Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection

October 30, 2018 ~ hucktech ~ Leave a comment

A patch for meltdown by MSFT opened patchguard for hooking syscalls.
Great research by @UdiYavo from @ensilo.https://t.co/bXjfGLsC90

— Gil Dabah (@_arkon) October 27, 2018

by Omri Misgav & Udi Yavo on October 26, 2018 –

The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.[…]

https://blog.ensilo.com/meltdown-patchguard

ACM SIG Arch: Reflections on trusting SGX

October 1, 2018 ~ hucktech ~ Leave a comment

Reflections on trusting SGX
by Mark Silberstein
Sep 25, 2018

The security community will remember the year of 2018 as the year of speculative execution attacks. Meltdown and Spectre, the recent Foreshadow (L1TF in Intel’s terminology), and their variants demonstrate how the immense processor design complexity, perpetual drive for higher performance, and subtle hardware-software interactions — all collude to create a major system security earthquake that is shaking the whole industry. Foreshadow stands out in that it wreaks havoc on Intel SGX, Intel’s recent instruction set extension for building trusted execution environments, which has been envisioned as a stronghold of security in future computing systems. In this blog I highlight the important differences between Foreshadow and other speculative execution attacks, and raise a few questions that require much more than just a technical solution.[…]

https://www.sigarch.org/reflections-on-trusting-sgx/

BlueHat Israel video: Beyond Belief: The Case of Spectre and Meltdown

September 13, 2018 ~ hucktech ~ Leave a comment

"Beyond Belief:
The Case of Spectre and Meltdown",
D. Gruss, M. Lipp & M. Schwarz, TU Graz, Mystery Keynote, BlueHat IL, Microsoft, Jan 24 2018 https://t.co/iu1iIG0YG4
PDF https://t.co/wOafg3X094
D. Gruss https://t.co/VUUhohNXrf
Meltdown and Spectre https://t.co/drnSuTMCRb pic.twitter.com/qZHa7tqPOT

— OGAWA, Tadashi (@ogawa_tter) February 3, 2018

http://www.bluehatil.com/files/Beyond%20Belief%20-%20The%20Case%20of%20Spectre%20and%20Meltdown.pdf

https://gruss.cc/

https://meltdownattack.com/

US CERT update on Meltdown and Spectre

September 12, 2018 ~ hucktech ~ Leave a comment

ICS-CERT issued updated alert ICS-ALERT-19-011-01 Meltdown and Spectre Vulnerabilities (Update I) to the ICS-CERT website – https://t.co/8AvQW0angx #NCCIC #cyber #cybersecurity #infosec #ICS

— ICS-CERT (@ICSCERT) September 11, 2018

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01

Spectre & Meltdown vulnerability/mitigation checker for Linux

August 26, 2018 ~ hucktech ~ Leave a comment

"Check for Spectre, Meltdown, and L1 Terminal Fault Vulnerabilities with Spectre-meltdown-checker Script" https://t.co/cL87yg3ED4 #tech #feedly

— ladore (@ladore) August 26, 2018

A shell script to tell if your system is vulnerable against the several “speculative execution” CVEs that were made public in 2018.

CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
CVE-2018-3640 [rogue system register read] aka ‘Variant 3a’
CVE-2018-3639 [speculative store bypass] aka ‘Variant 4’
CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 [L1 terminal fault] aka ‘Foreshadow & Foreshadow-

https://www.cnx-software.com/2018/08/17/check-spectre-meltdown-l1-terminal-fault-linux/amp/

https://github.com/speed47/spectre-meltdown-checker/

USENIX Security presentation on Meltdown uploaded

August 14, 2018 ~ hucktech ~ Leave a comment

Join our talk on "#Meltdown: Reading Kernel Memory from User Space" @USENIXSecurity on Thursday (#day2) – Find our updated paper here: https://t.co/xdb4LjCCe4 /cc @misc0110 @lavados @gonzodaruler @anders_fogh @tehjh @StefanMangard @yuvalyarom #usesec18 pic.twitter.com/rqrOMJJBiX

