
As reported yesterday, the Linux and Windows kernels will receive a security update pretty soon to close vulnerabilities that concern 'kernel memory leaking'.

What exactly the design flaw is, which was probably identified at the end of 2017, is unknown to the general public. There is some speculation though.

Quote from the linked article:

Modern processors, like Intel's, perform speculative execution. In order to keep their internal pipelines primed with instructions to obey, the CPU cores try their best to guess what code is going to be run next, fetch it, and execute it.

It appears, from what AMD software engineer Tom Lendacky was suggesting above, that Intel's CPUs speculatively execute code potentially without performing security checks. It seems it may be possible to craft software in such a way that the processor starts executing an instruction that would normally be blocked – such as reading kernel memory from user mode – and completes that instruction before the privilege level check occurs.

That would allow ring-3-level user code to read ring-0-level kernel data. And that is not good.

The article also mentions a paper published in mid-2017 that describes a method to defeat KASLR.

I personally have not yet come across an attack that makes use of this method or any method that exploits the vulnerabilities that are now being fixed. Are there any?


Update:

As mentioned in the comments by Alexander, these vulnerabilities have now been given the names Meltdown and Spectre.

Meltdown, in short, is a "novel software-based side-channel attack exploiting out-of-order execution on modern processors to read arbitrary kernel- and physical-memory locations from an unprivileged user space program". The linked paper as well as this post by Jann Horn of Google Project Zero are the go-to resources regarding this vulnerability.

"Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary." Again, the linked paper and the aforementioned GPZ post seem to be the go-to resources.

Both papers present working attacks that exploit the vulnerabilities. My understanding so far is that an attack against Spectre seems to be more impactful and more "portable", if you will, than an attack against Meltdown (open for discussion).
This is why I want to shift this question towards Spectre and specify it in the following way:

Are there any known attacks - apart from the ones we saw in the Spectre paper or in other PoCs - that exploit the vulnerability known as Spectre?

Tom K.
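After the kernel updates the question mentions, the practitioner's check is whether the running Linux kernel reports the issues as mitigated. Kernels that carry the fixes expose one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2). The script below is an added example, not code from the question, the comments or the linked papers; it assumes that sysfs interface and falls back to a constructed sample when it is absent.

```python
import os

# Kernels carrying the fixes expose one file per issue under this directory.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample (not read from any real machine), modelled on the
# status strings the kernel prints, so the report also runs offline.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status):
    """Map a sysfs status string to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: ..." on kernels that cannot tell


def read_sysfs(path=SYSFS_DIR):
    """Return {issue: status} from sysfs, or None if this kernel does not expose it."""
    if not os.path.isdir(path):
        return None
    entries = {}
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as f:
                entries[name] = f.read().strip()
        except OSError:
            entries[name] = "Unknown: unreadable"
    return entries


def report(entries):
    """Return (per-issue classification, sorted list of issues needing attention)."""
    summary = {name: classify(status) for name, status in entries.items()}
    todo = sorted(n for n, c in summary.items() if c in ("vulnerable", "unknown"))
    return summary, todo


if __name__ == "__main__":
    data = read_sysfs() or SAMPLE
    summary, todo = report(data)
    for name in data:
        print(f"{name:12} {summary[name]:13} {data[name]}")
    print("needs attention:", ", ".join(todo) or "none")
```

Anything reported as vulnerable or unknown after the update means the mitigation is not active on that host (for example a kernel built without a retpoline-capable compiler), which is what the patch should have closed.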
  • Known attacks have not been made public, and details are still vague. From the very article you linked to: "Details of the vulnerability within Intel's silicon are under wraps: an embargo on the specifics is due to lift early this month". If anyone in this community is privy to the details, you can assume they will stick to responsible disclosure policies. – Marc Jan 03 '18 at 15:52
  • 1. There might be some information already out in the open that you and I missed. 2. This question was asked today, but will be here tomorrow. I don't know when the 'embargo' will be lifted (or when 'early this month' is, for that matter). Maybe someone might be able to give some more insight when this is due. – Tom K. Jan 03 '18 at 15:59
  • Just today, and at least publicly, this CPU bug has been reproduced with a PoC: https://twitter.com/brainsmoke/status/948561799875502080 so I'm not sure it's already being used in any known attack. Here https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/ you can find more technical details about the speculative exec from an offensive perspective. – Soufiane Tahiri Jan 03 '18 at 16:00
  • @Marc This is what I was talking about under 1. ;) – Tom K. Jan 03 '18 at 16:04
  • https://github.com/HarsaroopDhillon/SpectreExploit what about this? – Sander Visser Jan 05 '18 at 02:35
  • Here is a published C tool exploiting Intel enclaves using the Spectre vulnerability: https://github.com/lsds/spectre-attack-sgx This is a proof of concept. – Yokai Jan 12 '18 at 11:41

1 Answer


From the reports I have seen, there are no publicly known attacks (other than the proof-of-concept demos) using these methods. That being said, there is no real way to know for sure that someone didn't find these problems and was very careful about leaving traces in their attacks. I'm sure various governments would have kept quiet about these methods and used them to enhance their own cyber capabilities. Moving forward, I am sure there will be lots of people trying to exploit these methods against vulnerable systems.

ScarySpider