Hacker News new | past | comments | ask | show | jobs | submit login
Side channel that leaked data from Intel CPUs patched by silent Windows update (arstechnica.com)
139 points by headalgorithm 74 days ago | hide | past | web | favorite | 58 comments

I know these problems are serious, but I feel there is a fun and reassuring aspect to them. Back in the 90s and early 2000s we thought anything can be hacked by any clever person. Then the 2010s happened and almost all software, even Windows, became near unassailable fortresses, especially systems like iOS with their tight control of the OS. Sure, a 0day drops every now and then, but we all know that it's basically impossible to attack a modern well configured system.

These hardware bugs turn that idea on its head, suddenly the whole ghost in the shell hacker style dream is again a possibility. A motivated person or group of persons might go and hack any system out there. And that's really a bit reassuring, it's a little bit scary to think about how our lives might be ruled by these systems that are unassailable. I'd like to at least stand a chance when technology turns on us.

> we all know that it's basically impossible to attack a modern well configured system

Where in the world did this fantastic idea come from?




How many of those kernel bugs translate to meaningful RCE's in generally available stable software? Maybe I'm out of the loop, but as that presentation says nowadays a big 0day will have a logo and national headlines, that also underlines how rare they are.

To me the history of Pwn2Own exactly shows the trend I'm talking about. Going from very successful editions to increasingly less successful editions as the years go by to the point where the competition barely even exists anymore.

And then that baseband firmware exploit, that's the dream. You could hack any device with that almost regardless of what software runs on top. I put that in the same class as the Intel chip vulnerabilities.

Pwn2Own fell out of the spotlight over time because they managed to piss off sponsors and teams alike, not because any material improvement occurred in software security, involving systems that for the most part continue to be millions of lines of C just like they were in the 90s. Security processes have improved tremendously in recent times, but software security in general has advanced only incrementally at best, such that individuals can still succeed at breaking the majority of software, and are able to do so with such reliability that the practice is done as a sporting event.

Per the slides over 150 of those kernel bugs resulted in code execution, and that is already a lowball count of the true number. Upstream Linux, being possibly the most visible and well-resourced OS codebase around, even by 2019 does not have the tools necessary just to automatically find the bugs we already know exist.

> Pwn2Own fell out of the spotlight over time because they managed to piss off sponsors and teams alike

I don't suppose there's any more information - it sounds like an interesting tale.

Well the first Chrome RCE attack leveraged a Windows kernel exploit, so that seems like a reasonable one to point to.

Keep in mind that all these speculative execution exploits rely on being able to already execute code on the target, they can only read data somewhat slowly, and where the data you want to read is in a 64-bit address space is not easy to find.

The media loves to blow things out of proportion, but all the specexec attacks are really not as big a deal as e.g. remote code execution. In some ways, they are the real-world equivalent of "you can sometimes hear things your neighbours say, with a sensitive microphone and lots of patience."

How lucky then that we all live in the cloud now and running code on other people's computers is the only place anybody runs code anymore.

In addition to that all sorts of vendors run their code on our systems to provide us with their features. And then there's the idea that some of these bugs have been demonstrated to be exploitable from within a JavaScript VM!

There's a lot more attention to this threat than there would be if the cloud wasn't ubiquitous. Could be a net positive.

This is somewhere between misleading and wrong -- Spectre-ish attacks can be conducted by JavaScript when you visit a random web page. It's mostly appropriately-proportioned.

What is JavaScript except code being remotely executed?

It's code being executed in a well-tested sandbox that should not be able to steal your machine's secrets, so it's appropriate to freak out over the fact that these attacks allowed it to do that.

It's code that can run for arbitrary amounts which can't be killed without killing the browser and affecting _other_ services to.

It's user hostile code executed by foreign entities on devices that you are supposed to "own"

In recent browsers you can certainly kill just one tab's JavaScript without taking out anything else.

It doesn't feel very different to printing a PostScript file to me. You're giving someone access to run their "arbitrary code" in a VM on your system with very limited permissions.

JavaScript can run code on your computer, and used to be possible to get accurate timings out of it.

Only if you allowed the website to run its JavaScript. There are tools to restrict and more people should use those tools.

They make many useful websites unusable though. And when you whitelist you're then vulnerable, because there's no way to know some Javascript doesn't contain an exploit (do you run anti-virus on the web pages you visit?)

