This is manifestly false. Spectre, Meltdown and the subsequent and ongoing hardware bugs are exploitable in the browser with Javascript (just one of many attack vectors)
-
Competitor rules
Please remember that any mention of competitors, hinting at competitors or offering to provide details of competitors will result in an account suspension. The full rules can be found under the 'Terms and Rules' link in the bottom right corner of your screen. Just don't mention competitors in any way, shape or form and you'll be OK.
Yet another Intel CPU security vulnerability!
- Thread starter Selekt0r
- Start date
This is manifestly false. Spectre, Meltdown and the subsequent and ongoing hardware bugs are exploitable in the browser with Javascript (just one of many attack vectors)
Some variants have been demonstrated using the SpiderMonkey engine on Linux. They required system-level access to identify specific cores and set core affinity for the attack process. I don’t think there has been a proof of concept with a modern browser.
But not actually ongoing attacks - there have been no demonstrated ways to use them as fire and forget type malware against a generic consumer type user, etc. and if you are using an updated browser with mitigations the chances of being exploited via that vector are exceedingly low even if there was active exploitation of that vector.
What people often overlook is that in the demonstrations of these attacks often things are needed like setting up the environment so target data is being pushed to vulnerable locations 1000s of times a second so that it can be leaked over a few hours or days when in a real situation that data is only there 1-3 times a session at an unpredictable time and would need years of actively trying to exploit while sifting through vast amounts of noise data making it unrealistic.
By far the biggest target for these kind of attacks is server/multi-user systems/networks where an attacker already has one leg in the door in some manner and can use them to gain information from or access to privileged areas from unprivileged levels - environments which might provide the kind of payoff required for the effort these attacks need.
I think you didnt understand what I said? there is no attacks. Which is the case.
But if you are suggesting these are trivial to exploit in a typical environment that hasnt been built with barriers removed to make a test work, then please show me a drive by site showcasing this.
Caporegime
They just keep on coming 
Honestly if I was running servers still where security was at all a concern I wouldn't be using Intel for them. But on the user desktop as long as you are using a web browser with mitigations your exposure to these vulnerabilities is incredibly small as things stand.
They just keep on coming
Variants of these side-channel attacks are just going to keep coming - but they will largely be variants of the same weakness and likely with all the same complications in terms of exploiting them.
RIP ROP, COP, JOP? Intel to bring anti-exploit tech to market in this year's Tiger Lake chip family - The Register
After years in development, Intel is set to debut security mechanisms in its microprocessors that it hopes will block, at the silicon level, exploitation of a class of software vulnerabilities.
Known as Control Flow Enforcement Technology, or CET, the protections are designed to prevent miscreants from exploiting certain programming bugs to execute malicious code that infects systems with malware, steals data, spies on victims, and so on. These bugs typically involve tricking programs into corrupting or overwriting their memory with special values pivotal to the attacks.
"These are all insidious types of attacks that have been plaguing the industry for some time," Tom Garrison, Intel's client computing group VP and general manager of security strategies and initiatives, told The Register. "They are nearly impossible to address with software-based mitigation."
The first CET-enabled chips will be members of the upcoming 10nm Tiger Lake line, due to launch this year. That family is expected to include server and desktop processors, such as the Project Athena silicon going into laptops.
There are various mitigations in place on modern systems, such as Data Execution Prevention (DEP), that stop hackers from injecting and executing malicious code into a program when, for instance, a victim opens a specially crafted document or connects to a remote service. DEP in particular prevents areas of memory marked as data areas, which can be hijacked by hackers, from being used to run smuggled-in code.
However, it is still possible for skilled miscreants to abuse these memory-corruption vulnerabilities to build a chain of malicious code out of the instructions already present in a program, turning the app or server against itself. This so-called Return Oriented Programming (ROP) is achieved by manipulating an application or server thread stack so that the processor bounces between snippets of the software under attack, performing small operations that together typically disable DEP and pull in more malicious code to execute without hindrance.
CET introduces a shadow stack system to detect and thwart the stack manipulation required by ROP. CET also introduces a new instruction called ENDBRANCH that is a NOP on non-CET x86 processors, but for CET CPUs, marks a valid target for a call or jump instruction. Thus if exploit code hijacks the flow of code in an application or server, and makes it jump to someplace the developers didn't intend, this is caught and stopped. This tackles so-called Call or Jump Oriented Programming (COP or JOP). The ENDBRANCH instructions should be inserted automatically by compilers. Other architectures, such as Arm, have something similar.
"What ends up happening is, as the processor is jumping through the code, it checks to make sure it is landing on an end branch," said Garrison, describing Intel's anti-COP-JOP protection. "If the code jumps to an illegal area, it throws up an error."
Intel believes that the adoption process for applications and operating system developers will be minimal: software can be recompiled and re-released for COP-JOP protection, for instance. Windows 10, for one, is due to support shadow stacks, we're told.
"It depends on which class [of attack] you are trying to mitigate," said Garrison, "but in both cases they are relatively modest changes to the application or the OS level."
