Yet another Intel CPU security vulnerability!

[IT Troll]

As is usual from all journalists, i agree its undoubtedly blown out of proportion by them however i don't see anything in the source documents that makes any exceptions to the vulnerabilities of domestic users.

All the vulnerabilities require arbitrary code execution. Which of course could be run on a domestic system, but if you in a position to run arbitrary code on a domestic system there are much simpler and more effective attacks you can use. These types of of cross-boundary attacks are more of a concern for the datacentre where you are more likely to have multi-tenant systems and the opportunity to execute code on a shared hardware. The JavaScript proof of concept is a great headline grabber but in reality doesn't work in any modern browser that a domestic user would be using.

This anti-virus researcher posted some interesting analysis on why we haven't seen any Spectre-based malware. These methods are hard to implement, need to be tuned to individual systems and are not suited to mass infection. Pretty much the opposite of what a malware author would be aiming for in a domestic user scenario.
https://www.virusbulletin.com/virusbulletin/2018/07/does-malware-based-spectre-exist/

 

[Rroff]

All the vulnerabilities require arbitrary code execution. Which of course could be run on a domestic system, but if you in a position to run arbitrary code on a domestic system there are much simpler and more effective attacks you can use. These types of of cross-boundary attacks are more of a concern for the datacentre where you are more likely to have multi-tenant systems and the opportunity to execute code on a shared hardware. The JavaScript proof of concept is a great headline grabber but in reality doesn't work in any modern browser that a domestic user would be using.

This anti-virus researcher posted some interesting analysis on why we haven't seen any Spectre-based malware. These methods are hard to implement, need to be tuned to individual systems and are not suited to mass infection. Pretty much the opposite of what a malware author would be aiming for in a domestic user scenario.
https://www.virusbulletin.com/virusbulletin/2018/07/does-malware-based-spectre-exist/

The take away is worth reproducing:

The take-aways of this work are the following:

• A vulnerable CPU is different from a vulnerable system.
• Android smartphones with an ARM Cortex A53 are not vulnerable to Flush+Reload Spectre attacks.
• Implementing cache attacks on ARM-based smartphones is difficult. Code does not easily port from Intel x86-64 to ARMv7.
• We are currently not aware of any malware based on Spectre.
• Cache attacks are not common in malware.

The future is difficult to foresee. On the one hand, each time an attack goes public, malware authors use it sooner or later (usually quite soon). So, we might expect to see Spectre malware soon. On the other hand, this research work proves that cache attacks are difficult to implement, and perhaps not extremely well suited to mass infection because the malicious implementation will have to handle many CPUs, architectures and operating systems, and tune the attack for each of them. As long as there are easier ways for malware authors to make money, why would they embarrass themselves with such a technical choice? Nonetheless, the attack could certainly interest authors of targeted attacks (governments, political targets etc.).

Especially the first bullet point of the difference between a vulnerability existing within a system and a system being vulnerable is something that quite commonly in this section of the forum isn't well understood for instance with the ASMedia vulnerabilities.

 

[zx128k]

Basically having HT on makes the RIDL attack steal secrets 100% of the time. If remember correct from the white paper, one of the tables shows that with HT on you can steal secrets from any thread. This is not the truth once HT is switched off. Once HT is switched off, then you can only steal secrets from the same thread. The attack stops working 100% of the time with HT turned off.

This means turning HT off is basically your only choice. Given they show proof of concept, for a JavaScript attack via the browser. Then home users are affected. There is a whole section in their white paper for this attack via JavaScript and how they were able to pull it off.

Even with HT off you still have to protect secrets leaking in the same thread. That's were the patches come in but your only chance of mitigating the RIDL attack, you have to turn HT off.

Remember cracking PC games is much harder than these attacks and happens every day. It just takes hackers a few months once a new protection comes out to break them. These protections are meant the be more or less impossible to break. Yet they get broken in mins, hours or days after hackers work out how these protections work.

Just because an attack is hard to do, does not offer any protection and stating someone has not used them yet is not a reason for no action. This shows a lack of real experience with security matters. It's like stating your front door lock is broken but it's fine there is a hole in the path and it will be to hard to reach the door. Or even when they do get in they my not steal stuff anyway, they will just look around.

