
Bad news for people with intel chips.

Jast Registered User regular
edited August 2008 in Debate and/or Discourse
Infoworld article.

Researcher to demonstrate attack code for Intel chips

Kaspersky says CPU bugs are a growing threat, with malware being written that targets these vulnerabilities

By Sumner Lemon, IDG News Service

July 14, 2008
Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running.
Kaspersky will demonstrate how such an attack can be made in a presentation at the upcoming Hack In The Box (HITB) Security Conference in Kuala Lumpur, Malaysia, during October. The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.

"I'm going to show real working code...and make it publicly available," Kaspersky said, adding that CPU bugs are a growing threat and malware is being written that targets these vulnerabilities.

Different bugs will allow hackers to do different things on the attacked computers. "Some bugs just crash the system, some allow a hacker to gain full control on the kernel level. Some just help to attack Vista, disabling security protections," he said.

The demonstrated attack will be made against fully patched computers running a range of operating systems, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux and BSD, Kaspersky said, adding that the demonstration of an attack against a Mac is also a possibility.

Processors contain hundreds of millions of transistors and errata in these chips are relatively common. While some errata can affect a chip's ability to function properly -- such as the errata that last year forced Advanced Micro Devices to push back volume shipments of its quad-core Opteron processors -- many others exist unnoticed by users.

For example, the Silverthorne version of Intel's Atom processor, which lies at the heart of the Centrino Atom chip platform, contains 35 errata, according to a June specification update released by Intel.

"It's possible to fix most of the bugs, and Intel provides workarounds to the major BIOS vendors," Kaspersky said, referring to the code that controls the most basic functions of a PC. "However, not every vendor uses it and some bugs have no workarounds."

Ok, this doesn't sound too good. The guy does sound kind of crazy, and is going about making his point the wrong way (harr harr, instead of just telling Intel how to fix this I'm going to release this to the world so that hackers can take down thousands of computers a day!). Would it really be so hard to say, "Hey, I found this totally massive security flaw, fix it!"? It's almost akin to someone saying there's a flaw in a building's security and then blowing it up to prove it.

Jast on

Posts

  • Daedalus Registered User regular
    edited August 2008
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Daedalus on
  • kdrudy Registered User regular
    edited August 2008
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    And not only will they deny it exists, but they will probably sue you over it.

    kdrudy on
  • Daedalus Registered User regular
    edited August 2008
    kdrudy wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    And not only will they deny it exists, but they will probably sue you over it.

    Yeah. Sometimes a researcher will hold off on making the exploit public until a set time, to give people a chance to get patched, but invariably a bunch of retarded corporate entities don't fucking bother until the exploit is found in the wild. And sometimes the bad guys independently figure out the problem in the meantime. See also: the recent DNS vulnerability (which honestly was a good deal scarier).

    Daedalus on
  • BlackDragon480 Bluster Kerfuffle Master of Windy Import Registered User regular
    edited August 2008
    Hmm, glad I run AMD.

    BlackDragon480 on
    No matter where you go...there you are.
    ~ Buckaroo Banzai
  • ege02 __BANNED USERS regular
    edited August 2008
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    ege02 on
  • Daedalus Registered User regular
    edited August 2008
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Daedalus on
  • RoundBoy Registered User regular
    edited August 2008
    'Normal' researchers disclose the bug to the original party, and give them the chance to have a patch ready for when they release the exploit.

    They release because that gives an incentive for the company to do a patch, otherwise it may sit around for years...

    Wasn't there a patch for Intel and Windows? I remember something in the last year or so I downloaded to patch a bug or exploit in the CPU code..

    RoundBoy on
    Librarians harbor a terrible secret. Find it.
  • Daedalus Registered User regular
    edited August 2008
    RoundBoy wrote: »
    'Normal' researchers disclose the bug to the original party, and give them the chance to have a patch ready for when they release the exploit.

    They release because that gives an incentive for the company to do a patch, otherwise it may sit around for years...

    Wasn't there a patch for Intel and Windows? I remember something in the last year or so I downloaded to patch a bug or exploit in the CPU code..

    If you look at the article, Intel already knows about the problem and provides BIOS fixes. Some motherboard vendors aren't implementing them, leaving their customers at risk.

    Daedalus on
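On the question of whether the fix has to live in the BIOS or can come from the OS: on Linux the kernel can load a CPU microcode update itself and exposes the revision actually running on each logical CPU in /proc/cpuinfo. The script below is an added example, not code from the thread, the article or Intel; it parses that format, packs family/model/stepping into the CPUID signature that microcode update headers use, and flags cores that sit below an expected revision or disagree with each other. The sample cpuinfo text and the minimum revision table are constructed placeholders.

```python
"""Report loaded CPU microcode revisions from /proc/cpuinfo-style text.

Added example (not from the thread or Intel).  The expected revisions in
MINIMUM_REVISION and the sample text are constructed placeholders.
"""
import os
from collections import defaultdict

# Constructed sample: three logical CPUs of one Core 2 stepping; cpu2 still
# reports an older microcode revision than its siblings.  Revisions here are
# placeholders, not real Intel values.
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 23
stepping : 6
microcode : 0xa

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 23
stepping : 6
microcode : 0xa

processor : 2
vendor_id : GenuineIntel
cpu family : 6
model : 23
stepping : 6
microcode : 0x7
"""

# Assumed policy: lowest acceptable revision per CPUID signature (placeholder).
MINIMUM_REVISION = {0x10676: 0x0A}


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Pack displayed family/model/stepping into the CPUID leaf 1 EAX layout.

    stepping: bits 0-3, model: bits 4-7, family: bits 8-11,
    extended model: bits 16-19, extended family: bits 20-27.
    Family 6 and 15 carry the high model nibble in the extended model field.
    """
    fam_lo, fam_ext = (family, 0) if family < 0x0F else (0x0F, family - 0x0F)
    mod_lo, mod_ext = model & 0x0F, model >> 4
    return (fam_ext << 20) | (mod_ext << 16) | (fam_lo << 8) | (mod_lo << 4) | (stepping & 0x0F)


def parse_cpuinfo(text: str) -> list:
    """Split /proc/cpuinfo text into one {key: value} dict per logical CPU."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates CPU records
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def microcode_report(text: str, minimum_by_signature: dict) -> list:
    """Return human-readable findings: missing field, below-minimum revision,
    or cores of the same signature running different revisions."""
    findings = []
    revisions_by_sig = defaultdict(set)
    for cpu in parse_cpuinfo(text):
        cpu_id = cpu.get("processor", "?")
        if "microcode" not in cpu:
            findings.append(f"cpu{cpu_id}: kernel reports no microcode revision")
            continue
        sig = cpuid_signature(int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        rev = int(cpu["microcode"], 16)
        revisions_by_sig[sig].add(rev)
        need = minimum_by_signature.get(sig)
        if need is not None and rev < need:
            findings.append(f"cpu{cpu_id}: signature 0x{sig:05x} runs microcode 0x{rev:x}, expected >= 0x{need:x}")
    for sig, revs in revisions_by_sig.items():
        if len(revs) > 1:                # the update did not reach every core
            listed = ", ".join(hex(r) for r in sorted(revs))
            findings.append(f"signature 0x{sig:05x}: cores disagree on microcode revision ({listed})")
    return findings


if __name__ == "__main__":
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_CPUINFO
    for finding in microcode_report(text, MINIMUM_REVISION) or ["no findings"]:
        print(finding)
```

On a real host, compare the reported revision against the vendor's specification update for that signature; the constructed table above only shows the shape of that check.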
  • ege02 __BANNED USERS regular
    edited August 2008
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Certified under CNSS here.

    And you?

    ege02 on
  • RoundBoy Registered User regular
    edited August 2008
    Daedalus wrote: »
    RoundBoy wrote: »
    'Normal' researchers disclose the bug to the original party, and give them the chance to have a patch ready for when they release the exploit.

    They release because that gives an incentive for the company to do a patch, otherwise it may sit around for years...

    Wasn't there a patch for Intel and Windows? I remember something in the last year or so I downloaded to patch a bug or exploit in the CPU code..

    If you look at the article, Intel already knows about the problem and provides BIOS fixes. Some motherboard vendors aren't implementing them, leaving their customers at risk.

    My reply wasn't to this issue, but to the exploit / patch cycle in general.

    Like I said, does it have to be a BIOS fix, or something the OS can implement? And dammit, I can't find the patch I applied sometime last year, or even a reference to it.

    RoundBoy on
    Librarians harbor a terrible secret. Find it.
  • Dynagrip Break me a million hearts Houston Registered User, ClubPA regular
    edited August 2008
    ege02 wrote: »
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Certified under CNSS here.

    And you?

    haha, wrong person to do this with.

    Dynagrip on
  • Urian __BANNED USERS regular
    edited August 2008
    What are the cards affected, and where is the patch?

    Urian on
  • zeeny Registered User regular
    edited August 2008
    I'm more than confused here:
    Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running.

    and then
    The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.

    Is he talking about JIT Compilers? Because there is just no fucking way he's saying you can exploit it with bytecode and I'm unable to make a connection between those two statements.
    Count me VERY sceptical that:
    - the attack is possible remotely.
    - it's anything more than a way to cause a buffer overflow in JIT compilers that doesn't actually use a CPU "bug" (the claim it's Intel specific would make no sense in that case though).
    I will also be keeping an eye on it as the implications could be pretty big.

    zeeny on
  • Janin Registered User regular
    edited August 2008
    zeeny wrote: »
    I'm more than confused here:
    Security researcher and author Kris Kaspersky plans to demonstrate how an attacker can target flaws in Intel's microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of what operating system the computer is running.

    and then
    The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler.

    Is he talking about JIT Compilers? Because there is just no fucking way he's saying you can exploit it with bytecode and I'm unable to make a connection between those two statements.
    Count me VERY sceptical that:
    - the attack is possible remotely.
    - it's anything more than a way to cause a buffer overflow in JIT compilers that doesn't actually use a CPU "bug" (the claim it's Intel specific would make no sense in that case though).
    I will also be keeping an eye on it as the implications could be pretty big.

    From what I've heard, the researcher believes that with proper understanding of how the Javascript interpreter of a particular browser works, it's possible to construct bytecode that will execute machine code which exploits errors in the processor.

    I don't know how feasible an attack would be in real life, since it would require compromising almost the entire software stack. Furthermore, unless there's something big I'm missing here, this hole could be easily blocked by the browser and OS vendors.
    ege02 wrote: »
    Certified under CNSS here.

    And you?

    So you live in Government-land. In the real world, you tell a company about a bug in their software and they'll ignore it. Publicize that you've told them and they'll sue you. Publish the exploit and proof-of-concept and they'll downplay it as a feature. Maybe in a few months, if you're lucky, a patch will be snuck into a service pack.

    Janin on
  • Daedalus Registered User regular
    edited August 2008
    ege02 wrote: »
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Certified under CNSS here.

    And you?

    Civilian contractor with AFRL's IT research division, for now, but if you want to have an internet dickwaving contest you'll win by default since I can't talk about what I'm doing there.

    But luckily I don't have to, since it takes a cursory fucking glance at the news to support my point.

    Daedalus on
  • zeeny Registered User regular
    edited August 2008
    Janin wrote: »
    From what I've heard, the researcher believes that with proper understanding of how the Javascript interpreter of a particular browser works, it's possible to construct bytecode that will execute machine code which exploits errors in the processor.

    But that really shouldn't be possible. JVM implementations do not execute bytecode in the same way. Like, not at all.
    I'd agree that even if he can target a specific VM that would be bad enough, but I'm even more skeptical than before. Fully there with your assertion that even if this is possible, it should be trivial to block at least as far as remote exploits are concerned.

    zeeny on
  • Apothe0sis Have you ever questioned the nature of your reality? Registered User regular
    edited August 2008
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Certified under CNSS here.

    And you?

    Civilian contractor with AFRL's IT research division, for now, but if you want to have an internet dickwaving contest you'll win by default since I can't talk about what I'm doing there.

    But luckily I don't have to, since it takes a cursory fucking glance at the news to support my point.

    I like this thread.

    Apothe0sis on
  • Janin Registered User regular
    edited August 2008
    zeeny wrote: »
    Janin wrote: »
    From what I've heard, the researcher believes that with proper understanding of how the Javascript interpreter of a particular browser works, it's possible to construct bytecode that will execute machine code which exploits errors in the processor.

    But that really shouldn't be possible. JVM implementations do not execute bytecode in the same way. Like, not at all.
    I'd agree that even if he can target a specific VM that would be bad enough, but I'm even more skeptical than before. Fully there with your assertion that even if this is possible, it should be trivial to block at least as far as remote exploits are concerned.

    This is the currently accepted wisdom, yes. If he manages to successfully exploit processor errata it will be a true marvel.

    Also, the JVM runs Java, not Javascript.

    Janin on
  • Whiniest Man On Earth Registered User regular
    edited August 2008
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    ege02 wrote: »
    Daedalus wrote: »
    If it was anybody but Kaspersky, I'd immediately call bullshit. That said, I'm worried. Of course, the news article glosses over the fact that only some specific Intel chips are affected, etc. Still worrying, though.

    Oh, and as to your question: this is how things work in the computer security world. If you don't disclose a vulnerability when you find it, the corporation responsible (Intel, in this case) will just deny it exists, even after the bad guys independently find and exploit it. The only way to get a company to fix security flaws is to make them embarrassingly public. It's sad, but true.

    Umm, that's not how things work in the "computer security world." When you find a bug you're supposed to take it to the developer, not disclose it to the public. And they can't deny it, because if they do and then someone takes advantage of the flaw, they can be held liable for willful ignorance and the damages caused.

    You live in an interesting ideal world. What's the weather like?

    Certified under CNSS here.

    And you?

    Civilian contractor with AFRL's IT research division, for now, but if you want to have an internet dickwaving contest you'll win by default since I can't talk about what I'm doing there.

    But luckily I don't have to, since it takes a cursory fucking glance at the news to support my point.

    The winner and still champ-een!

    Also, I am really curious to see how this pans out.

    Whiniest Man On Earth on
  • ege02 __BANNED USERS regular
    edited August 2008
    Daedalus wrote: »
    ege02 wrote: »
    Certified under CNSS here.

    And you?

    Civilian contractor with AFRL's IT research division, for now, but if you want to have an internet dickwaving contest you'll win by default since I can't talk about what I'm doing there.

    That's fine. This is not a pissing contest.
    But luckily I don't have to, since it takes a cursory fucking glance at the news to support my point.

    What point is that, and why are you attempting to support it with a news article from 2002? Mate, the legal landscape of information security has changed a lot in the past six years. The Bush administration since 2001 has reviewed hundreds of new regulations in this field alone, and every month new class action lawsuits are filed against corporate executives who stay willfully ignorant of security flaws in their products and systems.

    Yeah, it's true that among information security researchers it is common practice to give presentations and talk about newly discovered security flaws for research purposes. But this is very different than what you are suggesting, which is making the information "embarrassingly" public - the specific wording you used - with the justification that it is the only way to get a company to fix it. It is not, and it is not only unprofessional but also illegal. I mean, vigilantism is cool and all that, but it is not very practical - legally speaking - in the information security field.

    Here is a more recent - although I admit not recent enough still - news article that explains the kind of phenomenon I'm talking about. Excerpt:
    "A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.

    Mind you, this is just for failing to protect other people's private information. Can you imagine a case where they refused to take the necessary steps to protect it? Let me give you a hint: bad, bad things.

    ege02 on
  • Daedalus Registered User regular
    edited August 2008
    I thought it was fairly clear in the article that Intel already had the information on these flaws and had released BIOS updates that some motherboard managers didn't bother to implement yet. Which, y'know, means that the relevant parties had information on the flaws and were failing to administer a fix. The people mentioned as being maybe liable in that article are the retail companies who had information stolen, not the software and hardware vendors (although if that was just the first article you grabbed, I understand).

    Speaking of which, the article I grabbed was the first one that happened to come up. If you want a recent example of what I'm talking about (thankfully without suing the guy who found the vulnerability; at least something's improving!), look at which DNS servers are still, right now, vulnerable to cache poisoning.
    And that little sideline-cheering thing was fucking creepy, guys. Cut it out.

    edit: and sorry if I seemed hostile at first; the whole "well, I've got a certificate" attitude in IT in general is something that's always rubbed me the wrong way, and I overreacted a bit.

    Daedalus on
  • Elki get busy Moderator, ClubPA Mod Emeritus
    edited August 2008
    Apothe0sis wrote: »
    I like this thread.

    It's quality.

    Elki on
  • Wonder_Hippie __BANNED USERS regular
    edited August 2008
    Quick question, what generations of Intel procs do these exploits affect? I literally just today (tax-free woo!) went with somebody to Microcenter to get them their computer components, and included was an Intel quad-core proc.

    Wonder_Hippie on
  • Janin Registered User regular
    edited August 2008
    Quick question, what generations of Intel procs do these exploits affect? I literally just today (tax-free woo!) went with somebody to Microcenter to get them their computer components, and included was an Intel quad-core proc.

    Not enough details given. The technique isn't specific to Intel either, it would theoretically affect all brands of processor, it's just that the researcher has chosen to single out Intel for some reason.

    Janin on
  • Wonder_Hippie __BANNED USERS regular
    edited August 2008
    Janin wrote: »
    Quick question, what generations of Intel procs do these exploits affect? I literally just today (tax-free woo!) went with somebody to Microcenter to get them their computer components, and included was an Intel quad-core proc.

    Not enough details given. The technique isn't specific to Intel either, it would theoretically affect all brands of processor, it's just that the researcher has chosen to single out Intel for some reason.

    Is the Intel/AMD dynamic the same as it was... err... 5 years ago or so? God, it's been so long since I seriously kept up with PC technology. I need to build a new machine and catch the hell up.

    Wonder_Hippie on
  • zeeny Registered User regular
    edited August 2008
    Janin wrote: »
    zeeny wrote: »
    Janin wrote: »
    From what I've heard, the researcher believes that with proper understanding of how the Javascript interpreter of a particular browser works, it's possible to construct bytecode that will execute machine code which exploits errors in the processor.

    But that really shouldn't be possible. JVM implementations do not execute bytecode in the same way. Like, not at all.
    I'd agree that even if he can target a specific VM that would be bad enough, but I'm even more skeptical than before. Fully there with your assertion that even if this is possible, it should be trivial to block at least as far as remote exploits are concerned.

    This is the currently accepted wisdom, yes. If he manages to successfully exploit processor errata it will be a true marvel.

    Also, the JVM runs Java, not Javascript.

    Well, technically, no. The JVM is pretty much a bytecode (read: assembly) interpreter and would run anything as long as the bytecode produced is valid. There are compilers for a lot of different languages.
    Your point is what I was getting to in my initial post. First in the article they mention Javascript and then they talk about VMs, which was genuinely perplexing. After your explanation on how it's supposed to work I thought they are going to construct bytecode on the fly, but still wasn't smarter as to why Javascript is the choice, as a server language would make much more sense.
    Is the Intel/AMD dynamic the same as it was... err... 5 years ago or so? God, it's been so long since I seriously kept up with PC technology. I need to build a new machine and catch the hell up.

    What are you asking? If the architectures are still similar enough that reading the manual of one gives you a good idea about the other? If that's it, the answer is no.
    If your question was about performance, AMD still have cleaning up to do in their multi-core CPUs.

    zeeny on