Secure Digital Life #51
Recorded on February 6, 2018 at G-Unit Studios in Rhode Island!
Topic: The Little Processor who could not...
So this happened:
- Two main CPU manufacturers, Intel and AMD
- Intel got served by Google finding a flaw built into their processors
- Apparently, this affects all Intel processors for pretty much ever (say 20 years)
- Caching is where you set aside some space so that you can either quickly recall things, OR you may want to calculate things in advance for different outcomes
- At the Truck Stop where I worked, I had a list of things written down that had discounts on it. Almost all the trucks used about the same amount of fuel, but different companies paid different prices. That means that one truck got a discount of 2.5% of the price, so I always computed all the common amounts like 100 and 200 gallons at the discount and wrote it down in advance.
- So the two types of things here are (1) the card with the amount on it and (2) the calculation of the possible amounts -- processors may start calculating all possible or likely possible outcomes before the need arises, to be quick.
- This is caching and speculative execution, and these are critical to Spectre.
- Another issue is Protected Memory
- AMD has a similar flaw in the TPM (trusted processing module)
- Protected memory is a space that is a bank vault for any given process. This way a process can put its really secret things (like keys) in this space and ensure that other processes can't get to it.
- A side channel attack? This is when you "know" where something is stored in memory and as such can redirect or recover from that memory location.
- So what are Spectre and Meltdown?
- Basically, they are types of stack overflows which allow side channel attacks to be executed and as such, you can see things you shouldn't.
So, what are they:
- Spectre: (CVE-2017-5753) -- a bounds check bypass
- Spectre: (CVE-2017-5715) -- branch target injection
- Meltdown: (CVE-2017-5754) -- rogue data cache load
So, what are these things:
- a bounds check bypass -- this means that when something is using speculative calculation, it actually may access protected space before we have checked its security clearance. (This is the guy who walks in the exit accidentally and sees the alien corpse.) Basically, the information could be changed or used in various ways to exploit the kernel, etc.
Basically, this allows you to see things you shouldn't be able to see.
- The second part of Spectre is using this speculative execution and influencing it using another process. So, if we can cause the predictor to modify its behavior, we may be able to reveal information in the cache that would otherwise be secured.
- So back to the truckstop:
- I didn't want people to see my list, so I taped it to the shelf under the counter. The bounds check bypass would be someone leaning over the counter and accidentally seeing my list. Branch target injection would be more of a social engineering hack where the driver asks the price for Truck X when the driver is driving Truck Y.
- is basically redirecting (like the linked list overflows) code so that the side channel attack can be executed to get all sorts of data from protected space (again with these predictors) that you shouldn't be able to see.
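The bounds check bypass (CVE-2017-5753) described above, shown as the code pattern it applies to next to a hardened form. This is an added example, not from the show; the table, its size and the function names are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16u  /* constructed sample size */

/* Constructed sample data standing in for a table that callers may index. */
static const uint8_t table[TABLE_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* Exposed pattern: the result is always architecturally correct, but the CPU
 * may guess "in range" and speculatively load table[idx] for an out-of-range
 * idx before the comparison has resolved. */
uint8_t lookup_checked(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* SIZE_MAX when idx < len, 0 otherwise, computed with arithmetic only so the
 * branch predictor has nothing to guess. Requires len <= SIZE_MAX / 2 + 1. */
size_t index_mask(size_t idx, size_t len)
{
    size_t out_of_range = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return out_of_range - 1;
}

/* Hardened pattern: even on a mispredicted path the index is forced to 0, so
 * the speculative load stays inside the table. Production code also keeps the
 * compiler from turning the mask back into a branch (the Linux kernel's
 * array_index_nospec() is one such helper). */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= index_mask(idx, TABLE_LEN);
        return table[idx];
    }
    return 0;
}

int main(void)
{
    printf("in range:     %u\n", (unsigned)lookup_hardened(3));
    printf("out of range: %u\n", (unsigned)lookup_hardened(1000));
    return 0;
}
```

Both functions return the same values; the difference is only in what the processor can touch while it is still guessing.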
In summary:
- Meltdown is BAD but fixable. Spectre requires a lot of knowledge about how something works (but people have that) and is much harder to patch.
- What will happen: Well, these exploits will likely surface as the basis of attacks for some time, since pretty much every Intel processor is vulnerable to them.
- What should you do:
- Patching: When patches arrive, you should probably apply them to end user systems. Servers, well, you should evaluate the impact and the risk, but you probably want to patch them.
- Should you worry: Spectre requires malware to be installed, so keep your antimalware (malwarebytes.com) and anti-virus up to date and use good hygiene to avoid installing risky things.
- Should I replace my motherboard with AMD? -- AMD has a similar vulnerability that Google found as well.