'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

Discussion in 'other security issues & news' started by Minimalist, Jan 2, 2018.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    A HIPS is not going to prevent a browser based javascript attack using this vulnerability:
    https://blogs.windows.com/msedgedev...mitigations-microsoft-edge-internet-explorer/

    Some AV's employ advanced memory scanners that "might" detect such activity.

    -EDIT- Best analogy is an exploit attack. Exploits are possible when a vulnerability exists. What we have here is a hardware based vulnerability that can only be partial mitigated using software changes to OS and apps. Full mitigation will only be achieved when required firmware BIOS updates are created and released by the hardware manufacturers.
     
    Last edited: Jan 5, 2018
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,495
    Location:
    Italy
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Some thoughts and questions:

    Why specifically does a microcode update require a bios one? I mean, the functionality to do a microcode update must obviously exist in bios, but then isn't it just a case of supplying the data to that function? Is the purpose of the microcode update to increase the speed of the fix to Meltdown?

    Regarding Javascript, yes, that's a huge problem and one that Mozilla has spoken about (degrading the available timers for Spectre). But, it's a big reason to be demanding audited Js code, certainly from 3rd parties. Or do noscript and adblocker etc.

    I believe - since these are side-channel read-only exfiltration attacks - that RBAC or sandboxing which restricts internet access should mitigate for those programs that do not need outbound. So a process could snoop kernel secrets but not be able to transmit them anywhere. Clearly that doesn't work for internet facing apps.

    I can't get my head around what threats there are for virtual machines, especially host and other-guest access. If the host is protected against Meltdown, is that all that's needed?

    Regarding modems and routers, according to the pfsense forum, provided you trust your local computers not to attack the router using any local interface, you're OK. But, freeBSD were apparently only notified late in December and have no date for patching. OTOH, that's much better than all the grotty old proprietary routers which rarely get any updates.

    I'm thinking that - hopefully - AV products should in fact be able to do some kind of a protective job at detecting instruction patterns which would be diagnostic of these classes of attack. The thing is, in order to provoke the attack behaviors, it's all time/cache critical, so that the code should hopefully be harder to obfuscate, and its purpose clearer.

    Rather more obviously, the merits of FOSS just got higher.

    I'm also wondering whether it will be possible to make kernel or application secrets harder to obtain in some way, perhaps marked by compiler - maybe by increasing the bandwidth and time required to extract them, as well as the KASLR approaches. Maybe external processors (HSM etc) could contribute more too. And, is it not time for websites to offer U2F so that loss of password doesn't own you?! I can dream.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Indeed, but here's the thing: you need to "trust" your applications (including the javascript you have no control over, that's a different case).

    Native applications can have malware of many kinds in it, Spectre would seem to me to be a minority sport (for desktop apps). Normally, malware is after privilege escalation at which point, game over - and there are so many vulnerabilities of that kind. And there are already many ways in which user-mode applications can inspect valuable data and exfiltrate it, unless you've got some form of RBAC or sandboxing, you just have to read the disk!
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,110
    Location:
    Europe, UE citizen
    Neither setting " Ask " or " Deny " all a set of processes as " Interprocess memory access ", " Windows hooks " etc ?
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,114
    Location:
    New York City
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,182
    Thanks for these links. I was telling my boss that AMD was included as well but he said no. He now has some info cheers!
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Interprocess memory access - as the name implies, it is preventing one process from accessing the memory of another process. As noted in the prior posting about Spectre, it can be used "to extract information from its own process." Of note is that Spectre's purpose is to capture sensitive data; not to implant malware on the targeted device.

    One existing like technique is global keylogging. Most existing HIPS's detection of SetWindowsHookEx function is limited to when it is used for .dll injection purposes. A global hooker is intercepting message events in kernel space. There are a few commercial HIPS solutions that monitor for both hook setting and thread interception such as McAfee's: https://kc.mcafee.com/corporate/index?page=content&id=KB71794 . Again, this only applies to one process hooking another process. Such is not the case for global keyloggers.
     
  10. aih

    aih Registered Member

    Joined:
    Jan 31, 2010
    Posts:
    32
    Thanks in advance for any help...

    I'm following directions from BleepingComputer at

    https://www.bleepingcomputer.com/ne...stems-for-the-meltdown-and-spectre-cpu-flaws/

    I'm a novice at this, but I want to see what's what and understand how to check my system after I've run whatever Dell provides. (I've already successfully performed the Windows 10 update last night.)

