Info Regarding Meltdown and Spectre

Proof of concept source code for the Spectre and Meltdown attacks have surfaced on github today. Perusing through much of the code shows that the most egregious architecture bungle in the history of man can be accomplished with 122 lines of code according to security experts. Get ready folks. Things are about to get weird in 2018.

Quick Facts on Spectre & Meltdown

1: This is not just an Intel Architecture Problem. Spectre makes this is a general CPU architecture problem that affects all CPUs. Performance being prioritized over Security will no longer work. However, AMD is being vocal that the chances of its CPUs being heavily impacted on this is very unlikely.

Conversely, Intel has issued a warning that just about every server chip it has made in the last 10 years is open to these attacks.

Intel is saying that it will have updates issued by the end of the week for 90 percent of the processor products built in the last five years.

2: These flaws allow the entire contents of memory to be dumped for nearly any device that uses a CPU. Desktops, laptops, servers, mobile phones. Dumping memory exposes EVERYTHING.

3: Spectre affects ALL PROCESSORS. It exploits a fundamental design flaw in contemporary CPU architecture. There is no fix for current hardware.

4: Meltdown affects INTEL processors. It’s easier to pull off the attack than Spectre but has a mitigating patch. Unfortunately, the patch is expected to affect performance significantly in certain workloads.

5: The Meltdown patch still does not address Spectre, though the criticality is largely the same.

6: To reinforce the severity of the issues these attacks could present. Imagine a threat actor making their way onto an AWS cloud server and dumping / reading the entire contents of memory for everything on that server. Think about how many companies exist on a single cloud server. The amount of sensitive data present is staggering. Passwords, Log-Ins, Personal Info, Intellectual Property, Files, SSL Keys, Databases…The list goes on.

7: Vendors don’t understand the issue, with many stating Microsoft has already fixed this in an upcoming patch. Again, Meltdown can be patched. Spectre cannot. They both accomplish the same end result. Spectre is difficult to exploit, but in the hands of the right threat actor is easily doable. Once Spectre is streamlined and automated for ease of use, all bets are off.

The Bottom Line

I wish I could really say right now, but considering that most of the world is run on Intel CPUs when it comes to servers, the simple suggestion to “Replace CPU hardware,” is a bit daunting, except to probably AMD and possibly Qualcomm and its new Centriq processors. As for a current anti-virus list, you can follow this well laid out spreadsheet from @GossiTheDog.

What to do with the information we have today:

Average Desktop User (Intel): At this point your best and only option is to apply the Microsoft KAISER patch when they become available. As this attack is also reported to have delivery via web-browser via .js, it may be plausible to block .js execution from the browser as well.

Average Desktop User (AMD): Your CPU is mostly immune, as AMD is adamant that these exploits do not affect their architecture. If anything changes, I am actively tracking and will alert you.

The Gamer (Intel): Early reports are stating 5-35% performance loss with some going as high as 50%, however, thorough performance impact benchmarks have not been widely done yet, so we really have no idea how massive of performance hit gaming on Intel CPUs will take. You could risk it and keep Windows from updating, but we would not recommend that currently.

The Gamer (AMD): Current Patches are only for Meltdown and will not affect performance, but when Spectre is patched the performance loss may be 0-2%, per AMD. Feel free to keep your computer updated and secure with no concern for the possible performance collapse Intel processors will experience.

The Admin: This is going to boil down to company policy. You will have to weigh the unknown vs. the known. Are the patches compatible with your AV suites? Will they cause an adverse business impact when deployed? Will performance impacts cause issues and what could they affect specifically? If it was me, I’d look at critical systems and start there. Sensitive data being protected is a priority. When upgrade time comes around, I would pressure the higher ups to switch to AMD EPYC based servers ASAP.

Analysis of Spectre & Meltdown by a Computer Guy

This has been a very interesting New Year – and I have something technical to wax lyrical about again. There’s a lot of flak and misinformation flying around, and it’s hard for most people to see what, precisely, is going on. That’s understandable, since what is going on is pretty weird.

So here’s a brief summary of what, exactly, the three security vulnerabilities are:


Spectre v1: “Bounds-Check Bypass”.

The CPU is tricked into speculatively loading data from outside the bounds of an array which is bounds-checked, ie. at a virtual address chosen by the attacker. The bounds-check means that the data is never actually loaded into registers visible to the program. However, the data can be passed through several subsequent speculative instructions, including loads from dependent addresses, so cache-timing effects can be used as a side-channel to exfiltrate the data. The data, however, must legitimately be readable by the same process.

