Kaspersky To Demo Attack Code For Intel Chips 303
snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."
Heh... (Score:5, Funny)
At least I know I'm safe because I run... Oh, crap.
Re:Heh... (Score:5, Interesting)
I wonder if running inside a VM could at all mitigate the attack.
Re:Heh... (Score:5, Funny)
Re: (Score:3, Insightful)
And then the irony will be that on Windows, the exploit will crash out, in Linux it will require a more up to date version of WINE to be installed so it can run and then crash like in Windows, and in BSD it simply won't run since BSD is that old "eunuchs" stuff that won't run Windows "cross platform" 'sploits.
In the end, everyone is SAFE from attack by the sheer virtues of their software goodness that is inherent in "modern" OS's.
Re: (Score:3, Funny)
Re: (Score:2, Funny)
There aren't any potential problems with that solution are there?
Except if you want them to arrive on time, have friendly support, sort through them getting lost in the mail and the rest of the joys that our government has imposed on us.
Re: (Score:3, Funny)
Re: (Score:2)
and the rest of the joys that our government has imposed on us.
Like .42 USD postage? I highly doubt if anyone but the government ran our postal system we'd see anything but higher rates.
Re: (Score:3, Informative)
Really ?
You don't know about the American Letter Company then.
http://www.lysanderspooner.org/STAMP2.htm [lysanderspooner.org]
http://www.lysanderspooner.org/STAMP1.htm [lysanderspooner.org]
http://www.lysanderspooner.org/STAMP3.htm [lysanderspooner.org]
The sad truth is, USPS is a coercive monopoly which wouldn't exist if it where not for competitors being threatened of jail and large fines.
Re: (Score:2, Funny)
Reality check (Score:3, Insightful)
> The government just supplies a cheap alternative that people elect to use.
No my statist friend, we don't 'elect' to use the USPS if we can avoid it. But we don't have a choice in some cases because the US Government grants a monopoly on letter delivery. UPS and Fedex can deliver freight and because nobody thought it possible and thus Congress didn't forbid it in time, overnight letters. Notice how totally the private competitors dominate the postal service in those catagories? How many YEARS it too
Re:Reality check (Score:5, Insightful)
You might think that would happen, but if the British experience of removing the monopoly is anything to go by, your postal service will get worse.
We've always had overnight delivery, but then, Britain is a much smaller country.
The private operators are only interested in business mail. DX will do deliveries for small companies. The rest of them are only interested in bulk mail, such as bank statements and utility bills. For the rest of us, Royal Mail are now charging more, because they get less of the bulk mail to subsidise personal mail, and they are becoming much less reliable at delivering it.
Re:Reality check (Score:5, Insightful)
.
I don't know. To me it's pretty darn amazing that for 42 cents I can drop an envelop in a slot and a few days later it is hand-delivered to someone on the other side of the country. If that service didn't exist and you asked me to guess what it would cost, 42 cents would not be the answer.
Re:Reality check (Score:5, Insightful)
Actually, the main "valid" reason for the government providing letter service is to provide services to those geographic areas where the "free market" would flat out decide that it wasn't worth servicing those areas. If this wasn't a requirement of the USPS, they could easily drop all their rural routes & compete with any of the normal package carriers.
Of course, whether or not we should be inefficiently supporting those remote rural areas is a whole 'nother area of debate. I'm sure there's a lot of small town supporters that would scream bloody murder if you argue that those small towns should be allowed to disappear by cutting off any form of government infrastructure subsidy for those locations.
Are you really sure about that? (Score:3, Interesting)
Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up.
Can you actually point to the section of the US code that prohibits a third party from delivering first class style mail? I mean, if a private company wanted to sell a service moving an ounce across 3000 miles for 50 cents, they could. IT's just, you'd have to be able to
Re: (Score:3, Informative)
Can you actually point to the section of the US code that prohibits a third party from delivering first class style mail? I mean, if a private company wanted to sell a service moving an ounce across 3000 miles for 50 cents, they could.
From Wikipedia [wikipedia.org]:
The federal government has strong powers in this regard because there's a postal clause in the Constitution.
Re: (Score:2)
We still do have competition. UPS, FedEx, etc. The government just supplies a cheap alternative that people elect to use.
I was asked to pay for some postage from the person who sent it to me and this wasn't from the person who sent this to me, but from the post office itself! So, no it isn't just a cheap alternative to UPS/Fed Ex it uses unfair business practices if it wasn't by the government to secure a virtual monopoly.
Re:Heh... (Score:5, Funny)
AMD?
Re: (Score:2, Funny)
Transmeta?
Via?
Sparc?
Re:Heh... (Score:5, Funny)
Re: (Score:2)
Re:Heh... (Score:5, Funny)
Re: (Score:3, Funny)
An Amiga? :)
Re:Heh... (Score:5, Interesting)
At least I know I'm safe because I run... Oh, crap.