— Moritz Lipp (@mlqxyz) August 14, 2018

https://mlq.me/download/meltdown.pd

Two Spectre, Meltodown, and Rowhammer talks from Blackhat

August 12, 2018 ~ hucktech ~ Leave a comment

You can find the slides of our #BHUSA talk "#Meltdown: Basics, Details, Consequences" @ @BlackhatEvents here: https://t.co/IHQRqc24is /cc @misc0110 @lavados #BHUSA #BHUSA2018 pic.twitter.com/f5QAi2ws3b

— Moritz Lipp (@mlqxyz) August 11, 2018

https://mlq.me/download/bhusa2018_meltdown_slides.pdf

And the slides of our #BHUSA #rowhammer talk "Another Flip in the Row" @ @BlackhatEvents can be found here: https://t.co/7g8BuWBhS5 /cc @misc0110 @mlqxyz #BHUSA18 #BHUSA2018 pic.twitter.com/8U23HKhOrA

— Daniel Gruss (@lavados) August 11, 2018

https://gruss.cc/files/us-18-Gruss-Another-Flip-In-The-Row.pdf

Microsoft Blackhat speculative execution slides posted

August 11, 2018 ~ hucktech ~ Leave a comment

Slides posted for the #BHUSA presentation by @anders_fogh & @CTurtE on systematizing and mitigating speculative execution side channels vulnerabilities: https://t.co/4OoqLupyRT

— Matt Miller (@epakskape) August 10, 2018

https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2018_08_BlackHatUSA/us-18-Fogh-Ertl-Wrangling-with-the-Ghost-An-Inside-Story-of-Mitigating-Speculative-Execution-Side-Channel-Vulnerabilities.pdf

Huawei: Security Advisory – Side-Channel Vulnerability Variants 3a and 4

July 17, 2018 ~ hucktech ~ Leave a comment

SA No:huawei-sa-20180615-01-cpu
Initial Release Date: Jun 15, 2018
Last Release Date: Jul 17, 2018

Intel publicly disclosed new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown. These variants known as 3A （CVE-2018-3640）and 4 （CVE-2018-3639), local attackers may exploit these vulnerabilities to cause information leak on the affected system. (Vulnerability ID: HWPSIRT-2018-05139 and HWPSIRT-2018-05140).[…]

https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180615-01-cpu-en

Aleph Security: Overcoming (some) Spectre browser mitigations

June 26, 2018 ~ hucktech ~ Leave a comment

We looked into the Spectre browser mitigations and this is what we found.https://t.co/Sn2cGcZNzo

— Aleph Research (@alephsecurity) June 26, 2018

https://github.com/alephsecurity/spectreBrowserResearch

https://alephsecurity.com/2018/06/26/spectre-browser-query-cache/

FreeBSD 11.2R released, with speculative execution and UEFI updates

June 9, 2018 ~ hucktech ~ Leave a comment

The latest version of FreeBSD is out, and has a few speculative execution and UEFI changes, including:

https://www.freebsd.org/releases/11.2R/relnotes.html

[arm64] The bsdinstall(8) installer has been updated to default to UEFI-only boot. [r322254]
(Sponsored by The FreeBSD Foundation)

The efibootmgr(8) utility has been added, which is used to manipulate the EFI boot manager. [r332126]
(Sponsored by Netflix)
https://www.freebsd.org/cgi/man.cgi?query=efibootmgr&sektion=8&manpath=freebsd-release-ports

The cpucontrol(8) utility has been updated to include a new flag, -e, which is used to re-evaluate reported CPU features after applying firmware updates. [r327871]
Note: The cpucontrol(8) -e flag should only be used after microcode update have been applied to all CPUs in the system, otherwise system instability may be experienced if processor features are not identical across the system.
https://www.freebsd.org/cgi/man.cgi?query=cpucontrol&sektion=8&manpath=freebsd-release-ports

FreeBSD-SA-18:03.speculative_execution 14 March 2018. Speculative Execution Vulnerabilities
Note: This advisory addresses the most significant issues for FreeBSD 11.x on amd64 CPUs. We expect to update this advisory to include i386 and other CPUs.
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc

Graz: School on Security and Correctness in the IoT 2018

June 7, 2018 ~ hucktech ~ Leave a comment

There is a summer school on security of IoT and it's backends in Graz @tugraz from September 3 – 9. https://t.co/UUpj4K08XD
Among the speakers we have @gianluca_string @SrdjanCapkun @asabelfeld @matteo_maffei and me and quite a few people that I couldn't find on Twitter.

