|
|
Subscribe / Log in / New account

"ZombieLoad": a new set of speculative-execution attacks

The curtain has finally been lifted on the latest set of speculative-execution vulnerabilities. This one has the delightful name of ZombieLoad; it is also known as "microarchitectural data sampling", but what's the fun in that? Various x86 processors stash data into hidden buffers that can, in some cases, be revealed via speculative execution. Exploits appear to be relatively hard. See this page from the kernel documentation for a fairly detailed description of the problem, and this page for mitigation information.

to post comments

"ZombieLoad": a new set of speculative-execution attacks

Posted May 14, 2019 18:40 UTC (Tue) by SMK (guest, #131799) [Link]

There is also a full academic paper available on the Fallout issue (which is ancillary to "ZombieLoad" aaugh i hate named vulnerabilities. And for those that are more ..visual...Red Hat has create a video explainer too.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 14, 2019 21:23 UTC (Tue) by flussence (guest, #85566) [Link] (15 responses)

Whew, it's a good thing we haven't normalised a security landscape of billions of people executing random code over the internet, from totally anonymous invisible 4th-parties hellbent on squeezing profit out of everything from our mouse movements to our DNA, while gaslighting users into believing software developers care about their privacy.

Sprinkle some more fairy dust on the JS sandbox (but not too much - gotta win those synthetic benchmarks), squeeze out another PR fluff piece trumpeting about how much We Careā„¢ More Than The Company Over The Road Who Pays Our Bills, and keep on laggin'!

We'll have forgotten all about it by the time next month's vulnerability rolls around and this dance of insanity can happen again and again. Forever.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 14, 2019 21:59 UTC (Tue) by pyellman (guest, #4997) [Link] (10 responses)

It really is more than a little unfair to use this revelation as another reason to go on an(other) anti-Javascript rant. Sure, Javascript is at this time a leading vector for how most people might be exposed to security threats, but Javascript also enables much or most of the useful stuff we take advantage of and benefit from on the internet.

I well understand that "real" programmers and software engineers are contemptuous of Javascript and those who use it to build software and websites, but I think there's more than a little bit of envy in there as well. Yes, Javascript has a chaotic, undisciplined ecosystem of add-in functionality, but that ecosystem is also both enormously useful and just plain enormous. Futhermore, Javascript has been a vehicle and driver for widespread popularization of some decent ideas about what a high level language should offer (even if Javascript didn't necessarily invent those ideas). Again, I sometimes detect a hint of envy from "real" programmers in this regard.

Finally, I find it particularly unreasonable that this particular security threat, which has been brought to us by arguably some of the most highly skilled "real" computing engineers on the planet, should be your excuse for going on a rant about Javascript.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:17 UTC (Wed) by weberm (guest, #131630) [Link] (1 responses)

Sadly, flussence's observations are correct no matter whether you include JS as the deployment vehicle or not. One can reduce the comment to a JS rant and ignore it on that basis, or try and understand the notion behind it and reflect on that.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:00 UTC (Wed) by pyellman (guest, #4997) [Link]

I understand the notion just fine. And I'm pretty sure the targeting of JS was reflexive and unnecessary; the distance between JS being perfect, and JS being replaceable, is about equal. Again, this vulnerability was brought to us by the "real" programmers.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:22 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (6 responses)

Js is certainly abused. Except some more interactive websites, 99% of the website should not run it.

Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:59 UTC (Wed) by eru (subscriber, #2753) [Link]

Also, the wide ecosistem is there because js lacks a standard library. It doesn't even have basic string functions.

That is not quite true, there are quite a lot of string functions in the built-ins, one could argue all the "BASIC":s are there :-). Even regexes. But there are also some strange omissions, like no built-in sprintf() equivalent.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 10:30 UTC (Wed) by roc (subscriber, #30627) [Link] (3 responses)

Thanks to JS and the Web platform, we have lots of powerful apps running on a platform whose design is not controlled by any single vendor, that has no gatekeepers, and can be implemented completely in free software.

Curse it if you like, but if it goes away you'd better enjoy whichever vendor-controlled walled garden you end up in.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 13:11 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (2 responses)

We have basically only 2 web rendering engines and js engines, and firefox is probably going away.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 19:21 UTC (Wed) by samth (guest, #1290) [Link]

There are definitely 3 of each: Blink/v8, WebKit/JSC, and Gecko/SpiderMonkey. Even if you think Blink and WebKit are "the same" (which is wrong) JSC and v8 have no common heritage.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 22:39 UTC (Wed) by roc (subscriber, #30627) [Link]

There are 3 of each. Firefox need not go away; it's competitive enough that people are switching to it from Chrome, though the situation is still very challenging. Defeatist attitudes definitely won't help.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:08 UTC (Wed) by pyellman (guest, #4997) [Link]

I can heartily agree that JS is abused and misused. So is just about everything else on the internet. Anger at JS because it is one of the tools being used to track you, slog your machine with ads, etc. is, in my opinion, misdirected.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 14:25 UTC (Wed) by nix (subscriber, #2304) [Link]

Quite. In particular, that JS can now be used to spy on things happening at the same instant using code with no branches or conditionals whatsoever is not an indictment of JS: more or less *any* language can probably do the same thing, even though JS in particular was explicitly designed to be sandboxed, and unlike (say) Java, there haven't been any significant holes in that sandbox that aren't attributable to outright hardware faults.

