How a Researcher Hacked His Own Computer and Found One of the Worst CPU Bugs Ever Found (reuters.com) 138
Reuters tells the story of how Daniel Gruss, a 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University, hacked his own computer and exposed a flaw in most of the Intel chips made in the past two decades. Prior to his discovery, Gruss and his colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's "kernel" memory, which is meant to be inaccessible to users, was only theoretically possible. From the report: "When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked," Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured. Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result. "We sat for hours in disbelief until we eliminated any possibility that this result was wrong," said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as "one of the worst CPU bugs ever found." The flaw, now named Meltdown, was revealed on Wednesday and affects most processors manufactured by Intel since 1995. Separately, a second defect called Spectre has been found that also exposes core memory in most computers and mobile devices running on chips made by Intel, Advanced Micro Devices (AMD) and ARM Holdings, a unit of Japan's Softbank.
If only I know who to short ... (Score:3, Insightful)
Re:If only I know who to short ... (Score:5, Insightful)
Most likely Intel's numbers will go up, at least in the short term, as people buy more CPUs to make up for the performance hit.
Re: (Score:3)
We don't know that AMD doesn't have its own issues which are just as bad...
However, AMD kind of has Intel on the ropes in the performance space with that Ryzen line. Intel's answer has been to drop more cores into the unit and then having to force them to lower clock rates due to heat. Intel is still turning huge profits, but AMD has started to recapture market share....
SO.... I point all this out to say the following. AMD now has a huge hole in Intel's armor to drive their marketing trucks through an
Re: (Score:2)
Until recently, Intel's best mainstream desktop CPU had four cores, and their best mainstream laptop CPU had two. (By "mainstream laptop" I mean the U series ultra-low-voltage parts, not the more power hungry H series that are used in gaming and workstation laptops.) They moved up the release date of the Coffee Lake aka 8000 series (six core desktop CPUs and four core U series laptop CPUs) as a response to the competitive threat from AMD.
Intel still has the edge in performance per core. Ryzen narrowed the
Re: (Score:1)
That's a massive mischaracterization of the fuckedness. Intel CPUs allow access to privileged memory from user space. There is no fix and the mitigation will cause significant slowdowns for any workloads that frequently switch between kernel space and user space. That's server loads. That's VM loads. AMD is not affected by this bug. The bug that affects AMD CPUs most likely also affects all other modern processors. It has been shown for Intel and ARM CPUs and there are rumors that IBM PowerPC also misbehave
Re: (Score:2)
AMD seems way better off.
AMD was closing the performance gap, now Intel just lost about 5-10% (workload dependent estimated mitigation costs of Meltdown on a CPU with PCID) performance. This puts AMD at a tie in some areas (cost equivalent single thread) where it was slightly behind, and further grows its multi thread advantage.
Both CPUs are in theory vulnerable to Spectre, which will likely be mitigated in software by application and be equally damaging to all.
At least that's how I've read it. Mitigation of me
Re:If only I know who to short ... (Score:5, Insightful)
Actually, AMD is significantly harder to exploit than Intel. The performance crushing patch simply brings the Intel processor level with AMD.
Re: (Score:2)
By level, I mean in terms of security.
Re: (Score:2)
You're right that AMD is unaffected (as unaffected as anything), but I don't think they can handle the volume. Not in the short term.
Re: (Score:1)
But they may be able to handle an extra 10-15% of cash for the same volume. That'd be real good on the books.
Re: (Score:2)
Actually, I'd expect many businesses to use it as an excuse to outsource more of their outdated on-prem equipment to "the cloud". Guess who makes over 95% of the CPUs used by the cloud hosting providers? Not AMD's.
Sure, that might sound counter-intuitive considering that this vulnerability showed a huge potential security issue with shared hosting models. That said, spending more money on upgrading what's considered to be a "legacy" data center by senior management probably won't get you that "VP of Infras
Re: (Score:3)
That would be exactly opposite of the right strategy. As bad as information leaks between processes can be, it's worse when those other processes are owned by a different entity. Who would you rather be potentially able to read your banking details, a family member or some random guy whose name you don't know who could be living anywhere in the world?
