Jump to content

SUBIECTE NOI
« 1 / 5 »
RSS
eroare declaratie 100

Dilema spalare masina iarna

Rovinieta - pot plati pana la ora...

Rack gantere
 Tester ștergere eroare Renau...

Cine trebuie sa faca sapaturile p...

Curs initiere QA tester

Tomorrowland, w2 (28-30 July 2023)
 Sfat achizitie masina noua 40-45k...

Antena CB PNI LED 850 rabatabila,...

Operation Fortune(2023)

Cutie de viteze manuala schimbata
 Sofer pe ambulanta

Cum lipesc o lustra pe beton? Cum...

Achiziție boxa portabila sau...

Pareri despre DS 923+? Procesor R...
 

Intel CPU - Design flaw in fiecare procesor din ultimii 10 ani

* * * * - 7 votes
  • Please log in to reply
1561 replies to this topic

#1549
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
TPM Fail Attack

Citat

Most laptop and desktop computers nowadays come with a dedicated TPM chip, or they use the Intel firmware-based TPM (fTPM) which runs on a separate microprocessor inside the CPU. Intel CPUs support fTPM since the Haswell generation (2013). TPM chips are also used in other computing devices such as cellphones and embedded devices.

We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics' TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.

POC : https://github.com/VernamLab/TPM-Fail

2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

Attached Files



#1550
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
In alte stiri Intel si-a tras patent pentru vulnerabilitati :>
Processor instruction support to defeat side-channel attacks - 2 ianuarie 2020

Attached Files


Edited by Arthos, 06 January 2020 - 17:00.


#1551
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
L1D Eviction Sampling (L1DES) si Vector Register Sampling (VRS)

Citat

L1D Eviction Sampling (L1DES)
On Oct 25, 2019, we reported to Intel that this variant would bypass their latest VERW mitigation (and so did a PoC shared with Intel on May 10, 2019), resulting in Intel finally acknowledging the L1D eviction issue and requesting another (L1DES) embargo.

Vector Register Sampling (VRS)
On Oct 1, 2019, we reported to Intel that a 1-line modification of our 'alignment write' PoC can leak vector register values, resulting in Intel requesting a new (VRS) embargo.

Practic Intel nu a rezolvat problemele de securitate cu microcodurile anterioare.

Vector Register Sampling / CVE-2020-0548 / INTEL-SA-00329
L1D Eviction Sampling / CVE-2020-0549 / INTEL-SA-00329

#1552
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
Intre timp avem si un site dedicat L1D Eviction Sampling (L1DES) : https://cacheoutattack.com/

Citat

CacheOut: Leaking Data on Intel CPUs via Cache Evictions

We present CacheOut, a new speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries. We show that despite Intel's attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.
Moreover, unlike previous MDS issues, we show in our work how an attacker can exploit the CPU's caching mechanisms to select what data to leak, as opposed to waiting for the data to be available. Finally, we empirically demonstrate that CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.

Am I affected by this vulnerability?
For a select number of processors released after Q4 2018, Intel inadvertently managed to partially mitigate this issue while addressing a previous issue called TSX Asynchronous Abort (TAA).

What about other processor vendors?
AMD is not affected by CacheOut, as AMD does not offer any feature akin to Intel TSX on their current offering of CPUs.
Arm and IBM do have a feature similar to Intel TSX, but we are currently unaware of whether any of their products are affected. We are also unaware of any other attack vectors to exploit CacheOut.


#1553
Mr_nobody_

Mr_nobody_

    Senior Member

  • Grup: Senior Members
  • Posts: 5,000
  • Înscris: 03.02.2017
Văd că s-au înmulțit vulnerabilitățile.

[email protected]:~$ grep . /sys/devices/system/cpu/vulnerabilities/*
itlb_multihit:KVM: Mitigation: Split huge pages
l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
mds:Mitigation: Clear CPU buffers; SMT disabled
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling
tsx_async_abort:Not affected



#1554
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
LVI - Hijacking Transient Execution with Load Value Injection

Citat

LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.

Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory. Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times.

What about other processor vendors (ARM, AMD, etc.)?

In our current assessment, LVI principally applies only to Intel processors with SGX technology. However, following the argument of symmetry, in in principle any processor that is vulnerable to Meltdown-type data leakage, would also be vulnerable to LVI-style data injection. Some non-Intel processors have been shown to be affected by some variants of Meltdown and Foreshadow. We maintain an up-to-date overview on the website https://transient.fail/ (select Meltdown + vendor ARM or AMD). If an attacker finds software that uses these features in an exploitable way, LVI might still be possible. We encourage future research to investigate the applicability of LVI to non-Intel CPUs.

Can I detect if someone has used LVI against me?

We do not have any data on this. The exploitation might not leave any traces in traditional log files.

Intel: AFFECTED PROCESSORS: Latest Transient Execution Attacks by Product CPU Model
Intel: Processors Load Value Injection Advisory
Intel: Deep Dive: Load Value Injection

Attached Files

  • Attached File  lvi.pdf   824.93K   0 downloads

Edited by Arthos, 11 March 2020 - 11:27.


#1555
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
Avem si niste benchmark-uri cu impactul patchurilor :

Phoronix : The Brutal Performance Impact From Mitigating The LVI Vulnerability

Din Xeon in 486 ;>

#1556
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
SGAxe - How SGX Fails in Practice

Citat

SGAxe is an evolution of CacheOut, specifically targeting SGX enclaves. We show that despite extensive efforts done by Intel in order to mitigate SGX side channels, an attacker can still breach the confidentiality of SGX enclaves even when all side channel countermeasures are enabled.

