[TPU] CacheOut is the Latest Speculative Execution Attack for Intel Processors - Overclock.net - An Overclocking Community
Forum Jump: 

[TPU] CacheOut is the Latest Speculative Execution Attack for Intel Processors

Reply
 
Thread Tools
post #1 of 41 (permalink) Old 01-28-2020, 04:49 AM - Thread Starter
New to Overclock.net
 
Imouto's Avatar
 
Join Date: Mar 2012
Posts: 2,137
Rep: 231 (Unique: 109)
[TPU] CacheOut is the Latest Speculative Execution Attack for Intel Processors

Quote:
Another day, another speculative execution vulnerability found inside Intel processors. This time we are getting a new vulnerability called "CacheOut", named after the exploitation's ability to leak data stored inside CPU's cache memory. Dubbed CVE-2020-0549: "L1D Eviction Sampling (L1Des) Leakage" in the CVE identifier system, it is rated with a CVSS score of 6.5. Despite Intel patching a lot of similar exploits present on their CPUs, the CacheOut attack still managed to happen.
TPU
Official info website

From the CacheOut website:

Am I affected by this vulnerability?

Probably yes, unless you happen to have a CPU released after Q4 2018.
For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA). See Section 9 in our our paper.
A list of affected products can be found here.

- AMD is not affected by CacheOut, as AMD does not offer any feature akin to Intel TSX on their current offering of CPUs.
- No, CacheOut cannot be exploited from a web browser, as web browsers currently don't expose the Intel TSX functionality to JavaScript.
- CacheOut is related to, and inspired by, previous work in speculative execution, including Spectre and Meltdown. Moreover, CacheOut bypasses the hardware mitigations released by Intel in response to Meltdown, thereby necessitating additional software fixes.
- Microarchitectural Data Sampling (MDS) shows that an attacker can sample in-flight data from various microarchitectural buffers. As a response to this, Intel recommends that operating system vendors overwrite the contents of these buffers. However, CacheOut demonstrates that this mitigation is incomplete, as we can force the victim's data out of the L1-D Cache into the microarchitectural buffers after the operating system clears them. We then subsequently leak the contents of the buffers and obtain the victim's data.

- We would like to thank Intel for working with us during the responsible disclosure.
- This research was supported by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under contract FA8750-19-C0531, by an Australian Research Council Discovery Early Career Researcher Award (project number DE200101577), and by generous gifts from Intel and AMD.

#EnthusiastLivesMatter

Last edited by Imouto; 01-28-2020 at 04:52 AM.
Imouto is offline  
Sponsored Links
Advertisement
 
post #2 of 41 (permalink) Old 01-28-2020, 06:18 AM
New to Overclock.net
 
bluechris's Avatar
 
Join Date: Feb 2015
Location: Athens - Greece
Posts: 229
Rep: 2 (Unique: 2)
There is no end in this right? So they fixed the cpu's that released after 2018q4 but till now they have done nothing more than 1 year to patch it for the rest cpu's.
What are they doing in Intel really?

CPU
Ryzen 3600
Motherboard
Gigabyte Aorus Pro
GPU
Nvidia GT710 Pci X1
RAM
Trident Z DDR4-3200MHz CL14-14-14-34 1.35V 64GB (4x16GB)
Hard Drive
HGST Ultrastar 7K4000 4TB 7200 RPM 512n SAS 6Gb/s 3.5-Inch 64MB HDD Enterprise Hard Drive HUS724040ALS640
Hard Drive
Samsung 860 Evo 1TB
Hard Drive
ADATA XPG SX8200 PRO 256GB M.2 2280
Power Supply
Corsair HX750i High-Performance ATX Power Supply — 750 Watt 80 Plus® PLATINUM Certified PSU
Cooling
Noctua NH-D15 chromax black
Cooling
Noctua NF-F12 PWM
Cooling
NOCTUA NF-A8 FLX FAN 80MM
Case
Corsair Carbide Air 740
Operating System
VMware ESXi 6.7 Update 3
Other
Asus HYPER M.2 X16 CARD V2
Other
HPE Smart Array P440/4GB FBWC 12Gb 1-port Int SAS Controller
▲ hide details ▲
bluechris is offline  
post #3 of 41 (permalink) Old 01-28-2020, 06:25 AM
ٴٴٴ╲⎝⧹˙͜>˙⧸⎠╱
 
TK421's Avatar
 
Join Date: May 2011
Posts: 5,668
Rep: 162 (Unique: 127)
Quote: Originally Posted by bluechris View Post
There is no end in this right? So they fixed the cpu's that released after 2018q4 but till now they have done nothing more than 1 year to patch it for the rest cpu's.
What are they doing in Intel really?