This is form of denial. This goes hand in hand with unwarranted doubt about any information they don't agree with. Gish Gallop. Playing the poster by trying to find anything wrong with his posts. Derision and denial when cornered. This is basically used to harass, the method usually is aggressive pressure is answer all questions about their unwarranted/unfounded doubts (on the spot fallacy is a logical fallacy that occurs when a debater is considered wrong (or even incapable of having an opinion) if they cannot recite specific data or technical minutiae on some topic). Then if answered followed by attacks on personal credibility, see intimidation. This has the effect of bullying out the dissenting view and clouding the argument by making it look like its contentious.

The reason for disabling HT, is that the issue is in hardware and cannot be fixed. Also it currently cannot be mitigated in software. Even if a mitigation is found in software, that mitigation will be complex and that implies a big performance penalty.

Argue however you like, that's the truth of the matter. There is nothing contentious here. Is it really so hard to turn HT off when you browse the internet? Also maybe disable JavaScript and patch your system. Seems prudent while you wait to get a replacement CPU to fix the issue.

 

[chrcoluk]

Well given javascript in a browser has pretty much no performance benefit from HTT anyway, mitigating that wont yield a performance penalty of any note, and now days browser vulnerabilities are almost the only thing that matters for consumers. The vast majority of security hardening is focused on the gateway between machine and internet which for most people on windows is the web browser.

 

[zx128k]

Well given javascript in a browser has pretty much no performance benefit from HTT anyway, mitigating that wont yield a performance penalty of any note, and now days browser vulnerabilities are almost the only thing that matters for consumers. The vast majority of security hardening is focused on the gateway between machine and internet which for most people on windows is the web browser.

JavaScript was one of the methods use to pull off a attack. It's not a big deal disabling HT for that task. The issue is most customers won't be able to turn it off and on themselves. That's why google turned it off for their customers and told them you can turn it back on for chrome if they want too. Most customers wont be able too.

There is a big hit for other tasks, older CPU's are hit the most. 9900k is still fast in game with HT off because games wont be cpu limited. Older cpu this is not the case. None of this is overclockers fault and they should not have to pay for it in any way.

 

[Rroff]

Sadly there is a lot omitted from documentation in their testing procedures which makes it a lot harder to explain to a lay person - just like their proof of concept for attacking passwd (and by extension SSH) was done without the tools and configuration usually used to prevent such attacks their JavaScript example used a specially setup process (including an unrealistic way of pushing the string into cache memory so as it stuck out for them to find) for means of demonstration that is academically interesting but doesn't represent something that works in the real world.

My comments aren't about it being hard to do offering protection but that at the point of being able to exploit these side-channel attacks at a level where the hyper-threading vulnerabilities come into play your system would be already owned and it would be a moot point exactly which methods they used - which goes back to what I said before for the average consumer desktop it makes turning off HT a pointless exercise and if you are worried enough about the security of the platform and what might happen then you really should be seriously looking at moving away from Intel.

 

[zx128k]

They call that type of argument, preaching the doubt, poisoning the well and muddying the waters. There is no doubt about the hyper-threading vulnerabilities and everyone advises to turn HT off. Turning HT off is a choice the customer should make.

"Sadly there is a lot omitted from documentation in their testing procedures which makes it a lot harder to explain to a lay person - just like their proof of concept for attacking passwd (and by extension SSH) was done without the tools and configuration usually used to prevent such attacks their JavaScript example used a specially setup process (including an unrealistic way of pushing the string into cache memory so as it stuck out for them to find) for means of demonstration that is academically interesting but doesn't represent something that works in the real world."

Basically they provide proof of concept, its very clear they did when you read the white paper. They set aside a hole section for the javascript attack. If you believe if is unrealistic feel free to knock yourself proving it in the real world. I like video over written documents. Just because I am lazy.

