?

Log in

No account? Create an account

Previous Entry | Next Entry

Spectre Of A Meltdown

I find myself reminded of the infamous Rainforest Puppy, who was recruited to security at MicroSoft when he discovered and reported a huge number of security vulnerabilities in Windows ME.  He left MS because, according to him, MS would issue critical security updates for businesses using their software immediately but took their time to roll them out for home consumers.  He felt this was unfair and struck out to start his own computer security firm.

The computer industry has a very spotty history of sharing information with the world.  From viruses and exploits to hacks (Yahoo, EA, etc.) to even simple flaws in the chips -- one of Intel's Pentiums at the time was found to have a bug that resulting in a math computation error.  Despite the fact that all computer operations are basically math, Intel initially downplayed the flaw, saying the math that would trigger the bug was unlikely to every be executed in software.  For a while, Intel was selling broken hardware and refusing to do anything about it.  There's a reason I usually go with AMD when I have the option.  Hell, I once took a VIA CPU over an Intel.  Go ahead and laugh, but I stand by my decision at the time.

Now, there's a new vulnerability.  And not only did Intel know about it, not only does it appear they knew about it for quite some time, but apparently so did a LOT of major tech companies who were willing to wait until next week to let us know what was happening.  And a lot of people are not happy.

The whole thing starts with a fellow by the name of Daniel Gruss.  Gruss, 31, is no dummy.  He's a post-doctoral fellow at Austria's Graz Technical University and is an information security researcher.  Gruss and two of his colleagues, Mortiz Lipp adn Michael Schwarz, were testing to see if an abstract theory could actually happen.  The theory they were testing was that black hats and crackers could exploit a CPU's kernel memory.

The CPU kernel memory is supposed to be inaccessible to users, so while it was theoretically possible, it should be a practical impossibility.  Gruss and his team had, in fact, made a tool to defend against such attacks.  They initially called it Forcefully Unmap Complete Kernel With Interrupt Trampolines, a.k.a. FUCKWIT.  But by the time they presented their paper on it, the name had changed to Kernel Address Isolation to have Side-channels Effectively Removed, or KAISER for short.  In July, researcher Anders Fogh wrote that it MIGHT be possible to abuse the CPU in the way KAISER defended against, but he was unable to actually exploit the CPU to see how well the tool worked.  So Gruss and his friends started working to to see if they could make it happen.

And in early December, to his horror, Gruss succeeded.

"When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss said to Reuters.  Web histories, encrypted passwords, everything was there, and it could be used on a server to get the information on every machine on its network.  He, Lipp, and Schwarz began emailing each other, and tried to find that the information was wrong.  It wasn't.  They had proven the results were correct, the data was legit, the tool worked, and it was the computer security equivalent of the Apocalypse.  So much so, Gruss could barely sleep that night.  The first exploit was dubbed "Meltdown," and affects most chips made by Intel since the dawn of the Pentium era in 1995.  Yeah, over two decades old.  The second is called "Spectre" and while Meltdown is specific to Intel, Spectre exists in EVERYTHING, from Intel to AMD to ARM's.

Right now, you are probably asking, "How does this work?" and "How do I protect myself from it?"  I'll take these questions in order.  So, how does this work?  Time for a lesson in computer science.  In the quest to speed up processing, CPU's developed something called "speculative execution."  Bascially, the CPU doesn't execute commands in the order they receive them, but out of order using side channels.  Basically, the CPU is guessing what commands are going to be run and runs them in advance.  If the CPU makes the correct speculative call, time is saved.  If it gets it wrong, the out-of-order task is cancelled and no time is lost.  It has become the cornerstone of modern computing.  Meltdown and Spectre time the back and forth data on these side channels, and in doing that, they can eventually learn system-level data, including passwords.