This vulnerability is difficult to exploit usefully. In most cases where it’s possible to inject code to perform the attack, you can simply inject code to read the data directly, instead. Proofs of concept use JIT compilers (eBPF and Javascript) to implement the attack.

Vulnerable CPUs: Potentially anything with branch-prediction and a sufficiently deep pipeline. This is not an x86-specific exploit. The newer the CPU, the more likely it is vulnerable. In particular on the AMD side, Piledriver, Excavator and Ryzen are confirmed to be vulnerable – but this is nothing special. Potentially even K6 and Pentium Pro are vulnerable, but early Atoms and the Pentium-MMX are not.

Software Mitigation: Bounds-checked array accesses in untrusted JIT-compiled code should be associated with a memory barrier, so that the array access itself is not speculatively executed with respect to the bounds check. This has a small performance impact on JIT-compiled code.


Spectre v2: “Branch Target Injection”.

The CPU is tricked into mispredicting an indirect branch (commonly used to implement ‘virtual’ functions in C++, or jump tables in the kernel) to speculatively execute program code chosen by the attacker. This code can directly read data visible to the process executing the branch, then perform a dependent read to permit exfiltration over the same cache-timing side-channel as Spectre v1. The exfiltrated data may reside in a privileged address space, if the targeted branch happens to be in privileged code.

The architectural results of this speculative execution are cancelled when the true branch target becomes known to the CPU, and true execution resumes from the correct address; it is therefore difficult to detect that the attack has taken place. The branch-target injection can be performed by another process or thread executing on the same CPU core as the target process, since the Branch Target Buffer (BTB) is shared between them.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires poisoning the CPU’s BTB. This is easy on at least Intel Haswell CPUs (and probably some other Intel CPUs), because BTB entries are aliased in a very predictable way. Some recent ARM Cortex-A series CPU cores are reportedly vulnerable too, for the same reason. It is much more difficult on all AMD CPUs, because BTB entries are not aliased – the attacker must know (and be able to execute arbitrary code at) the exact address of the targeted branch instruction.

Software Mitigation: Indirect branches that can be mispredicted should be removed from privileged code. This is apparently being done in the Linux kernel on vulnerable CPUs. It’s not yet clear what the performance impact is, but it should be small.


Meltdown: “Rogue Data Cache Load”.

The CPU is tricked into speculatively loading data which is in the L1 D-cache, but which is marked as unreadable in the page tables. Such data is typically accessible to privileged code running in the same process (eg. upon executing a syscall), and is left mapped but unreadable as a performance optimisation. As with the Spectre attacks, the attack relies on passing the data through further speculatively-executed instructions to perform side-channel exfiltration, and normal execution resumes with no obvious side-effects once the speculation window closes.

This vulnerability is potentially useful to a local attacker. It can obtain secret data from a privileged address space, such as cryptographic tokens or the location of a viable Rowhammer target.

Vulnerable CPUs: This attack requires that the CPU fails to promptly check security flags while performing L1 D-cache loads for a speculatively-executed instruction. Various Intel CPUs (the full extent is not yet clear) are vulnerable. AMD CPUs are not vulnerable.

Software Mitigation: Operating Systems can fully unmap privileged address spaces, instead of merely marking them as inaccessible, when kernel-mode code is not being executed. This means that the rogue load in the attack code will not find the target data. This carries a significant overhead for each syscall, because switching to the alternative page tables and back requires flushing the TLBs twice. Most workloads could see a 30% slowdown, but over 50% performance loss has been reported on newer Intel CPUs, such as the i7 8700k. 

Linus Torvalds “(Intel) CPU’s are crap”

rom Linus Torvalds <>
Date Wed, 3 Jan 2018 15:51:35 -0800
Subject Re: Avoid speculative indirect calls in kernel
share 0
share 129
On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen wrote:
> This is a fix for Variant 2 in
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> Any speculative indirect calls in the kernel can be tricked
> to execute any kernel code, which may allow side channel
> attacks that can leak arbitrary kernel data.

Why is this all done without any configuration options?

A *competent* CPU engineer would fix this by making sure speculation
doesn’t happen across protection domains. Maybe even a L1 I$ that is
keyed by CPL.

