Nobody ever got fired for going with Intel/AMD/ARM (ha). - (Meltdown / Spectre) - update now including Foreshadow (SGX / Skylake and later processors only)





Some workloads just took a hit on many Intel processors made in the last 10 years.

- stop the presses - looks like Intel might patch 90% of the processors less than 5 years old:
Guess that would not be most folks anyway.
https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/

https://www.thomas-krenn.com/en/wiki/Safety_instructions_for_Meltdown_and_Spectre
https://git.kernel.org/pub/scm/linux/kernel/git/daveh/x86-kaiser.git/tree/Documentation/x86/kaiser.txt?h=kaiser-dynamic-414rc6-20171101
https://www.phoronix.com/scan.php?page=news_item&px=x86-PTI-EPYC-Linux-4.15-Test
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://www.qemu.org/2018/01/04/spectre/
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

TLDR: Looks like kernel memory can probably be read by user space without a patch in kernel code.
Problem is, you pay a penalty for the patch in performance for some workloads.
Meltdown - side channel timing attack to learn kernel memory space secrets.
Spectre - abuses speculative (out-of-order) execution, which the CPU uses to work around slow memory fetches; malicious code uses the timing differences between sequential and out-of-order execution to read memory belonging to a victim process.

Forcefully Unmap Complete Kernel With Interrupt Trampolines
i.e. FUCKWIT

Might want to enable some protection in your browsers:
Chrome:
chrome://flags/#enable-site-per-process
http://www.chromium.org/Home/chromium-security/site-isolation
https://www.chromium.org/Home/chromium-security/ssca
Firefox:
about:config?filter=privacy.firstparty.isolate

Light reading before you consider any of this below this line:
https://technet.microsoft.com/en-us/library/bb694007.aspx
Here is some code to check for the Windows reg key - Windows won't install the update without the new reg key:
import sys
import winreg  # Python 3 name of the Python 2 _winreg module

# replace None with r'\\computer-name' to read a remote machine's registry...
rem_reg = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)
try:
    # use winreg.KEY_WOW64_32KEY instead of winreg.KEY_WOW64_64KEY on 32 bit systems...
    akey = winreg.OpenKey(rem_reg,
                          r'SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat',
                          0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
except OSError:
    print("Key not found or is WIN32")
    sys.exit(128)

# QueryInfoKey returns (subkeys, values, last_modified); index 1 is the value count
for i in range(winreg.QueryInfoKey(akey)[1]):
    name, value, value_type = winreg.EnumValue(akey, i)
    print(i, name, value, value_type)
winreg.CloseKey(akey)

Here is the same above as an exe:
Checker for 64 bit Windows -
Reg key to add if not added by your non-existent antivirus software :-)
Now we have Foreshadow (2015 and later Intel processors only, those with the SGX extension)
8/15/2018 - If your processor has the SGX extension, there is a new (timing, sort of) attack against that bolted-on but not well thought out CPU "feature".
Details here https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
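For the Linux boxes, here is a quick defender-side check of what the patched kernel says about Meltdown, Spectre and Foreshadow (the kernel calls Foreshadow "l1tf"). This is an added example, not code from this page: it assumes the /sys/devices/system/cpu/vulnerabilities files that kernels 4.15+ (meltdown, spectre_v1/v2) and 4.18+ (l1tf) expose, and falls back to a constructed sample when run somewhere without them.

```python
import os

# sysfs files the Linux kernel exposes for the issues this page covers
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2", "l1tf")

def classify(status):
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def summarize(status_by_issue):
    """Return {issue: (raw status, classification)}. L1TF is downgraded to
    'vulnerable' when the kernel appends its note that SMT is still enabled,
    since sibling hyperthreads keep sharing the L1 cache."""
    out = {}
    for issue in ISSUES:
        raw = status_by_issue.get(issue, "")
        cls = classify(raw) if raw else "unknown"
        if issue == "l1tf" and "SMT vulnerable" in raw:
            cls = "vulnerable"
        out[issue] = (raw.strip(), cls)
    return out

def read_sysfs(vuln_dir=VULN_DIR):
    """Read the real files when running on a Linux box with a patched kernel."""
    found = {}
    for issue in ISSUES:
        path = os.path.join(vuln_dir, issue)
        if os.path.isfile(path):
            with open(path) as f:
                found[issue] = f.read()
    return found

# Constructed sample (not captured from a real host) of a mitigated Intel box
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    for issue, (raw, cls) in summarize(live or SAMPLE).items():
        print(f"{issue:10s} {cls:10s} {raw}")
```

Anything reported as "vulnerable" or "unknown" is where the microcode or kernel update (or disabling SMT for L1TF) still has to be weighed against the performance hit described above.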