Re: (Score:3)
You're assuming that the attacker has no control over their placement. The only person who is going to see leaks from these vulnerabilities is someone who is actively running the exploit (you don't just get someone else's memory in your address space, you have to scan it one bit at a time). If I wanted to exploit this, I'd spin up a bunch of VMs in Amazon, Google, and Microsoft's clouds and start scanning. I would not be actively targeting your company, but if I saw anything confidential and valuable the
Re: (Score:3)
No, I was considering that. If my company uses a public cloud, one of those bad actors MIGHT end up running in another VM on the same machine my VM is running on. If instead, I run on a server I actually own and use exclusively, even if I run several VMs, I can KNOW that the bad guy is NOT also running a VM on that server. At worst, another department in the same company might have a VM on the same hardware with me.
So if security is a concern at all, avoiding outsourcing VMs to the cloud is the right strate
Re: (Score:2)
Assuming Intel don't get hit with a lawsuit demanding compensation for faulty products. Given the worst performance hit comes from Meltdown and only Intel seem to be vulnerable, there's a case to be answered. So shorting Intel stock seems the way to go as their numbers will be going down.
First to market with a fixed CPU gets big rewards? (Score:2)
For every punishing move in the market, there's a reward for new, better, faster, or in this case, more secure.
Who will get to market first with a fix? This will be fun to watch.
Re: (Score:2)
Who will get to market with a fixed CPU, is what I should have said to be unambiguous.
Whoever that company is may reap huge rewards, even if it's Intel.
Re: (Score:2)
I think it would be premature at this point to start buying new processors. I believe that there are a number of related vulnerabilities that will emerge over the next year and I wouldn't want to guess which processors are vulnerable (well, anything in-order, with no branch predictor is probably fine).
This has been concerning me for a little while. CPUs have come with a lot of performance improvements over the last 20-30 years that have introduced nondeterminism into execution timings and have regarded
I'm not so sure the impact is going to be big (Score:2)
Google and Amazon both say it's negligible.
http://www.businessinsider.com... [businessinsider.com]
To nit pick myself (Score:1)
I guess technically the CVSS scale runs from 0 to 10, but still this one wallows in the bottom half of the Low classification.
https://nvd.nist.gov/vuln-metr... [nist.gov]
Re: (Score:3)
I can't help but wonder if this is only because they haven't found much in the kernel address space. If one could find hashed passwords for local accounts, it might cause people to reconsider...
Re: (Score:3)
The link you provided reports the following CVSS metrics:
Base 4.4 AV:L/AC:M/Au:S/C:C/I:N/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 5.1 CDP:ND/TD:H/CR:H/IR:ND/AR:ND
Where did you read 1.5?
Re: (Score:1)
They updated it. Was a 1.5 earlier.
http://web.archive.org/web/201... [archive.org]
Re: (Score:2)
OK, the bug is big. Impact is going to be big. But who's gonna be punished by the market? Who can I short? Will users of Cloud services demand their processes to be hosted on exclusive servers not shared with others? Would it raise cloud costs? Would they punish Intel?
I read an article that said the Intel CEO dumped a bunch of stock last year, so it's probably too late to short them.
Re: (Score:2)
Intel's CEO dumps a bunch of stock every year, he only ever holds on to the minimum he is required to. Also when he does so the stock price doesn't move since he doesn't have stupidly high volumes like say Jeff Bezos.
Re: (Score:2)
Trezor, and other makers of hardware Bitcoin/Crypto wallets for one should go up.
All software wallets can be assumed compromised at this point.
Re: (Score:2)
The punishment should be for you never to buy Intel again and to look for a cloud service that offers what you are asking (which I doubt is really out there since it would make cloud services ridiculously expensive - each user getting their own processor. You might as well leave the cloud at that point.)