Only saving grace is that most home users aren't in danger of this.

nͫٴiͤٴcͫٴeͤ੮Һ૯ ცɿ૭ ૭คעٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴ ٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴ ٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴٴ ٴٴ
█▀█ █▄█ ▀█▀ ▀█▀



TK421 is offline  
Sponsored Links
Advertisement
 
post #4 of 41 (permalink) Old 01-28-2020, 06:32 AM
Otherworlder
 
epic1337's Avatar
 
Join Date: Feb 2011
Posts: 7,434
Rep: 222 (Unique: 128)
i'm not surprised, the core architecture line had already revealed how severely insecure it is.
hence no matter how many times they patch it, its just a matter of what new angle of attack they can use.

trolling an adult is very dangerous, don't try it at home nor at work. you don't want to play tag with a rabid man.
epic1337 is offline  
post #5 of 41 (permalink) Old 01-28-2020, 07:06 AM
New to Overclock.net
 
EniGma1987's Avatar
 
Join Date: Sep 2011
Posts: 6,415
Rep: 342 (Unique: 252)
They also have this going on at the same time:
https://www.wired.com/story/intel-zo...ive-execution/
Looks like they use similar or the same methods of accessing L1, and the CacheOut flaw can then be additionally exploited by Intel's failure to actually patch Zombieload correctly.


Last edited by EniGma1987; 01-28-2020 at 07:11 AM.
EniGma1987 is offline  
post #6 of 41 (permalink) Old 01-28-2020, 07:58 AM - Thread Starter
New to Overclock.net
 
Imouto's Avatar
 
Join Date: Mar 2012
Posts: 2,137
Rep: 231 (Unique: 109)
Quote: Originally Posted by bluechris View Post
There is no end in this right? So they fixed the cpu's that released after 2018q4 but till now they have done nothing more than 1 year to patch it for the rest cpu's.
What are they doing in Intel really?
No, there isn't as the product is flawed at its very foundation. Intel didn't fix newer CPUs, they partially mitigated certain types of attacks by turning off by default features such as TSX. If you activate them you are as exposed as anyone with an older CPU. I wouldn't say that's a "fix".

#EnthusiastLivesMatter
Imouto is offline  
post #7 of 41 (permalink) Old 01-28-2020, 08:37 AM
New to Overclock.net
 
bluechris's Avatar
 
Join Date: Feb 2015
Location: Athens - Greece
Posts: 229
Rep: 2 (Unique: 2)
Quote: Originally Posted by Imouto View Post
No, there isn't as the product is flawed at its very foundation. Intel didn't fix newer CPUs, they partially mitigated certain types of attacks by turning off by default features such as TSX. If you activate them you are as exposed as anyone with an older CPU. I wouldn't say that's a "fix".
What i know personally in my work as an IT is that the last 1 and a half year i have lost in our server room after bios updates and esxi patching at least 15 to 20% speed. I have 4 x dl380 g9 and 3 x dl380g8 all with dual cpu's, 128gb ram each and 1 dual fc to an hp array with esxi.
I did as a test puted the pc in my sig that i have build as my homelab server in work and damn me the thing is flying in everything.
I spoke to my boss and he agreed to build 4 x tr40 custom servers and we will sell all the HP ones.
I really don't know what Intel is thinking and kicking loyal customers like this. Constant speed loss, lower performance in hedt and this security holes that the way to be secure is to cut off from systems HT or anything.
I have no words really.

CPU
Ryzen 3600
Motherboard
Gigabyte Aorus Pro
GPU
Nvidia GT710 Pci X1
RAM
Trident Z DDR4-3200MHz CL14-14-14-34 1.35V 64GB (4x16GB)
Hard Drive
HGST Ultrastar 7K4000 4TB 7200 RPM 512n SAS 6Gb/s 3.5-Inch 64MB HDD Enterprise Hard Drive HUS724040ALS640
Hard Drive
Samsung 860 Evo 1TB
Hard Drive
ADATA XPG SX8200 PRO 256GB M.2 2280
Power Supply
Corsair HX750i High-Performance ATX Power Supply — 750 Watt 80 Plus® PLATINUM Certified PSU
Cooling
Noctua NH-D15 chromax black
Cooling
Noctua NF-F12 PWM
Cooling
NOCTUA NF-A8 FLX FAN 80MM
Case
Corsair Carbide Air 740
Operating System
VMware ESXi 6.7 Update 3
Other
Asus HYPER M.2 X16 CARD V2
Other
HPE Smart Array P440/4GB FBWC 12Gb 1-port Int SAS Controller
▲ hide details ▲
bluechris is offline  
post #8 of 41 (permalink) Old 01-28-2020, 08:59 AM
LTSC Consiglieri
 