— Daniel Gruss (@lavados) June 7, 2018

Looking forward to showing some attendees the best places to get a beer in Graz and chat about interesting research ideas.
Also if you just started with your #PhD you can chat with @misc0110 and @mlqxyz and me on how we approach paper writing.

— Daniel Gruss (@lavados) June 7, 2018

The school covers attacks, countermeasures and formal methods to analyze the security of implementations. There will be two labs/trainings with tutorials on runtime attacks and side-channels including the recent attacks #meltdown and #spectre.
And it's a good way to connect.

— Daniel Gruss (@lavados) June 7, 2018

Welcome to our second School on Security & Correctness in the Internet of Things 2018, held from 3.-9. September. It is hosted by the research center “Dependable Internet of Things“, located at Graz University of Technology. This school targets graduate students interested in security aspects of tomorrow’s IoT devices. Current advances in technology drive miniaturization and efficiency of computing devices, opening a variety of novel use cases like autonomous transportation, smart cities and health monitoring devices. However, device malfunction could potentially threaten human welfare or even life. Malfunction might not only be caused by design errors but also by intentional impairment. As computing devices are supposed to have high and permanent network connectivity, an attacker finding a vulnerability might easily target millions of devices at once. Moreover, integration of computing devices in everyday items exposes them to a potentially hostile physical environment. A central requirement of tomorrow’s IoT is the ability to execute software dependably on all kinds of devices. IoT devices need to provide security in the presence of network attacks as well as against attackers having physical access to the device. During the five-day school, participants will gain awareness of these IoT-related challenges. Introductory classes are supplemented by advanced courses in the area of system security, cryptography as well as software and hardware side-channels. During spare time participants are invited to enjoy the city of Graz and attend organized events.

https://www.securityweek.at/school/

Intel: Q2 2018 Speculative Execution Side Channel Update

June 4, 2018 ~ hucktech ~ Leave a comment

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

INTEL-SA-00115

*Original release:*	*05/21/2018*
*Last revised:*	*05/21/2018*

https://software.intel.com/side-channel-security-support

Red Hat update on Spectre/Meltdown

June 1, 2018 ~ hucktech ~ Leave a comment

See the blog document, not just the short video. 😉

Speculative Store Bypass explained by @RedHatSecurity: what it is, how it works: https://t.co/UimXj7dlLm #infosec #cybersecurity @RedHatSecurity #ssbd pic.twitter.com/OYaKfnh73h

— Red Hat, Inc. (@RedHat) May 29, 2018

https://www.redhat.com/en/blog/speculative-store-bypass-explained-what-it-how-it-works?sc_cid=701f2000000tyBjAAI

Chromium: Post-Spectre Threat Model Re-Think

May 30, 2018 ~ hucktech ~ Leave a comment

https://twitter.com/fugueish/status/1001605230583136256

In light of Spectre/Meltdown, we needed to re-think our threat model and defenses for Chrome renderer processes. Spectre is a new class of hardware side-channel attack that affects (among many other targets) web browsers. This document describes the impact of these side-channel attacks and our approach to mitigating them. The upshot of the latest developments is that the folks working on this from the V8 side are increasingly convinced that there is no viable alternative to Site Isolation as a systematic mitigation to SSCAs [speculative side-channel attacks]. In this new mental model, we have to assume that user code can reliably gain access to all data within a renderer process through speculation. This means that we definitely need some sort of ‘privileged/PII data isolation’ guarantees as well, for example ensuring that password and credit card info are not speculatively loaded into a renderer process without user consent. […] In fact, any software that both (a) runs (native or interpreted) code from more than one source; and (b) attempts to create a security boundary inside a single address space, is potentially affected. For example, software that processes document formats with scripting capabilities, and which loads multiple documents from different sources into the same process, may need to take defense measures similar to those described here.[…]