Woah (Score:5, Insightful)
Does EVERYTHING have to be in a bold font?
Please fix!
Re: (Score:2)
Does EVERYTHING have to be in a bold font?
It's just the front page, no?
And it would make some people's posts slightly less obnoxious, as you won't see when they abuse the bold tag.
Is it just me? or ... (Score:5, Insightful)
Re: (Score:3)
I'm seeing all text in bold too. We can't ask too much of a nerd website if they can't even handle UTF-8 correctly.
Re: (Score:2)
I'm also seeing everything in bold, since sometime today.
Re: (Score:2)
Software Shouldn't Suck
I think your sig needs another line: Hardware Shouldn't Suck
Re: (Score:2)
I hacked your PC and inserted some bold text to test this vulnerability. Are you by chance running an Intel processor?
Re: (Score:2)
Everyone is seeing too much bold font? Did someone forget a closing bold tag in some style sheet?
Yeah, the entire article section had been enclosed within <strong> tags for some reason. I edited the source in Firefox and changed "<strong>" to the meaningless "<string>", just to make it bearable to read the page.
But thankfully, a few page refreshes afterwards, and they'd already fixed it. Maybe someone had thought <strong> would somehow toughen their security.
Anyway, c'mon guys... stop editing the live site! ;)
So... (Score:2)
Is that yet another flaw or a duplicate name for one of the other two bugs we were already talking about in previous threads?
In other news, is the Motorola 68K series immune to these two/three problems? (Amiga, Atari ST, classic Macs)
Re: (Score:2)
Synergy, eh?
Bingo!
Re: (Score:2)
I seriously doubt the 68000 series has this issue.... Security was designed in from the start on these processors, even if it wasn't actually implemented until later. Between the 68000 and the 68030 there wasn't any need to change anything to run your program and only ONE instruction had to be modified (it had a different set of flags returned where one bit now was variable, instead of fixed).
The security architecture of Intel's solution was implemented after the fact. It had to pay homage to legacy instr
Re: (Score:1)
I don't think they do predictive branching.
Can you trust your software? (Score:1, Insightful)
If you're not running malicious programs on your computer, you're not vulnerable to these attacks. It's much tougher to sneak malicious functionality into open source software. If the source code is available, it's far more likely someone would notice the malicious behavior than if the software is closed source. It seems like the processor and other hardware hasn't been explored as an attack surface to nearly the same extent as software. I expect there will be more bugs like these, and it's a matter of time
Re: (Score:1)
Did you even read the text from the AC you replied to? Different AC here, but s/he said:
(like a lot of JavaScript that could exploit Spectre-like vulnerabilities
The point being to avoid untrustworthy code, which javascript from random 3rd party domains included by whatever web site you happen to visit, well... IS.
Time and time again we see this. Disabling JS by default is necessary to use the web securely.
Worthless submission (Score:1)
The article teases you with "how he did it" and answers with "he did it." You want to know how Meltdown or Spectre work? Read the papers: https://meltdownattack.com/
Soft (Score:2)
Good thing they clarified who ARM are by referencing a group I have vaguely heard of once or twice.
AMD bug only affects THE SAME PROCESS, unlike Inte (Score:2, Informative)
Intel PR monkeys are trying to take AMD down with them, let's make this clear:
For the 3 bugs, the biggest one only affect Intel CPUs, for bug 2 and 3:
AMD bug only affects THE SAME PROCESS, unlike Intel, which allows exploits to cross processes:
https://googleprojectzero.blog... [blogspot.com]
As shown, AMD was only vulnerable to "the ability to read data inside mis-speculated execution within the same process, without crossing any privilege boundaries."
Re: AMD bug only affects THE SAME PROCESS, unlike (Score:3, Interesting)
What they are referring to is Meltdown, which is specifically a privilege escalation exploit that allows a user process to access kernel memory from within its own virtual memory space. Spectre, on the other hand, tricks another process into leaking its protected memory.