From the white paper,
Generating the correct machine code and triggering the page fault are relatively straightforward. However,constructing a reliable feedback channel for speculative attacks within the browser presents some challenges. The absence of the clflush instruction forced our implementation to rely on an Evict + Reload channel to leak the in-flight data. Since the process of evicting entries from the L1D cache makes extensive use of the LFBs due to TLB misses as well as filling cache lines—this adds a significant source of noise. We also need to ensure that the TLB entries for our reload buffer are still present after the eviction process, adding another source of noise to our attack. Finally, we need a reliable high-resolution timer to measure cache evictions for our Evict + Reload channel.While built-in high-resolution timers have been disabled as part of browser mitigations against side-channel at-tacks [64], [63], prior work has demonstrated a variety

of techniques to craft new high-resolution timers [66],[56], [60], such as Shared ArrayBuffer [60] and GPU-based counters [56]. The Shared ArrayBuffer feature was recently re-enabled in Google Chrome, after the introduction of Site Isolation [67], [68]. Mozilla Firefox is currently working on a similar Process Isolation strategy [69].

Despite these challenges, we successfully implemented a proof-of-concept exploit on top of Firefox’ SpiderMonkey JavaScript engine to reliably leak data from a victim process running on the same system. For simplicity, our exploit uses an old-style built-in high-resolution timer in SpiderMonkey to measure cache evictions. When targeting a victim process repeatedly writing a string to memory, our exploit running in the JavaScript sandbox on a different hardware thread is capable of leaking the victim string at a rate of ~1B/s. We also implemented a high-resolution timer in Chrome using WebAssembly threads which provided sufficient accuracy for our Evict + Reload channel. At the time of writing, any site can opt into this functionality using the ‘origin trials’ system.

Although we do not currently have a reliable RIDL exploit running inside unmodified Chrome, we believe that our results already cast doubt on the effectiveness of site isolation as a mitigation against side-channel attacks.

So site isolation as a mitigation might not work. https://mdsattacks.com/files/ridl.pdf

 

[Rroff]

There is no doubt about the hyper-threading vulnerabilities and everyone advises to turn HT off. Turning HT off is a choice the customer should make.

Like most security advisories of this nature of is a catch all because it is impossible to account for all levels of user experience/knowledge and system configuration. I'm starting to think your posts are more about justifying your own CPU decisions to yourself than an actual interest in understanding what is going on.

Basically they provide proof of concept, its very clear they did when you read the white paper. They set aside a hole section for the javascript attack. If you believe if is unrealistic feel free to knock yourself proving it in the real world. I like video over written documents. Just because I am lazy.

There are some telling bits in there such as:

When targeting a victim process repeatedly writing a string to memory, our exploit running in the JavaScript sandbox on a different hardware thread

Which shows that they had to setup specific (unrealistic) circumstances to get it to do anything useful even when they managed to accomplish it working in a simulated browser environment and that if somehow anyone ever did find a way to use it then it can cross hardware thread boundaries anyway.

You obviously don't understand half of what you copy and pasted there or you wouldn't be disagreeing with me.

 

[zx128k]

Like most security advisories of this nature of is a catch all because it is impossible to account for all levels of user experience/knowledge and system configuration. I'm starting to think your posts are more about justifying your own CPU decisions to yourself than an actual interest in understanding what is going on.



There are some telling bits in there such as:



Which shows that they had to setup specific (unrealistic) circumstances to get it to do anything useful even when they managed to accomplish it working in a simulated browser environment and that if somehow anyone ever did find a way to use it then it can cross hardware thread boundaries anyway.

You obviously don't understand half of what you copy and pasted there or you wouldn't be disagreeing with me.

Prove it. Why is it unrealistic? Should give me peace for awhile at least.

 

[Rroff]

Prove it. Why is it unrealistic? Should give me peace for awhile at least.

Prove what? the nature of their description is self-evident from a programming perspective.

But they then mention that exploit would work across hardware threads anyhow.

 

[zx128k]

Prove what? the nature of their description is self-evident from a programming perspective.

But they then mention that exploit would work across hardware threads anyhow.

If you turn HT on. You can leak secrets from any thread. If HT is off you leak secrets from the same hardware thread. That's what I got with a quick scan read. So with HT on you always leak a secret. With HT off, you can't leak from other threads and only in most cases from the same thread. That's from the figure 3 closer to the start of the white paper, if you want the whole more complete reason for what happens, see below. So a big part of the mitigation is turning off HT.

