How a researcher hacked his own computer and became convinced that the most serious processor vulnerability in history was real
Daniel Gruss barely slept that night after he hacked his own computer and confirmed that a vulnerability affecting most microprocessors released by the hardware giant Intel over the past two decades could actually be exploited.
The 31-year-old information-security researcher, a postdoc at Graz University of Technology, had penetrated the holy of holies of the CPU and extracted confidential information from it. Until that moment, Gruss and his colleagues Moritz Lipp and Michael Schwarz had believed that such an attack on kernel memory, which is supposed to be inaccessible to user programs, was possible only in theory.

“When I saw that the addresses of the Firefox websites, which should have been accessible only to me, were being read out of memory by the program I had written, it shocked me incredibly,” Gruss said in an email interview with Reuters, describing how he managed to expose confidential data that should have been protected.
In early December, Gruss, Lipp and Schwarz, each working at home over the weekend, corresponded frantically with one another to verify the result.
“We checked everything for hours, not trusting the result, until we had ruled out the slightest possibility of error,” said Gruss, who could not calm down that day and could not sleep even after he had switched the computer off.
Gruss and his colleagues had just confirmed the reality of what he considers “one of the most serious bugs ever found in processors.”
The vulnerability, now called Meltdown, was disclosed on Wednesday. It affects most processors manufactured by Intel since 1995.
Separately, another “hole” was found, called Spectre. It, too, lets an attacker read memory that should be off limits, by tricking other programs into leaking their contents, and it affects most computers and mobile devices running processors made by Intel, AMD and ARM.
Both could give attackers access to anything from passwords to photos stored on desktop PCs, laptops, cloud servers or smartphones. It is not known whether attackers have carried out such intrusions before, since neither Meltdown nor Spectre leaves traces in conventional log files.
Intel announced that it had begun providing software and firmware updates to mitigate the problem. ARM said it was working with AMD and Intel on related patches.
Finding a solution to the problem
The story was first broken by the technical online magazine The Register. As a result, the material on the vulnerability was published a week earlier than the manufacturers had planned, before they had time to finish the protective measures meant to fix the problem completely.
At that time, the team from Graz was already working on a tool to protect systems from attempts to steal sensitive data from kernel memory.
In a paper published the previous June they had called it KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed).
As the name implies, KAISER aims to protect kernel memory from attacks that exploit a side effect of a feature of modern processor architecture, one introduced to make processors faster.
That feature is out-of-order, speculative execution: the processor does not process instructions strictly in the order in which it receives them, but runs ahead on its best guess of what comes next. If the guess turns out to be right, time is saved. If it is wrong, the results of the work done ahead of time are discarded, and little time is lost. The catch is that the discarded work can still leave traces in the processor's cache, and a carefully written program can measure them.
In addition, researcher Anders Fogh had published material on the possibility of attacking kernel memory by abusing speculative execution. In practice, however, he had not been able to pull it off.
Responsible disclosure
Only after Gruss successfully hacked his own computer in December did the importance of the Graz team's earlier work become apparent: KAISER turned out to be an effective protection against Meltdown.
The team quickly contacted Intel and learned that other researchers, partly inspired by Fogh's material, had made similar discoveries.
They worked under responsible disclosure, meaning that the researchers inform the companies affected by a vulnerability of their findings and give them time to prepare patches before the flaw is made public.
According to Gruss, the key figures here were independent researcher Paul Kocher and a team at Cyberus Technology, while Jann Horn of Google Project Zero reached similar conclusions on his own.
“In mid-December we joined forces with Paul Kocher's team and Cyberus Technology staff to work on two thorough publications on Meltdown and Spectre,” Gruss said.
Gruss had not even known about Horn's work.
“It's very impressive that Jann Horn created it all on his own,” he said. “We developed a very similar attack, but in our case we are talking about a team of ten researchers.” The research team reported that KAISER-based patches protecting against Meltdown had been prepared for Microsoft's and Apple's operating systems as well as for Linux.
There is still no fix that eliminates the Spectre vulnerability, which lets an attacker gain access to sensitive data by tricking programs into leaking it. It is, however, harder for attackers to exploit.
When asked which of the two vulnerabilities is more dangerous, Gruss replied: “Today's problem is Meltdown. Next comes Spectre. This vulnerability is more difficult to exploit, but it is also more difficult to fix. As a result, in the long run I would bet on Spectre.”
Dear readers! What do you think will change in the world of information technology after the disclosure of the Meltdown and Spectre vulnerabilities?
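An added example, not code from the article or from the Graz team, that shows the software-side shape of the problem Gruss describes: the speculative execution explained in the section above, applied to a bounds check that a program's own code performs (the Spectre bounds-check-bypass pattern, the "tricking programs" of the previous paragraphs), next to the branch-free index masking used to defuse it, modelled on the generic array_index_mask_nospec() in the Linux kernel. The memory layout, the names array1/array2, the probe stride and the secret string are constructed for the demo and are assumptions; the transient_byte_* functions only model which byte the first load addresses on a mispredicted path, the example does not time the cache.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample memory (not from any real program): a 16-byte public
 * array the victim may index, immediately followed by a secret it must never
 * hand out. Out-of-bounds indexes into the public part land on the secret.
 */
#define PUBLIC_SIZE 16
static uint8_t array1[PUBLIC_SIZE + 16] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
    'S', 'e', 'c', 'r', 'e', 't', 'P', 'w', 'd', 0, 0, 0, 0, 0, 0, 0
};
static size_t array1_size = PUBLIC_SIZE;   /* runtime bound the check uses */

/*
 * Probe array: each possible byte value maps to its own cache line (512
 * bytes apart). Which line ends up cached encodes the byte that was loaded,
 * even when the load only ran on a mispredicted path.
 */
#define PROBE_STRIDE 512
static uint8_t array2[256 * PROBE_STRIDE];

/* Give every probe line a distinct value so the victims return something
 * checkable. Returns the number of lines initialised. */
int init_probe(void)
{
    for (int i = 0; i < 256; i++)
        array2[i * PROBE_STRIDE] = (uint8_t)i;
    return 256;
}

/*
 * Vulnerable gadget. The bounds check is architecturally correct, but while
 * the branch predictor guesses "in bounds" the CPU may run both loads with an
 * out-of-bounds x, pulling array2[secret_byte * 512] into the cache before
 * the misprediction is detected and the results are discarded.
 */
uint8_t victim_vulnerable(size_t x)
{
    if (x < array1_size)
        return array2[array1[x] * PROBE_STRIDE];
    return 0;
}

/*
 * Branch-free mask in the style of the Linux kernel's generic
 * array_index_mask_nospec(): all ones when index < size, zero otherwise.
 * Computed arithmetically, so it does not depend on a branch that
 * speculation could bypass.
 */
size_t index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    /* Keep the compiler from assuming index is in range (true after the
     * branch, false under speculation) and folding the mask away. */
    __asm__ __volatile__("" : "+r"(index));
#endif
    return (size_t)(~(intptr_t)(index | (size - 1 - index))
                    >> (sizeof(size_t) * 8 - 1));
}

size_t clamp_index_nospec(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Hardened gadget: even on the mispredicted path the load sees index 0. */
uint8_t victim_hardened(size_t x)
{
    if (x < array1_size) {
        x = clamp_index_nospec(x, array1_size);
        return array2[array1[x] * PROBE_STRIDE];
    }
    return 0;
}

/*
 * The byte the first load fetches on the transient (mispredicted) path, i.e.
 * the value that would be encoded into the cache. x must stay within the
 * backing storage of array1 for this model to be defined.
 */
uint8_t transient_byte_vulnerable(size_t x)
{
    return array1[x];
}

uint8_t transient_byte_hardened(size_t x)
{
    return array1[clamp_index_nospec(x, array1_size)];
}

int main(void)
{
    init_probe();
    size_t oob = PUBLIC_SIZE;   /* first secret byte, 'S' */
    printf("architectural result, both variants: %d %d\n",
           victim_vulnerable(oob), victim_hardened(oob));
    printf("byte addressed on the speculative path: vulnerable=%c hardened=%d\n",
           transient_byte_vulnerable(oob), transient_byte_hardened(oob));
    return 0;
}
```

Both victims return the same architectural result for every input; the difference exists only on the mispredicted path, which is what makes this class of bug hard to fix: there is no single kernel-side change comparable to KAISER's page-table split, and every such gadget has to be patched in the program that contains it.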
