Slashdot Log In
Kaspersky To Demo Attack Code For Intel Chips
Posted by
ScuttleMonkey
on Mon Jul 14, 2008 03:14 PM
from the also-releasing-a-paint-by-number dept.
from the also-releasing-a-paint-by-number dept.
snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Heh... (Score:5, Funny)
At least I know I'm safe because I run... Oh, crap.
Re:Heh... (Score:5, Interesting)
I wonder if running inside a VM could at all mitigate the attack.
Parent
Re:Heh... (Score:5, Funny)
Parent
Re: (Score:3, Funny)
Re:Reality check (Score:5, Insightful)
You might think that would happen, but if the British experience of removing the monopoly is anything to go by, your postal service will get worse.
We've always had overnight delivery, but then, Britain is a much smaller country.
The private operators are only interested in business mail. DX will do deliveries for small companies. The rest of them are only interested in bulk mail, such as bank statements and utility bills. For the rest of us, Royal Mail are now charging more, because they get less of the bulk mail to subsidise personal mail, and they are becoming much less reliable at delivering it.
Parent
Re:Reality check (Score:5, Insightful)
.
I don't know. To me it's pretty darn amazing that for 42 cents I can drop an envelop in a slot and a few days later it is hand-delivered to someone on the other side of the country. If that service didn't exist and you asked me to guess what it would cost, 42 cents would not be the answer.
Parent
Re:Reality check (Score:5, Insightful)
Actually, the main "valid" reason for the government providing letter service is to provide services to those geographic areas where the "free market" would flat out decide that it wasn't worth servicing those areas. If this wasn't a requirement of the USPS, they could easily drop all their rural routes & compete with any of the normal package carriers.
Of course, whether or not we should be inefficiently supporting those remote rural areas is a whole 'nother area of debate. I'm sure there's a lot of small town supporters that would scream bloody murder if you argue that those small towns should be allowed to disappear by cutting off any form of government infrastructure subsidy for those locations.
Parent
Re:Heh... (Score:5, Funny)
AMD?
Parent
Re:Heh... (Score:5, Funny)
Parent
Re:Heh... (Score:5, Funny)
Parent
Re:Heh... (Score:5, Interesting)
At least I know I'm safe because I run... Oh, crap.
I'm sure AMD fans will make a point that they are protected in this case.
Parent
Re:Heh... (Score:5, Insightful)
Parent
Re:Heh... (Score:5, Funny)
Parent
That's Nothing, This November I'm Going To... (Score:5, Funny)
...demonstrate how you can make a 1GW fusion reactor out of nothing but a sweaty gym sock and the corpse of a field mouse.
No, seriously. 100%. Cross my heart.
Re:That's Nothing, This November I'm Going To... (Score:4, Funny)
Macgyver is that you?
Parent
Re:That's Nothing, This November I'm Going To... (Score:5, Interesting)
Okay, seriously -- based upon nothing but an overly bold claim featuring some massive technical faults, people are actually believing this? My post should be +5 insightful, not funny, because it really isn't intended to be funny.
Are people perhaps thinking this is Eugene Kaspersky or something? This guy is no relation to him.
Maybe, just maybe, someone really is going to sit on an epic, world shaking fault until an October security conference, but every bullshit detector is ringing as loudly as it can ring right now.
October will roll around and some guy will demonstrate some edge condition non-issue and say "Oh, did they misinterpret and overstate? Those bastards!"
Parent
Re:That's Nothing, This November I'm Going To... (Score:5, Informative)
Err, Kris Kaspersky has a good reputation and does write pretty good books [amazon.com].
Parent
Re:That's Nothing, This November I'm Going To... (Score:5, Interesting)
Sounds like they might have found a practical exploit for one of the many bugs in the Core/2 that OpenBSD were throwing a fit about when it was released. Maybe they were right.
Parent
Re:That's Nothing, This November I'm Going To... (Score:5, Informative)
Parent
Re:That's Nothing, This November I'm Going To... (Score:5, Funny)
Parent
GNU Hurd Wins Again (Score:4, Funny)
It's OK I run hurd.
Plan 9 baby (Score:4, Funny)
Parent
java: write once... (Score:3, Funny)
...hack everywhere
Don't worry. . . (Score:3, Funny)
I'm sure Intel will release a patch. ;)
They may (Score:5, Informative)
Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.
Parent
Re:They may (Score:5, Informative)
Parent
Re:They may (Score:5, Insightful)
If this can consistently crash my computer regardless of OS or browser, I'd sure as hell update my BIOS.
This is a big deal.
Parent
Re:They may (Score:5, Informative)
Only some things can be fixed via a ucode patch, others cannot. See AMD's TLB errata for an example of something that cannot. Other things can be fixed by disabling a feature, but disabling that feature might cost performance. Once again, see AMD's TLB errata for an example. Still other things can be worked around in the OS, sometimes for negligible performance loss, sometimes not. The Intel F00F bug [wikipedia.org] was a perfect example of something that could be worked around in the OS with no performance loss, and the AMD TLB errata had an OS workaround too which incurred a small (1%?) performance loss. Other things have almost no workaround, and require Intel or AMD to recall silicon and give out new processors. Intel's Pentium FDIV bug [wikipedia.org] was a good example of that. It depends entirely on what piece of the chip is at fault.