I think somebody inside of Intel needs to really take a long hard look
at their CPU’s, and actually admit that they have issues instead of
writing PR blurbs that say that everything works as designed.

.. and that really means that all these mitigation patches should be
written with “not all CPU’s are crap” in mind.

Or is Intel basically saying “we are committed to selling you ****
forever and ever, and never fixing anything”?

Because if that’s the case, maybe we should start looking towards the
ARM64 people more.

Please talk to management. Because I really see exactly two possibibilities:

– Intel never intends to fix anything

OR

– these workarounds should have a way to disable them.

Which of the two is it?

Linus

https://lkml.org/lkml/2018/1/3/797

Lisa’s(AMD) Commitment to CPU security backed up by Linus Torvalds(father of Linux)

Linus Torvalds on Github has posted a few urgent fixes for PTI to address Intel’s gaping security hole that we covered earlier today. Of note in his post is that he is confident in excluding AMD processors from the update as the company has been confident that they are not affected by the bug. Here is what Lisa Su said (auto-start video warning). Also, the official statement from AMD…

Article Image

Exclude AMD from the PTI enforcement. Not necessarily a fix, but if AMD is so confident that they are not affected, then we should not burden users with the overhead – x86/cpu, x86/pti: Do not enable PTI on AMD processor.

Tom Lendacky has made a BIG call!

AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Exploits for Intel CPUs (AMD is Immune) Documented

Well, we know that Intel says Intel and ARM processors are open to these attacks. And we know AMD is almost certainly not. Read up, buttercup.

News Image

Am I affected by the bug?

Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice.

And that’s the good news!

Statement from AMD –

Article Image

ALL Intel based computers set to lose 35% performance due to 10 Year Old Bug

There is mounting evidence that an Intel CPU bug, which could have lasting consequences for Amazon, Google, and other major cloud providers, is about to be disclosed. While a fix is in the pipeline, people say that it could impose performance penalties of as much as 35 percent. AMD chips are reportedly unaffected.

If I had to simplify this as best as possible, basically, for the last 10 years Intel “cheated” by sacrificing accuracy in CPU processing in order to gain performance. Where as AMD with their Phenom II, FX and Ryzen CPU’s focused on accurate processing at the sake of performance, and as such are not affected by the bug that leaves a gaping hole in security due to inaccurate calculations.

I’m looking forward to benching my i7 4790k, i7 3770k and i7 2600k against my FX-8350. The bright spot for Intel is that for newer chips (Skylake, Kabylake, Coffeelake) will be less severe.

News Image

tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve. Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November. In the worst case, the software fix causes huge slowdowns in typical workloads on Intel based machines.

Coinbase’s Conundrum

Users of Coinbase, a popular website used to buy and sell cryptocurrencies, claim to be mulling over legal action after trades and customer service have allegedly stalled to a halt.

 

On Monday (1 January), multiple comments were posted to the Coinbase community page on Reddit which pledged to take fresh action against the California-based cryptocurrency exchange.

“I propose a class action lawsuit against Coinbase for all the victims,” wrote user brightapps, also posting a link to a website where others could submit interest.

“In the first instance I would like to gather information on the scale of the problem and enough for me to pass on details to a lawyer for them to handle the case.

“I am proposing that the lawyer take a small % of the recovered funds to cover their fees but this has not yet been finalised. I am hoping that this alone will prompt Coinbase into action.”

The same day, another Reddit user wrote: “It’s been two months since I first contacted Coinbasewithout any response from them at all. I think it’s time to collectively start pursuing legal action.”

A third commenter claimed that up to $10,000 worth of bitcoin was being held “hostage.” It remains unclear, however, how widespread the issues are in the context of the wesbite’s vast userbase.

A notice appeared on Coinbase that said its support team “is currently under heavy load”, adding that it was now prioritizing responses for users who had been locked out of accounts or had suffered delayed payments.

Responding to mounting questions online, a Coinbase engineer identified only as Justin wrote: “The fact that you had to resort to Reddit is not something we take lightly. This is definitely not the kind of experience or customer support we’re trying to provide, and for that I apologise.”

Cryptocurrency fanatics (such as myself) flocked to Coinbase  – which boasts more than 10 million users across the world – as the value of bitcoin spiked during the tail end of last year.

The platform ultimately stumbled under the weight of visitors, as officials admitted problems in a series of corporate blog posts.