I'm sure AMD fans will make a point that they are protected in this case.
Re: (Score:2, Funny)
At least I know I'm safe because I run... Oh, crap.
I'm sure AMD fans will make a point that they are protected in this case.
But on the flip side, they run AMD. :-).
Re:Heh... (Score:5, Insightful)
Re: (Score:2)
At least I know I'm safe because I run... Oh, crap.
I'm sure AMD fans will make a point that they are protected in this case.
Well I'm an AMD fan I'm sure feel protected against his code, on the other hand I guess you are not as afraid as me from having a CPU meltdown in case the fan over my heatsink stops working....=)
Re: (Score:2)
I'm safe because I run each new browser session using a disposable PC on the moon. (i use a telescope and wireless keyboards)
Re: (Score:3, Informative)
Wireless keyboard eh? [theregister.co.uk]
You should do it like Missle Command and ignite the atmosphere with explosions that can be OCRed from your moon computer's webcam.
Re:Heh... (Score:5, Funny)
That's Nothing, This November I'm Going To... (Score:5, Funny)
...demonstrate how you can make a 1GW fusion reactor out of nothing but a sweaty gym sock and the corpse of a field mouse.
No, seriously. 100%. Cross my heart.
Re:That's Nothing, This November I'm Going To... (Score:4, Funny)
Macgyver is that you?
Re:That's Nothing, This November I'm Going To... (Score:5, Interesting)
Okay, seriously -- based upon nothing but an overly bold claim featuring some massive technical faults, people are actually believing this? My post should be +5 insightful, not funny, because it really isn't intended to be funny.
Are people perhaps thinking this is Eugene Kaspersky or something? This guy is no relation to him.
Maybe, just maybe, someone really is going to sit on an epic, world shaking fault until an October security conference, but every bullshit detector is ringing as loudly as it can ring right now.
October will roll around and some guy will demonstrate some edge condition non-issue and say "Oh, did they misinterpret and overstate? Those bastards!"
Re:That's Nothing, This November I'm Going To... (Score:5, Informative)
Err, Kris Kaspersky has a good reputation and does write pretty good books [amazon.com].
Re:That's Nothing, This November I'm Going To... (Score:5, Interesting)
Sounds like they might have found a practical exploit for one of the many bugs in the Core/2 that OpenBSD were throwing a fit about when it was released. Maybe they were right.
Re:That's Nothing, This November I'm Going To... (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Re:That's Nothing, This November I'm Going To... (Score:5, Funny)
Re: (Score:2)
GNU Hurd Wins Again (Score:4, Funny)
It's OK I run hurd.
Re: (Score:3, Funny)
Yeah, you have nothing to worry about - not even the virus writers make programs for hurd!
Plan 9 baby (Score:4, Funny)
java: write once... (Score:3, Funny)
...hack everywhere
Don't worry. . . (Score:3, Funny)
I'm sure Intel will release a patch. ;)
They may (Score:5, Informative)
Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.
Re:They may (Score:5, Informative)
Re:They may (Score:5, Insightful)
If this can consistently crash my computer regardless of OS or browser, I'd sure as hell update my BIOS.
This is a big deal.
Re: (Score:2, Funny)
If this can consistently crash my computer regardless of OS or browser, I'd sure as hell update my BIOS.
This is a big deal.
I guess they'll be calling it the Ron Burgundy exploit.
Re: (Score:3, Interesting)
They also do volatile microcode loading IIRC, so you could deliver an OS "driver" that runs early at boot and closes the window... provided the flaw is within the realm of microcode patching anyway.
Re: (Score:3, Interesting)
Re:They may (Score:5, Informative)
Only some things can be fixed via a ucode patch, others cannot. See AMD's TLB errata for an example of something that cannot. Other things can be fixed by disabling a feature, but disabling that feature might cost performance. Once again, see AMD's TLB errata for an example. Still other things can be worked around in the OS, sometimes for negligible performance loss, sometimes not. The Intel F00F bug [wikipedia.org] was a perfect example of something that could be worked around in the OS with no performance loss, and the AMD TLB errata had an OS workaround too which incurred a small (1%?) performance loss. Other things have almost no workaround, and require Intel or AMD to recall silicon and give out new processors. Intel's Pentium FDIV bug [wikipedia.org] was a good example of that. It depends entirely on what piece of the chip is at fault.
If something can be fixed in ucode for a negligible performance loss, or worked around in the OS for a negligible performance loss, that's the best-case scenario for Intel. In that case it's just a matter of getting BIOSes/OSes updated and patches rolled out to OEMs.
Not totally a pipe dream? (Score:2)
Don't Intel processors contain a flash area? And, if so, what can it be used for? Can it be used in some way to fix or bypass this?