If something can be fixed in ucode for a negligible performance loss, or worked around in the OS for a negligible performance loss, that's the best-case scenario for Intel. In that case it's just a matter of getting BIOSes/OSes updated and patches rolled out to OEMs.
Parent
Re:Don't worry. . . (Score:4, Funny)
Or else go back to 1999 where Pentium III machines with Intel's processor ID enabled in CMOS enable shoppers to have an "enhanced online experience" while they run IE 4.01 from Windows machines that aren't behind a firewall
Parent
Java or Javascript? (Score:5, Insightful)
So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.
Re:Java or Javascript? (Score:5, Informative)
The official conference website says the same thing
http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=214 [hackinthebox.org]
Reading the conference website sounds like he is saying the can crash computers through forced tight loops via multiple languages, javascript, java, even TCP/IP
Parent
Huh? (Score:4, Insightful)
Huh? Javascript != Java!!!!
Randomize Something? (Score:3, Insightful)
a knowledge of how Java compilers work
Hrm, seems like he's counting on things happening in a certain sequence. So, perhaps a JVM could do more stuff in an unpredictable order? Perhaps using an SSA representation and context switching threads? Yeah, slightly more expensive, but let Firefox turn it on for me when I'm running untrusted code.
That's it... (Score:5, Funny)
*unplugs ethernet adapter*
[NO CARRIER]
Publicly available? (Score:4, Funny)
Indeed. And are you going to make patches publicly available for all the hardware and operating systems in the world, too?
Re:Publicly available? (Score:4, Informative)
Parent
Re:Publicly available? (Score:5, Insightful)
>I see, so your argument is that if it can't be fixed by the discoverer,
> they should keep it obscure.
Yeah, we could have the oft-heard chicken or egg debate. But we both know where it would end up. One side would say "disclose everything right away" and the other side would say "give the vendors a chance to fix it first". See how much time we just saved?
Parent
Quote (Score:4, Insightful)
... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.
Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.
Which ones? (Score:5, Interesting)
Do we have a list of the processors affected by this? Or is this issue in ALL Intel processors?
It must depend some on the OS (Score:5, Informative)
If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.
Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OS'. These are OS' used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.
Re:It must depend some on the OS (Score:5, Informative)
Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware. Now Intel is telling people to manage the MMU's TLB flushes in a new and different way. Yet even if we do so, some of the errata listed are unaffected by doing so.
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
And from TFA:
"It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."
Sounds like the the same issues to me.
Parent
Re:It must depend some on the OS (Score:4, Informative)
Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source [marc.info]):
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys [imagicity.com].
Parent
you say tomato... (Score:5, Insightful)
They call it a flaw, while I call it a backdoor.
i've read a number of story summaries in my time (Score:4, Informative)
and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"
Discovery channel (Score:5, Funny)
As seen on today's TV schedule for Discovery
Now showing: Intel, when code attacks.
Next show: Lasers.
Next week: Shark week.
Interesting (Score:4, Insightful)
If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.
I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.
This is all possible if...
You need to reliably produce a series of instructions on a typical jvm. This doesn't present a problem as primitive expressions probably get predictable JIT sequences,
The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions that doubly bad.
One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.
Disable scripting/plug-ins by default/use NoScript (Score:5, Interesting)
If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript [noscript.net], which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.
Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI [wikipedia.org] instead of BIOS, such as all the Intel-based Macs?
Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab [kaspersky.com] or Eugene Kaspersky [wikipedia.org], but he's apparently the author of a number of books [amazon.com] on programming and other computer subjects.
This is so old! (Score:5, Interesting)
1 GOTO 1
The compiler would write in machine code:-
BR .
When you executed this the CPU would instack the instruction and the machine would crash. It could get worse as the memory was mainly core and the mainframe would just try to restart the program it was executing. So often you had to wait for the CDC Engineer to arrive to pull the correct wires off the CPU to allow the machine to restart.
In fact in those days they fixed it in the FORTRAN compiler to turn the BRANCH into a JUMP that voided the instack and allowed the hardware to get control back from the CPU.
Is this really History repeating itself.
Re:Speculative (Score:4, Informative)
An attack against a Mac is also a possibility
That's a bit of a conjecture isn't it? Can we at least have a demonstration?
OMFG! From the summary:
Attack Code For Intel Chips ... regardless of OS
Parent
Re:Im sure his Anti Virus will stop it :) (Score:4, Informative)
Im sure his Anti Virus will stop it :)
I initially made that mistake too, but Kris Kaspersky != Eugene Kaspersky
Kris [amazon.com] is a security researcher and author.
Eugene [wikipedia.org] is the guy behind Kaspersky Lab [wikipedia.org].
I wish the article had made the distinction, since some people are more familiar with Kaspersky the anti-virus creator and not the author.
Though this does remind me of the urban legend that anti-virus companies are behind all of the anti-viruses:
http://xkcd.com/250/ [xkcd.com]
Parent