Howdy! You must login or signup first!

Meltdown and Spectre

Added 6 years ago / Updated 4 years ago
Meltdown-spectre-kernel-vulnerability

Submission   8,631

GEEK of Januar FST (Floating Point Store--taking deta out of the FPU and putting it into memorv) with numeric and null segment exceptions may cause General but onlyv observed by Intel so f AE2 Code Segment imit violation when the CPU checks to see if the instruction pointer for the currently running program is valid) may occur on 4-Cbyte limit check when the code stream wraps around in such a way that one instruction ends at the last byte of a 4-Gbyte limit, and the next instruction AES POPF and POPFD (pop flags and pop flags double, which restores the internal FLAGS register from the memory stack) instructions that set the Trap Flag (TF) bits in the EFLAGS register (causing the processor to enter but requires REP MOVS (RepestMove a string from one memory location to another) operation in fast string mode continues in that mode when crossing into a Show Stopper, but only Memory aliasing (using common memory Page Table Entries) with g the page has been used) and D Show-Stopper, but only Dirty--meaning the page has been updated) bits may cause processor deadlock (such as saying "D"rty without saying it's been "A"cc essed, which will only occur with an errant operating system or a hardere f비ure, URオ(Virtual Mode) bit"ill be cleared on Double Feult Handler. Following Handler thatwas inti ated while the pr was in virtual-8086 (M6) mode, the VM bit will be incorrectly cleared in AL7 Page with PAT Page Attribute Table) set to uswc (Unc acreable, Speculative mite Combine) while associated MTTR (Memory Type Range Register) is UC t an application DSAVE ater FNINIT without an intervening FP ioating poin) instruction may save uninitialized values for FOP (x87 FPU Instruction Operand at) Pointer Offsety and FDS (x87 FPU Instruction Operand (Data) Pointer progr ammer should catch it Under certain conditions, LTR (Load Task Register) instruction may result in a system hang. The conditions are: 1) Irnalid data selector of the TR (Task Register) resulting in a #GP or gNP fai 2) COT (Global Descriptor Table is not 8-bytes aligned 3) Data BP (breakpoinnt is set on cache line Show-Stopper, but only this deserves this one The OS would catch this, and Intel makes it very dear th at le Register (PDPTR) mayreserved bits are to be set to cause General Protection (#GP) exception if the reserved bits are set to one their specified values REP MOVS operation in fast string mode continues in that mode when FP inexact-result exception FLAG oit S of the Status Word) may not be set if the InexactResut occurs in any FPU instruction with one of these instructions occurring immediately after: FSTP m32164, FSTP mBo, FETP m16132, FISTP m64. Note: iract precision occurs when the Fr loating Point Un㈦ s unable to fully represent the resuit ln·finite manner, such a /3 Since there are a ne oumber of bits in the FRUrone of 33 55 80--depending on the FP's urrenr precision model, nor aW nmbers can be represented ezacty is erceptron is nomaly masked which means it doesmT signar the operaning system thar an ieract precision has occurred This is masked because most every instruction canmot be represented ex act precision is requir ed, the the handler has no idea why it which is Interrupt 16. Intel's f rounding is usualy tolerable for Show-Stopper, but only IFUJBSU deadlock may cause system hang d only affect an app lication being rkaround is awailable, but the INIT does not clear global entries in the TLB of this errata and code for Show-Stopper, but only Use of memory aliasing with inconsistent memory type may cause system hang Machint check exception may occur when interleaving code between returningfrom C3/C4 state and Processor Digital Thermal Sensor (DTS) Readout stops updating upon returning from C3fC4 state Only affects Cor e Duo, and the Data Prefetch Event Monitor ON) Events can only be enabled on a single cooperative, share d CPU LOCK asserted during a special cycle shutdown transaction may could potentialy leave the other from launc hing viruses. Since Disable Txecution-Disable" bit 0A32 MISC ENABLS1340 is shared Last Branch Records (LDR) updates may be incorrect after a task switch. ore: When a rask switch occuws witita CP Sch as runhing ovo or more being debugged or intercepted programs at the same time, formation related to bhe task are stored by in some way, and would greatly the processor. b"thts case, where it came Tam, maybe assigned to whe confuse the programmer for a t an application Address reported bV Machine-Check Architecture(MCA) on single-bit L2 ECC errors may be in ·rapping such errors Intel's Only affects ap plications being Disabling of single-step On Branch Operation may be delayed following POPFD (Pop FLAGS Double) instruction. sig nif ic antly. Pe rf or m ance Performance monitoring counters