Any downloaded executable might contain a virus. That does not mean that I'm not going to download anything from the Internet. But also I'm not going to run every executable that happened to load in my browser. Good websites take a great care to protect their users from malicious scripts. So you should use your own judgement to decide whether you trust that website or not. I definitely don't trust some random website that I've opened by following some links. So I'll browse it without JS and if it does not work, I'll think twice whether I want to risk opening it. But if I'm opening something like stackoverflow, probably I'm safe and they won't run side channel attacks on my computer.

I think the amount of people damaged by hacks exceeds the numbers saved in your scenario by several orders of magnitude. In fact your post is one of the first I’ve ever read that sees software and hardware vulnerabilities as a good thing.

I'm not saying they are a good thing per se, just a reassuring thing. It means we still need to be in control of our systems, and can't blindly let our systems control us, because indeed they are fallible. It's of course rather philosophical.

There's also a big difference between these sort of vulnerabilities, and the sort of problems that enable for example ransomware, which is a serious issue that has a more difficult solution than simply designing more robust hardware.

Anyway, if you're intrigued maybe check out Ghost in the Shell sometime (not the one with Scarlett Johansson, although it is enjoyable, it's not really the same thing), if it needs to be Hollywood, then maybe the Hackers movie would also work a bit (with Angelina Jolie).

There is definitely an argument to be made. Discovery of these bugs improves software. If not for Blaster/Welchia years ago, Microsoft would not have empathized security or quality in their products for years.

"2010...Windows... became near unassailable fortresses"

Did anyone read this and not laugh out loud?

"These hardware bugs turn that idea on its head, suddenly the whole ghost in the shell hacker style dream is again a possibility"

No, it was always a possibility.

Something interesting did happen around that time. Looking at all CVEs as an aggregate, it appears 2008ish is about when there was an inflection, perhaps a shift from OS to injection/validation/appsec?


I left msft in 2007 and at that time they were in full "security is important" mode. Due to backcompat it's of course hard (impossible?) to remove local exploits, but RCE is a lot harder. For example I don't know the last time I heard about a windows RCE. Edge/IE sure, but not windows. Windows Defender is a very good security product, and Windows Update "just works".

>unassailable fortresses, especially systems like iOS

It hasn't been particularly hard to jailbreak iOS or root Android devices if you have physical access. We've seen several hilarious examples of exploits over the years regarding lock screen bugs or magic SMS parsing bugs.

It's more like in the 90s and 2000s software-exploit based attacks were fairly easy. These days you have to adopt and use logical,social and configuration vulnerabilities that have always been common as well.

Imagine the damage those ransomware people could have done back then.. Whole countries were open for disruption.

Given that Morris Worm is 30 years old and we keep using UNIX derived OSes, those ransomware people have plenty of opportunities still.

But surely there are a much smaller number of Unix computers running sendmail these days? And sendmail is a lot more secure now than it was 30 years ago. Doesn't seem like a fair comparison IMHO...

Enjoy the Google talks from Linux Kernel Summit 2018.


68% of Linux kernel exploits in 2018 were caused by C's lack of features to handle memory corruption.

> we all know that it's basically impossible to attack a modern well configured system.

you must be living in a different world...

> Then the 2010s happened and almost all software, even Windows, became near unassailable fortresses

Maybe from remote attacks, but nothing can defend against a good ol' keylogger, not even 2FA.

A proper 2FA implementation would surely defend against keyloggers? Unless your concern is leaking information?

> Back in the 90s and early 2000s we thought anything can be hacked by any clever person.

We did?

Yes.. Windows XP had an unending list of vulnerabilities, software patch policies were often horrible, hardware with outdated software was everywhere. Back then if you would call yourself a hacker or a hack group it would mean you had multiple 0day exploits under your sleeve for operating systems, browsers and web apps.

Even if you were just a lowly scriptkiddie, because of the bad update policies you could just go to an exploit website, like metasploit is now, and try out the list of old exploits on any target you were interested in. A friend of mine had 40.000 routers in some Scandinavian country because their ISP shipped them to customers with a 4 year old BSD release that had known vulnerabilities in it.

Maybe I am just pedantic but "many things" != "anything" and the existence of vulnerable systems does not invalidate the existence of secure systems.

Gotta admit, it was fun "hacking" all the WPS-enabled access points around me.

Pretty much. Security wasn't really seen as something developers worried about back then. Maybe it was because there were less bad actors due to it being much harder to make a buck through hacking. I remember setting up a server with an extremely weak SSH password around 2003 and it went for months without receiving any sort of traffic at all, much less login attempts. Nowadays if you set up a server with port 22 open you'll get dozens of hits per day from various bots scanning the entire IPV4 range and trying dictionary attacks to get in. Going through Fail2ban logs can be pretty entertaining.

I was thinking that might have been true back in the 80s. Hell, I still feel that way about anything analog. It's just nothing is really analog any more. Once things went digital and encryption was implemented, things just became more of a social engineering type of hack to get people to give you the information to walk in the front door. It's not that you hacked the Gibson or anything. Also, modern systems just don't have the cool 3D interfaces that all of the systems from the 80s/90s had ;-)

It wasn't really until Windows 7 that Windows was to some degree secure as an internet-capable platform. XP was just terrible from a security standpoint until SP2 (2 years after launch), which at least added a decent firewall that was enabled by default.

As mentioned in the article more technical details can be found in the linked article: https://www.bitdefender.com/business/swapgs-attack.html

Worth pointing out that Xen is not vulnerable to the swapgs attack due to a lucky design decision from a decade ago: https://lists.xenproject.org/archives/html/xen-devel/2019-08...

Even though it's supposedly not feasable to exploit on Linux, there are fixes in the upstream kernel now and the changelog entries have some technical details. If I'm understanding this correctly, AMD systems don't speculatively execute GS-based accesses after speculatively excuting SWAPGS like Intel ones do, but that isn't enough to fully fix the problem on Linux because there's a conditional branch over the SWAPGS instruction which can be speculatively executed. Since that execution path doesn't have a SWAPGS all processors will quite happily continue speculatively executing code that fetches data via GS.

What does speculative mean in this context?

CPU speculating that it knows what the state will be after SWAPGS and continuing to load instructions into pipeline and partially executing them. In case of either a different branch bring taken, or SWAPGS causing a fault the pipeline will be rolled back, but side effects of the partial execution (like loads into cache) will not be.

It seems rather unfair to make the statement that "Microsoft silently patched the vulnerability during last month's update Tuesday" where the phrase "patched the vulnerability" links to Microsoft's CVE article on the problem.

I agree its unfair.

Microsoft also played ball with Linux vendors alerting them to this vector. This allowed them to get the swapGS fixes tested and sane.

This interaction with the opensource community has significantly increased my respect for Microsoft.

Whitepaper is behind a wall, so I can't read it, but I assume it is another in the large and growing class of explits that cannot practically be exploited like Spectre or the load-store buffer that didn't stand a snowballs chance in Hell or creating a workable exploit that didn't' require immense cooperation from the target (literally accessing the same address in a loop and and nothing else).

Still no spectre exploit (or even attempt) found in the wild. There should have been something by now.

If anybody has access to the POC code I would love to see it. Until (and probably after I see how laughable it is), I'll assume this is just a press release by some security company.

> literally accessing the same address in a loop and and nothing else

All you need for this is Javascript with Web Workers to run effectively multithreaded.

I believe that this (SWAPGS) vector is impractical but previous spectre proof of concepts exists if you look hard enough.

I have never seen one that would work in the wild. I don't think it is possible. We've had plenty of time to see something somewhere, but nothing. I gone through the papers, read other code, I've seen nothing that didn't require help from the target.

I don't accept the general hand waving "they keep getting better" because they haven't.

Most of these the exfiltration rate is so slow that simply xor'ing the secret with a random seed that changes locations or moving the memory around itself would prevent any attack.

Meltdown rate was quite a bit higher than the other exploits.

meltdown is different and clearly a microcode bug that is easily fixed. i don't include it with the other side-channel "attacks" that seem to come out every other week.

So I have not yet installed the July 'security only' update because it contains W10 style telemetry (I'm on Windows 7 group B for the fellow AskWoody-ians) which I abhor even more than being vulnerable to a hack.

Any way to get the good without the reprehensible?

Noone is concerned by the concept of "silent" Windows update?

What's the performance hit on this one?

What i understand is , you are already hacked when they perform this hack. They already have access to your system.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact