<h1>Further CPU vulnerabilities ret2spec and SpectreRSB discovered</h1>
<p>Published 2018-07-25 on <a href="https://www.planet3dnow.de/cms/39242-weitere-cpu-luecken-ret2spec-und-spectrersb-entdeckt/">planet3dnow.de</a></p>
<p>After the disclosure of the security vulnerabilities in modern processor designs, <a href="https://www.planet3dnow.de/cms/35759-massive-sicherheitsluecke-in-intel-cpus-update-amd-arm-bugfixes-2/">Meltdown and Spectre</a>, at the beginning of the year, and of the not yet fully published vulnerabilities dubbed <a href="https://www.planet3dnow.de/cms/38265-acht-neue-spectre-sicherheitsluecken-in-intel-prozessoren-entdeckt/">Spectre-NG</a> by the press, further vulnerabilities have now become public that resemble the previous ones but differ in their details: <a href="https://christian-rossow.de/publications/ret2spec-ccs2018.pdf" rel="noopener" target="_blank">ret2spec, also called Spectre v5</a>, and <a href="https://arxiv.org/pdf/1807.07940.pdf" rel="noopener" target="_blank">SpectreRSB</a>. They were discovered by Giorgi Maisuradze and Christian Rossow of the Center for IT-Security, Privacy and Accountability (CISPA) at Saarland University, and by a research team at the University of California, Riverside (UCR).</p>
<p>The entire family of vulnerabilities that has come to light since January exploits the behaviour of modern out-of-order processors, which, unlike earlier in-order designs, do not execute instructions strictly in the order in which they appear in the code. Instead, OoO processors can pull instructions forward while they wait for the result of another computation, or even speculate on that result (speculative execution) and meanwhile keep computing with the value they "believe" to be the most likely one. If the speculation was correct, the processor has saved a great deal of time because the computation is already done, whereas an in-order design would have had to wait before it could continue. Out-of-order designs are considerably more complex, however, because the processor must remember from which code position it started speculating and what the original order of the code was, so that at the end the puzzle of reordered instructions and speculated results can be reassembled into the correct result.</p>
<p>Various buffers are used for this. Normally their contents cannot be accessed from outside. With the Spectre vulnerabilities, however, clever programming, so-called side-channel attacks, can find a way to get at this data anyway. That would make it possible, for example, to use code injected via JavaScript in the browser to read passwords or keys from memory regions that are actually not accessible. Example code for this exists, as we have reported and linked in recent months. A real attack, i.e. exploitation of the Spectre vulnerabilities in the wild, has not become known so far, however.</p>
<p>What is new about ret2spec/Spectre v5 and SpectreRSB is that the attack uses not the branch target addresses but the return addresses, practically a reversed Spectre attack. To make the vulnerability harder to exploit, the same measures are recommended that were already applied to mitigate Spectre: browser timing should become less precise, since timing is decisive for a successful attack. Browser vendors therefore artificially reduced the timer precision available to scripts in the browser after the first vulnerabilities of this kind became known in January. As a mitigation against SpectreRSB, the <a href="https://git.kernel.org/linus/c995efd5a740d9cbafbf58bde4973e8b50b4d761" rel="noopener" target="_blank">Linux kernel patch RSB refilling</a> is proposed.</p>
<p>The researchers' PDFs deal mainly with Intel processors. Whether the attacks apply 1:1 to other implementations of an out-of-order design, e.g. from AMD or ARM, is not yet clear from the publication. At least AMD and ARM have confirmed the vulnerabilities in principle. Whether they also apply to their own processors remains open (for now). AMD, for example, was not affected by Meltdown at all, even though Meltdown also exploits the principle of an OoO processor:</p>
<blockquote><p>Intel: Intel acknowledged this "very interesting" issue of RSB-based speculative execution and will further review the attack and its implications. Their immediate advice is to resort to mitigations similar to Spectre to defend against our attack (see Section 6.1); this is, however, subject to change as part of their ongoing RSB investigations that we triggered.</p>
<p>Mozilla Foundation: The Mozilla Foundation likewise acknowledged the issue. They decided to refrain from using compiler-assisted defenses, as they would seemingly require complex changes to JIT-compiled and C++ code. Instead, they aim to remove all (fine-granular) timers from Firefox to destroy caching-based feedback channels. Furthermore, they referred to an upcoming Firefox release that includes time jittering features similar to those described in FuzzyFox [23], which further harden against accurate timers.</p>
<p>Google: Google acknowledged that the problem in principle also affects Chrome. Similar to Firefox, they do not aim to address the problem with compiler-assisted solutions. Instead, they also refer to inaccurate timers, but more importantly, focus on a stronger isolation between sites of different origins. Chrome's so-called Site Isolation prevents attackers from reading across origins (e.g., sites of other domains). However, as discussed in Section 6.1, this does not mitigate the problem that attackers can break ASLR with our attack technique.</p>
<p>AMD / ARM: Although we have not tested our attacks against ARM and AMD architectures, they acknowledged the general problem.</p>
<p>Microsoft: Microsoft has acknowledged the problem and is working on fixes, but has not disclosed technical details yet.</p>
<p>Apple: As of 07/23/2018, we have not heard back from Apple yet.</p>
<p>Redhat: Redhat was thankful for our disclosure and mentioned that the current Spectre defenses (especially flushing RSBs)—without considering RSB-based attacks—might otherwise have been removed by the kernel developers in the near future. In particular, Redhat mentioned that fixing RSB underflows will not fully solve the problems pointed out in our paper.</p></blockquote>