that count external bus evennts may report incorrect values ter processor power state transitions. Should not affect VERWIVERRILSLILAR instructions may unexpected update the Last Exception Record LER) MSR CPUMe I originally had this text 5hould not affect anyth ing i on data segment limit violation above 4 Gigabyte limit. Note: This cannot 32-Dir CPU which tels u Since then, Stephane Hockenhull pointed out my ero t is updated as follows: ℃eneral Protection fault may not be signaled on data segment limit violation above 4 Gigabyte limit when operating in a flat 32 bit model, with a base of 0 and & limit of 4 Gigabytes. This neans to or more bytes begin at an address close to 4 Gigabytes, and then would extend beyond the 4CB limit for the last byte Performance Monitoring Events for retired floating point operations (Cih DR3 address match on MOVDMOVQMONTQ memory store instruction Only affects ap plications being may incorrectty increment performance monitor count for saturating instructions exxecuted (Event Bih) t sounds to me we Aotel needs to r debugged or trapped. Should the Core Duo is designed to be Global Pages in the Data Translation Look-Aside Buffer DLB) may not be flushed by RSM instruction before restoring the architectural state from ning to nor mal mode, will Data Breakpoint/Single Step on MOV55 or POP 5S (update the Stack Segment/Selector) may be lost after entry into SMM. Note: is unc ommon for any sofbeare to ure ohese imstroctions outside of task swotch or debugging operations for this reason, debugging is UFaOY disabied or one instruction immediately following MOV SS or POP SS This observable ina single-step debugger by erecuting those instructions. The instruction émmediately after be executed before trapped back to the debogge Only affects applications bei Should not affect service handlersr fprecedence, such CS lirnit violation on RSM may be served before higher priority that interrupt A of high priority is known not to be an issue priority is triggered. It could Hardware Prefetch Performance Monitoring Events may be counted Pending x8 FPU Exceptions (MF) following STI may be served before See AE32 Note: This chart wil be updated from time to time based on Intels scheduled updates, which are lan 16 , Feb 15,Mar 15, Apr 19,May 17, Jun 14,:M19,Aug 16, Sep 13,Oct 18, Nov 15,Dec 13. ⓜGEEKcm
From Date Subject Re: Avoid speculative indirect calls in kernel Linus Torvalds <> Wed, 3 Jan 2018 15:51:35-0800 On Wed, Jan 3, 2018 at 3:09 PM, Andi Kleen <andi@firstfloor.org wrote: > This is a fix for Variant 2 in ading-pr ed-memor ide > Any speculative indirect calls in the kernel can be tricked to execute any kernel code, which may allow side channel » attacks that can leak arbitrary kernel data Why is this all done without any configuration options? A *competent* CPU engineer would fix this by making sure speculation doesn't happen across protection domains. Maybe even a L1 I$ that is keyed by CPL. I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed .. and that really means that all these mitigation patches should be written with "not all CPU's are crap" in mind Or is Intel basically saying "we are committed to selling you s--- forever and ever, and never fixing anything"? Because if that's the case, maybe we should start looking towards the ARM64 people more Please talk to management. Because I really see exactly two possibibilities: Intel never intends to fix anything OR - these workarounds should have a way to disable them. Which of the two is it? Linus Last update: 2018-01-04 00:53 [W:0.021 /U:1.412 seconds] ©2003-2017 Jasper Spaans. hosted at Digital Ocean idvertise on this site
MELTDOWN SPECTRE Architecture Intel Intel, ARM, AMD Entry Must have code execution on the system Must have code execution on the system Intel Privilege Escalation + Speculative Execution Branch prediction + Speculative Execution Method Impact Read kernel memory from user space Read contents of memory from other users' running programs Software patching more nuanced) Action Software patching Daniel Miessler 2018
Anonymous 01/03/18(Wed)20:34:33 No.64127406▶>>64127456 64128023 64128103 64128335 64130566 264130804 264131061 Intel f----- up with security Security patch was released Security patch massively downgrades performance Security patch affects all syscalls nGreddia GPUs heavily rely on syscalls because they don't have their own integrated pipeline to do this, while Radeon has it since GCN 1.1 and up Basically all noVideo GayPoos will have performance downgrade alongside with Intel CPUs if theyll be combo'ed on patched systems There will be no performance downgrade only if GayForce will be paired with Zen CPUs Performance downgrade is anywhere from 30% to 61%. Yes. Really Intel just now cancelled future gen of CPUs Brian Krzhanich sold a lot of stock and ran away before Intel's shares started falling hard
ihte inside® tradin
View All 6 Images

