Kaspersky To Demo Attack Code For Intel Chips
snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."
They may (Score:5, Informative)
Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.
Re:Java or Javascript? (Score:5, Informative)
The official conference website says the same thing
http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=214 [hackinthebox.org]
Reading the conference website, it sounds like he is saying he can crash computers through forced tight loops via multiple languages: javascript, java, even TCP/IP.
It must depend some on the OS (Score:5, Informative)
If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.
Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OSes. These are OSes used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.
Re:Speculative (Score:4, Informative)
An attack against a Mac is also a possibility
That's a bit of a conjecture isn't it? Can we at least have a demonstration?
OMFG! From the summary:
Attack Code For Intel Chips ... regardless of OS
Re:It must depend some on the OS (Score:5, Informative)
Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware. Now Intel is telling people to manage the MMU's TLB flushes in a new and different way. Yet even if we do so, some of the errata listed are unaffected by doing so.
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
And from TFA:
"It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."
Sounds like the same issues to me.
This exploit is extremely limited in scope... (Score:3, Informative)
My personal view is that such malware may only be able to take over a very small percentage of systems out there. The scope may be limited to something as (relatively) rare as an Intel Core 2 CPU within a specific FSB range and specific stepping. Throwing all those factors together, I doubt any such errata would encompass more than 10% of the PCs out there. Considering how many different variations of CPUs are out there--Intel/AMD/Via, Pentium-D/Core 2/Xeon/Pentium-M/Pentium 4, FSB differences, stepping, etc.; such malware might be extremely dangerous for a very small subset of Internet-connected PCs.
Now, if a malware author knows of a CPU bug that Intel/AMD does not know about, then this could be extremely serious, encompassing multiple generations of CPUs...
Re:Speculative (Score:3, Informative)
Nope. But I'm saying every OS uses the chip differently. For example, Windows apps share the same memory space (well, far pointers do anyhow). So this does affect what a CPU-level attack could do. That and other issues I'm sure.
Win 3.1 called and wants its memory model(s) back. Win32 has a 32-bit flat memory space (or 64-bit on x64), all pointers are the same size, segments do not matter and each process has a local space. Some pages might be shared, of course, but that's done through memory mapping, like in (mostly) any other OS. WinCE has/had some interesting slots, though.
i've read a number of story summaries in my time (Score:4, Informative)
and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"
Re:Java or Javascript? (Score:1, Informative)
Shrug. Mozilla Rhino [mozilla.org] is javascript implemented in java. It's handy if you want to embed a friendly interpreter in your java app, sort of like the way TCL used to be used for C apps, and the way GNU intended Guile to be used (but screwed up because apparently 90% of everyone hates Scheme).
Some java people prefer beanshell or jruby, but I like rhino because, well, it's standard javascript instead of completely made up (beanshell) or obnoxiously line-noisy (ruby).
Re:I'm sure his Anti Virus will stop it :) (Score:4, Informative)
I'm sure his Anti Virus will stop it :)
I initially made that mistake too, but Kris Kaspersky != Eugene Kaspersky
Kris [amazon.com] is a security researcher and author.
Eugene [wikipedia.org] is the guy behind Kaspersky Lab [wikipedia.org].
I wish the article had made the distinction, since some people are more familiar with Kaspersky the anti-virus creator and not the author.
Though this does remind me of the urban legend that anti-virus companies are behind all of the anti-viruses:
http://xkcd.com/250/ [xkcd.com]
Re:Heh... (Score:3, Informative)
Wireless keyboard eh? [theregister.co.uk]
You should do it like Missile Command and ignite the atmosphere with explosions that can be OCRed from your moon computer's webcam.
Re:They may (Score:5, Informative)
Only some things can be fixed via a ucode patch, others cannot. See AMD's TLB errata for an example of something that cannot. Other things can be fixed by disabling a feature, but disabling that feature might cost performance. Once again, see AMD's TLB errata for an example. Still other things can be worked around in the OS, sometimes for negligible performance loss, sometimes not. The Intel F00F bug [wikipedia.org] was a perfect example of something that could be worked around in the OS with no performance loss, and the AMD TLB errata had an OS workaround too which incurred a small (1%?) performance loss. Other things have almost no workaround, and require Intel or AMD to recall silicon and give out new processors. Intel's Pentium FDIV bug [wikipedia.org] was a good example of that. It depends entirely on what piece of the chip is at fault.
If something can be fixed in ucode for a negligible performance loss, or worked around in the OS for a negligible performance loss, that's the best-case scenario for Intel. In that case it's just a matter of getting BIOSes/OSes updated and patches rolled out to OEMs.
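Added illustration of the point above (this is not code from the thread, from Intel, or from any OS; the erratum entries in it are hypothetical placeholders, not real errata): whether a ucode patch, a BIOS workaround or an OS workaround applies at all is decided by matching the running part against the erratum's list of affected steppings, and that starts with decoding the CPUID leaf-1 signature into family/model/stepping. The extended-family and extended-model fields are the part people get wrong, so the decoder below handles them per the Intel/AMD rules and is checked against a few real signature values (family 6 model 0xF is the Core 2 generation, family 0xF is the Pentium 4 line, family 0x10 is AMD's Phenom line).

```c
/* Decode an x86 CPUID leaf-1 signature (EAX) into family/model/stepping
 * and match it against an erratum's affected-stepping list.
 * Added example; the entries in `affected` are hypothetical placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/clang: __get_cpuid() */
#endif

struct cpu_sig { unsigned family, model, stepping; };

/* EAX after CPUID(1): bits 3:0 stepping, 7:4 model, 11:8 family,
 * 19:16 extended model, 27:20 extended family. */
struct cpu_sig decode_signature(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;
    unsigned base_model  = (eax >> 4) & 0xF;
    unsigned ext_model   = (eax >> 16) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;

    s.stepping = eax & 0xF;
    s.family   = base_family;
    s.model    = base_model;
    /* Extended family is only added when the base field is saturated. */
    if (base_family == 0xF)
        s.family = base_family + ext_family;
    /* Extended model is prepended for family 6 and family 0xF (Intel), and
     * for base family 0xF on AMD; one test covers both vendors. */
    if (base_family == 0x6 || base_family == 0xF)
        s.model = (ext_model << 4) | base_model;
    return s;
}

/* One erratum: affected family/model plus a bitmask of affected steppings. */
struct erratum_match {
    unsigned family, model;
    uint16_t stepping_mask;
    const char *label;
};

/* Hypothetical entries for illustration only, not real Intel errata. */
static const struct erratum_match affected[] = {
    { 0x6, 0x0F, (1u << 2) | (1u << 6), "hypothetical erratum A" },
    { 0x6, 0x17, (1u << 6),             "hypothetical erratum B" },
};

/* Returns the label of the first matching erratum, or NULL if none. */
const char *affected_by(struct cpu_sig s)
{
    for (size_t i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (affected[i].family == s.family && affected[i].model == s.model &&
            (affected[i].stepping_mask & (1u << s.stepping)))
            return affected[i].label;
    return NULL;
}

/* Raw leaf-1 EAX of the host, or 0 when CPUID is unavailable. */
uint32_t host_signature(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return a;
#endif
    return 0;
}

int main(void)
{
    uint32_t eax = host_signature();
    if (eax == 0) {
        puts("CPUID leaf 1 not available on this host");
        return 0;
    }
    struct cpu_sig s = decode_signature(eax);
    const char *hit = affected_by(s);
    printf("signature 0x%08x: family 0x%x model 0x%x stepping %u -> %s\n",
           eax, s.family, s.model, s.stepping, hit ? hit : "not in list");
    return 0;
}
```

The same decode is what a BIOS or kernel does before deciding to load a microcode blob or enable a TLB workaround; a list keyed on base family/model alone would either miss the 45 nm parts (model 0x17) or wrongly lump them in with model 0x7.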
Re:That's Nothing, This November I'm Going To... (Score:5, Informative)
Err, Kris Kaspersky has a good reputation and does write pretty good books [amazon.com].
Re:It must depend some on the OS (Score:4, Informative)
Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source [marc.info]):
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys [imagicity.com].
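Added example of what that report is about (this is my own toy code, not from the thread, from Shamir's note or from any real library): Shamir's scenario is a CPU that gets one specific multiplication wrong. A signer using RSA with the CRT speed-up then emits a signature that is still right mod q but wrong mod p, and gcd(s^e - m, N) hands whoever receives it the factor q; the attacker needs only the public key and does not even need to know which message triggers the bug, since a signature that fails to verify is the tell. The primes, exponent and simulated erratum below are constructed toy values (a 21-bit modulus so 64-bit products never overflow); the bug is modelled as "any product whose first operand is 1200 comes back with its low bit flipped", and q < 1200 < p is what makes it one-sided.

```c
/* RSA-CRT fault attack driven by a simulated multiplier erratum.
 * Added example with constructed toy parameters; not production code. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

#define RSA_P 1217ULL                 /* prime, constructed */
#define RSA_Q 1009ULL                 /* prime, constructed */
#define RSA_N (RSA_P * RSA_Q)         /* 1227953 */
#define RSA_E 65537ULL
#define FAULT_OPERAND 1200ULL         /* q < 1200 < p: only mod-p math can hit it */

/* Simulated erratum: with buggy_cpu set, a product whose first operand is
 * FAULT_OPERAND silently comes back with its lowest bit flipped. */
static u64 mulmod(u64 a, u64 b, u64 m, int buggy_cpu)
{
    u64 r = (a * b) % m;
    if (buggy_cpu && a == FAULT_OPERAND) {
        r ^= 1;
        if (r >= m) r -= m;
    }
    return r;
}

/* Right-to-left square-and-multiply, routed through the (maybe buggy) multiplier. */
static u64 powmod(u64 base, u64 exp, u64 m, int buggy_cpu)
{
    u64 result = 1;
    base %= m;
    while (exp) {
        if (exp & 1) result = mulmod(result, base, m, buggy_cpu);
        base = mulmod(base, base, m, buggy_cpu);
        exp >>= 1;
    }
    return result;
}

static u64 gcd(u64 a, u64 b)
{
    while (b) { u64 t = a % b; a = b; b = t; }
    return a;
}

/* Modular inverse by extended Euclid; a and m must be coprime. */
static u64 modinv(u64 a, u64 m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (t < 0) t += (int64_t)m;
    return (u64)t;
}

/* Signer: RSA-CRT as real implementations do it (two half-size
 * exponentiations, then Garner recombination). buggy_cpu picks the multiplier. */
static u64 sign_crt(u64 msg, int buggy_cpu)
{
    u64 d    = modinv(RSA_E, (RSA_P - 1) * (RSA_Q - 1));
    u64 sp   = powmod(msg, d % (RSA_P - 1), RSA_P, buggy_cpu);
    u64 sq   = powmod(msg, d % (RSA_Q - 1), RSA_Q, buggy_cpu);
    u64 qinv = modinv(RSA_Q, RSA_P);
    u64 h    = mulmod((sp + RSA_P - sq) % RSA_P, qinv, RSA_P, buggy_cpu);
    return sq + RSA_Q * h;
}

/* Attacker, two-signature variant: a good and a faulty signature of the
 * same message differ only mod p, so their difference shares q with N. */
static u64 factor_from_pair(u64 s_good, u64 s_bad)
{
    u64 diff = s_good > s_bad ? s_good - s_bad : s_bad - s_good;
    return gcd(diff, RSA_N);
}

/* Attacker, single-signature variant (public key only, correct hardware):
 * ask for signatures, verify each, and factor N from the first one that
 * fails. Returns the factor found, or 0 if no query triggered the bug. */
static u64 recover_factor(u64 max_queries)
{
    for (u64 m = 2; m < max_queries; m++) {
        u64 s = sign_crt(m, 1);                  /* victim signs on the buggy CPU */
        u64 check = powmod(s, RSA_E, RSA_N, 0);  /* attacker verifies on a good one */
        if (check == m) continue;                /* signature is fine, try the next */
        u64 g = gcd((check + RSA_N - m) % RSA_N, RSA_N);
        if (g > 1 && g < RSA_N) return g;
    }
    return 0;
}

int main(void)
{
    u64 m = FAULT_OPERAND;
    u64 good = sign_crt(m, 0), bad = sign_crt(m, 1);
    printf("m=%llu good=%llu bad=%llu gcd(good-bad, N)=%llu\n",
           (unsigned long long)m, (unsigned long long)good,
           (unsigned long long)bad, (unsigned long long)factor_from_pair(good, bad));
    printf("factor from faulty signatures alone: %llu (q=%llu)\n",
           (unsigned long long)recover_factor(RSA_N), (unsigned long long)RSA_Q);
    return 0;
}
```

The defence real libraries adopted for this class of fault is to verify the CRT result with the public exponent before releasing it (or to blind the computation), which is cheap next to the private operation; a signer that does that returns an error instead of the leaky signature, and a multiplier erratum then becomes a reliability bug rather than a key-disclosure bug.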
Re:Heh... (Score:3, Informative)
Really ?
You don't know about the American Letter Company then.
http://www.lysanderspooner.org/STAMP2.htm [lysanderspooner.org]
http://www.lysanderspooner.org/STAMP1.htm [lysanderspooner.org]
http://www.lysanderspooner.org/STAMP3.htm [lysanderspooner.org]
The sad truth is, USPS is a coercive monopoly which wouldn't exist if it were not for competitors being threatened with jail and large fines.
Re:Are you really sure about that? (Score:3, Informative)
Can you actually point to the section of the US code that prohibits a third party from delivering first class style mail? I mean, if a private company wanted to sell a service moving an ounce across 3000 miles for 50 cents, they could.
From Wikipedia [wikipedia.org]:
The federal government has strong powers in this regard because there's a postal clause in the Constitution.