Yet another Intel CPU security vulnerability!

There is a video on one of the websites of them doing the attack via the browser as you well know and understand. You also well know and understand that having an Intel CPU means no security because software is just a band aid. It can't replace hardware being secure. Please stop wasting my time with your drivel.

I think you need to understand what people are saying in here and gain a better and fundamental understanding of where these attacks are useless and where they are a threat to the environment you run. I think you would be well placed understanding this at a deeper level rather than telling people they are talking drivel when in fact there is a lot of sense being spoken in here. I spend more in a month on security than you likely spend a year on hardware/software/games, basically anything PC related. For me in the environments I run they are serious business and I have spent a lot of money in mitigating the worst of the issues. I spent even more replacing my intel servers and more again investing time myself and among the team I manage to see the migration projects through (The value of which easily exceeds 100k in the last few months). Trust me I'm not a big fan of Intel right now and have laid my reputation as well as stacks of money on the line to prove that the grass is in fact greener. I'm going all AMD in the DC and am all AMD HEDT at home, I'm not AMD on the corporate desktop yet but it's only a matter of time come our next refresh. By rights I should be one of the people shouting the loudest along with all the other intel guys running ESXi or Virtualisation heavy estates, I am a realist though and instead I vote with my pockets and believe that AMD will have less issues over the lifetime of Rome than what I could conceivably buy from Intel.

Intel right now are simply doing what we in the world of IT do: when we see a vulnerability in code or in hardware we will mitigate, be that writing better code or deploying some sort of AI security solution to plug a possible gap. It might be as simple as proxying out traffic or pushing incoming mail through a proxy, or even going to town on firewalls with better and more robust protection systems. What I am saying is security is not just hardware, it's everything in the stack, and if Intel can sidestep the issue in software then they are effectively using their stack to mitigate the issue. You call it a software band aid for a hardware problem; Intel simply see it as using part of the software/microcode/hardware (the Intel stack) to put it right.
 
Please provide a link to a video showing an attack via a browser. Please stop posting your misinformation.
 
It's on the website created by the people that found the security issues. Good job proving you have no knowledge at all about anything. The link has been provided a long time ago.

ZombieLoad in Action
In our demo, we show how an attacker can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine.

https://zombieloadattack.com/public/videos/demo_720.mp4

This would be known by anyone reading the website to become informed.
 

Basically Intel's CPUs have no security and every man and his dog have example code to work off. The latest attacks require HT be turned off and for which the previous software mitigations make easier to pull off. This leaves the 9900k crippled performance wise. So every person is denying the evidence, sure the people with PhDs spell it out in black and white in their white paper so any moron can understand. TURN HT OFF. We will ignore it because we can make crap up and we know it's a 40% hit to performance which will be added to the 28% hit already paid. Sure everyone else does not know what they are talking about, they are stupid.

Once security is broken in this way via hardware, the only way to fix the problem is to replace the hardware. Also enjoy having no performance as patch after patch destroys it in a vain hope of plugging all the holes.
 
The irony of your post is beautiful. That is not an attack via a browser. This is executable code running locally on the machine to reveal browsing history. Which takes us back to the point you are failing to comprehend.
 

It's them stealing data from the browser. We show how an attacker can monitor the websites the victim is visiting despite using the privacy-protecting Tor browser in a virtual machine. Sure what do PhD people know anyway, you know better. We know from the white paper you can use JavaScript to do the attack. So yes you can 100% use the browser.
 
You were certain you had a video of an attack via a browser. Clearly you don’t understand what you are looking at or how these attacks might be used. The RIDL (not ZombieLoad) researchers do indeed have a JavaScript proof of concept but they admit themselves in their paper that they don’t have this working in a browser. You seem to be conflating the different pieces of research and jumping to your own conclusions.
 

This isn't the browser as a vector as you were talking about before but cross boundary snooping by a process on the same machine - despite the software being separated by a virtual machine, OS and hardware security layers it is still possible to snoop on the browser's activity. This is another case again to what you were talking about earlier and using it as an example to follow up your earlier posts shows you know a lot less of what you are talking about than the people you are branding as morons.

I'll repeat what I said before on the average consumer desktop by the time you have software (malware) in a position to do what is demonstrated in that video you've already been owned and having HT on and off makes zero difference. Where it makes a difference is where a would be attacker is able to run software i.e. in a logged in VPS where HT makes it considerably easier for them to snoop across what should be isolated domains.

No one is disputing Intel have serious security issues but you are failing to understand the nuances when it comes to hyper-threading and on the average consumer desktop as things stand turning it on or off doesn't really change your security position in any material way - while it is a very different story for server like environments.
 

As stated in the white paper, the code only works 100% of the time with HT enabled and does not work 100% of the time with HT disabled. This makes disabling HT the biggest part of mitigating MDS attacks. This was posted before with the link to the text in the white paper but I guess you know better than the PhD that found the issue in the first place.
 
Cross boundary snooping does include the browser.

But the browser is what is being snooped on in this case and in the zombieload demonstration you could swap it out for many other types of software rather than what you were talking about before of the browser being the enabling feature for snooping/intrusion.

You were talking about before the browser being the entry point - in this case the malware is already running on the same system.
 
The white paper states the browser as enabling the attack. End of story. No one rejects this and you have to turn off HT as it's the biggest part of the security hole but not the only part.

See the white paper's comments on the browser attacks which have been posted before.
 
WTF is it this time? another HT related "feature" or what?

One of these days there is going to be an utter stinker that is very exploitable, hilarious if it wasn't so annoying.
 

You are just taking random snippets of information that seem to support your point and throwing them into the thread now without understanding them or how they connect with the whole.
 

Yet again I must refer you back to the white papers which are very clear on their wording.
 

No offence but you've struggled several times with fundamental concepts when it comes to malware - several of your posts show ignorance for example as to the difference between side-channel snooping and a dropper.
 
Take your blinkers off and have a read of page 10 section G where the researchers explain in their own words why they don’t have this JavaScript example working in a browser.

Page 1 as posted before,

"The implications are worrisome. First, RIDL attacks can be implemented even from linear execution with no invalid page faults, eliminating the need for exception suppression mechanisms and enabling system wide attacks from arbitrary unprivileged code (including JavaScript in the browser)."

If you believe they are wrong then engage with the peer review process. Then prove they are wrong, that "including JavaScript in the browser" is not possible. Then return here with your research and present it to us. You want to be slimy, here comes a real debate.
 

We aren't saying they are wrong - your interpretation (or rather just face value reproducing what looks like incriminating bits) is. There is a difference between can in a theoretical sense and can in the sense of something that is easily utilised. These are proof of concepts showing that a path exists under the right circumstances not that the path is possible to actually utilise.
 
Just because you (a hacker) can do this doesn't mean an attacker can indiscriminately make use of it in a useful way though. Amongst other factors some areas will only ever be academic curiosities, other times there will be far easier approaches and so on. Otherwise we'd have already seen massive malware impact from these side-channel vulnerabilities - that isn't intended to diminish how concerning they are as often they are powerful tools (albeit for no good) in the appropriate application.

That's your opinion, please prove it. If not please stop posting it. Proof would be passing the peer review process and returning here with your research findings.
 