Fig. 3: In each pair of bars, one bar shows the LFB hit count,and the other one the number of attacks. With SMT, we always leak the secret. Without SMT and no victim code, RIDL only reads zeros, but with victim and attacker in the same hardware thread, we still leak the secret in most cases (top/red bar), while occasionally finding the value the CPU should have loaded. https://mdsattacks.com/files/ridl.pdf

 

[Rroff]

EDIT: I will have to concede on the hardware thread side as it isn't clear enough from the document in that JavaScript example if it (exclusively) relies on HT or not. (Obviously RIDL method itself benefits from HT on to cross boundaries hence why it is so potentially dangerous in server environments).

Regardless by the time an attacker has got to this point your system is owned HT on or off. If the circumstances are right to make it possible to pull off that attack then like with the passwd example your pants are already down.

 

[zx128k]

EDIT: Actually not clear in the document.

The document is not easy to read. White papers never are, they just take it for granted that you understand whats going on at their level of thinking and if you don't then well. Someone can explain it to you.

It's also the only way to keep the document small. They don't spell every little aspect out, they just online their argument so that other researchers can follow whats happening. It does not make it easier that they are very intelligent and understand their subject to a very high degree. I also happen that their target audience is the same, so we may find the document is easy enough for them to follow. So it suits them just fine and the rest of us can just work it out but who cares right. Some white papers you need a thesaurus to follow because the researcher is sure as hell using one to write it. Big words look more intelligent right?

 

[Rroff]

The document is not easy to read. White papers never are, they just take it for granted that you understand whats going on at their level of thinking and if you don't then well. Someone can explain it to you.

It's also the only way to keep the document small. They don't spell every little aspect out, they just online their argument so that other researchers can follow whats happening. It does not make it easier that they are very intelligent and understand their subject to a very high degree. I also happen that their target audience is the same, so we may find the document is easy enough for them to follow. So it suits them just fine and the rest of us can just work it out but who cares right. Some white papers you need a thesaurus to follow because the researcher is sure as hell using one to write it. Big words look more intelligent right?

There are things that are pertinent at any level which are omitted - they don't mention how they target a specific process or even if that is important in the JS example though show elsewhere a filter used to target specific information but in realistic circumstances even if they got that far they are unlikely to return anything but noise unless the attacker has inside information to use as a reference. They omit several aspects in each example critical to making them reality such as the more easy example with passwd which requires no programming knowledge to understand where their technique while academically interesting (more effective than a dictionary attack never mind pure brute force) is easily defeated by the same standard denial of service and anti-brute force protection but they don't mention that.

 

[zx128k]

There are things that are pertinent at any level which are omitted - they don't mention how they target a specific process or even if that is important in the JS example though show elsewhere a filter used to target specific information but in realistic circumstances even if they got that far they are unlikely to return anything but noise unless the attacker has inside information to use as a reference. They omit several aspects in each example critical to making them reality such as the more easy example with passwd which requires no programming knowledge to understand where their technique while academically interesting (more effective than a dictionary attack never mind pure brute force) is easily defeated by the same standard denial of service and anti-brute force protection but they don't mention that.

Figure2illustrates the main steps and the underlying mechanism enabling the RIDL leaks. First, as part of its normal execution, the victim code, in another security domain, loads or stores some secret data4. Internally,the CPU performs the load or store via some internal buffers—for example,Line Fill Buffers(LFBs). Then,when the attacker also performs a load, the processor speculatively uses in-flight data from the LFBs (with noa ddressing restrictions) rather than valid data. Finally, by using the speculatively loaded data as an index into aFlush + Reload buffer (or any other covert channel),attackers can extract the secret value.



A simple example of our attack is shown in Listing1.As shown in the listing, the code is normal, straight-line code without invalid accesses (or, indeed, error suppression), which, as we will show, can also be implemented in managed languages such as JavaScript. Lines 2–3 only flush the buffer that we will later use in our covert channel to leak the secret that we speculatively access in Line 6.Specifically, when executing Line 6, the CPU speculatively loads a value from memory in the hope it is from our newly allocated page, while really it is in-flight data from the LFBs belonging to an arbitrarily different security domain.

