SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

Nod

Source: https://www.theregister.co.uk/2019/03/05/spoiler_intel_flaw/
Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to leak secrets and other data from running applications.

This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in users, to extract data: in other words, an attacker would require some kind of foothold in your machine to proceed. The vulnerability, it appears, cannot be easily fixed or mitigated without significant redesign work at the silicon level.
The researchers – Saad Islam, Ahmad Moghimi, Ida Bruhns, Moritz Krebbel, Berk Gulmezoglu, Thomas Eisenbarth and Berk Sunar – have found that "a weakness in the address speculation of Intel’s proprietary implementation of the memory subsystem" reveals memory layout data, making other attacks like Rowhammer much easier to carry out.

The researchers also examined ARM and AMD processor cores, but found they did not exhibit similar behavior.

"We have discovered a novel microarchitectural leakage which reveals critical information about physical page mappings to user space processes," the researchers explain.
SPOILER, the researchers say, will make existing Rowhammer and cache attacks easier, and make JavaScript-enabled attacks more feasible – instead of taking weeks, Rowhammer could take just seconds. Moghimi said the paper describes a JavaScript-based cache prime+probe technique that can be triggered with a click to leak private data and cryptographic keys not protected from cache timing attacks.

Mitigations may prove hard to come by. "There is no software mitigation that can completely erase this problem," the researchers say. Chip architecture fixes may work, they add, but at the cost of performance.
 
When I wrote that in future I would only buy Intel CPUs which are Spectre and Meltdown free, people started to argue.
 