
Side channel that leaked data from Intel CPUs patched by silent Windows update - headalgorithm
https://arstechnica.com/information-technology/2019/08/silent-windows-update-patched-side-channel-that-leaked-data-from-intel-cpus/
======
tinco
I know these problems are serious, but I feel there is a fun and reassuring
aspect to them. Back in the 90s and early 2000s we thought anything can be
hacked by any clever person. Then the 2010s happened and almost all software,
even Windows, became near unassailable fortresses, especially systems like iOS
with their tight control of the OS. Sure, a 0day drops every now and then, but
we all know that it's basically impossible to attack a modern well configured
system.

These hardware bugs turn that idea on its head, suddenly the whole ghost in
the shell hacker style dream is again a possibility. A motivated person or
group of persons might go and hack any system out there. And that's really a
bit reassuring, it's a little bit scary to think about how our lives might be
ruled by these systems that are unassailable. I'd like to at least stand a
chance when technology turns on us.

~~~
userbinator
Keep in mind that all these speculative execution exploits rely on being able
to already execute code on the target, they can only read data somewhat
slowly, and where the data you want to read is in a 64-bit address space is
not easy to find.

The media loves to blow things out of proportion, but all the specexec attacks
are really not as big a deal as e.g. remote code execution. In some ways, they
are the real-world equivalent of "you can sometimes hear things your
neighbours say, with a sensitive microphone and lots of patience."

~~~
tedunangst
How lucky then that we all live in the cloud now and running code on other
people's computers is the only place anybody runs code anymore.

~~~
tinco
In addition to that, all sorts of vendors run their code on our systems to
provide us with their features. And then there's the idea that some of these
bugs have been demonstrated to be exploitable from within a JavaScript VM!

------
edwintorok
As mentioned in the article, more technical details can be found in the linked
article: [https://www.bitdefender.com/business/swapgs-attack.html](https://www.bitdefender.com/business/swapgs-attack.html)

Worth pointing out that Xen is not vulnerable to the swapgs attack due to a
lucky design decision from a decade ago:
[https://lists.xenproject.org/archives/html/xen-devel/2019-08...](https://lists.xenproject.org/archives/html/xen-devel/2019-08/msg00507.html)

------
makomk
Even though it's supposedly not feasible to exploit on Linux, there are fixes
in the upstream kernel now and the changelog entries have some technical
details. If I'm understanding this correctly, AMD systems don't speculatively
execute GS-based accesses after speculatively executing SWAPGS like Intel ones
do, but that isn't enough to fully fix the problem on Linux because there's a
conditional branch over the SWAPGS instruction which can be speculatively
executed. Since that execution path doesn't have a SWAPGS, all processors will
quite happily continue speculatively executing code that fetches data via GS.

~~~
menzoic
What does speculative mean in this context?

~~~
viraptor
The CPU speculating that it knows what the state will be after SWAPGS and
continuing to load instructions into the pipeline and partially executing them. In
case of either a different branch being taken, or SWAPGS causing a fault, the
pipeline will be rolled back, but side effects of the partial execution (like
loads into cache) will not be.

------
proactivesvcs
It seems rather unfair to make the statement that "Microsoft silently patched
the vulnerability during last month's update Tuesday" where the phrase
"patched the vulnerability" links to Microsoft's CVE article on the problem.

~~~
wademealing
I agree it's unfair.

Microsoft also played ball with Linux vendors alerting them to this vector.
This allowed them to get the swapGS fixes tested and sane.

This interaction with the opensource community has significantly increased my
respect for Microsoft.

------
jnordwick
Whitepaper is behind a wall, so I can't read it, but I assume it is another in
the large and growing class of exploits that cannot practically be exploited,
like Spectre or the load-store buffer that didn't stand a snowball's chance in
Hell of creating a workable exploit that didn't require immense cooperation
from the target (literally accessing the same address in a loop and
nothing else).

Still no spectre exploit (or even attempt) found in the wild. There should
have been something by now.

If anybody has access to the POC code I would love to see it. Until (and
probably after I see how laughable it is), I'll assume this is just a press
release by some security company.

~~~
wademealing
I believe that this (SWAPGS) vector is impractical, but previous Spectre proofs
of concept exist if you look hard enough.

~~~
jnordwick
I have never seen one that would work in the wild. I don't think it is
possible. We've had plenty of time to see something somewhere, but nothing. I've
gone through the papers, read other code, I've seen nothing that didn't
require help from the target.

I don't accept the general hand waving "they keep getting better" because they
haven't.

For most of these, the exfiltration rate is so slow that simply XOR'ing the secret
with a random seed that changes locations, or moving the memory around itself,
would prevent any attack.

~~~
edwintorok
Meltdown rate was quite a bit higher than the other exploits.

~~~
jnordwick
Meltdown is different and clearly a microcode bug that is easily fixed. I
don't include it with the other side-channel "attacks" that seem to come out
every other week.

------
Multicomp
So I have not yet installed the July 'security only' update because it
contains W10 style telemetry (I'm on Windows 7 group B for the fellow
AskWoody-ians) which I abhor even more than being vulnerable to a hack.

Any way to get the good without the reprehensible?

------
jaclaz
No one is concerned by the concept of "silent" Windows update?

------
jotm
What's the performance hit on this one?

------
GrumpyNl
What I understand is, you are already hacked when they perform this hack.
They already have access to your system.