    So, I've launched PowerShell as administrator. I enter Install-Module SpeculationControl. I then get the message, 'Untrusted repository, You are installing the module from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?" And then there is prompt for Yes, Yes to All, etc.

    I don't know what I'm doing beyond following the directions and looking for the results per the directions. Why am I getting this message? Am I supposed to Answer Yes or Yes to All?

    Or, ignore the BleepingComputer article and directions and do something else?

    Thanks again.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Be careful correcting the boss.:cautious:

    AMD's official position is:
    https://www.amd.com/en/corporate/speculative-execution

    Variant one is the Meltdown vulnerability. Variants two and three are Spectre vulnerabilities.

    As far as the Google research goes, variant two was shown to be possible running Linux and only once.
     
  12. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,084
    So, are the newest Intel cpus vulnerable? Or which AMD cpus?
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,560
    Location:
    Member state of European Union
    Linux kernel can load microcode to CPU too. I don't know whether it is permanent or needs to be loaded again after reboot.
    Vanilla (kernel.org) Linux kernel has microcode included, but it does not have FOSS license, so Debian is deblobing kernel by decoupling kernel code from microcode. As a result one need to add non-free repository to be able to install intel-microcode package. Sid (unstable, rolling-release version of Debian) has updated microcode in its repository.
    https://www.kernel.org/doc/Documentation/x86/early-microcode.txt
     
    Last edited: Jan 6, 2018
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,182
    I have no problem correcting the boss lol.

    Thanks so it was for Linux only and not Windows?
     
  16. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    7,011
  17. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    883
    Location:
    sweden
    Run the command for execution error and then go forward to the next command.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    http://www.theregister.co.uk/2018/01/04/intel_amd_arm_cpu_vulnerability/
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,560
    Location:
    Member state of European Union
    It means: yes, Spectre is also found in AMD's Ryzen family. It is a hardware bug. It should work in all operating system allowing reading data from the same process the attack is executed.
    They found a Linux-specific way to read data from Linux kernel, because BPF JIT compiles and executes code inside kernel process.
     
  20. aih

    aih Registered Member

    Joined:
    Jan 31, 2010
    Posts:
    32
    Thanks, I did that at the time and still got the untrusted repository. But I went ahead and repeated and selected Yes to All.

    Also, I had switched to the instructions at ....

    https://support.microsoft.com/en-us...ive-execution-side-channel-vulnerabilities-in

    .... and compared the output on my system to the output given at the article.

    The output on my machine matches the output at the Microsoft page. Also no red, and nothing about updating firmware.

    It appears my system is now patched. I'm unsure about this because I didn't think Dell had done anything about this vulnerability yet, but looks like Dell did so with the last bios update, which I did last month. I'm going on the information at http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=ND42N and the fact that the output from PowerShell seems to indicate that both the OS patch and the firmware patch have been implemented.... If I correctly interpret the results from what I just did. Geez I hate this.

    Thanks again.
     
    Last edited: Jan 5, 2018
  21. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,182
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,428
    Location:
    U.S.A.
    Here's a "goodie" I just discovered.

    According to US-Cert, you have to manually update the registry after the MS patches have been applied: o_O
    https://www.kb.cert.org/vuls/id/AAMN-AUP5VG

    I checked my Win 10 1709 registry and the referenced keys are indeed not present.

    The above might be why many are not experiencing any performance impacts from the patch?

    -EDIT- Verified that this only applies to Win Server OS versions
     
    Last edited: Jan 5, 2018
  23. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,410
    A few questions.

    1. Could a firewall prevent the data from being transmitted?

    2. Could a keystroke encryption software like KeyScrambler or Zemana Antilogger prevent this data from being read properly?
     
  24. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Interesting that four years ago, Intel CEO Brian Krzanich was in a reddit live chat, questions and answer session and refused to respond to questions on whether the NSA can access their CPU's.
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,710
    Location:
    Outer space
    Perhaps in some cases, depends on the attack vector. For example if it is a javascript running in your browser, it is not practical to block, unless you only visit a few websites and only allow the browser to connect those IP adresses.
    No. These attacks work at a lower level and can read all kinds of data. For example with keystroke encryption the attacker could just obtain the typed text from the memory of the application you entered the keystrokes into. Or they could just read the encryption key from memory.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.