https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md

Spectre Variant 4 released

May 22, 2018May 22, 2018 ~ hucktech ~ Leave a comment

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://www.us-cert.gov/ncas/alerts/TA18-141A

https://www.us-cert.gov/ncas/alerts/TA18-004A

https://blogs.technet.microsoft.com/srd/2018/05/21/analysis-and-mitigation-of-speculative-store-bypass-cve-2018-3639/

So here is #spectre variant 4. The processor speculates that your write operation does not change anything and continues with the outdated (possibly non-sanitized) value from L1.https://t.co/ZcjaTSrLNW

— Daniel Gruss (@lavados) May 21, 2018

#spectreng Details on 2 / 8 vuls: v3a (Rogue SRR, CVE-2018-3640) https://t.co/MhKvqALGcu & v4 (SSB, CVE-2018-3639) https://t.co/lpohRw2GFP [Intel, ARM, IBM POWER; ucode patches in beta but no update dates announced, disabling v4 Memory Disambiguation incurs 2-8% perf overhead] pic.twitter.com/voILONMMeY

— Daniel Bilar (@daniel_bilar) May 22, 2018

Variant 4 and 3a have dropped, with the appropriate Intel Whitepaper updates. The RSRE one is the coolest one to me. https://t.co/56AbOoK159 https://t.co/2JYWWzAC5g

— Alex Ionescu (@aionescu) May 21, 2018

speculative execution, variant 4: speculative store bypass https://t.co/z1ZlS1HNxU

— Project Zero Bugs (@ProjectZeroBugs) May 21, 2018

A small observation: the current set of speculative execution fixes are replicating at an architectural level what extensions are at the ISA level.

Byzantine Security, one level down.

— Arrigo Triulzi (@cynicalsecurity) May 22, 2018

Speculative Execution is fundamentally broken in its current trust model.

— Arrigo Triulzi (@cynicalsecurity) May 22, 2018

Polymorphic Linux: stops zero-day attacks like Spectre and Meltdown

May 17, 2018 ~ hucktech ~ Leave a comment

So there's a company called https://t.co/lePlu0FOoo and:

a) They claim their code would protect against Meltdown
b) They're called Polyverse

and I can't decide which of these things is worse

— Matthew Garrett (@mjg59) May 17, 2018

Want to try #Polymorphic #Linux? curl https://t.co/6S7Y4YRqpU | sh -s czcw7pjshny8lzzog8bgiizfr that's literally it. Get protected now.

— Polyverse (@Polyverse_io) April 10, 2018

https://blog.polyverse.io/immunize-against-spectre-78c53985fb01

https://polyverse.io/

QEMU v2.12.0 released (with Spectre/Meltdown update)

May 10, 2018May 10, 2018 ~ hucktech ~ Leave a comment

QEMU version 2.12.0 released
24 Apr 2018
This release contains 2700+ commits from 204 authors.

* Spectre/Meltdown mitigation support for x86/pseries/s390 guests.
* Better IPMI support for Platform Events and SEL logging in internal BMC emulation
* SMBIOS support for “OEM Strings”, which can be used for automating guest image activation without relying on network-based querying

[…]A previous post detailed how QEMU/KVM might be affected by Spectre/Meltdown attacks, and what the plan was to mitigate them in QEMU 2.11.1 (and eventually QEMU 2.12). QEMU 2.11.1 is now available, and contains the aforementioned mitigation functionality for x86 guests, along with additional mitigation functionality for pseries and s390x guests (ARM guests do not currently require additional QEMU patches). However, enabling this functionality requires additional configuration beyond just updating QEMU, which we want to address with this post.[…]

https://www.qemu.org/2018/04/24/qemu-2-12-0/

Microsoft: C++ Developer Guidance for Speculative Execution Side Channels

May 9, 2018 ~ hucktech ~ Leave a comment

C++ developer guidance from Microsoft related to speculative execution side channels, specifically on identifying & mitigating potentially vulnerable code patterns related to Spectre variant 1. Shoot me a DM with any feedback/suggestions! https://t.co/M8lHLl0ody