This is a welcome development – though not at all if you're an exploit developer – yet bear in mind hardware-level solutions aren't necessarily perfect. Intel's SGX has suffered side-channel leaks, and Apple's Arm-based pointer authentication protections have been bypassed in the past, for example. ®
Known as Control Flow Enforcement Technology, or CET, the protections are designed to prevent miscreants from exploiting certain programming bugs to execute malicious code that infects systems with malware, steals data, spies on victims, and so on. These bugs typically involve tricking programs into corrupting or overwriting their memory with special values pivotal to the attacks.
"These are all insidious types of attacks that have been plaguing the industry for some time," Tom Garrison, Intel's client computing group VP and general manager of security strategies and initiatives, told The Register. "They are nearly impossible to address with software-based mitigation."
The first CET-enabled chips will be members of the upcoming 10nm Tiger Lake line, due to launch this year. That family is expected to include server and desktop processors, such as the Project Athena silicon going into laptops.
There are various mitigations in place on modern systems, such as Data Execution Prevention (DEP), that stop hackers from injecting and executing malicious code into a program when, for instance, a victim opens a specially crafted document or connects to a remote service. DEP in particular prevents areas of memory marked as data areas, which can be hijacked by hackers, from being used to run smuggled-in code.
However, it is still possible for skilled miscreants to abuse these memory-corruption vulnerabilities to build a chain of malicious code out of the instructions already present in a program, turning the app or server against itself. This so-called Return Oriented Programming (ROP) is achieved by manipulating an application or server thread stack so that the processor bounces between snippets of the software under attack, performing small operations that together typically disable DEP and pull in more malicious code to execute without hindrance.
CET introduces a shadow stack system to detect and thwart the stack manipulation required by ROP. CET also introduces a new instruction called ENDBRANCH that is a NOP on non-CET x86 processors, but for CET CPUs, marks a valid target for a call or jump instruction. Thus if exploit code hijacks the flow of code in an application or server, and makes it jump to someplace the developers didn't intend, this is caught and stopped. This tackles so-called Call or Jump Oriented Programming (COP or JOP). The ENDBRANCH instructions should be inserted automatically by compilers. Other architectures, such as Arm, have something similar.
"What ends up happening is, as the processor is jumping through the code, it checks to make sure it is landing on an end branch," said Garrison, describing Intel's anti-COP-JOP protection. "If the code jumps to an illegal area, it throws up an error."
Intel believes that the adoption process for applications and operating system developers will be minimal: software can be recompiled and re-released for COP-JOP protection, for instance. Windows 10, for one, is due to support shadow stacks, we're told.
"It depends on which class [of attack] you are trying to mitigate," said Garrison, "but in both cases they are relatively modest changes to the application or the OS level."
This is a welcome development – though not at all if you're an exploit developer – yet bear in mind hardware-level solutions aren't necessarily perfect. Intel's SGX has suffered side-channel leaks, and Apple's Arm-based pointer authentication protections have been bypassed in the past, for example. ®
https://www.tomshardware.com/uk/new...breach-floods-the-internet-mentions-backdoors
Not only processors are broken. Seems internal data handling as well
Not only processors are broken. Seems internal data handling as well
Yes, but follow this logic:
- Sell server CPUs which due to security vulnerabilities lose 10%-20% of their speed.
- Watch as data centres buy an extra 10%-20% processors
- Profit!
Soldato
- Joined
- 1 Oct 2006
- Posts
- 13,888
Either Intel are a really terrible company, or someone has it in for them and they're systematically destroying them.
Never attribute to malice that which is adequately explained by stupidity
https://en.wikipedia.org/wiki/Hanlon's_razor
Associate
- Joined
- 14 Aug 2017
- Posts
- 1,194
A little of column A, a little of column B ...
But also this stuff is *really* hard. If you read through the descriptions of spectre and meltdown, it's kinda insane, (IIRC, it's been a while) using speculative branch prediction to read another process's data. Who even thinks of that? Well, security researchers, and apparently hackers.
Soldato
- Joined
- 22 Nov 2018
- Posts
- 2,715
Yes researchers think up the ideas and publish their findings. Then all a hacker needs to do is read the news.
Makes me wonder if security exploits should be published in a private publication for hardware and security firms only. Then again, it would only get leaked.
It's good that the public are told about exploits but not good that hackers are told indirectly.
Associate
- Joined
- 14 Aug 2017
- Posts
- 1,194
A lot of times the manufacturers are given a heads-up ahead of the public release, but often those subtle heads-up notifications are ignored, rebuked or outright threatened with legal action. Sometimes the only thing to do is release and force their hands.
Plus there's no particular reason to think that if, a security researcher can find the problem, an enterprising hacker team or state-sponsored hacker group won't have already found it and be using it in the wild. It's in all our interests that this stuff comes out into the open.
Last edited:
The linux kernel documentation is a real interesting read, and will be a big learning curve to those who think they are secure with OS patches. (of course against a vulnerability that is likely very low risk to consumer pc's and laptops). One read of that documentation and you know turning all this junk off is an ok decision to make. The only real use of it is for commercial cloud/vps providers.
Caporegime
It does seem that as well as resting on their laurels vis a vis performance upgrades over the last decade, they were rather lackadaisical in their approach to security too. Yes, AMD has a couple of vulns as well but compared to Intel?...