Navigation
AboutHistoryOnline ReactionSearch InterestExternal ReferencesRecent ImagesRecent Videos

About

Meltdown and Spectre are security vulnerabilities in 64-bit Intel central processing units (CPUs) which grant access to privileged system memory to unauthorized processes and allows cyber attacks to trick error-free programs into leaking sensitive data.

History

On January 2nd, The Register[3] published an article about a "kernel-memory-leaking Intel processor design flaw," which would require a patch that could slow down processors by up to 30%. On January 3rd, 2018, the Project Zero[2] team at Google announced the discovery of the Meltdown and Spectre exploits targeting processors created by Intel, AMD and ARM, which use "CPU data cache timing" to "leak information out of mis-speculated execution."

Online Reaction

That day, the website MeldownAttack[1] was created, providing information on the Meltdown and Spectre processor exploits. Meanwhile, YouTuber Moritz Lipp uploaded footage of Meltdown exploit "dumping memory" (shown below). That day, the video gathered upwards of 117,000 views.

Meanwhile, Redditlor digital_desert uploaded submitted an animation of Meltdown "stealing passwords" to /r/netsec[4] (shown below).

On January 4th, Redditor 2evil submitted a post accusing the Intel CEO of selling $24 million shares in the company prior to the announcement of the design flaw, along with a photoshopped Intel logo with the slogan "insider trading" (shown below). Within 11 hours, the post gained over 67,000 points (86% upvoted) and 2,700 comments on /r/funny.[5]

ihte inside® tradin

Search Interest

External References

[1] Meltdownattack.com – Meltdown Attack

[2] Google Project Zero Blogspot – Reading privileged memory with a side-channel

[3] The Register – Kernel-memory-leaking Intel processor design flaw forces Linux

[4] Reddit – Stealing passwords via Meltdown vulnerability in real-time

[5] Reddit – Intel CEO sold 24m of his shares

Share Pin

Recent Images 6 total

View All Images

Recent Videos 2 total

View All Videos

Load 20 Comments
1
Meltdown and Spectre

Meltdown and Spectre

Updated Jun 11, 2020 at 09:31PM EDT by 3kole5.

Added Jan 04, 2018 at 04:48PM EST by Don.

PROTIP: Press 'i' to view the image gallery, 'v' to view the video gallery, or 'r' to view a random entry.

This submission is currently being researched & evaluated!

You can help confirm this entry by contributing facts, media, and other evidence of notability and mutation.

About

Meltdown and Spectre are security vulnerabilities in 64-bit Intel central processing units (CPUs) which grant access to privileged system memory to unauthorized processes and allows cyber attacks to trick error-free programs into leaking sensitive data.

History

On January 2nd, The Register[3] published an article about a "kernel-memory-leaking Intel processor design flaw," which would require a patch that could slow down processors by up to 30%. On January 3rd, 2018, the Project Zero[2] team at Google announced the discovery of the Meltdown and Spectre exploits targeting processors created by Intel, AMD and ARM, which use "CPU data cache timing" to "leak information out of mis-speculated execution."

Online Reaction

That day, the website MeldownAttack[1] was created, providing information on the Meltdown and Spectre processor exploits. Meanwhile, YouTuber Moritz Lipp uploaded footage of Meltdown exploit "dumping memory" (shown below). That day, the video gathered upwards of 117,000 views.



Meanwhile, Redditlor digital_desert uploaded submitted an animation of Meltdown "stealing passwords" to /r/netsec[4] (shown below).



On January 4th, Redditor 2evil submitted a post accusing the Intel CEO of selling $24 million shares in the company prior to the announcement of the design flaw, along with a photoshopped Intel logo with the slogan "insider trading" (shown below). Within 11 hours, the post gained over 67,000 points (86% upvoted) and 2,700 comments on /r/funny.[5]


ihte inside® tradin

Search Interest

External References

[1] Meltdownattack.com – Meltdown Attack

[2] Google Project Zero Blogspot – Reading privileged memory with a side-channel

[3] The Register – Kernel-memory-leaking Intel processor design flaw forces Linux

[4] Reddit – Stealing passwords via Meltdown vulnerability in real-time

[5] Reddit – Intel CEO sold 24m of his shares

Recent Videos 2 total

   

Recent Images 6 total

   

Top Comments

HorseKick
Delete
Sensitive
HorseKick

in reply to Shadez12

It's when you buy or sell stock (or other securities) of a public traded company when you are in possession of information that is not available to the public.

In this case, it is claimed that Intel's CEO knew about the problem and sold $24 Millions of his stock months before the issue was exposed.

This is usually illegal because it's pretty much a scam: "Hey I'm selling you this because I know, and no one else knows, it is fucked. Enjoy!".

+31
Reply
Jagger Huff
Delete
Sensitive
Jagger Huff

in reply to Shadez12

Buying/selling stocks with knowledge that’s not available to the general public, ie selling stock in your company knowing they are about to announce a massive security flaw that will likely lead to a massive drop in stock value. It’s illegal.

+13
Reply

+ Add a Comment

Comments (20)


Display Comments

Add a Comment


Suggest a Change   Edit History