— Matt Miller (@epakskape) May 8, 2018

C++ Developer Guidance for Speculative Execution Side Channels
05/03/2018
Matt Miller Colin Robertson Mike B

This article contains guidance for developers to assist with identifying and mitigating speculative execution side channel hardware vulnerabilities in C++ software. These vulnerabilities can disclose sensitive information across trust boundaries and can affect software that runs on processors that support speculative, out-of-order execution of instructions. This class of vulnerabilities was first described in January, 2018 and additional background and guidance can be found in Microsoft’s security advisory. The guidance provided by this article is related to the class of vulnerabilities represented by CVE-2017-5753, also known as Spectre variant 1. This hardware vulnerability class is related to side channels that can arise due to speculative execution that occurs as a result of a conditional branch misprediction. The Visual C++ compiler in Visual Studio 2017 (starting with version 15.5.5) includes support for the /Qspectre switch provides a compile-time mitigation for a limited set of potentially vulnerable coding patterns related to CVE-2017-5753. The documentation for the /Qspectre flag provides more information on its effects and usage.[…]

https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution

[…]An accessible introduction to speculative execution side channel vulnerabilities can be found in the presentation titled The Case of Spectre and Meltdown by one of the research teams that discovered these issues.[…]

more on Spectre/Meltdown

May 3, 2018 ~ hucktech ~ Leave a comment

A few new Spectre/Meltdown-related things in the news:

#spectreNG Report: 8 new next-gen #spectre type vuls CVEs – 4 high, 4 medium – identified in Intel processors (likely ARM too) [VM to cloud host scenarios, SGX vulnerable; CVE details embargo'ed till May 7; two patch releases planned for May/August] https://t.co/ug1mbJAtJx pic.twitter.com/IlRXRMO9yn

— Daniel Bilar (@daniel_bilar) May 3, 2018

https://www.heise.de/ct/artikel/Super-GAU-fuer-Intel-Weitere-Spectre-Luecken-im-Anflug-4039134.html

Excellent work by one of our student teams:
Probably now the fastest microarchitectural covert channel (Flush+Reload): https://t.co/IFdNA6OW6h
3.56MByte/s and 0 errors over 160MB transmitted random data.

Imagine #Meltdown and #Spectre attacks using that implementation 😉#tugraz

— Daniel Gruss (@lavados) May 3, 2018

SpectreNG speculations¹ are rife.

The “VM escape” one is, arguably, the most fun to consider given the slight dependence on cloudy clouds.

__
¹ https://t.co/5kMqaBN3Oi [German]

— Arrigo Triulzi (@cynicalsecurity) May 3, 2018

“Incidentally, Intel's Software Guard Extensions (SGX), which aim to protect sensitive data on cloud servers, are also not Specter-Safe ¹.” ²

__
¹ https://t.co/OYeiaJaxKi [German]
² https://t.co/5kMqaBN3Oi

— Arrigo Triulzi (@cynicalsecurity) May 3, 2018

Really nice article from @a_greenberg covering our project @c_giuffrida @herbertbos @gober @vu5ec https://t.co/e8BfmRqfA5

— Pietro Frigo (@pit_frg) May 3, 2018

Dutch researchers have shown for the first time that Rowhammer, a technique that induces targeted electric charge leaks in computer memory, can be used to hack Android phones over the internet. https://t.co/BuYxGhGsFI

— Andy Greenberg (@a_greenberg) May 3, 2018

https://www.wired.com/story/rowhammer-remote-android-attack/

https://www.arm.com/products/security-on-arm/security-ip/side-channel-mitigation