Date: Fri, 5 Jan 2018 15:25:34 +0000 (UTC) From: Jules Gilbert <repeatable_compression@yahoo.com> To: =?UTF-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> Cc: "Ronald F. Guilmette" <rfg@tristatelogic.com>, Eric McCorkle <eric@metricspace.net>, Freebsd Security <freebsd-security@freebsd.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, Nathan Whitehorn <nwhitehorn@freebsd.org> Subject: Re: Intel hardware bug Message-ID: <302406914.1010662.1515165934929@mail.yahoo.com> In-Reply-To: <861sj4tlak.fsf@desk.des.no> References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net> <2594.1515141192@segfault.tristatelogic.com> <809675000.867372.1515146821354@mail.yahoo.com> <861sj4tlak.fsf@desk.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Ah, sorry I'm wrong. I apologize. I won't intrude further. I spoke up because selectively choosing to read sections of kernel memory is one thing, obtaining useful information from an arbitrary block of kernel memory you don't get to choose is quite another.
But their are several people here I respect very much and if they say I'm wrong about an area they focus on,... me bad.
On Friday, January 5, 2018, 9:48:50 AM EST, Dag-Erling Smørgrav <des@des.no> wrote:
Jules Gilbert <repeatable_compression@yahoo.com> writes:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.
The technique has already been proven by multiple independent parties to
work quite well, allowing an attacker to read kernel memory at speeds of
up to 500 kB/s. But I guess you know better...
DES
--
Dag-Erling Smørgrav - des@des.no
From owner-freebsd-security@freebsd.org Fri Jan 5 13:30:32 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by mailman.ysv.freebsd.org (Postfix) with ESMTP id 370F1EA923D;
Fri, 5 Jan 2018 13:30:32 +0000 (UTC)
(envelope-from aduane@juniper.net)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com
[208.84.65.16])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "*.pphosted.com", Issuer "thawte SHA256 SSL CA" (verified OK))
by mx1.freebsd.org (Postfix) with ESMTPS id E414668C62;
Fri, 5 Jan 2018 13:30:31 +0000 (UTC)
(envelope-from aduane@juniper.net)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1])
by mx0a-00273201.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id
w05DTiQ3014492; Fri, 5 Jan 2018 05:30:28 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net;
h=from : to : subject
: date : message-id : references : in-reply-to : content-type :
content-transfer-encoding : mime-version; s=PPS1017;
bh=Rq10H2AKnhJa6OQt+JES3iPtcqyMMxVpJ8rjOFIiCR0=;
b=nA2Jv9BZbdDRqYZr9CEPdyO298kV445+NaO05/NX7bi6/PeaDmNFl0EehV6xiLVSikff
sC3fZdfLmVURWW3wg7TMvLD4uxmOq/iGYHBfrpbOtAmH1GsNGTXmTyYC4iRXoKBzcGTc
iU2m2GslE3owIGc7XhMfOAhJdusb6LEYjvd+o5kfPYYL7Foqp7zTUSD1+0S52S0KD+cU
Ek5cUnBVym/SOL5l68st5elNoylP+PLqU58dCuSltZJYXpdegI8GUO/yAUb9QdSMg4jE
owJv7vz269JIY6iGmL3rUXMzMj5nppzORhwBBjnxWHhw0ZHZhDLOoCZdm/jXsdQjjH7X oA=Received: from nam02-sn1-obe.outbound.protection.outlook.com
(mail-sn1nam02lp0022.outbound.protection.outlook.com [216.32.180.22])
by mx0a-00273201.pphosted.com with ESMTP id 2fa9ymr13j-1
(version=TLSv1.2 cipherìDHE-RSA-AES256-SHA384 bits%6 verify=NOT);
Fri, 05 Jan 2018 05:30:27 -0800
Received: from SN1PR0501MB2125.namprd05.prod.outlook.com (10.163.228.152) by
SN1PR0501MB1693.namprd05.prod.outlook.com (10.163.130.151) with Microsoft
SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.407.1; Fri, 5 Jan