1/* Flush flush & reload buffer entries. */
2for(k=0; k<256;++k)
3flush(buffer+k*1024);
4
5/* Speculatively load the secret. */
6charvalue=*(new_page);
7/* Calculate the corresponding entry. */
8char*entry_ptr=buffer+(1024*value);
9/* Load that entry into the cache. */
10*(entry_ptr);
11
12/* Time the reload of each buffer entry to
13see which entry is now cached. */
14for(k=0; k<256;++k) {
15t0=cycles();
16*(buffer+1024*k);
17dt=cycles()-t0;
18
19if(dt<100)
20++results[k];
21}

Listing 1: An example of RIDL leaking in-flight data.

When the processor eventually detects the incorrect speculative load, it will discard any and all modifications to registers or memory, and restart execution at Line 6 with the right value. However, since traces of the speculatively executed load still exist at the micro-architectural level (in the form of the corresponding cache line), we can observe the leaked in-flight data using a simple (Flush + Reload) covert channel—no different from that of other speculative execution attacks. In fact,the rest of the code snippet is all about the covert channel.Lines 8-10 speculatively access one of the entries in the buffer, using the leaked in-flight data as an index. Asa result, the corresponding cache line will be present.Lines 12-21 then access all the entries in our buffer to see if any of them are significantly faster (indicating that the cache line is present)—the index of which will correspond to the leaked information. Specifically, we may expect two accesses to be fast, not just the one corresponding to the leaked information. After all, when the processor discovers its mistake and restarts at Line 6 with the right value, the program will also access the buffer with this index.Our example above use demand paging for the loaded address, so the CPU restarts the execution only after handling the page-in event and bringing in a newly mapped page. Note that this is not an error condition, but rather a normal part of the OS’ paging functionality.

We found many other ways to speculatively execute code using in-flight data. In fact, the accessed address is not at all important. As an extreme example, rather than accessing a newly mapped page, Line 6 could even dereference aNULL pointer and later suppress the error (e.g., using TSX). In general, any run-time exception seems to be sufficient to induce RIDL leaks, presumably because the processor can more aggressively speculate on loads in case of exceptions.

https://mdsattacks.com/files/ridl.pdf page 4 and 5

Synchronization in part B

Conclusion:we can use serialization, contention and eviction to synchronize attacker and victim.

Cross-process attacks
In a typical real-world setting, synchronizing at the exact point when sensitive data is in-flight becomes non-trivial, as we have limited control over the victim process. Instead, by repeatedly leaking the same information and aligning the leaked bytes, we can retrieve the secret with-out requiring a hard synchronization primitive. For this purpose, we show a noise-resilient mask-sub-rotate attack technique that leaks 8 bytes from a given index at a time.

in the case of RIDL, the attacker can access any in-flight data currently streaming through internal CPU buffers without performing any check. As a result,address space, privilege, and even enclave boundaries do not represent a restriction for RIDL attacks

Mitigating RIDL in software.Since sensitive information can be leaked from sibling hardware threads, we strongly recommend disabling SMT to mitigate RIDL.

Worse, it is still possible to leak sensitive information from another privilege level within a single thread (as some of our exploits demonstrated), including information from internal CPU systems such as the MMU.

 

[chrcoluk]

JavaScript was one of the methods use to pull off a attack. It's not a big deal disabling HT for that task. The issue is most customers won't be able to turn it off and on themselves. That's why google turned it off for their customers and told them you can turn it back on for chrome if they want too. Most customers wont be able too.

There is a big hit for other tasks, older CPU's are hit the most. 9900k is still fast in game with HT off because games wont be cpu limited. Older cpu this is not the case. None of this is overclockers fault and they should not have to pay for it in any way.

Most games arent affected by no HTT either, the pain is mostly in content creation and VM's. Which dont apply to most consumers. Although I admit I am confused by you saying google turning it off. You mean by cloud platforms hosted by google? I am more talking about people using their desktop's and laptop devices. Chrome will probably get a patch to mitigate the issue and in that situation HTT will still be enabled system wide.

Same as how chrome made a patch to mitigate spectre.

One such solution would be to make chrome check for a HTT cpu on the system, and if detected on launch use cpu affinity to start any child process with odd numbered cpu's disabled (thus avoiding HTT for its processes).

