Well ... cccrrraaaaaap ...
#Intel #downfall #security #infosec #cybersecurity #speculativeexecution #CPUBug
Zenbleed: How the quest for CPU performance could put your passwords at risk - Parse this! "You need to turn on a special setting to stop the code you wrote to stop the... https://nakedsecurity.sophos.com/2023/07/26/zenbleed-how-the-quest-for-cpu-performance-could-put-your-passwords-at-risk/ #speculativeexecution #cve-2023-20593 #vulnerability #dataloss #zenbleed #ormandy #amd
This Week in Security: Session Puzzling, Session Keys, and Speculation https://hackaday.com/2023/04/28/this-week-in-security-session-puzzling-session-keys-and-speculation/ #speculativeexecution #ThisWeekinSecurity #HackadayColumns #SecurityHacks #News #rdp
This Week in Security: Session Puzzling, Session Keys, and Speculation - Last week we briefly mentioned a vulnerability in the Papercut software, and more ... - https://hackaday.com/2023/04/28/this-week-in-security-session-puzzling-session-keys-and-speculation/ #speculativeexecution #thisweekinsecurity #hackadaycolumns #securityhacks #news #rdp
For those interested in the number of ways Intel's SGX has been broken there is now a fine site:
The introduction to the site reads:
Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. With Intel repeatedly patching SGX to regain security, we set out to explore the effectiveness of SGX's update mechanisms to prevent attacks on real-world deployments.
More specifically, we survey and categorize various SGX attacks, their applicability to different SGX architectures, as well as the information they leak. We then explored the effectiveness of SGX's update mechanisms in preventing attacks on two real-world deployments, the SECRET network and PowerDVD. In both cases, we show that these vendors are unable to meet the security goals originally envisioned for their products, presumably due to SGX's long update timelines and the complexities of a manual update process. This forces vendors to make a difficult security vs. usability trade off, resulting in security compromises.
#SGX #TrustedEnclaves #SpeculativeExecution #Intel #PowerDVD
H. Xiao and S. Ainsworth, "Hacky Racers: Exploiting Instruction-Level Parallelism to Generate Stealthy Fine-Grained Timers"¹
Side-channel attacks pose serious threats to many security models, especially sandbox-based browsers. While transient-execution side channels in out-of-order processors have previously been blamed for vulnerabilities such as Spectre and Meltdown, we show that in fact, the capability of out-of-order execution itself to cause mayhem is far more general.
We develop Hacky Racers, a new type of timing gadget that uses instruction-level parallelism, another key feature of out-of-order execution, to measure arbitrary fine-grained timing differences, even in the presence of highly restricted JavaScript sandbox environments. While such environments try to mitigate timing side channels by reducing timer precision and removing language features such as SharedArrayBuffer that can be used to indirectly generate timers via thread-level parallelism, no such restrictions can be designed to limit Hacky Racers. We also design versions of Hacky Racers that require no misspeculation whatsoever, demonstrating that transient execution is not the only threat to security from modern microarchitectural performance optimization.
We use Hacky Racers to construct novel backwards-in-time Spectre gadgets, which break many hardware countermeasures in the literature by leaking secrets before misspeculation is discovered. We also use them to generate the first known last-level cache eviction set generator in JavaScript that does not require SharedArrayBuffer support.
#arXiv #ResearchPapers #OutOfOrderExecution #Spectre #Meltdown #SpeculativeExecution
New working speculative execution attack sends Intel and AMD scrambling
https://arstechnica.com/?p=1865795
#speculativeexecution #Biz&IT #Intel #CPUs #AMD
MIT researchers uncover ‘unpatchable’ flaw in #Apple #M1 chips
An evolution of the #spectre flaw (made possible by #speculativeExecution) that bypasses the hardware level measure introduced to counter it called "pointer authentication code" #PAC.
https://techcrunch.com/2022/06/10/apple-m1-unpatchable-flaw/
AMD Downplays CPU Threat Opening Chips to Data Leak Attacks - New side-channel attacks have been disclosed in AMD CPUs, however AMD said that they are not new. more: https://threatpost.com/amd-downplays-cpu-threat-opening-chips-to-data-leak-attacks/153516/ #speculativeexecution #sidechannelflaw #vulnerability #zombieload #l1dcache #meltdown #takeaway #amdchip #spectre #hacks #intel #amd
New 'CacheOut' Attack Leaks Data from Intel CPUs, VMs and SGX Enclave https://thehackernews.com/2020/01/new-cacheout-attack-leaks-data-from.html #speculativeexecutionvulnerability #speculativeexecution #intelvulnerability #intelprocessor #cybersecurity #MDSattacks #CacheOut #IntelCPU
New ZombieLoad v2 Attack Affects Intel's Latest Cascade Lake CPUs https://thehackernews.com/2019/11/zombieload-cpu-vulnerability.html #sidechannelvulnerability #speculativeexecution #intelvulnerability #SkylakeProcessor #ZombieloadAttack #intelprocessor #cybersecurity #Vulnerability #intelchipset #hackingnews #MDSattacks