So how do you defend against it?  First, some good news -- in order for Meltdown and Spectre to execute, MALICIOUS CODE NEEDS TO BE ON YOUR COMPUTER FIRST.  As long as you are careful about what you are downloading and installing and only visiting trusted web sites (or don't sideload apps), the chances of you having the malicious coded needed to run Meltdown and Spectre are practically nil.  Next, KAISER has been shown to work, and thank God for that.  In fact, developers are already incorporating it into patches.  In fact, depending on how paranoid you are about security updates or how often your manufacturer issues updates (I'm looking at YOU, Android), you might already be safe.  Apple, for example, started fixing the flaws last month.  According to them, Mac OSX 10.13.2, iOS 11.2, and TVos 11.2 lock down the channels and you'll be safe (they say the iWatch is not affected).  They are also going to issue patches to Safari on all OS'es to keep malicious code from being injected from web sites.  Firefox, Internet Explorer, Microsoft Edge, and MS SQL Server are already patched.  Google has already rolled out patches for Android (although it is still up to the manufacturer to incorporate and release the patches for your hardware, thanks to the goofy nature of the Android boot-up.  The Google Pixel phones got their updates this past Wednesday) and ChromeOS -- if you have a Chromebook or Chromebox, they autoupdate so you shouldn't have a problem.  However, if you want some extra security on your Chromebook, or are running the Chrome browser instead of the stock Safari, you won't get it until the planned patch released on January 23rd (behavior like this is why Linus Torvalds kicked Android out of the Linux Kernel Developers List).  Until then, simply enable "site isolation."  To do this, click inside the address bar and type: "chrome://flags#enable-site-per-process", then click the "Enable" button that appears.  It might use more memory, but it will wall you off.  Linux has already dealt with this, the beauty of open source. And developers are already rethinking how to interact with memory -- it might slow the computer (Torvalds estimates it might result in a 5% hit depending on workload), but it will be bulletproof.  MS also says it is redesigning how the OS handles memory, and Intel claims they have fixed the vulnerability for future chip sets.

As for you Windows users?  You've got a bit of a problem.  MS has released a patch for Win10, but, in a move that uses up the world's supply of irony, your anti-virus may not let you download it.  Because the patch uses the same channels the AV software uses, some programs like Webroot block it.  And disabling your AV to install the patch could result in system conflicts.  Bascially, you will have to wait until your AV provider incorporates the patch into THEIR software and update that.  You should still make sure that Windows has updated, though, so that everything is ready to go once the stars align.  Also, look for firmware updates to your chips.  Surface tablets will do this automatically.  Don't have a Surface and still running Windows?  There's a stupid easy way to do it -- hie yourself to MicroSoft's Update Catalog site and search for "KB4056890."  Select your processor architecture, and ba-boom.

So, back to the story.  On Wednesday, January 3, Gruss made his findings public.  The story got picked up by techie web site The Register, and the whole world exploded.  Apparently, manufacturers were planning to release news on the defects on January 9 when most had time to work out a complete fix, but suddenly decided to do it now.  British cyber security expert Graham Cluley even told Newsweek, "The good news is that this particular isue has been examined closely behind closed doors in recent months (emphasis mine -- G) and updates are either already out or on their way."  (Emphasis mine again.  -- G)

They KNEW.

They motherfuckin' KNEW.

And they were waiting until later to tell everyone.

By the way, apparently, Intel CEO Bryan Krzanich sold $24 mil worth of Intel stock in November, allegedly months after he was made aware of the problem.  Things that make you go, "Hmmmmmm....."

In mid-December, Gruss and his team would up making contact with Paul Kocher of Cyberus Technology and Jann Horn at Google Project Zero.  Each of them and also discovered the flaw.  The three of them combined, like Voltron, to try to and stop the exploit.  The work Gruss and his team did on KAISER became key to it.

Because MicroSoft and Apple are tied so closely to Intel, they issued their patches and smiled about how everything is going to be fine.  However, Linux is open source.  There is no company backing it.  Which means Linus Torvalds, creator of Linux and all-around unrepentant asshole, gets to say what everyone else can't.  On Wednesday, he sent out the following email to the Linux list:

From Linus Torvalds
Date Wed, 3 Jan 2018 15:51:35 -0800
Subject Re: Avoid speculative indirect calls in kernel

On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen <andi@firstfloor.org> wrote:
>This is a fix for Variant 2 in
>https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
>Any speculative indirect calls in the kernel can be tricked
>to execute any kernel code, which may allow side channel
>attacks that can leak arbitrary kernel data.

Why is this all done without any configuration options?

A *competent* CPU engineer would fix this by making sure speculation doesn't happen across proection domains.  Maybe even a L1 I$ that is keyed by CPL.

I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say everything works as designed.

... and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind.

Or is Intel basically saying "we are committed to selling you shit forever and ever, and never fixing anything"?

Because if that's the case, maybe we should start looking towards the ARM64 people more.

Please talk to management.  Because I really see exactly two possibilities:

- Intel never intends to fix anything

OR

- these workarounds should have a way to disable them.

Which of the two is it?

Linus

SIDE NOTE:  Business Insider wrote an article detailing the subjects of this post, Meltdown and Spectre.  While its reports of what was going on and who was doing what to fix it are generally available, the deep dive article was behind a paywall.  And not everybody talks to techies like I do, so they can't get critical information unless they sign up for a subscription.  This is for you, Business Insider --

no title

You've earned it, you lugs.

Latest Month

June 2019
S M T W T F S
      1
2345678
9101112131415
16171819202122
23242526272829
30      

Tags

Powered by LiveJournal.com