Re: (Score:2)
If the processor has a flash area that can be used to patch processor bugs, I imagine that a crafty black hat could put bugs in there too.
Re:Don't worry. . . (Score:4, Funny)
Or else go back to 1999 where Pentium III machines with Intel's processor ID enabled in CMOS enable shoppers to have an "enhanced online experience" while they run IE 4.01 from Windows machines that aren't behind a firewall
Java or Javascript? (Score:5, Insightful)
So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.
Re: (Score:3, Funny)
Re:Java or Javascript? (Score:5, Informative)
The official conference website says the same thing
http://conference.hackinthebox.org/hitbsecconf2008kl/?page_id=214 [hackinthebox.org]
Reading the conference website sounds like he is saying the can crash computers through forced tight loops via multiple languages, javascript, java, even TCP/IP
Re: (Score:2)
So a new f00f bug then?
http://en.wikipedia.org/wiki/F00f [wikipedia.org]
Re: (Score:2)
That or he's a bit slow in the head.
Huh? (Score:4, Insightful)
Huh? Javascript != Java!!!!
Re: (Score:2)
There are a couple of JavaScript compilers which target the JVM, eg Mozilla's Rhino. It is quite a common way of compiling for a cross platform target.
Randomize Something? (Score:3, Insightful)
a knowledge of how Java compilers work
Hrm, seems like he's counting on things happening in a certain sequence. So, perhaps a JVM could do more stuff in an unpredictable order? Perhaps using an SSA representation and context switching threads? Yeah, slightly more expensive, but let Firefox turn it on for me when I'm running untrusted code.
We just need a CPU Patch!! (Score:2)
No... wait....
Re: (Score:2)
Exactly. There's absolutely no way that a processor could ever be made to be updated. It's not like those X86 instructions are implemented in code or anything. Hah. What would they call that, microcode or something? Completely stupid. :P
Re: (Score:2)
Does this mean we need to buy VIA and AMD? And maybe their STOCK???? How embarrassing for Intel. How maniacal for the rest of us that now need to patch most things we've bought in the past few years. Perhaps buying a G4 Mac was a good idea after all.....
That's it... (Score:5, Funny)
*unplugs ethernet adapter*
[NO CARRIER]
Re: (Score:2)
I think I have your cable right here [flickr.com].
I hope your computer is all right.
Re: (Score:3, Funny)
Hate to break the news to you, but that "ethernet" cable you unplugged was a phone cord leading to a modem. And you thought you had broadband ...
But you can't hear me now, can you?
Re: (Score:3, Funny)
Re: (Score:3)
What is the link layer protocol on Ethernet? CSMA/CD
Carrier Sense Multiple Access with Collision Detection.
Publicly available? (Score:4, Funny)
Indeed. And are you going to make patches publicly available for all the hardware and operating systems in the world, too?
Re:Publicly available? (Score:4, Informative)
Re:Publicly available? (Score:5, Insightful)
>I see, so your argument is that if it can't be fixed by the discoverer,
> they should keep it obscure.
Yeah, we could have the oft-heard chicken or egg debate. But we both know where it would end up. One side would say "disclose everything right away" and the other side would say "give the vendors a chance to fix it first". See how much time we just saved?
Re: (Score:2)
If you take a look at some of the many exploits used on the internet, many of them have been created by copying-and-pasting proof of concept code distributed by security researchers. Given that anyone capable of creating a complex exploit like this would have to be pretty skilled, that completely excludes the average script kiddie.
Although releasing proof of concept code may be necessary if Intel absolutely refuse to acknowledge or fix the issue, releasing it straight away for every single malware author to
Re: (Score:3, Insightful)
As an end-user, to me it doesn't matter. If patches aren't available, I still need to know the details of the vulnerability so I can judge which of my systems need how much of their external access blocked or removed. To me, keeping it secret doesn't remove the vulnerability. I have to assume that, if it exists, the bad guys know about it and will use it. The only question for me is whether or not I know I need to take protective measures. If you say I don't need to, then I say "OK, let's you sign this cont
Quote (Score:4, Insightful)
... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.
Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.
Re: (Score:3, Informative)
Which ones? (Score:5, Interesting)
Do we have a list of the processors affected by this? Or is this issue in ALL Intel processors?
Im sure his Anti Virus will stop it :) (Score:3, Funny)
And slow windows to a crawl.
Re:Im sure his Anti Virus will stop it :) (Score:4, Informative)
Im sure his Anti Virus will stop it :)
I initially made that mistake too, but Kris Kaspersky != Eugene Kaspersky
Kris [amazon.com] is a security researcher and author.
Eugene [wikipedia.org] is the guy behind Kaspersky Lab [wikipedia.org].
I wish the article had made the distinction, since some people are more familiar with Kaspersky the anti-virus creator and not the author.