Citat

We understand that remote attestion can be very tricky to pass. However, since we already done all the hard work of getting genuine attestation keys, we decided to help you out by developing a Twitter bot that passes SGX attestation for you. Our bot provides Attestation as a Service (AaaS), which allows you to get your own quotes signed with the keys we extracted using SGAxe. This way you can pass attestation without even owning an SGX machine. If you want to make use of our service, you can send a tweet to our bot @SGAxe_AaaS. If you’ll tweet it, we’ll sign it!

Citat

With these keys at hand, network attackers are able to impersonate as legitimate SGX enclaves thereby eroding trust in the entire SGX ecosystem.


Din ce vad pe Github Intel are microcode-uri noi postate acum 3 ore pentru aproape toate platformele si procesoarele : https://github.com/i...rocode-20200609

L.E Microcode-urile sunt pentru alta vulnerabilitate CROSSTalk ascunsa din 2018 ;>

Citat

We disclosed an initial PoC (Proof-Of-Concept) showing the leakage of staging buffer content in September 2018, followed by a PoC implementing cross-core RDRAND/RDSEED leakage in July 2019. Following our reports, Intel acknowledged the vulnerabilities, rewarded CrossTalk with the Intel Bug Bounty (Side Channel) Program, and attributed the disclosure to our team with no other independent finders. Intel also requested an embargo until May 2020 (later extended), due to the difficulty of implementing a fix for the cross-core vulnerabilities identified in this paper. Intel describes our attack as “Special Register Buffer Data Sampling” or SRBDS (CVE-2020-0543), classifying it as a domain-bypass transient execution attack.

Edited by Arthos, 09 June 2020 - 21:51.


#1557
_mumbai_

_mumbai_

    Junior Member

  • Grup: Junior Members
  • Posts: 189
  • Înscris: 25.04.2020

Vizualizare mesajArthos, pe 13 martie 2020 - 00:25, a scris:

Avem si niste benchmark-uri cu impactul patchurilor :


Din Xeon in 486 ;>
Au fost refacute si situatia este mult mai grava: din intel in cyrix.

Gaming performance:
Attached File  Clipboard01.jpg   47.01K   36 downloads

Edited by _mumbai_, 09 June 2020 - 23:19.


#1558
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
Lista oficiala cu procesoarele afectate : https://software.int...oduct-cpu-model

#1559
dumitruisac

dumitruisac

    New Member

  • Grup: Members
  • Posts: 5
  • Înscris: 22.03.2007
Intel-ul are probleme cu bug-urile, precum și AMD-ul, doar la procesoarele cu APU, produse in perioada 2016 - 2019.

SMM Callout Privilege Escalation
https://www.amd.com/...roduct-security
https://www.zdnet.co...d-of-june-2020/
https://www.tomshard...y-vulnerability

#1560
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical


Citat

We introduce the first microarchitectural side channel attacks that leverage contention on the CPU ring interconnect.

There are two challenges that make it uniquely difficult to exploit this channel. First, little is known about the ring interconnect's functioning and architecture.
Second, information that can be learned by an attacker through ring contention is noisy by nature and has coarse spatial granularity. To address the first challenge, we perform a thorough reverse engineering of the sophisticated protocols that handle communication on the ring interconnect.

With this knowledge, we build a cross-core covert channel over the ring interconnect with a capacity of over 4 Mbps from a single thread, the largest to date for a cross-core channel not relying on shared memory. To address the second challenge, we leverage the fine-grained temporal patterns of ring contention to infer a victim program's secrets. We demonstrate our attack by extracting key bits from vulnerable EdDSA and RSA implementations, as well as inferring the precise timing of keystrokes typed by a victim user.

Attached Files



#1561
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
W3C Draft : Post-Spectre Web Development


Citat

Spectre-like side-channel attacks inexorably lead to a model in which active web content (Javascript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which has entered the address space of the process which hosts it. While this has deep implications for user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we’ll remain focused on the core implication at the web platform level, which is both simple and profound: any data which flows into a process hosting a given origin is legible to that origin.


#1562
Arthos

Arthos

    ¯\_(ツ)_/¯

  • Grup: Senior Members
  • Posts: 3,314
  • Înscris: 01.11.2004
Google Security Blog : A Spectre proof-of-concept for a Spectre-proof web

Citat

Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against Javascript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector

The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes.

[ https://www.youtube-nocookie.com/embed/V_9cQP60ZGI?feature=oembed - Pentru incarcare in pagina (embed) Click aici ]

https://leaky.page/

Anunturi

Chirurgia spinală minim invazivă Chirurgia spinală minim invazivă

Chirurgia spinală minim invazivă oferă pacienților oportunitatea unui tratament eficient, permițându-le o recuperare ultra rapidă și nu în ultimul rând minimizând leziunile induse chirurgical.

Echipa noastră utilizează un spectru larg de tehnici minim invazive, din care enumerăm câteva: endoscopia cu variantele ei (transnazală, transtoracică, transmusculară, etc), microscopul operator, abordurile trans tubulare și nu în ultimul rând infiltrațiile la toate nivelurile coloanei vertebrale.

www.neurohope.ro

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Forumul Softpedia foloseste "cookies" pentru a imbunatati experienta utilizatorilor Accept
Pentru detalii si optiuni legate de cookies si datele personale, consultati Politica de utilizare cookies si Politica de confidentialitate