ZombieLoad: Cross Privilege-Boundary Data Leakage on Intel CPUs

Discussion in 'Intel x86 CPUs and chipsets' started by RnR, May 15, 2019.

  1. RnR

    RnR Member

    Joined:
    Oct 9, 2002
    Messages:
    12,651
    Location:
    Brisbane
    Another vulnerability has been found:

    https://zombieloadattack.com/

    Summary from https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html
    • By exploiting the CPU’s so-called bypass logic on return values of loads, it is possible to leak data across processes, privilege boundaries, Hyperthreads, as well as values that are loaded inside Intel SGX enclaves, and between VMs.
    • Code utilizing this exploit works on Windows, Linux, etc., as this is not a software- but a hardware issue.
    • It is possible to retrieve content that is currently being used by a Hyperthread sibling.
    • Even without Hyperthreading, it is possible to leak data out of other protection domains. During experimentation it turned out that ZombieLoad leaks endure serializing instructions. Such leaks do, however, work with lower probability and are harder to obtain.
    • It is an implementation detail what kind of data is processed after a faulty read.
    • Using Spectre v1 gadgets, potentially any value in memory can be leaked.
    • Affected software:
      • So far all versions of all operating systems (Microsoft Windows, Linux, MacOS, BSDs, …)
      • All hypervisors (VMWare, Microsoft HyperV, KVM, Xen, Virtualbox, …)
      • All container solutions (Docker, LXC, OpenVZ, …)
      • Code that uses secure SGX enclaves in order to protect critical data.
    • Affected CPUs:
      • Intel Core and Xeon CPUs
      • CPUs with Meltdown/L1TF mitigations are affected by fewer variants of this attack.
      • We were unable to reproduce this behavior on non-Intel CPUs and consider it likely that this is an implementation issue affecting only Intel CPUs.
    • Sole operating system/hypervisor software patches do not suffice for complete mitigation:
      • Similar to the L1TF exploit, effective mitigations require switching off SMT (Simultaneous MultiThreading, aka Hyperthreads) or making sure that trusted and untrusted code do not share physical cores.
    Discussion at https://news.ycombinator.com/item?id=19911341
     
    Last edited: May 15, 2019
    dave_dave_dave and Agg like this.
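
Added example, not part of the original thread or the quoted summary: the summary's last point (patches alone are not enough, SMT must be off or cores must not be shared with untrusted code) can be checked on a Linux host from the kernel's MDS status file. The sysfs path and status wording follow the Linux kernel's MDS documentation; the function names and the sample strings are constructed for this illustration.

```python
from pathlib import Path

# Linux sysfs file reporting MDS (ZombieLoad) status as "<state>; SMT <state>".
MDS_FILE = Path("/sys/devices/system/cpu/vulnerabilities/mds")

# Constructed sample values, following the kernel's documented wording.
SAMPLES = [
    "Not affected",
    "Vulnerable; SMT vulnerable",
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT vulnerable",
    "Mitigation: Clear CPU buffers; SMT disabled",
    "Mitigation: Clear CPU buffers; SMT Host state unknown",
]


def classify_mds(status):
    """Return (buffers_cleared, smt_exposed, action) for one status string."""
    state, _, smt = (part.strip() for part in status.strip().partition(";"))
    if state == "Not affected":
        return (False, False, "none")
    buffers_cleared = state.startswith("Mitigation:")
    # Only an explicit "disabled" or "mitigated" counts as safe; a missing or
    # unknown SMT field (for example inside a VM) is treated as exposed.
    smt_exposed = smt not in ("SMT disabled", "SMT mitigated")
    if "no microcode" in state:
        action = "update CPU microcode"
    elif not buffers_cleared:
        action = "enable the kernel MDS mitigation"
    elif smt_exposed:
        action = "disable SMT or keep untrusted code off shared cores"
    else:
        action = "none"
    return (buffers_cleared, smt_exposed, action)


def read_host_status():
    """Read this host's status, or None where the file does not exist."""
    try:
        return MDS_FILE.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    host = read_host_status()
    # Fall back to the constructed samples on hosts without the sysfs file.
    for line in ([host] if host else SAMPLES):
        print(f"{line!r} -> {classify_mds(line)}")
```

A host that reports the buffer-clearing mitigation but still shows SMT as vulnerable is in the state the summary warns about: the software patch is in place, yet sibling hyperthreads can still observe each other's data.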
  2. OJR

    OJR Member

    Joined:
    Jan 19, 2013
    Messages:
    3,563
    Another day, another bug in Intel CPUs. At this rate of mitigation, they will be slower than CJ's piece of shit taxi.
     
  3. shane41

    shane41 Member

    Joined:
    Nov 10, 2008
    Messages:
    6,122
    Location:
    on the edge
    That'd be Cross Privilege-Boundary Data Leakage in the rear of passenger compartment
     
    OJR likes this.
  4. macktheknife

    macktheknife Member

    Joined:
    Jul 26, 2005
    Messages:
    606
    Cross Privilege-Boundary Data Leak was my nickname in high school.
     
  5. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    13,057
    I'm going back to using my Amiga 1200 for everything...
     
  6. OJR

    OJR Member

    Joined:
    Jan 19, 2013
    Messages:
    3,563
    Don't need to... an 8700K is running at about the same speed.
     
    flu!d likes this.
  7. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    13,057
    Haha! So true! :D
     
  8. bob05

    bob05 Member

    Joined:
    Sep 20, 2009
    Messages:
    238
    Location:
    NSW
    Here's a video about all these new bugs, not gonna lie, I'm pissed that they've neglected their security development.
     
  9. OJR

    OJR Member

    Joined:
    Jan 19, 2013
    Messages:
    3,563
    Fixed it for you.
     
  10. dragonFLAME

    dragonFLAME Member

    Joined:
    Nov 18, 2002
    Messages:
    740
    Location:
    Somewhere Cool
    Got to ask why AMD is not as "leaky" - better processor, or no one's looked yet?
     
  11. RnR

    RnR Member

    Joined:
    Oct 9, 2002
    Messages:
    12,651
    Location:
    Brisbane
    Heard someone saying that it's because they have a smaller team, so everyone kinda knows what the other engineers are doing. Intel is huge, and stuff can get lost when you have a number of groups working sorta independently.

    But it's just a guess.
     
  12. RnR

    RnR Member

    Joined:
    Oct 9, 2002
    Messages:
    12,651
    Location:
    Brisbane
  13. AlliZ

    AlliZ Member

    Joined:
    Aug 15, 2017
    Messages:
    253
    Location:
    Ask Google
    guess there aren't too many positive google results to quote for this most recent exploit, mr immortal what are your conclusive findings on the matter?
     
  14. OJR

    OJR Member

    Joined:
    Jan 19, 2013
    Messages:
    3,563
    Yup he's keeping unusually quiet on this one. Either that or he's working on one of his text walls...
     
  15. AlliZ

    AlliZ Member

    Joined:
    Aug 15, 2017
    Messages:
    253
    Location:
    Ask Google
    this was just on the news, bit of a break from the eleccy coverage
    you can actually see some data leak when intel hits the ground

     
    RnR and OJR like this.
  16. RnR

    RnR Member

    Joined:
    Oct 9, 2002
    Messages:
    12,651
    Location:
    Brisbane
    More benchies from Phoronix...

    https://www.phoronix.com/scan.php?page=article&item=mds-zombieload-mit&num=10
     
    nope and OJR like this.
  17. mAJORD

    mAJORD Member

    Joined:
    Jun 4, 2002
    Messages:
    9,581
    Location:
    Griffin , Brisbane
    He's already preemptively responded previously..

    Intel, and their customers don't need hyper threading. 9700k is all anyone ever needs
    All forms of SMT are evil security threats (even when they're not)
    ;)
     
    darkbastard, nope and OJR like this.
  18. nope

    nope Member

    Joined:
    May 8, 2012
    Messages:
    1,948
    Location:
    nsw meth coast
  19. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    13,057
  20. mAJORD

    mAJORD Member

    Joined:
    Jun 4, 2002
    Messages:
    9,581
    Location:
    Griffin , Brisbane
    Last edited: May 20, 2019 at 7:21 PM