In one, its CEO, Brian Armstrong, was forced to publicly deny accusations of insider trading upon the launch of Bitcoin Cash, a fork of bitcoin which launched in August last year.

“Coinbase services may become degraded or unavailable during times of significant volatility or volume,” Armstrong acknowledged in the post, published on Twitter-owned blogging site Medium.

Still, despite several company assurances, users say that the majority of complaints have been met with silence. One person claimed a financial transfer had been pending for more than a month.

In mid-December 2017, the last update posted to its website, Coinbase warned users about delays in wire transfers – by up to five business days – due to a “high transaction volume.”

Is Via’s Cyrix going to join AMD’s Ryzen and Intel’s Core series as a third CPU option in 2018?

Chip maker VIA is set on making a return to the CPU market. You might remember them from the past, they became known with their motherboard chipsets and Cyrix procs actually. They are working on a Zhaoxin series CPUs, which are to compete with AMD and Intel. The newly introduced KX-5000 processors provide eight x86 cores at a clock rate of 2.0 GHz. 

Zhaoxin has introduced the KX-5000 x86 chips, which are equipped with DDR4 memory and a graphics unit. With this first release, VIA plans to be in line with AMD within two generations of product releases. Since everything in the CPU market is about licenses and patents, the good news for VIA is that they have an x86 license for processors, which could be used for cross-license agreements. 

The KX-5000 is a native Octa-core with initially 2 GHz in the form of a system-on-a-chip. It integrates a graphics unit for 4K video, a dual-channel DDR4 controller, PCIe Gen3 lanes, USB 3.1 Gen2 and Sata 6 Gbps. The design is meant to run up-to 2.4 GHz and actually will be used by Lenovo in 2018 with the desktop system M6200. For the next few years, the KX-6000 and the KX-7000 are planned.

  

 

A roadmap of Zhaoxin shows that in the future a 16nm processor is in the works, with 8 cores on a DIE. That core clock is expected to rise to 3.0 gigahertz, but further improvements in architecture are not mentioned. In a later stage, KX-7000 would switch to PCI-E 4.0 and DDR5. As Tralalak reports, these processors are expected to reach the same level as the AMD processors, probably comparable with Zen 2 in 2019.

Source: PCGamesHardware

New Orleans International – Airport Power Outage Reported

A partial power outage affected Louis Armstrong New Orleans International Airport New Year’s Day—at least one terminal went dark.

WVUE reportedAccording to officials with the airport, the cause of the outage has not been determined. There is also no word on if the outage affected any flight schedules.

 

Images posted to social media showed the scene.

The power was later restored, a spokesperson said.

Louis Armstrong New Orleans International Airport is an international airport in Jefferson Parish, Louisiana.

Regulators Now Looking into Sudden Price Increase in RAM

It’s been a couple years now that we’ve seen continuously increasing pricing of DRAM and NAND semiconductors. The price increase, which has been hailed and documented overover, and over again, follows reported increased demand which has failed to be accompanied by its respective manufacturing and supply ability.

However, reports that that companies were planning on increasing production of DRAM and NAND below the expected increases in supply demand may have turned at least some regulatory eyes towards the issue. China’s National Development and Reform Commission’s Pricing Supervision Department (NDRC) said they are aware of the situation, how it could point towards price-fixing from the four major NAND production players (Samsung, Hynix, Micron and Toshiba), and are looking into the matter. “We have noticed the price surge and will pay more attention to future problems that may be caused by ‘price fixing’ in the sector,” the official Xu Xinyu was quoted as saying in an interview to Chinese newspaper Daily China.

Samsung at least is reported to have already been approached by Chinese officials regarding this matter, although it would seem both Samsung and SK Hynix have declined to comment on the matter. Chinese companies have been particularly affected by the NAND and DRAM price surges, since China has a booming smartphone industry – the number of Chinese smartphone companies is nothing short of numerous, really. As such, and with Chinese semiconductor manufacturers’ inability to produce the premium, best price/performance 3D NAND, means these companies have been particularly subjected to the markets’ whims and price increases – a situation that China’s businesses would certainly like to see fixed. “China is the biggest smartphone manufacturer… So of course China wants to pay more attention and play a more important role in the whole industry,” said Hattie He, Shanghai-based analyst at research firm Canalys. “Memory is one of the key components for smartphones so it makes sense that Chinese vendors want to have more capabilities to control these components,” she said.

Source: Reuters