24 votes

All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix

7 comments

  1. [3]
    Luna (edited ) Link
    If anyone else is confused like I was at first, Spoiler is the name of the attack, this isn't a spoiler warning or anything. I tried removing the "spoiler" tag, but "spoiler attack" also gets the spoiler tag, so I put the "spoiler" tag back.

    This attack can be used to gain information about page mappings and make Rowhammer attacks extremely fast. Unlike Spectre, there seems to be no software mitigation (except for browsers, which can do some mitigation for JS attacks, but a non-browser based attack cannot be prevented), and according to the paper's author, "I don't think we will see a patch for this type of attack in the next five years". Someone correct me if I'm wrong about this, but basically this makes it easier for (once thought to be) isolated processes to modify the memory of other processes, even kernel space, and a well-crafted attack could allow for hypervisor escape and privilege escalation. (And this can all be executed through JavaScript.)

    The paper states all Intel Core-brand CPUs are vulnerable. AMD is not vulnerable...although they only tested it with a Bulldozer CPU, so the status of Ryzen is unknown. They tested an ARMv8 processor and found it was not vulnerable.

    Other sources: The Register, Hot Hardware, TechRadar, original paper (PDF warning), Phoronix

    Edit: added Phoronix

    5 votes
    1. [2]
      haykam821 Link Parent
      @Deimos Looks like this post is incorrectly a spoiler. Is there a way to exempt spoiler attack from whatever code detects whether a tag is spoilery, possibly?

      2 votes
      1. Deimos (edited ) Link Parent
        Ha, yeah, looks like the way it checks for the spoiler tag is wrong. I'll fix that, thanks (and I'm just going to remove the tag for now, it's in the title so it will still be easily findable through search or other options).

        Edit: fixed

        3 votes
  2. [2]
    ainar-g Link
    I can't wait to read Theo de Raadt's rant about this. It's going to be juicy.

    This further cements my decision that my next laptop will either be AMD-powered, or something non-x86 altogether.

    4 votes
    1. spctrvl Link Parent
> This further cements my decision that my next laptop will either be AMD-powered, or something non-x86 altogether.

      I've been watching that space for a while. There's some small manufacturers like Pine that're putting out decent, relatively open (if underpowered) systems, but the mainstream manufacturers' Windows ARM laptops are pretty locked down, with secure boot not required to be togglable like on the x86 models.

      I suppose having to run Windows isn't necessarily a deal breaker, but it makes me worried that the openness of the IBM PC architecture was a fluke, and transitions away from that architecture are going to result in the proliferation of Tivoized hardware/software ecosystems like we ended up getting with Android. But the open hardware movement is also gaining steam, so I guess it remains to be seen.

      5 votes
  3. [2]
    asoftbird Link
    I thought the two yellow spoiler tag labels were added to draw attention for a really really bad major security leak(am aware it's an error).

    What does this exploit mean to layman/regular users like me, and should I be worried?

    2 votes
    1. Luna Link Parent
      This attack can be executed in your browser, although the only (currently) known mitigation is with browser restrictions, so it may or may not be a problem in the future, depending on if Google, Mozilla, etc. restrict the functionality of their browsers in response to this (which risks breaking some websites). If a program not running in a browser tries to do this, there's currently no way to prevent it.

      How much you have to worry about this will depend on how easy it is to target attacks, as rowhammering* random memory locations might be modifying unused space, might cause random program glitches or crashes, or could cause your OS to crash if it modifies kernel memory. It could allow a program to escalate itself to system permissions and completely take over your system, but this is all entirely theoretical at this point. Cloud providers, on the other hand, have a lot more to worry about - if your private instance is able to modify the data of other private instances on the same machine, that could cause serious trouble, and since memory modifications aren't really trackable, you will probably never know your application crashed or dumped your customer files for all to see because of an attack like this. Considering that Intel probably will have to fix this in hardware (according to the author, there is no software mitigation, unlike Spectre), it may take years before this is fixed, and I'm sure it will become much easier to target attacks before this is all finally resolved.

      I'm not a security expert, though, so someone feel free to correct me if I'm wrong.

      *Rowhammer attacks are repeatedly hitting specific memory locations where eventually some voltage will leak out, changing one or more of the cells around it. Think of it like a Jenga tower - you tap repeatedly on one block, but chances are you will accidentally affect another block. In a Rowhammer attack, you're intentionally trying to knock out or nudge other blocks. Some blocks will do nothing when (re)moved, others will make it much harder to remove other blocks (undefined/buggy program behavior), and others will cause the tower to collapse (program or system crashes).

      6 votes
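Luna's two comments above say the attack is valuable because it gives an unprivileged process "information about page mappings", which is what a Rowhammer attacker needs to aim at a victim row rather than hammering random memory. The added example below (editor's code, not from the thread, the article or the Spoiler paper) shows the legitimate, privileged route to the same information on Linux: decoding an entry of /proc/self/pagemap into a page frame number and a physical address. Since Linux 4.2 the PFN field reads as zero unless the process has CAP_SYS_ADMIN, which is exactly the barrier a side channel like this one is attractive for bypassing. The bit layout follows the kernel's pagemap documentation; the constructed entries in the test are assumptions and only exercise the decoder. Running `main` as root prints the real PFN of a freshly touched page; running it unprivileged prints a PFN of 0.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit layout of a 64-bit /proc/PID/pagemap entry (Documentation/admin-guide/mm/pagemap.rst):
 * bits 0-54  page frame number if present, or swap type/offset if swapped
 * bit  56    page exclusively mapped (since 4.2)
 * bit  61    page is file-backed or shared anonymous
 * bit  62    page swapped out
 * bit  63    page present in RAM */
#define PAGEMAP_PFN_MASK   ((1ULL << 55) - 1)
#define PAGEMAP_EXCLUSIVE  (1ULL << 56)
#define PAGEMAP_FILE       (1ULL << 61)
#define PAGEMAP_SWAPPED    (1ULL << 62)
#define PAGEMAP_PRESENT    (1ULL << 63)

struct pagemap_info {
    int present;        /* 1 if the page is resident in RAM */
    int swapped;        /* 1 if the page is on swap */
    int exclusive;      /* 1 if only this mapping references the page */
    uint64_t pfn;       /* physical frame number, 0 if not present or hidden */
};

/* Decode one raw pagemap entry. Returns 1 if the page is present, else 0.
 * A PFN of 0 on a present page means the kernel withheld it (no CAP_SYS_ADMIN). */
int decode_pagemap_entry(uint64_t entry, struct pagemap_info *out)
{
    memset(out, 0, sizeof(*out));
    out->present   = (entry & PAGEMAP_PRESENT) != 0;
    out->swapped   = (entry & PAGEMAP_SWAPPED) != 0;
    out->exclusive = (entry & PAGEMAP_EXCLUSIVE) != 0;
    if (out->present)
        out->pfn = entry & PAGEMAP_PFN_MASK;   /* low bits are a PFN only when present */
    return out->present;
}

/* Combine a PFN with the in-page offset of a virtual address to get its physical address.
 * The low 12 bits (for 4 KiB pages) are the same in both; the PFN supplies the rest. */
uint64_t physical_address(uint64_t pfn, uintptr_t vaddr, uint64_t page_size)
{
    return pfn * page_size + (vaddr % page_size);
}

/* Read the raw pagemap entry for vaddr from /proc/self/pagemap.
 * Entries are 8 bytes each, indexed by virtual page number. Returns 0 on success, -1 on error. */
int read_pagemap_entry(uintptr_t vaddr, uint64_t *entry)
{
    uint64_t page_size = (uint64_t)sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    off_t offset = (off_t)((vaddr / page_size) * sizeof(uint64_t));
    ssize_t n = pread(fd, entry, sizeof(*entry), offset);
    close(fd);
    return n == (ssize_t)sizeof(*entry) ? 0 : -1;
}

int main(void)
{
    uint64_t page_size = (uint64_t)sysconf(_SC_PAGESIZE);
    /* Allocate and touch one page so it is actually backed by a physical frame. */
    unsigned char *buf = malloc(page_size * 2);
    if (!buf)
        return 1;
    uintptr_t vaddr = ((uintptr_t)buf + page_size - 1) & ~(uintptr_t)(page_size - 1);
    *(volatile unsigned char *)vaddr = 1;

    uint64_t entry;
    if (read_pagemap_entry(vaddr, &entry) != 0) {
        perror("pagemap");
        free(buf);
        return 1;
    }
    struct pagemap_info info;
    decode_pagemap_entry(entry, &info);
    printf("vaddr=0x%lx present=%d swapped=%d exclusive=%d pfn=0x%llx phys=0x%llx\n",
           (unsigned long)vaddr, info.present, info.swapped, info.exclusive,
           (unsigned long long)info.pfn,
           (unsigned long long)physical_address(info.pfn, vaddr, page_size));
    if (info.present && info.pfn == 0)
        printf("PFN hidden: run as root (CAP_SYS_ADMIN) to see physical frame numbers\n");
    free(buf);
    return 0;
}
```

The point to take from the output is the asymmetry: the kernel deliberately zeroes the PFN for unprivileged readers because physical addresses are the ingredient that turns Rowhammer from random corruption into a targeted attack, and a microarchitectural leak that recovers some of those bits from timing alone cannot be closed by a permission check on a proc file.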