Spectre and Meltdown

[andy-o24]

Quote:

the speculation functionality of many modern high-performance processors, despite working as intended, can be used in conjunction with the timing of cache operations to leak some information

Did you all know about this? Admittedly I don't really know what this all means, but it's apparently a security breach utilizing cpu architecture or something? A bit unsettling, but I don't know how bad it is.

Sources:
https://meltdownattack.com

http://googleprojectzero.blogspot.co...-side.html?m=1

[Travis_Flesher]

'A security breach utilizing CPU architecture'
I don't know exactly what all this means either and there are certainly many facets to this topic, but talk is cheap (free in fact, and fun) so here are my thoughts.
Many commercial digital security companies use Linux code and servers.
Most peoples' cellphones are gonna be Android or Apple.
Everything else is Windows, the grandfather OS of computing and the GUI which hath been provided.
There is an inherent flaw. There's always an inherent flaw. There are numerous basic windows services that come packed onto our PCs that if harnessed properly can be used to do some pretty hitech network stuff, but if fell to the hands of an evil genius could do hitech blackhat malware.
Basically, have fun with your computers and try to use them properly and for neat stuff. If you think someone's a hacker, investigate. When it comes to your stuff being hacked or stolen remember that disabling internet will prevent file leaks and use jump drives instead of the cloud.

[Soundwave-]

Whenever you jump around in code, a ton of data used to optimize execution has to be trashed, so processors have a system devoted to speculating whether or not jumps will occur, and executing code based on this speculation. If the processor is right, a ton of time is saved. If it's not, it's not too expensive to just back up and go along the correct path.

Spectre attacks work by training the processor to assume a jump that would normally occur (like say, jumping away from code that tries to access protected memory) instead does not occur. Then an attacker accesses protected memory and loads a known part of memory based on the value of the protected memory. Since the processor has been trained to assume that the memory access will not trip protections, it'll execute the attackers code speculatively. However, eventually the processor will catch the protected memory access, roll back the speculatively executed code, and as far as the attacker knows, their code was never executed.

It sounds foolproof.

And people thought it was, for 23 years.

But there's a problem. The rollback doesn't roll back everything. It rolls back everything except for the memory cache (and the branch predictor, and probably some other trade secrets). See, accessing memory is slow, and so processors cache accessed memory, as the same parts of memory are often accessed in succession. But overwriting the memory cache is also slow, and so it's not done during a rollback. Doing so would defeat the advantages of speculative execution.

Accessing memory is measurably faster if the memory has been cached.

And therein lies the problem. Going back to our scenario, when the processor speculatively executes the attackers code, it loads a part of memory based on some protected memory values. When the execution is rolled back, the cache state remains the same, so if the protected memory value was such that a target part of memory was loaded, when the attacker goes to access that target memory, access will be measurably faster than if the protected memory value was not such that the speculative execution would load the target memory. And thus, information about protected memory is deducible.

Deducing information about protected memory in this manner is a Spectre attack. It for the most part only affects programs attacking each other.

Why? Because when something is really important, like operating system important, a protection ring is used. This is a hardware feature built into the processor that separates code into different privilege levels, and allows memory to be divided between these levels. Execution can only move between these levels in very specific ways dictated by the operating system. Accesses outside of memory assigned to the ring of the currently executing code are shot down even faster than they would be otherwise. The result is that kernel memory is protected from even the malicious Spectre attacks.

In theory.

In practice, Intel (and Intel specifically, as far as we know currently) screwed this one up as well. Speculative execution can bypass even ring checks on Intel hardware, allowing Spectre attacks to crossover ring boundaries. When this happens, the attack is named Meltdown.

Are you vulnerable to these attacks? Yes, at least some forms of Spectre. Meltdown has been contained. Does it present an actual security concern for most people...? Probably not. It's very very common for people to operate on a privileged account. If you do this you're far more likely to accidentally install a malicious rootkit than to get hit by a Spectre attack. Additionally, Spectre attacks are easy enough to prove feasibility for, but in terms of actual attacks, like stealing passwords... it becomes exceedingly difficult. There's just two things to be careful with regarding this: Spectre attacks are unlikely to be detected by anti-virus and anti-malware presently, and Spectre attacks can be carried out through most scripting environments, most notably your browser.

Just keep an eye out, use common sense, and wait for engineers to rethink 2 decades of processor technology.

[Travis_Flesher]

speculative memory kernel packet breach confirmed
Epic post soundwave

[valentineSM]

mfw meltdown

-o24