skupples's Avatar
 
Join Date: Apr 2012
Location: Fort Lauderdale
Posts: 22,326
Rep: 649 (Unique: 349)
Quote: Originally Posted by epic1337 View Post
i'm not surprised, the core architecture line had already revealed how severely insecure it is.
hence no matter how many times they patch it, its just a matter of what new angle of attack they can use.
and this is why ~15 months ago we decided that all new hardware would be AMD based. End user, and infrastructure alike.

R.I.P. Zawarudo, may you OC angels' wings in heaven.
If something appears too good to be true, it probably is.
Best R0ach Quote of all time : TLDR: Haswell might be the last legit gaming platform unless mice get their own non-USB interface on some newer architecture.
skupples is offline  
post #9 of 41 (permalink) Old 01-29-2020, 08:23 AM
Iconoclast
 
Blameless's Avatar
 
Join Date: Feb 2008
Posts: 30,139
Rep: 3140 (Unique: 1873)
Quote: Originally Posted by bluechris View Post
I really don't know what Intel is thinking and kicking loyal customers like this. Constant speed loss, lower performance in hedt and this security holes that the way to be secure is to cut off from systems HT or anything.
I have no words really.
The foundation for most of these exploits was laid years, even decades, ago. What is Intel supposed to do? It's not they can afford to refrain from adding features and instructions that leverage or augment speculative execution, which is the basis for nearly every high-performance general purpose CPU released since 1995. Nor is it practical to comprehensively audit every one of these features internally. Most of these exploits wouldn't have been discovered at all if the features involved didn't have a broad presence in actual products to provide the incentive and raw demographics to find them.

They can't fix what they don't know about and they can't know about most of these vulnerabilities until they are discovered in the wild, long after products with them have entered service.

All they can do is try to foresee issues as best they can and patch vulnerabilities that are found as quickly as practical. As bad patches can be worse than no patches, sometimes disabling features is the only practical workaround for vulnerable parts.

The only customers Intel has 'kicked' are those who got the odd bit of defective microcode, or owners of platforms for which Intel could patch, but won't, due to age or other trade-offs.

...rightful liberty is unobstructed action according to our will within limits drawn around us by the equal rights of others. I do not add 'within the limits of the law,' because law is often but the tyrant's will, and always so when it violates the right of an individual. -- Thomas Jefferson
Blameless is offline  
post #10 of 41 (permalink) Old 01-29-2020, 09:22 AM
New to Overclock.net
 
Liranan's Avatar
 
Join Date: Nov 2010
Location: Soviet China... Oh wait..
Posts: 8,766
Rep: 616 (Unique: 300)
Quote: Originally Posted by TK421 View Post
Only saving grace is that most home users aren't in danger of this.
Who cares about desktop users? These vulnerabilities affect servers and mainframes.

Quote: Originally Posted by bluechris View Post
What i know personally in my work as an IT is that the last 1 and a half year i have lost in our server room after bios updates and esxi patching at least 15 to 20% speed. I have 4 x dl380 g9 and 3 x dl380g8 all with dual cpu's, 128gb ram each and 1 dual fc to an hp array with esxi.
I did as a test puted the pc in my sig that i have build as my homelab server in work and damn me the thing is flying in everything.
I spoke to my boss and he agreed to build 4 x tr40 custom servers and we will sell all the HP ones.
I really don't know what Intel is thinking and kicking loyal customers like this. Constant speed loss, lower performance in hedt and this security holes that the way to be secure is to cut off from systems HT or anything.
I have no words really.
The NSA have all the answers you seek.

Quote:
Quote:
Originally Posted by faraz1729 go_quote.gif
Haha, Liranan, you creep.

Tacitus - The more corrupt the state, the more numerous the laws

Only when the last tree has died and the last river been poisoned and the last fish been caught will we realise we cannot eat money. - Cree Indian Proverb
Liranan is offline  
Reply

Quick Reply
Message:
Options

Register Now

In order to be able to post messages on the Overclock.net - An Overclocking Community forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.
User Name:
If you do not want to register, fill this field only and the name will be used as user name for your post.
Password
Please enter a password for your user account. Note that passwords are case-sensitive.
Password:
Confirm Password:
Email Address
Please enter a valid email address for yourself.
Email Address:

Log-in



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page


Forum Jump: 

Posting Rules  
You may post new threads
You may post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off