'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    No intervention by OSA.

    The description of the error is:

    "Unable to access the file"

    the error code is:


    In my opinion there is no intervention even by WDEG.

    Is there any colleague who can execute the exe?
    TH.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    That error code indicates a memory access violation. You could use WinDbg to analyze the dump associated with it, which would give you more detailed info. Again, it appears the Win OS patch for Spectre is doing its job.

    -EDIT- Thinking about this a bit more, I believe spectre.exe is attempting to access branch predictor memory areas associated with itself. And again, the OS patch is detecting this and preventing it. What the test is simulating is a browser-based attack, for example. And in reality, I don't believe it's an accurate test of what would actually occur in a browser-based attack.

    Another thing that I believe hasn't been established is just how you are supposed to run spectre.exe? I assume it would try to read browser memory. That means first, you need to have your browser open. Next if your browser was patched, it would mitigate any Spectre - variant 1 type attacks which I believe is what the spectre.exe test is for.

    You need to determine if you need to feed any parameters to spectre.exe. I suspect this might be in the format of "spectre.exe -xxxxx" where xxxxx = process id of the app you are attacking.

    -EDIT- Type this. Run as spectre.exe /? and see if there is any help info associated with it.
     
    Last edited: Jan 25, 2018
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Also saw this "tidbit" from the Github code example web site comment section in regards to any BIOS updating:
    https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6

    Which means you really need to be running IE11 or Chrome w/strict web site isolation.
     
    Last edited: Jan 25, 2018
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Don't know what to make of this. If the malware was being deployed by polymorphic means, its hash would change on each download but the malware is internally the same variant.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Here's something worth a read for the Linux folks:
    https://capsule8.com/blog/detecting-meltdown-spectre-detecting-cache-side-channels/

    Also this is the first article to mention the rowhammer vulnerability.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    With Chrome open the test ends in the usual way.
    I cannot test with I.E.11 because it is not installed.
    OSA test 27 always dead.

    @ to All

    Help me. ;):)
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Spectre.exe is a test for Spectre - variant 2. The OS patch, as it should, is preventing spectre.exe from running. If you want to use spectre.exe to test if your CPU is vulnerable, you will have to disable the OS patch.

    As far as I am aware of, no one has developed a like program to test for Spectre - variant 1 which would be used to exploit your browser. Most of these type attacks would be remotely executed from a web server and initiated via web page resident javascript or other web page based dynamic code.
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Intel alerted computer makers to chip flaws on Nov 29:Report

    Intel quietly warned computer manufacturers at the end of November that its chips were insecure due to design flaws...

    ...[T]op-secret Intel memo sent to OEM customers on November 29 under a confidentiality and non-disclosure agreement,...

    That date is about six months after the chip maker was warned in June 2017 about the blunders in its blueprints by researchers at Google and university academics...

    The date of the disclosure to OEMs is likely to raise eyebrows as it happened on the same day Intel chief exec Brian Krzanich sold shares in his company worth $25m before tax..."

    https://www.theregister.co.uk/2018/01/25/intel_spectre_disclosed_flaws_november/
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    Even this nothing.


    https://github.com/stephanvandekerkhof/cpp-spectre-meltdown-vulnerability-windows-test
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    This appears to be a stand-alone version of this: https://repl.it/repls/DeliriousGreenOxpecker.

    When I ran the stand-alone ver., I also got 100% "success" indicating system is exploitable in spite of my Win 10 AMD build being fully OS patched. However, when I ran the Oxpecker test from IE11, I got 100% "unclear" indicating to me that IE11 patches are working -or- the tab separate process option is the one mitigating:


    Therefore I will take the stephanvandekerkhof test with a "grain of salt."
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    I have edited your picture to show you where the sentence "The Magic Words are squeamish Ossifrage" read by the Spectre attack is placed.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Yes, I was aware of that.

    No one over at GitHub has fully explained what the difference between "Success" and "Unclear" means in these tests. Until someone does, I am assuming that unclear means that there was an issue with reading memory although the data was displayed. Again, these tests are reading from memory areas allocated to the test process and not a "real" currently executing process. For me, "The Magic Words are squeamish Ossifrage" needs to be loaded into the browser memory space for this test to be meaningful, and I see no proof that is happening.
     
    Last edited: Jan 25, 2018
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Based on what has been publicly posted about a Spectre attack, it can only be done in the context of the currently executing process. As far as browsers go, the easiest way to do that would be via remote code execution, e.g. Spectre malware loaded on the web server. Any other method would involve tactics that exploits currently employ, such as a drive-by download.

    This means that to employ these spectre.exe tests in existence, you need either to load spectre.exe to your web server, or perhaps Apache, and then create a web page with code to do the remote execution from the browser, or you need to create a web page with code in it to execute spectre.exe that you previously downloaded.

    In any instance, I really can't see any merit in just running these spectre.exe tests stand-alone.
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    My XP Intel Celeron M380.
    Firefox ESR:

     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I took a closer look at the code running for the online Spectre test here: https://repl.it/repls/DeliriousGreenOxpecker .

    The code begins with initializing an array named array1 with this, "The Magic Words are Squeamish Ossifrage.", and loading the array to the web page's allocated memory. Note that at this very early stage we have a deviation from an actual attack, which would use already prediction-allocated memory areas.

    The code then begins to "guess" where the above prediction-allocated memory is, using the algorithms shown in the code. The iteration is limited to 999 tries per prediction memory byte for each character previously loaded into array1. This is how the score is calculated. The lower the score for a given character displayed, the higher the likelihood it was found in allocated predictive memory space. The coding then loads the byte (character) predictive memory area into an array, i.e. array2, in the program running on the server.

    Finally, the online spectre test program calculates whether the actual character retrieved from predictive memory actually matched each character that was previously loaded into web page memory. A value of "Success" is displayed if there is a high probability that the character previously loaded into web browser memory matches that retrieved from predictive memory space. Otherwise, a value of "Unclear" is displayed.

    Conclusions

    I believe the "Success" or "Bypass" result is more important than whether the actual test data string is displayed. In a "real" attack, the attacker would have to rely on his prediction algorithms to determine if the data retrieved actually matched his intended targets, e.g. logon id, password, etc.

    -EDIT- Note that "Success" means that the iteration value (<= 999) for the first scan of memory is equal to or greater than two times the iteration value of the second scan of memory. This translates into a high probability that the data retrieved is from the currently executing process.
     
    Last edited: Jan 26, 2018
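As an added example (not code from the thread, the gist, or the repl.it test), the scoring rule itman describes, "Success" when the best score is at least twice the runner-up, as a small Python checker that re-derives the verdict from a per-byte hit histogram and from the printed result lines. The line format and the sample output below are assumed and constructed from the public PoC's printf layout, not copied from any real run.

```python
import re

# Per-byte result line as printed by the public PoC (format assumed); the
# "second best" group is absent when the runner-up score is zero.
LINE_RE = re.compile(
    r"(?P<verdict>Success|Unclear): 0x(?P<byte>[0-9A-Fa-f]{2})='.' score=(?P<score>\d+)"
    r"(?: \(second best: 0x(?P<byte2>[0-9A-Fa-f]{2}) score=(?P<score2>\d+)\))?"
)


def verdict(best: int, second: int) -> str:
    """Rule from the thread: Success when best >= 2 * second, else Unclear."""
    return "Success" if best >= 2 * second else "Unclear"


def classify_histogram(hits):
    """Given 256 hit counts from one byte's (up to 999) tries, return
    (verdict, best_value, best_score, second_value, second_score)."""
    ranked = sorted(range(256), key=lambda v: hits[v], reverse=True)
    b, s = ranked[0], ranked[1]
    return (verdict(hits[b], hits[s]), b, hits[b], s, hits[s])


def parse_output(text: str):
    """Parse test output: recovered string, verdict counts, and any lines
    whose printed verdict disagrees with the 2x rule."""
    recovered, counts, mismatches = [], {"Success": 0, "Unclear": 0}, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        best, second = int(m.group("score")), int(m.group("score2") or 0)
        recovered.append(chr(int(m.group("byte"), 16)))
        counts[m.group("verdict")] += 1
        if verdict(best, second) != m.group("verdict"):
            mismatches.append(line.strip())
    return "".join(recovered), counts, mismatches


# Constructed sample output (addresses and scores are made up).
SAMPLE = """\
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfec68... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfec69... Success: 0x68='h' score=7 (second best: 0x01 score=1)
Reading at malicious_x = 0xffffffffffdfec6a... Unclear: 0x65='e' score=3 (second best: 0x20 score=2)
"""
```

Running `parse_output(SAMPLE)` on the constructed lines yields the partial string "The", two Success and one Unclear, and no lines where the printed verdict contradicts the rule.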
  17. ZMsiXone

    ZMsiXone Registered Member

    Joined:
    Mar 30, 2017
    Posts:
    326
    Location:
    EUROPE/poland/germany
    microcode update guidance (pdf file, date of this document: January 24 2010)
    https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf

     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Like I stated previously for security critical web activities, use IE11, Edge, or the latest Chrome ver. w/web site isolation enabled.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    With XP (POSReady2009) the best security browser is Firefox ESR.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Yeah, I had a "brain cramp" moment and forgot XP doesn't support latest IE or Chrome vers. in addition to Edge. Just don't use that PC for on-line banking or like activities.
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    :);)

    New test (XP) Firefox ESR 52.6.0:


    No difference with privacy.firstparty.isolate set to true.
     
    Last edited: Jan 26, 2018
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,509
    Location:
    Hollow Earth - Telos
    When did IE11 get the patch w/web site isolation enabled.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    There's a "huge" difference! Refer back to your original screen shot. Notice all the "Successes'" shown. Now refer to your last screen shot. Everything is showing "Unclear."
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    It was included in the original KB patch issued in early Jan. for the Spectre/Meltdown mitigations. So if that was not installed or rolled back due to system operating issues, then IE11/Edge are not patched.

    I can't speak for Edge since I don't use it, but IE11 natively w/o patches should block Spectre - variant 1 as long as each tabbed instance results in a new child process of itself started.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,802
    Location:
    Italy
    Both in the first and second screen "privacy.firstparty.isolate" is set to false.
     