I deal with IT security for a living, and assess any threat in isolation, assess the pros and cons of mitigation. I have done this on my own personal devices and decided to disable optional cpu vuln mitigation's due to the fact I consider the risk very remote and the cost too high. Its one of those things thats been hyped up above the actual risk, I have seen "many" vulnerabilities far worse than spectre etc. get no press coverage at all.

 

[zx128k]

Most games arent affected by no HTT either, the pain is mostly in content creation and VM's. Which dont apply to most consumers. Although I admit I am confused by you saying google turning it off. You mean by cloud platforms hosted by google? I am more talking about people using their desktop's and laptop devices. Chrome will probably get a patch to mitigate the issue and in that situation HTT will still be enabled system wide.

Same as how chrome made a patch to mitigate spectre.

One such solution would be to make chrome check for a HTT cpu on the system, and if detected on launch use cpu affinity to start any child process with odd numbered cpu's disabled (thus avoiding HTT for its processes).

I deal with IT security for a living, and assess any threat in isolation, assess the pros and cons of mitigation. I have done this on my own personal devices and decided to disable optional cpu vuln mitigation's due to the fact I consider the risk very remote and the cost too high. Its one of those things thats been hyped up above the actual risk, I have seen "many" vulnerabilities far worse than spectre etc. get no press coverage at all.

Google has pushed out a Chrome OS update (version 74) with a quick fix for the new MDS vulnerabilities that can let a bad actor read privileged portions of memory. That's the good news; the bad is that to make sure any exploits can't affect Chrome users, Hyper-Threading is now disabled by default.

Because this flaw exists in the actual CPU hardware and not in the software, the best way to secure your Chromebook is to disable Hyper-Threading. This changes how the processor schedules its jobs and the fill and store buffer in the CPU cache won't be able to be read by outside software.

https://www.androidcentral.com/mds-vulnerability-chrome-os

No one wants to disable HT.

Intel and the researchers disagree on the severity of the flaw. While Intel rates the attacks as "low to medium" in severity, researchers from the institutions that discovered the attacks told Wired that they could "reliably dig through that raw output to find the valuable information they sought." https://www.imore.com/intel-processors-hit-another-serious-security-flaw-impacting-millions-pcs

Anyway all I would advise is reading the white papers and if you are happy with the risk, then keep HT enabled. I need to stop thinking about this for awhile or I will become fixated on it. Call it a condition I have.

 

[chrcoluk]

Right, thanks for clarifying you meant the ChromeOS.

Researchers of course will want to hype up the vulnerability, intel will want to minimise it, the actual will probably be somewhere in between.

 

[Rroff]

"In a typical real-world setting, synchronizing at the exact point when sensitive data is in-flight becomes non-trivial, as we have limited control over the victim process. Instead, by repeatedly leaking the same information and aligning the leaked bytes, we can retrieve the secret with-out requiring a hard synchronization primitive. For this purpose, we show a noise-resilient mask-sub-rotate attack technique that leaks 8 bytes from a given index at a time."

I have mostly been concentrating on what it takes to even expose these exploits in the first place more than specifically how they work once running and there is a lot omitted but that bit above is part of what I was talking about earlier - they had to make the target process behave in an unrealistic manner so as to identify data from it and a lot of missing information about the steps taken with the victim process. Even with the victim process essentially waving "hey I'm over here" they struggled and that is with control over the environment and inside knowledge of where it should be so to speak.

 

[zx128k]

I have mostly been concentrating on what it takes to even expose these exploits in the first place more than specifically how they work once running and there is a lot omitted but that bit above is part of what I was talking about earlier - they had to make the target process behave in an unrealistic manner so as to identify data from it and a lot of missing information about the steps taken with the victim process. Even with the victim process essentially waving "hey I'm over here" they struggled and that is with control over the environment and inside knowledge of where it should be so to speak.

They cover all that on page 6 B. Synchronization. They can use Serialization, Contention and Eviction. They cover each method, what matters really is they are able to pull it off. You can just read it yourself. The commands they list.

Example,
Serialization. The mfence instruction therefore forms a point of synchronization that allows us to observe the last few loads and stores before the buffers are completely drained.

Contention. Another way of synchronizing victim and attacker is to create contention within the LFB, ultimately forcing entries to be evicted.

Eviction. Finally, we can control the values that we leak from the victim by evicting cache entries from the cache set in which we are interested.