
sudo apt install sl · 7,306 Posts · Discussion Starter #1 (Edited)
Source: https://www.phoronix.com/scan.php?page=news_item&px=Reviving-Foreshadow-Bad

> Security researchers from Graz University of Technology and CISPA Helmholtz are out with their latest findings on CPU speculative execution vulnerabilities, namely taking another look at L1TF/Foreshadow. Their findings are bad news not only for Intel but potentially other CPU vendors as well.
>
> Their interesting research most recently has been looking at the prefetching effect observed in previous micro-architectural attacks only to find that the attribution to the CPU prefetching mechanism is incorrect. Instead the issue turns out to be speculative dereferencing of user-space registers in the kernel, according to this latest research.
More patching, yay!

https://arxiv.org/abs/2008.02307

> 10 CONCLUSION
>
> We confirmed the empirical results from several previous works [22, 57, 94, 103] while showing that the underlying root cause was misattributed in these works, resulting in incomplete mitigations [11, 21, 57, 68, 94, 96]. Our experiments clearly show that speculative dereferencing of a user-space register in the kernel causes the leakage. As a result, we were able to improve the performance of the original attack and show that CPUs from other hardware vendors like AMD, ARM, and IBM are also affected. We demonstrated that this effect can also be exploited via JavaScript in browsers, enabling us to leak the physical addresses of JavaScript variables. To systematically analyze the effect, we investigated its leakage capacity by implementing a cross-core covert channel which works without shared memory. We presented a novel technique, Dereference Trap, to leak the values of registers used in SGX (or privileged contexts) via speculative dereferencing. We demonstrated that it is possible to fetch addresses from hypervisors into the cache from the guest operating system by triggering interrupts, enabling Foreshadow (L1TF) on data from the L3 cache. Our results show that, for now, retpoline must remain enabled even on recent CPU generations to fully mitigate high impact microarchitectural attacks such as Foreshadow.

> We run the same experiment on a Raspberry Pi 3 (ARM Cortex-A53, Ubuntu 18.04, kernel 4.15.0), an in-order CPU with no branch prediction [4]. Thus, this CPU is not susceptible to any Spectre-type attacks. Running the same code for 1 hour, we do not observe any cache fetches. Therefore, as no leakage appears on an in-order CPU without branch prediction, the effect must be related to Spectre. The hypothesis that the effect is hardware-specific to Intel CPUs is incorrect; any CPU susceptible to Spectre-BTB is vulnerable to speculative dereferencing in the kernel if the mitigations are not enabled.
Wish they tested newer architectures like Ice Lake, Zen+/2.

Here are the chips they evaluated along with the OS and kernel versions.

CPU                       OS               Kernel
Intel i5-8250U            Linux Mint 19    4.15.0-52
Intel i7-8700K            Ubuntu 18.04     4.15.0-55
ARM Cortex-A57            Ubuntu 16.04.6   4.4.38-tegra
AMD Threadripper 1920X    Ubuntu 17.10     4.13.0-46
 
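Added example (not from the paper or this thread): a small Python checker for the kernel's own report of these mitigations. Linux exposes one status file per bug under /sys/devices/system/cpu/vulnerabilities/ (the real interface; the status strings are written as "Not affected", "Vulnerable[: ...]" or "Mitigation: ..."). The script reads spectre_v2 and l1tf and flags the two conditions the conclusion quoted above turns on: Spectre-BTB left unmitigated, so speculative dereferencing of user-space registers in the kernel is not blocked, and spectre_v2 mitigated without retpoline, which the authors argue must stay enabled even on recent CPU generations. The sample status strings embedded below are constructed in the kernel's format so the script runs offline; on a Linux host it reads the live files instead.

```python
"""Check the Linux sysfs CPU-vulnerability status files for the mitigations
discussed in the thread: Spectre-BTB (spectre_v2) and L1TF/Foreshadow (l1tf).
Added example; the sysfs path is the kernel's real interface, the sample
strings at the bottom are constructed, not captured from a real host."""
from pathlib import Path
from typing import Dict, List

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
WATCHED = ("spectre_v2", "l1tf")


def parse_status(name: str, text: str) -> dict:
    """Turn one status line into {name, status, detail, findings}.
    The kernel writes 'Not affected', 'Vulnerable[: ...]' or 'Mitigation: ...'."""
    text = text.strip()
    if text.startswith("Not affected"):
        status = "not_affected"
    elif text.startswith("Vulnerable"):
        status = "vulnerable"
    elif text.startswith("Mitigation:"):
        status = "mitigated"
    else:
        status = "unknown"
    detail = text.split(":", 1)[1].strip() if ":" in text else ""
    findings: List[str] = []
    if name == "spectre_v2":
        if status == "vulnerable":
            findings.append("Spectre-BTB unmitigated: speculative dereferencing of "
                            "user-space registers in the kernel is not blocked")
        elif status == "mitigated" and "retpoline" not in detail.lower():
            # The paper's conclusion: retpoline must remain enabled even on
            # recent CPU generations to fully mitigate Foreshadow-class attacks.
            findings.append("mitigated without retpoline (" + detail + ")")
    if name == "l1tf":
        if status == "vulnerable":
            findings.append("L1TF/Foreshadow unmitigated")
        elif "SMT vulnerable" in detail:
            findings.append("L1TF: SMT still vulnerable for VMX guests")
    return {"name": name, "status": status, "detail": detail, "findings": findings}


def audit(entries: Dict[str, str]) -> List[str]:
    """Run parse_status over {file name: file contents}; return 'name: finding' lines."""
    out: List[str] = []
    for name in WATCHED:
        if name not in entries:
            out.append(f"{name}: no status file (kernel predates this report)")
            continue
        out.extend(f"{name}: {f}" for f in parse_status(name, entries[name])["findings"])
    return out


def read_sysfs(directory: Path = SYSFS_DIR) -> Dict[str, str]:
    """Read every status file; returns {} on non-Linux hosts or old kernels."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


# Constructed samples in the kernel's output format (not from any real machine).
SAMPLE_RETPOLINE = {
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n",
}
SAMPLE_EIBRS_ONLY = {
    "spectre_v2": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling\n",
    "l1tf": "Not affected\n",
}
SAMPLE_UNMITIGATED = {
    "spectre_v2": "Vulnerable\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    print("source:", "live sysfs" if live else "constructed sample (no sysfs on this host)")
    for line in audit(live or SAMPLE_UNMITIGATED) or ["no findings"]:
        print(" -", line)
```

Run it as root or any user (the status files are world-readable); a machine whose spectre_v2 line reads "Mitigation: Enhanced IBRS, ..." without retpoline is exactly the configuration the paper's conclusion says is still exposed, and an absent file means the kernel predates the report for that bug rather than that the host is safe.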

Registered · 354 Posts

sudo apt install sl · 7,306 Posts · Discussion Starter #3
> Don't know why they wouldn't test with Windows 10. After all, it has a heavy end-user base globally speaking for desktop.
> Out of those 4 CPUs tested, 2 are used in desktops, and Windows wins hands down in popularity.
> https://gs.statcounter.com/os-market-share/desktop/worldwide
They did test Windows 10 1803 and were able to replicate it. These attacks will most likely be used on Linux machines due to being more popular for servers/research workstations.

> On Windows 10 (build 1803.17134), there is no direct physical mapping we can use to fetch addresses into the cache and verify the mapping. We fill all general-purpose registers with a kernel address and perform the syscall SwitchToThread. Afterwards, we perform Flush+Reload in a kernel driver to verify the speculative dereferencing in the kernel. We observe about 15 cache fetches per second for our kernel address.
 

Registered · 354 Posts
> They did test Windows 10 1803 and were able to replicate it. These attacks will most likely be used on Linux machines due to being more popular for servers/research workstations.
I know of medical research places that use Windows desktop systems, however they may be the exception.
But yes indeed; however, 1903 & 2004 are the more common versions of Windows 10 today overall.

On another note, even if malware gets through via the CPU exploit, the MS VBS system also comes into play.
https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

& also this with AMD's PRO products..
https://www.amd.com/en/technologies/pro-security
 

Registered · 3,651 Posts
A few decades from now we'll find out it's all a ploy to make the world dependent on Raspberry Pi's.
 

LTSC for life crew · 2,873 Posts
> A few decades from now we'll find out it's all a ploy to make the world dependent on Raspberry Pi's.
When the new 8 gig Pi was released not too long ago, I read that the Pi is close to break even for production cost compared to sale price and sometimes can even be made at a loss if material prices change. Seems if they were going to take over the world they'd run the Pi foundation out of business in the process.
 

Premium Member · 6,583 Posts
So it looks like to fix this the CPUs must increase register space and maintain whatever privilege level register data is currently being dropped? Doesn't sound TOO bad for being able to fix in future generations.
 

Premium Member · 10,765 Posts
> So it looks like to fix this the CPUs must increase register space and maintain whatever privilege level register data is currently being dropped? Doesn't sound TOO bad for being able to fix in future generations.
Well, aren't you all glass half full today. :)
 