Even then, the Spectre paper specifically mentions how it may be possible to use it to access privileged memory by targeting an interr
Re: (Score:2)
Given that JavaScript runs in the browser process, that's still dangerous. Even with process-per-tab isolation, JavaScript that exploits Spectre could potentially steal:
Intel ME (Score:2)
Does this bring up another issue? As fixes roll out, what about Intel ME? That is supposed to be a somewhat modern 32 bit Intel processor. So I would think that ME will have these same issues.
How would that get patched? Can ME even access kernel memory on the main chip like Meltdown can on a VM?
Hope this does not keep you awake at night :)
Three independent teams found bug at same time (Score:5, Interesting)
Which begs the question - how long has the NSA known about this too?
Re: (Score:2)
Why?
Re: (Score:2, Informative)
I encountered an only slightly older blog post where somebody demonstrates that speculative execution causes cache line reads. He claims no security hole and that the negative result is interesting because of how close he got. On reading it I had enough to develop the rest.
Anders Fogh deserves the real credit. https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/
Re: (Score:1)
Hey, don't go insulting the Supreme Intelligence, a.k.a. Google and their Engineers. Surely we must believe they invented everything and found everything. Or maybe those random eastern European researchers used gmail to communicate, and Google found it there.. :)
Re: (Score:3)
https://slashdot.org/~110010001000 protested:
It isn't possible all these people independently "discovered" a 20 year old flaw at the same time. Think about it. Google supposedly discovered it six months ago. I don't believe it.
Apparently you haven't heard of steam engine time [urbandictionary.com]. If Newton and Leibniz could (more or less) simultaneously, independently invent "the calculus", why can't three disparate security research teams (more or less) simultaneously, independently discover the same security bug?
Note, as another example from a third field, that both Jennifer Doudna's and Zhang Feng's teams (more or less) simultaneously, independently discovered the CRISPR gene-splicing techni
Re: (Score:1)
NSA ANT catalog https://en.wikipedia.org/wiki/... [wikipedia.org]
PRISM (surveillance program) https://en.wikipedia.org/wiki/... [wikipedia.org]
Room 641A https://en.wikipedia.org/wiki/... [wikipedia.org]
Most of what was released talks to malware, OS support, hardware additions.
What is missing is the Equation Group https://en.wikipedia.org/wiki/... [wikipedia.org] effort
Very little about "How" (Score:1)
For an article with a title containing "How a researcher hacked his own computer and found 'worst' chip flaw", there is very little detail about "How the Researcher Hacked His Own Computer" - other than the words "Daniel Gruss didn’t sleep much the night he hacked his own computer".
Bet the NSA is pissed this went public (Score:3)
How much you want to bet that this was one of their dirty tricks...
Peek behind the curtain (Score:1)
Does this mean that users can use Meltdown and Spectre to peek behind the Windows 10 curtain, and see what telemetry it collects?
"kernel" (Score:2)
What is this "kernel" memory you speak of?
Re: (Score:2)
It means the cheap Indian/Chinese workers don't have the cultural bias towards creativity that 'western' workers do; and are less likely to find and report unexpected behavior because they don't want to make their superiors look bad.
I worked for a month for an India based software co, and the bosses *deleted unfixed bugs from the database* in order to appear better. I got away from that company ASAP.
Re: (Score:2)
It means the cheap Indian/Chinese workers don't have the cultural bias towards creativity that 'western' workers do; and are less likely to find and report unexpected behavior because they don't want to make their superiors look bad.
I worked for a month for an India based software co, and the bosses *deleted unfixed bugs from the database* in order to appear better. I got away from that company ASAP.
The other possibility is that they are equally creative, but don't have the confidence to raise the flag, since they don't have the protection of being a white American citizen? Or that "this may be the work of the CIA", so let's pretend we don't know about this?