
How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com)

Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.

Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.

  • by 140Mandak262Jamuna ( 970587 ) on Thursday January 04, 2018 @07:26PM (#55865627) Journal
    OK, the bug is big. Impact is going to be big. But who's gonna be punished by the market? Who can I short? Will users of Cloud services demand their processes to be hosted on exclusive servers not shared with others? Would it raise cloud costs? Would they punish Intel?
    • by XanC ( 644172 ) on Thursday January 04, 2018 @07:30PM (#55865645)

      Most likely Intel's numbers will go up, at least in the short term, as people buy more CPUs to make up for the performance hit.

      • by jabuzz ( 182671 )

        Assuming Intel don't get hit with a lawsuit demanding compensation for faulty products. Given the worst performance hit comes from Meltdown and only Intel seem to be vulnerable, there's a case to be answered. So shorting Intel stock seems the way to go as their numbers will be going down.

    • For every punishing move in the market, there's a reward for new, better, faster, or in this case, more secure.

      Who will get to market first with a fix? This will be fun to watch.

      • I don't think you understand: Meltdown can only be fixed by replacing your Intel processor. There are mitigation steps in software, but it is not possible to fix.
        • by DanDD ( 1857066 )

          Who will get to market with a fixed CPU, is what I should have said to be unambiguous.

          Whoever that company is may reap huge rewards, even if it's Intel.

          • AMD already has a "fixed" CPU. Only Intel is affected by Meltdown.
          • I think it would be premature at this point to start buying new processors. I believe that there are a number of related vulnerabilities that will emerge over the next year and I wouldn't want to guess which processors are vulnerable (well, anything in-order, with no branch predictor is probably fine).

            This has been concerning me for a little while. CPUs have come with a lot of performance improvements over the last 20-30 years that have introduced nondeterminism into execution timings and have regarded

    • Google and Amazon both say its negligible.

      http://www.businessinsider.com... [businessinsider.com]

    • OK, the bug is big. Impact is going to be big. But who's gonna be punished by the market? Who can I short? Will users of Cloud services demand their processes to be hosted on exclusive servers not shared with others? Would it raise cloud costs? Would they punish Intel?

      I read an article that said the Intel CEO dumped a bunch of stock last year, so it's probably too late to short them.

      • Intel's CEO dumps a bunch of stock every year, he only ever holds on to the minimum he is required to. Also when he does so the stock price doesn't move since he doesn't have stupidly high volumes like say Jeff Bezos.

    • by Kaenneth ( 82978 )

      Trezor, and other makers of hardware Bitcoin/Crypto wallets for one should go up.

      All software wallets can be assumed compromised at this point.

    • The punishment should be for you never to buy Intel again and to look for a cloud service that offers what you are asking (which I doubt is really out there since it would make cloud services ridiculously expensive - each user getting their own processor. You might as well leave the cloud at that point.)

  • Woah (Score:5, Insightful)

    by Anonymous Coward on Thursday January 04, 2018 @07:27PM (#55865633)

    Does EVERYTHING have to be in a bold font?

    Please fix!

    • by arth1 ( 260657 )

      Does EVERYTHING have to be in a bold font?

      It's just the front page, no?
      And it would make some people's posts slightly less obnoxious, as you won't see when they abuse the bold tag.

  • by 140Mandak262Jamuna ( 970587 ) on Thursday January 04, 2018 @07:29PM (#55865643) Journal
    Everyone is seeing too much of bold fonts? Did someone forget a closing bold tag in some style sheet?
    • I'm seeing all text in bold too. We can't ask too much of a nerd website if they can't even handle UTF-8 correctly.

    • I'm also seeing everything in bold, since sometime today.

    • by dohzer ( 867770 )

      I hacked your PC and inserted some bold text to test this vulnerability. Are you by chance running an Intel processor?

    • by gnunick ( 701343 )

      Everyone is seeing too much of bold fonts? Did someone forget a closing bold tag in some style sheet?

      Yeah, the entire article section had been enclosed within <strong> tags for some reason. I edited the source in Firefox and changed "<strong>" to the meaningless "<string>", just to make it bearable to read the page.

      But thankfully, a few page refreshes afterwards, and they'd already fixed it. Maybe someone had thought <strong> would somehow toughen their security.

      Anyway, c'mon guys... stop editing the live site! ;)

  • Is that yet another flaw or a duplicate name for one of the other two bugs we were already talking about in previous threads?

    In other news, is the Motorola 68K series immune to these two/three problems? (Amiga, Atari ST, classic Macs)

    • by AvitarX ( 172628 )

      I don't think they do predictive branching.

    • by AHuxley ( 892839 )
      Find a fast, modern OS for that CPU?
  • by Anonymous Coward

    If you're not running malicious programs on your computer, you're not vulnerable to these attacks. It's much tougher to sneak malicious functionality into open source software. If the source code is available, it's far more likely someone would notice the malicious behavior than if the software is closed source. It seems like the processor and other hardware hasn't been explored as an attack surface to nearly the same extent as software. I expect there will be more bugs like these, and it's a matter of time

  • by Anonymous Coward

    The article teases you with "how he did it" and answers with "he did it." You want to know how Meltdown or Spectre work? Read the papers: https://meltdownattack.com/

  • by dohzer ( 867770 )

    Good thing they clarified who ARM are by referencing a group I have vaguely heard of once or twice.

  • by Anonymous Coward

    Intel PR monkeys are trying to take AMD down with them, let's make this clear:

    For the 3 bugs, the biggest one only affects Intel CPUs; for bugs 2 and 3:

    AMD bug only affects THE SAME PROCESS, unlike Intel, which allows exploits to cross processes:

    https://googleprojectzero.blog... [blogspot.com]

    As shown, AMD was only vulnerable to "the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries."

    • That's not at all true. Spectre can most certainly access memory from other processes, including on AMD.

      What they are referring to is Meltdown, which is specifically a privilege escalation exploit that allows a user process to access kernel memory from within its own virtual memory space. Spectre, on the other hand, tricks another process into leaking its protected memory.

      Even then, the Spectre paper specifically mentions how it may be possible to use it to access privileged memory by targeting an interr
    • by _merlin ( 160982 )

      Given that JavaScript runs in the browser process, that's still dangerous. Even with process-per-tab isolation, JavaScript that exploits Spectre could potentially steal:

      • TLS session key
      • Cookies for a different domain that an asset is loaded from
      • Page content (leaking it to 3rd-party script)
      • Form autofill data (including passwords)
      • User input
  • Does this bring up another issue? As fixes roll out, what about Intel ME? That is supposed to be on a somewhat modern 32-bit Intel processor. So I would think that ME will have these same issues.

    How would that get patched? Can ME even access kernel memory on the main chip like Meltdown can on a VM?

    Hope this does not keep you awake at night :)
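As fixes roll out, the practical question for an administrator is whether a given Linux host reports the mitigations as active. The script below is an added example (not from this thread or from Intel) that summarises the kernel's self-reported status; it assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ files and runs against a constructed copy of that directory so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's Meltdown/Spectre status files.
# Assumes the sysfs vulnerabilities directory exists on the target kernel;
# the directory is a parameter so a constructed copy can be used for a dry run.

# classify FILE -> prints vulnerable | mitigated | not-affected | unknown
classify() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(cat "$1")" in
        "Not affected") echo not-affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# report DIR -> one "name<TAB>status" line per issue; returns 1 if any is vulnerable
report() {
    rc=0
    for f in "$1"/meltdown "$1"/spectre_v1 "$1"/spectre_v2; do
        s=$(classify "$f")
        printf '%s\t%s\n' "$(basename "$f")" "$s"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}

# Constructed sample (values invented for illustration, not captured from a
# real machine): kernel has Spectre v1 mitigated but Meltdown and v2 still open.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf 'Vulnerable\n' > "$SAMPLE/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE/spectre_v1"
printf 'Vulnerable\n' > "$SAMPLE/spectre_v2"

# Dry run against the constructed directory; replace $SAMPLE with
# /sys/devices/system/cpu/vulnerabilities on a real host.
report "$SAMPLE" || echo "at least one issue is still unmitigated"
```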

  • by JoeyRox ( 2711699 ) on Thursday January 04, 2018 @08:49PM (#55866045)
    FTA: The key players were independent researcher Paul Kocher and the team at a company called Cyberus Technology, said Gruss, while Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently.

    Which begs the question - how long has the NSA known about this too?
    • It isn't possible all these people independently "discovered" a 20 year old flaw at the same time. Think about it. Google supposedly discovered it six months ago. I don't believe it.
      • Why?

        • Re: (Score:2, Informative)

          by Anonymous Coward

          I encountered an only slightly older blog post where somebody demonstrates that speculative execution causes cache line reads. He claims no security hole and that the negative result is interesting because of how close he got. On reading it I had enough to develop the rest.

          Anders Fogh deserves the real credit. https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/

      • Hey, don't go insulting the Supreme Intelligence, a.k.a. Google and their Engineers. Surely we must believe they invented everything and found everything. Or maybe those random eastern European researchers used gmail to communicate, and Google found it there.. :)

      • by thomst ( 1640045 )

        https://slashdot.org/~110010001000 protested:

        It isn't possible all these people independently "discovered" a 20 year old flaw at the same time. Think about it. Google supposedly discovered it six months ago. I don't believe it.

        Apparently you haven't heard of steam engine time [urbandictionary.com]. If Newton and Leibniz could (more or less) simultaneously, independently invent "the calculus", why can't three disparate security research teams (more or less) simultaneously, independently discover the same security bug?

        Note, as another example from a third field, that both Jennifer Doudna's and Zhang Feng's teams (more or less) simultaneously, independently discovered the CRISPR gene-splicing techni

      • by e r ( 2847683 )
        It is probably the result of previous research done into cache timing attacks that was released a year or two ago. Then all these guys who are on the bleeding edge started getting curious how they could combine those earlier techniques with speculative execution and thus, since they all were spurred at the same time, came to the same conclusion at roughly the same time. Read the papers on Meltdown and Spectre: the papers used cache timing as a fundamental technique for carrying out the full attacks during t
    • by AHuxley ( 892839 )
      The NSA and GCHQ went for the network, servers, OS, networks at the place the OS was being created, hardware being exported, every network in and out of nations. Global and domestic collect it all.
      NSA ANT catalog https://en.wikipedia.org/wiki/... [wikipedia.org]
      PRISM (surveillance program) https://en.wikipedia.org/wiki/... [wikipedia.org]
      Room 641A https://en.wikipedia.org/wiki/... [wikipedia.org]
      Most of what was released talks to malware, OS support, hardware additions.
      What is missing is the Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org] effort
  • by Anonymous Coward

    For an article with a title containing "How a researcher hacked his own computer and found 'worst' chip flaw", there is very little detail about "How the Researcher Hacked His Own Computer" - other than the words "Daniel Gruss didn’t sleep much the night he hacked his own computer".

  • by gurps_npc ( 621217 ) on Thursday January 04, 2018 @10:43PM (#55866599) Homepage

    How much you want to bet that this was one of their dirty tricks...

    • I'm shocked that this is the first time I've seen anyone besides me suggest this is an on-purpose back door.
  • by Anonymous Coward

    Does this mean that users can use Meltdown and Spectre to peek behind the Windows 10 curtain, and see what telemetry it collects?

  • What is this "kernel" memory you speak of?