The problem isn't the language: the problem is the hardware. Whining about the language will not fix the ever-worsening flood of hardware vulns.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 15:20 UTC (Wed) by dvdeug (guest, #10998) [Link]

Blame the Arpanet, where passwords (FTP and Telnet) flew around unencrypted (and everyone on the Arpanet knew how to exploit that) and if the hacker wasn't patient enough for packet snooping, Finger provided a convenient backdoor to every system. Pre-Java and JavaScript, there was none of this executing random code over the Internet; you just downloaded the random code over the Internet (or, for many people, from the BBS).

Maybe the Internet could be better, but if billions of people are on the Internet, billions of people are going to be executing random code, either directly or by downloading it. Directly would be worse; maybe a world where the only way to run code on your computer for most people was download it from the **** Store might be safer, but not more free.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 21:50 UTC (Wed) by excors (subscriber, #95769) [Link] (2 responses)

There isn't a clear distinction between "executing random code" and "processing random data". Processing data downloaded from unknown untrusted sources is kind of the fundamental purpose of the internet, as a system of end-to-end communication with no central authority, and I assume you're not trying to argue against the existence of the whole internet. Data formats usually get more sophisticated over time, as people add useful features, and sufficiently sophisticated data is indistinguishable from code. (PDF documents (and, even worse, PostScript) are obviously code masquerading as data files, but e.g. OpenType fonts and SVG filters and PowerPoint animations are also Turing-complete languages.)

So you're always going to end up dealing with the security implications of essentially executing untrusted code, and it seems better to be honest about it and do it in a real programming language (like JS) rather than pretending it's just data and must be inherently safe.

In the context of Spectre, there's also the NetSpectre attack, which explains how you can attack a remote target by sending not-even-vaguely-code-like data to the target system. You just send some requests that trigger a speculative array read based on secret data, which leaks into the cache state, then measure the cache state via the latency of network responses. The only way to truly solve that problem (without disabling speculation) is to disconnect from the internet entirely. Limiting the expressivity of data won't help.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 21, 2019 16:24 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

In the context of Spectre, there's also the NetSpectre attack, which explains how you can attack a remote target by sending not-even-vaguely-code-like data to the target system. You just send some requests that trigger a speculative array read based on secret data, which leaks into the cache state, then measure the cache state via the latency of network responses. The only way to truly solve that problem (without disabling speculation) is to disconnect from the internet entirely. Limiting the expressivity of data won't help.
You can also solve it by measuring the average latency of responses, then adding artificial latency and jitter that are much larger than the observed value. However, non-attackers aren't likely to be very happy with this, and non-attackers are indistinguishable from attackers :(

"ZombieLoad": a new set of speculative-execution attacks

Posted May 21, 2019 18:37 UTC (Tue) by excors (subscriber, #95769) [Link]

An attacker can always measure the latency of more responses and average out the jitter. So you're still not truly solving the problem, you're just making the attacks much slower.

I accept that making attacks much slower can still be worthwhile in practice; security doesn't require perfect solutions. You can try to calculate how many requests the attacker would have to make to average out the level of jitter you're adding and extract one bit of secret data, and decide how many bits the attacker needs to extract for a meaningful attack, and how many requests per second they can do, etc. If the cost to the attacker is greater than the value they would get from attacking you, with a safety margin of a few orders of magnitude, then you've probably done enough. But that's a complicated decision process and involves a lot of estimating and you'll probably get the numbers very wrong, so it's nowhere near as good as properly fixing the vulnerability so that you don't even need to think about it.

The annoying thing about Spectre is that it revealed a whole class of extremely complicated things you need to think about. Every patch in the kernel or microcode or hardware to mitigate the problem is just making the situation even more complicated to think about, and it will only stop when it's so immensely complicated that researchers give up trying to find new speculative-execution attacks and pick on easier targets.

"ZombieLoad": a new set of speculative-execution attacks

Posted May 14, 2019 23:08 UTC (Tue) by jcm (subscriber, #18262) [Link]

The papers are summarized in RIDL/ZombieLoad (fill buffer attack), and Fallout (Store Buffer). The researchers published their papers at http://mdsattacks.com and http://cpu.fail.

I wrote a blog that includes some detail about the uarch behavior for those interested, here: https://www.redhat.com/en/blog/understanding-mds-vulnerab...

"ZombieLoad": a new set of speculative-execution attacks

Posted May 15, 2019 9:05 UTC (Wed) by voxadam (guest, #50716) [Link]

Intel has also posted Deep Dive: Intel Analysis of Microarchitectural Data Sampling.


Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds