Academics Publish New Software-Level Protections Against Spectre and Rowhammer Attacks

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

Research BS

[x0ra]

Don't publish a freaking paper, send a goddamn diff on the LKML, and we'll be able to comment. This PR-seeking behavior from researcher is pretty deplorable.

diffs != funding

[WoodstockJeff]

Publicity for an academic paper, on the other hand, can lead to funding.

Re:

[x0ra]

my point exactly, researchers are grant whores, beggars, never wasting an occasion to release a bs paper to get to keep their status, leading to a very low signal-to-noise ratio. (and yes, I did witness this first hands, on top of wasting money on useless crap just to safeguard their fundings... there is a lot of swamp draining needed)

Re:

[DamonHD]

That's a little harsh. If paying the rent requires getting grants, you'll aim to get grants. What do you call what you do to get money? (Plus let's not insult in passing other groups that you clearly consider beneath contempt...)

Re:

[x0ra]

Depends. By your definition, being a criminal to get rent money would be acceptable. There is already a de-facto very limited percentage of actual "research" usable in the industry (I'm fairly sure that kernel gurus would technically destroy this patch pretty quickly), so there is no need to keep the SNR as low as currently done by the paper industry... if they really care about usable solutions, and real life practical results. That being said, the universities are living in a echo chamber...

Re:

[x0ra]

if only I could have enjoyed witnessing the spending of close to EUR50k of useless spending for no other sake than spending money to justify the next funding cycle...

Re:

[Aighearach]

You don't seem to comprehend that in this part of the field, academics are professionals doing real work. And grants cause that work to move forwards.

I don't doubt that you "did witness this[] first hands," the question is, do you even comprehend what the "this" in the story is that you're claiming to have seen? I'm assuming from your words that you actually just mean that when you were an assistant coach on the wrassling team in college, and you misdirected funds, you never got caught. If you want it to so

Re:Research BS

[Anonymous Coward]

These are researchers in academia, where you're judged largely on your publications. While releasing a patch to the Linux kernel might be a useful synergistic activity, it simply doesn't have the impact of publications. As a researcher, I like releasing source code and, when feasible, my data sets. However, those simply don't have the same impact as publications. Publishing a paper isn't mutually exclusive from releasing the source code. Don't blame the researchers. Blame the system that disproportionately rewards publications over other contributions.

The one exception here might be if lots of other researchers use your software or data set in their research. In that case, your data or software could get a DOI and be highly cited in its own right. I doubt a patch to the Linux kernel would get cited much if at all, so the publication is probably the one thing that matters in academia.

Re:

[jiriw]

As if the Linux kernel is the only kernel out there running on Spectre / Rowhammer vulnerable architectures. Beside, how do you know the implementation is needed on the kernel level? Have you read the paper to get to that conclusion? I haven't (yet) but I can easily imagine practical applications are only needed at the application level, for applications that actually could be attack vectors. Why drag down your whole operating system with an all encompassing solution when you only need to be careful with, s

So why should AMD systems slow down to cover Intel

[Joe_Dragon]

So why should AMD systems slow down to cover Intel? or say in a system where I don't need security like this but need speed?

At least with linux I can force it off at the kernel level.

Re:So why should AMD systems slow down to cover In

[HiThere]

This is Spectre 1, not Meltdown. I believe it also affects AMD. IIRC, it was also expected to be quite difficult to implement, though I didn't hear any follow-up about that.

I also didn't hear that Rowhammer was specific to Intel. Do you have reason to believe differently?

FWIW, and IIUC, while Linux allows you to disable the protection against Spectre (or was it Meltdown), the kernel automatically optimizes it away if the processor is not vulnerable. (IIUC, the original patch submitted by Intel didn't do that, but AMD submitted a revised patch.)

not buying it

[iggymanz]

Software can be subverted, these flaws have to be addressed in hardware redesign

Re:

[chispito]

Software can be subverted, these flaws have to be addressed in hardware redesign

Yes, but a hardware revision does nothing for those who cannot or will not refresh their hardware, nor does it do anything for the next hardware based attack that is announced.

Re:

[iggymanz]

Large banks, traders and insurance clearing houses were my clients, they do refresh hardware. If a mom and pop shops don't, or your local governmetn doesn't, that's a small time problem.

Fearmongering about unknown future bugs is pointless.

Re: not buying it

[Anonymous Coward]

Rowhammer, Meltdown, and Spectre all share the same flaw.

They aren't a way in...they only work on already compromised (in serious ways) systems. Stop the way in and you stop all 3 at once.

Re:

[HiThere]

It's not a good forwards-looking option, but with all the vulnerable computers already out there, it's an excellent interim step. And its going to take a long time for all those computers to get replaced. IIRC, there are still a few i486-s still running. I know of an i386 that was running until about 3 years ago...it was even running MSWindows 95a.

Re:

[HiThere]

Someone else is/was running the i486's. The i386 was only for the purpose of running MSWind95, and when the need for it went away, so did the machine. (Well, actually hardware problems rather forced the issue...but if I'd had to keep it running I would have.)

That said, neither is a really good choice on a modern machine. Easier would be the keep it running isolated from the web, which the i386 definitely needed anyway (and that was easy, because it was running MSWind 95a...no included internet connection

Re:

[Waffle Iron]

Yes, let's take us some juicy hardware problems and fix'em in software!

Well, that's not an especially good idea, even if you can successfully do it.

OK, I'm personally going to need several new replacement CPUs once the hardware fixes have been implemented. Will you buy them for me?

Are any of these vulnerabilities actually in use?

[Fly Swatter]

Yes I realize someone could figure out a mass application exploit at any time now, but are there any actual active threats out there besides the mental scare tactics currently imparted by all the news outlets?

Re: Are any of these vulnerabilities actually in u

[Anonymous Coward]

Found the Intel shill! Seriously, though - there is no reason to believe they are not in active use. The time between a vulnerability being publicised and seen being exploited as part of a professional criminal exploit in the wild is generally under two weeks. After all, you don't leave your car unlocked because nobody has stolen it yet.

Intel sponsored BS

[Anonymous Coward]

After the moderate success of the Pentium 3, when AMD and Intel were pretty level, Intel went NETBURST.

Netburst was an ultra long pipeline design chasing 10GHz. It was the biggest disaster in x86 architecture to date. As it became clear to Intel that AMD would trivially defeat netburst with its own x64 design, Intel infamously went back to the Pentium 3, updated the architecture, and made Core 1/Core 2 which eventually became todays vastly improved core architecture.

Intel used AMD patents for the core 2, wh

Cool!

[Misagon]

What ELFbac is doing is to partition the memory space into regions with different protection depending on which region the access is coming from.
You could say that it is like automated partitioning of a program into multiple processes communicating via shared memory.

The cool feature here is that the access control matrix is derived from the existing link information in the binary itself (ELF format), which means that no code rewrite is necessary.

I'm not sure how it would stop Spectre though, especially on I