Daniel Gruss barely slept the night he hacked into his own computer and confirmed that it was possible to exploit a vulnerability present in most microprocessors released by the hardware giant Intel over the past two decades.
The 31-year-old information security researcher and postdoc at Graz University of Technology had penetrated the innermost part of the CPU and extracted confidential information from it.

Until that moment, Gruss and his colleagues Moritz Lipp and Michael Schwarz believed that such an attack on the memory of the processor kernel, which should be inaccessible to the user, was possible only in theory.
“When I saw how the web addresses from Firefox, which should only be accessible to me, were read from the memory of the program I wrote, it shocked me incredibly,” said Gruss in an interview he gave Reuters via email, describing how he managed to reveal sensitive data that should have been protected.
In early December, working at weekends, each at home, Gruss, Lipp and Schwarz exchanged a flurry of messages with each other in order to verify the result they had obtained.
“We checked everything for hours, not trusting the result, until we ruled out the slightest possibility of error,” said Gruss, who could not calm down at that time or get any sleep even after he turned off the computer.
Gruss and his colleagues had just confirmed the existence of what he considers “one of the most serious errors ever found in processors.”
The vulnerability, now called Meltdown, was revealed on Wednesday. It affects most processors manufactured by Intel since 1995.
Separately, another “hole” was found, called Spectre. This vulnerability also exposes kernel memory in most computers and mobile devices running on processors made by Intel, AMD and ARM.
Both are capable of giving attackers access to anything: passwords, and even photos stored on desktops, laptops, cloud servers or smartphones. It is not known whether hackers could have carried out such incursions into systems earlier, since neither Meltdown nor Spectre leaves any traces.
Intel announced that it has begun providing software and firmware updates to mitigate the effects of the problem. ARM also stated that it is working, together with AMD and Intel, on the corresponding patches.
Finding a solution to the problem
The find was first reported by the technical online magazine The Register. As a result, the material on the vulnerability was published a week earlier than the manufacturers had planned, that is, before they had time to develop protective tools to completely eliminate the problem.
The team from Graz was by then already working on a tool to protect systems from attempts to steal secret data from kernel memory.
In a paper published in June of last year, they named it KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).
As the name implies, KAISER is aimed at protecting kernel memory from a side-channel attack that exploits a feature of modern processor architecture intended to increase speed.
This feature is out-of-order execution: the processor executes instructions out of the sequence in which it receives them. If the speculatively executed code turns out to be on the correct path, time is saved. If the assumption was incorrect, the results of the speculative work are discarded and no time is lost.
In addition, the researcher Anders Fogh had published an article about the possibility of attacking kernel memory by abusing the speculative execution mechanism. In practice, however, he was unable to implement it.
Responsible Disclosure
Only after the researcher’s successful hack of his own computer in December did the importance of the Graz team’s earlier work become apparent. It turned out that KAISER provides effective protection against the Meltdown vulnerability.
The team quickly contacted Intel and learned that other researchers, partly inspired by Fogh’s article, had made similar discoveries.
They worked under the terms of responsible disclosure, which means that researchers inform the affected companies about their findings in order to give them time to prepare patches that fix the deficiencies found.
According to Gruss, independent researcher Paul Kocher and his team from Cyberus Technology were the key players here, while Jann Horn from Google Project Zero came to similar conclusions on his own.
“In mid-December, we joined forces with the team of Paul Kocher and employees of Cyberus Technology to work on two solid publications on Meltdown and Spectre,” said Gruss.
Gruss did not even know about the work that Horn had done.
“It’s very impressive that Jann Horn created it all on his own,” he said. “We developed a very similar attack, but in our case we are talking about a team of 10 researchers.”
The group of researchers reported that patches to protect against the Meltdown vulnerability, based on KAISER, have been prepared for operating systems from Microsoft and Apple, as well as for Linux.
There is still no fix for Spectre, which allows programs to be tricked into exposing confidential data. However, this vulnerability is more difficult for attackers to exploit.
When Gruss was asked which of the two vulnerabilities was more dangerous, he replied: “The problem of today is Meltdown. Next comes Spectre. This vulnerability is more difficult to exploit, but it is also more difficult to fix. As a result, in the long run, I would bet on Spectre.”
Dear readers! What do you think will change in the world of information technology after the disclosure of the Meltdown and Spectre vulnerabilities?
