such attacks?

Getting a bit crazy but not outside the realm of possibility imo - they could compromise the router/firewall, and from there move on to attacking the computer directly.


1 minute ago, mr moose said:

A good hardware firewall in between you and the internet probably will, but the kind of attack (even on intel) that could be done remotely would need to infect your pc with some pretty customised malware first.  Likelihood of average pc users being caught out with this are rare to non existent, you are more likely to be a victim of ransomware.

since when has the need for advanced malware stopped attackers?


Just now, Ryan_Vickers said:

Getting a bit crazy but not outside the realm of possibility imo - they could compromise the router/firewall, and from there move on to attacking the computer directly.

that could actually be easy if another SSH flaw or something gets discovered. 


1 minute ago, mr moose said:

A good hardware firewall in between you and the internet probably will, but the kind of attack (even on intel) that could be done remotely would need to infect your pc with some pretty customised malware first.  Likelihood of average pc users being caught out with this are rare to non existent, you are more likely to be a victim of ransomware.

Yup, but these attacks are utterly important to figure out and prevent. The CCleaner attack is where things are going. The attack took entering that network and stalking the activity for months to figure out how to inject the malware into a verified build. Major Attacks now look a lot like complex bank heists more than classic hacking approaches. And that's really important with much of the financial world running on Intel x86 servers. 


3 minutes ago, firelighter487 said:

since when has the need for advanced malware stopped attackers?

Since it has to be targeted.  There are much easier ways to get information/hack your average personal PC than trying to use one of these exploits. It is more of a concern for large companies and people with extremely sensitive information (think spies, government agencies etc).  

 

EDIT: plus what he ^^ said.


Just now, mr moose said:

Since it has to be targeted.  There are much easier ways to get information/hack your average personal PC than trying to use one of these exploits. It is more of a concern for large companies and people with extremely sensitive information (think spies, government agencies etc).  

oh okay, that makes sense. although that's even more scary, since as of now most servers have intel cpu's....


Just now, firelighter487 said:

oh okay, that makes sense. although that's even more scary, since as of now most servers have intel cpu's....

And because of that there is some meltdown/spectre mitigation in place for those servers.  calling @leadeater to take over. this is where my knowledge of the ins and outs starts to wane.


3 minutes ago, firelighter487 said:

oh okay, that makes sense. although that's even more scary, since as of now most servers have intel cpu's....

It gets more specific as most of the Financial World is really supplied by all of 3 major Server Suppliers. You need a single firmware Zero Day after you've setup shop within a protected network to take near control of an entire Bank.


4 minutes ago, mr moose said:

And because of that there is some meltdown/spectre mitigation in place for those servers.  calling @leadeater to take over. this is where my knowledge of the ins and outs starts to wane.

CBF, too sleepy ?


1 minute ago, leadeater said:

CBF, too sleepy ?

but even then you would likely still be more accurate than me.  besides, it's only 10:15 over there,  WAKE UP!! ?


47 minutes ago, Master Disaster said:

taken to sticking their fingers in their ears and shouting to try and drown out the noise

this works really well when any issue ever arises for anything


4 minutes ago, mr moose said:

but even then you would likely still be more accurate than me.  besides, it's only 10:15 over there,  WAKE UP!! ?

Something something, sacrifice chickens, system is secure now. My work here is done.


2 minutes ago, leadeater said:

Something something, sacrifice chickens, system is secure now. My work here is done.

So you're saying i should pour chicken blood over my CPU to prevent Spectre & Meltdown?

 

Edit

 

I shouldn't have to do this but JIC...

 

DO NOT POUR CHICKEN BLOOD OVER YOUR PC!!!


10 minutes ago, Master Disaster said:

So you're saying i should pour chicken blood over my CPU to prevent Spectre & Meltdown?

 

Edit

 

I shouldn't have to do this but JIC...

 

DO NOT POUR CHICKEN BLOOD OVER YOUR PC!!!

 

11 minutes ago, leadeater said:

Something something, sacrifice chickens, system is secure now. My work here is done.

 

 

 


2 minutes ago, mr moose said:

 

 

 

 

What in all that is holy did I just watch? I want my 3 and a half minutes back.


1 minute ago, Master Disaster said:

What in all that is holy did I just watch? I want my 3 and a half minutes back.

You can't have them back, youtube stole it fair and square.


Scary times men. You're never safe anymore

Irish in Vancouver, what's new?

 