Though this does remind me of the urban legend that anti-virus companies are behind all of the anti-viruses:
http://xkcd.com/250/ [xkcd.com]
filter (Score:2)
I wonder if these exploits can be prevented using a filter in the compiler?
It must depend some on the OS (Score:5, Informative)
If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.
Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OS'. These are OS' used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.
Re:It must depend some on the OS (Score:5, Informative)
Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare the hell out of us. Some of these are things that cannot be fixed in running code, and some are things that every operating system will do until about mid-2008, because that is how the MMU has always been managed on all generations of Intel/AMD/whoeverelse hardware. Now Intel is telling people to manage the MMU's TLB flushes in a new and different way. Yet even if we do so, some of the errata listed are unaffected by doing so.
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
And from TFA:
"It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."
Sounds like the the same issues to me.
Re:It must depend some on the OS (Score:4, Informative)
Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source [marc.info]):
As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.
People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys [imagicity.com].
you say tomato... (Score:5, Insightful)
They call it a flaw, while I call it a backdoor.
This exploit is extremely limited in scope... (Score:3, Informative)
My personal view is that such malware may only be able to take over a very small percentage of systems out there. The scope may be limited to something as (relatively) rare as an Intel Core 2 CPU within a specific FSB range and specific stepping. Throwing all those factors together, I doubt any such errata would encompass more than 10% of the PCs out there. Considering how many different variations of CPUs are out there--Intel/AMD/Via, Pentium-D/Core 2/Xeon/Pentium-M/Pentium 4, FSB differences, stepping, etc.; such malware might be extremely dangerous for a very small subset of Internet-connected PCs.
Now, if a malware author knows of a CPU bug that Intel/AMD does not know about, then this could be extremely serious, encompassing multiple generations of CPUs...
Re: (Score:2)
I doubt any such errata would encompass more than 10% of the PCs out there.
Even if 0.1% of all PC's/servers where affected, that would have a huge impact. The problem with most of these errata is that they can't be patched by the OS.
i've read a number of story summaries in my time (Score:4, Informative)
and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"
Discovery channel (Score:5, Funny)
As seen on today's TV schedule for Discovery
Now showing: Intel, when code attacks.
Next show: Lasers.
Next week: Shark week.
Interesting (Score:4, Insightful)
If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.
I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.
This is all possible if...
You need to reliably produce a series of instructions on a typical jvm. This doesn't present a problem as primitive expressions probably get predictable JIT sequences,
The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions that doubly bad.
One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.
Re: (Score:3, Interesting)
One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.
Remember that interpreting turns 1 instruction into hundreds of real machine instructions. I bare-minimum'd a basic add at around 112 or so once, based on a O(1) jump table and data decoding. That doesn't begin to touch on the data cache becoming, effectively, instruction cache for the interpreted instructions; or the massive overuse of instruction cache in an interpreter.
"Virtual Machine" are more a toy than a real tool. Mono and Java and .NET require real, native system support (i.e. gtk+ for gtk# etc)
Disable scripting/plug-ins by default/use NoScript (Score:5, Interesting)
If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript [noscript.net], which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.
Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI [wikipedia.org] instead of BIOS, such as all the Intel-based Macs?
Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab [kaspersky.com] or Eugene Kaspersky [wikipedia.org], but he's apparently the author of a number of books [amazon.com] on programming and other computer subjects.
Comment removed (Score:5, Interesting)
Re:Speculative (Score:4, Informative)
An attack against a Mac is also a possibility
That's a bit of a conjecture isn't it? Can we at least have a demonstration?
OMFG! From the summary:
Attack Code For Intel Chips ... regardless of OS
Re: (Score:2)
Nope. But I'm saying every OS use the chip differently. For example, Windows apps share the same memory space (well, far pointers do anyhow). So this does affect what a CPU-level attack could do. That and other issues I'm sure.
So, saying a specific CPU attack could also affect another system is speculative. I'm willing to concede there's a risk but simply FUDding the issue around is just not constructive.
Re: (Score:3, Informative)
Nope. But I'm saying every OS use the chip differently. For example, Windows apps share the same memory space (well, far pointers do anyhow). So this does affect what a CPU-level attack could do. That and other issues I'm sure.
Win 3.1 called and wants it memory model(s) back. Win32 has a 32-bit flat memory space (or 64-bit on x64), all pointers are the same size, segments do not matter and each process has a local space. Some pages might be shared, of course, but that's done through memory mapping, like in (mostly) any other OS. WinCE has/had some interesting slots, though.
Re: (Score:2)
You cheat!
But it was implied it was about Mac OS X on Intel Macs.
Re: (Score:2)
Yea, well MY other box is in moms basement. It is totally immune to your "real world" problems.
Re: (Score:2)
Now I know why javac stole my vacation pictures^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h^h porn. It was driven by an attacker!
Fixed.