2018 13:30:26 +0000
Received: from SN1PR0501MB2125.namprd05.prod.outlook.com ([10.163.228.152]) by
SN1PR0501MB2125.namprd05.prod.outlook.com ([10.163.228.152]) with
mapi id 15.20.0407.000; Fri, 5 Jan 2018 13:30:26 +0000
From: Andrew Duane <aduane@juniper.net>
To: Eric McCorkle <eric@metricspace.net>, Jules Gilbert
<repeatable_compression@yahoo.com>, "Ronald F. Guilmette"
<rfg@tristatelogic.com>, Freebsd Security <freebsd-security@freebsd.org>,
Brett Glass <brett@lariat.org>, =?iso-8859-1?Q?Dag-Erling_Smørgrav? <des@des.no>, Poul-Henning Kamp <phk@phk.freebsd.dk>,
"freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, FreeBSD Hackers
<freebsd-hackers@freebsd.org>, Shawn Webb <shawn.webb@hardenedbsd.org>,
Nathan Whitehorn <nwhitehorn@freebsd.org>
Subject: RE: Intel hardware bug
Thread-Topic: Intel hardware bug
Thread-Index: AQHThhm6gtRbndOyekeN4M7Qcuy2NqNlOTSAgAAMhiADate: Fri, 5 Jan 2018 13:30:26 +0000
Message-ID: <SN1PR0501MB2125B36067CD93A5B95AC74DCE1C0@SN1PR0501MB2125.namprd05.prod.outlook.com>
References: <736a2b77-d4a0-b03f-8a6b-6a717f5744d4@metricspace.net>
<2594.1515141192@segfault.tristatelogic.com>
<809675000.867372.1515146821354@mail.yahoo.com>
<250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net>
In-Reply-To: <250f3a77-822b-fba5-dcd7-758dfec94554@metricspace.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1PR0501MB1693;
7:5aYxUZZcdWX6ZDNcffZq8FqMPnCx+mx3MXNLc2/udTNDnhkzQzmumE+DdiNTjTR1BtKeMihQNc15xux2UI0tTjMTONlkHptUb77yHz7uV9DfHPnI7jhfP/C/qZWFuK2aGIWzrBcBrxPI6IO/Y0n79rb1d4L0bk5yqD2P3uv3jyTtd6NxBhe1P2eXDjQZFBmFFiv8sQsPcVC0c1AjVVOUjlfkSxsO6xUheIX4e1FrUWVVZH7KxIlUPyXSdzVR9yrl
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 54d83e8a-b5b8-4844-b342-08d554407afc
x-microsoft-antispam: UriScan:; BCL:0; PCL:0;
RULEID:(7020020)(48565401081)(5600026)(4604075)(3008032)(4534040)(4602075)(4627136)(201703031133081)(201702281549075)(2017052603307)(7153060);
SRVR:SN1PR0501MB1693;
x-ms-traffictypediagnostic: SN1PR0501MB1693:
x-microsoft-antispam-prvs: <SN1PR0501MB1693A911DD736A3C2D57D6C2CE1C0@SN1PR0501MB1693.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(20558992708506)(192374486261705)(138986009662008)(201166117486090);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
RULEID:(6040470)(2401047)(8121501046)(5005006)(3231023)(944501075)(3002001)(10201501046)(93006095)(93001095)(6055026)(6041268)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(6072148)(201708071742011);
SRVR:SN1PR0501MB1693; BCL:0; PCL:0; RULEID:(100000803101)(100110400095);
SRVR:SN1PR0501MB1693;
x-forefront-prvs: 05437568AA
x-forefront-antispam-report: SFV:NSPM;
SFS:(10019020)(346002)(39860400002)(376002)(396003)(39380400002)(366004)(199004)(189003)(13464003)(24454002)(551544002)(86362001)(68736007)(6246003)(7116003)(229853002)(77096006)(5660300001)(7736002)(3660700001)(33656002)(106356001)(6436002)(6116002)(7416002)(8936002)(3846002)(97736004)(55016002)(2501003)(39060400002)(305945005)(110136005)(316002)(2950100002)(53936002)(81166006)(81156014)(2906002)(53546011)(2900100001)(3280700002)(9686003)(93886005)(8676002)(6506007)(105586002)(99286004)(3480700004)(2521001)(478600001)(74316002)(14454004)(102836004)(59450400001)(25786009)(76176011)(7696005)(66066001)(921003)(1121003);
DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR0501MB1693;
H:SN1PR0501MB2125.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;
A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate
permitted sender hosts)
x-microsoft-antispam-message-info: crjRIwDX+1fBxiiPleRIx7Ldfgx6Ycl8CntGyXBX33M43E4qXDlbW9Z1yDgZ4Nh2iTbqKC68AG8ZwWePouqWyA=spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 54d83e8a-b5b8-4844-b342-08d554407afc
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2018 13:30:26.0345 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR0501MB1693
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
definitions 18-01-05_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam
score=0 priorityscore01
malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
clxscore11 lowpriorityscore=0 mlxscore=0 impostorscore=0
mlxlogscore™9 adultscore=0 classifier=spam adjust=0 reason=mlx
scancount=1 engine=8.0.1-1711220000 definitions=main-1801050191
X-Mailman-Approved-At: Fri, 05 Jan 2018 15:40:23 +0000
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "Security issues \[members-only posting\]"
<freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>,
<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>;
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>,
<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2018 13:30:32 -0000
I wouldn't think Javascript would have the accurate timing required to leverage this attack, but I don't really know enough about the language.
Regardless, is there someone within FreeBSD that is working on patches for this set of problems, at least for Intel? Linux already has at least some, and I believe NetBSD does too. Of course Windows has already pushed out a Windows10 fix, 7 and 8 are coming.
....................................
Andrew L. Duane - Principal Resident Engineer
AT&T Advanced Services Technical Lead
Juniper Quality Ambassador
m +1 603.770.7088
o +1 408.933.6944 (2-6944)
skype: andrewlduane
aduane@juniper.net
-----Original Message-----
From: owner-freebsd-hackers@freebsd.org [mailto:owner-freebsd-hackers@freebsd.org] On Behalf Of Eric McCorkle
Sent: Friday, January 5, 2018 7:43 AM
To: Jules Gilbert <repeatable_compression@yahoo.com>; Ronald F. Guilmette <rfg@tristatelogic.com>; Freebsd Security <freebsd-security@freebsd.org>; Brett Glass <brett@lariat.org>; Dag-Erling Smørgrav <des@des.no>; Poul-Henning Kamp <phk@phk.freebsd.dk>; freebsd-arch@freebsd.org; FreeBSD Hackers <freebsd-hackers@freebsd.org>; Shawn Webb <shawn.webb@hardenedbsd.org>; Nathan Whitehorn <nwhitehorn@freebsd.org>
Subject: Re: Intel hardware bug
On 01/05/2018 05:07, Jules Gilbert wrote:
> Sorry guys, you just convinced me that no one, not the NSA, not the
> FSB, no one!, has in the past, or will in the future be able to
> exploit this to actually do something not nice.
Attacks have already been demonstrated, pulling secrets out of kernel space with meltdown and http headers/passwords out of a browser with spectre. Javascript PoCs are already in existence, and we can expect them to find their way into adware-based malware within a week or two.
Also, I'd be willing to bet you a year's rent that certain three-letter organizations have known about and used this for some time.
> So what is this, really?, it's a market exploit opportunity for AMD.
Don't bet on it. There's reports of AMD vulnerabilities, also for ARM.
I doubt any major architecture is going to make it out unscathed. (But if one does, my money's on Power)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?302406914.1010662.1515165934929>