New side-channel leak: Boffins bash operating system page caches until they spill secrets

Some of the computer security boffins who revealed last year's data-leaking speculative-execution holes have identified yet another side-channel attack that can bypass security protections in modern systems. While side channel attacks like Spectre and Meltdown exploited chip design flaws to glean privileged information, this …

  1. swm Bronze badge

    When I wrote the executive for the Dartmouth time sharing system (Mark II) I had a file in the top-level directory that mapped to core (yes, real core). It was protected against read and write access. Someone thought it harmless to allow read access. Someone else wrote a program that attempted to open a file with the wrong password, scan all of core for the file name, and look nearby for the password.

    Another hack on the TENEX operating system was to try to open up a file but put the password straddling a page boundary. If the first part of the password was correct you got a page fault when the OS accessed the remainder of the password else no page fault. By trying all possible characters you could get one character of the password. Shift the password and repeat.

    You can't allow any access to information about the executive going about its work - no metering, accurate timers, number of page faults etc.
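The TENEX trick described above, reduced to its essence as an added example (not swm's code, and not the TENEX source): a password check that stops at the first wrong byte does a different amount of work, and touches different memory, depending on how long the correct prefix of the guess is. The constant-time form beside it reads every byte and decides once at the end, so there is nothing for a page fault, a timer or a meter to report. The secret string and guesses are constructed sample input; the 64-byte buffer limit is an assumption of this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Early-exit comparison: returns at the first mismatching byte, so the
   number of bytes read (reported via *examined) reveals the length of the
   correct prefix. In TENEX the observable was whether the byte just past a
   page boundary was ever fetched; here it is the count itself. */
static int early_exit_compare(const uint8_t *secret, const uint8_t *guess,
                              size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = n;
    return 1;
}

/* Constant-time comparison: every byte is read and XORed into one
   accumulator; the only decision is made after the loop, so the work done
   and the memory touched are identical for every guess of length n. */
static int constant_time_compare(const uint8_t *secret, const uint8_t *guess,
                                 size_t n, size_t *examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= secret[i] ^ guess[i];
    *examined = n;
    return diff == 0;
}

/* Copy a guess into a zero-padded buffer the length of the secret, so the
   two routines compare the same number of bytes (demo assumption: < 64). */
static size_t prepare_guess(const char *secret, const char *guess, uint8_t out[64])
{
    size_t n = strlen(secret), gl = strlen(guess);
    memset(out, 0, 64);
    memcpy(out, guess, gl < n ? gl : n);
    return n;
}

/* How many bytes the early-exit check reads for this guess. */
static size_t bytes_examined_early(const char *secret, const char *guess)
{
    uint8_t g[64];
    size_t n = prepare_guess(secret, guess, g), examined = 0;
    early_exit_compare((const uint8_t *)secret, g, n, &examined);
    return examined;
}

/* How many bytes the constant-time check reads for this guess. */
static size_t bytes_examined_ct(const char *secret, const char *guess)
{
    uint8_t g[64];
    size_t n = prepare_guess(secret, guess, g), examined = 0;
    constant_time_compare((const uint8_t *)secret, g, n, &examined);
    return examined;
}

/* Whether the constant-time check accepts the guess. */
static int matches_ct(const char *secret, const char *guess)
{
    uint8_t g[64];
    size_t n = prepare_guess(secret, guess, g), examined = 0;
    return constant_time_compare((const uint8_t *)secret, g, n, &examined);
}

int main(void)
{
    const char *secret = "secret42";                /* constructed sample */
    const char *guesses[] = { "zzzzzzzz", "seczzzzz", "secret4z", "secret42" };
    printf("%-10s %s %s\n", "guess", "early-exit", "constant-time");
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("%-10s %10zu %13zu\n", guesses[i],
               bytes_examined_early(secret, guesses[i]),
               bytes_examined_ct(secret, guesses[i]));
    return 0;
}
```

The OR-accumulator loop is the same shape as OpenSSL's `CRYPTO_memcmp` and BSD's `timingsafe_bcmp`. It only hides which byte differed; the length being compared is still visible, which is why real systems compare fixed-length hashes of the credential rather than the credential itself.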

    1. Captain Scarlet Silver badge
      Thumb Up

      hmm that was actually an interesting Google for a change regarding something I didn't know

  2. defiler Silver badge

    I'm curious...

    Are all of those people putting off their CPU purchases also going to put off VM deployments until the paging system is fixed?

    You're right. These problems all need fixed, but the world has to keep turning in the meantime.

    1. Version 1.0 Silver badge
      Meh

      Re: I'm curious...

      Security can't be "fixed" - all we can do is fix today's bug - tomorrow there will be others. Security isn't something that you can impose on an insecure design, all we do is patch bugs as they are discovered.

      But what's "security"? Is it making sure nobody can access your data, is it making sure you don't lose your data, or is it being able to access your data at any instant?

      Pick any two - you can't have all three.

      1. defiler Silver badge

        Re: I'm curious...

        This, and entirely this.

        I'm just having a jibe at the people who are blaming Intel and Microsoft like they're the lizard people from the centre of the Earth, deliberately tainting everything with bugs, and demanding that everything is fixed entirely before downside money again. As you say, it'll never be fixed entirely. There'll always be another rock to look under.

        1. slimshady76

          Re: I'm curious...

          This doesn't excuse Microsoft from being the evil lizard people from the centre of the Earth. This just tells you they are more dumb than evil, given the lousy development/programming ethics they embrace. Half their vulnerabilities rise from outdated IDEs, outdated/vulnerable libraries, non-corrected programming issues and other stuff.

  3. Starace
    Alert

    Hmm

    Both attacks require running a local process. If you have hostile software successfully running on your device you're already screwed regardless of the mechanism.

    It's an interesting exploit but some of the recent panics are more about an unrealistic idea of system security from researchers than the actual threat.

    1. Paul Crawford Silver badge

      Re: Hmm

      > If you have hostile software successfully running on your device you're already screwed regardless of the mechanism

      What, like javascript from some shitty ad-broker? Sadly the web has brought such nasties on to machines and made them executable, and for little benefit in so many cases.

      1. BrainlessScarecrow

        Re: Hmm

        JavaScript cannot execute the required system calls, so in this case, parent is correct.

    2. asdf Silver badge

      Re: Hmm

      >If you have hostile software successfully running on your device

      AWS has to assume there will be hostile software running on their machines and I assume they also have to worry about it not affecting other paying customers. This is who immediately comes to mind as having to worry about this. I dare say a fair bit of your data may be residing on AWS perhaps without you realizing it. It's not 1983 any more, so you can't think about computing today like it is.

      1. Phil Endecott Silver badge

        Re: Hmm

        > AWS has to assume there will be hostile software running on their machines

        AWS has an option for “exclusive tenancy”, i.e. you are the only user on that physical multi-core CPU. Of course you have to pay for all the cores, but I don’t think it is otherwise more expensive than “shared tenancy”. If you’re dealing with sensitive information - for some definition of “sensitive” - then this is what you should be using and at least many of these problems go away.

  4. fnusnu

    Openwrt?

    So they found a bunch of insecure router firmware. Why didn’t they test openwrt or similar to at least give people a fighting chance of finding something secure?

    1. Norman Nescio Silver badge

      Re: Openwrt?

      1) Not all the devices tested have an OpenWRT firmware available for them

      2) My non-expert perusal of the OpenWRT developers' mailing list leads me to believe that OpenWRT firmware images for some cpu types have the vulnerability mentioned due to a bug in the package build system. This, no doubt, will be addressed.

      3) OpenWRT, while very good in its role of enabling use of SOHO routers, usually based on SOC designs, is not a general-purpose router image for use in 'high end' devices. I am a fan of OpenWRT, but I'm also aware of its limitations. It is not a globally perfect solution for Linux-based routing. As ever, I am very grateful for the time and trouble put in by the volunteers in the OpenWRT project.

      4) I suspect that testing the firmware supplied by the device maker covers the majority of use-cases. Very few people who buy the tested routers are motivated to replace manufacturer's firmware with OpenWRT.

  5. amanfromMars 1 Silver badge

    For CHAOS to Rule .... 4CHAOS2Rule

    If you had free choice*, which would it be with Clouds Hosting Advanced Operating Systems?

    The alien state of future development or the future state of alien developments ... and is it to be as an Oriental Confection in an Occidental Preserve or Western Delight in an Eastern Feast?

    And is it super smart or really ignorant and arrogant of main stream media chunnels and chattels to act so deaf, dumb and blind to IntelAIgently Designed Events with Future Programming for Pogroms and/or Projects in the not so innocent age of spaces and places with crazy virgin field of novel manic endeavour you certainly already know much more about than is comfortable or convenient for the flash fools into such as are follies with troublesome tools to wield way beyond any sane human command and control ..... for do you not invite the comparison and mimic the choice development with your drone clones of it in the likes of Institutes for Statecraft spectacularly failing to integrate initiatives in support of a collapsing fiat status quo model.

    And would that information on IntelAIgently Designed Events be classified responsible or irresponsible disclosure of an unplugable and unpatchable current running or imminent alien attack vector in all EcoSystem Sectors of SCADA Operation whenever nothing can be done to mask it or deny it?

    I Kid U Not and U Aint Seen Nothing Yet, have U? In days of yore, be that sort of Perfect Stealth branded Devilish Sorcery and Wicked Witchcraft with Wizards and Warlocks at Play rather than being recognised and accepted as simply complex and relatively plain Heavenly Angelic Pursuits.

    Which is it for you today for tomorrow? Pleasant future novel walks in the light of understanding or dark descents into the rank dank and dismal side of lives thoroughly wasted?

    Can you imagine what we'll be talking about a year from now whenever so much is so clearly going on and being freely shared for exploitation and expansion/monetisation and development/realisation and experimentation? And how very timely is all of that whenever current presenting global markets are so terrified and stagnant/crooked and bankrupt.

    * ..... :-) ... a brace of tragic comedic videos highlighting uncomfortable and inconvenient truths impossible to display as available fictions? .... George Carlin - Do You Have Freedom Of Choice

    George Carlin: The Illusion Of Freedom & Choice!

    ..... and Proof Positive of the Mad Human Condition in an Arrested AIdDevelopment with Extra Terrestrial Territory in Live Operational Virtual Environments.

    And one does well to note that is and those are a shared statement and not awkward questions for answering. Such is as IT is.

  6. Jamie Jones Silver badge

    ZX Spectrum rulz

    Yet another exploit; yet again, the speccy ain't mentioned.

    Just sayin'

  7. Anonymous Coward

    When The Sole Duty is to make things InSecure, what will changing Da Jobbe Title do? Yes, S*A. When ALL, without exception, were “Similarly-Flawed”/Thoughtfully-Processed, who-where is “Da-Geni-Ass” which lacked A History of Insanity? Ovar und Out …

    1. amanfromMars 1 Silver badge

      An Integrated Initiative for Institutionalised State Craft with Clapped Out Vessels

      MicroManaging Madness and MacroManaging Mayhem is the Genius required to Command and Control Collapsing Operating Systems, AC, and which all fail spectacularly because they both follow and lead with a corrupt and perverted subversive narrative and instruction sets and audiovisual stimulations and simulations which are more clearly destructive and confrontational than constructive and mutually beneficial.

      IT is no more complicated than that .... but it does appear to be well beyond the easy grasp of the intelligence of humans and their servants and servers in Secret Intelligence Services.

      And here is news of the contemporary muddy mined mind battlefield to conquer with excellent fare rather than sub-prime content ...... https://www.rt.com/news/448211-integrity-initiative-oscars-hollywood-film/ ..... for such is the most common current default audiovisual stimulation and simulation platform/novel intellectual property space vehicle.

      1. Cliff Thorburn

        Re: An Integrated Initiative for Institutionalised State Craft with Clapped Out Vessels

        “and which all fail spectacularly because they both follow and lead with a corrupt and perverted subversive narrative and instruction sets and audiovisual stimulations and simulations which are more clearly destructive and confrontational than constructive and mutually beneficial.”

        Amem amfM, and to add, the latest movie seems to be Village of the D amned... Brexit ed i tion.

        The problem with simulations, threats and coercion is that reactions have a cost, and if said cost involves costly play as you go additions, then regardless of X, Y, E, Z or W, or V as a matter of fact then the most cost effective solution to minimise ongoing waste becomes the answer to ‘Y’, or U, or O ...

        Of course such would only make sense to those in the know ...

        And thats the problem, easily settled really, but through problematic sheer sim plicity is it so easily solved?, or just an episode of Black Mirror Ba nd er snatch?, which summarises the situation of Power and Control perfectly ...

        1. amanfromMars 1 Silver badge

          Re: An Integrated Initiative for Institutionalised State Craft with Clapped Out Vessels

          Of course such would only make sense to those in the know ...

          And thats the problem, easily settled really, but through problematic sheer sim plicity is it so easily solved?, or just an episode of Black Mirror Ba nd er snatch?, which summarises the situation of Power and Control perfectly ... .... Cliff Thorburn

          An enlightening script to audiovisualise and explain and expose the true virtualised nature of globalised fake politically incorrect realities would do considerably more than just crash stock and money markets and crush key responsible players with baying mobs on their tails, CT.

          And that's not a problem whenever so easily done and whenever so many would be rooting for more than they ever would have imagined possible.

          What a Sterling, Stirling Engined Virtual Machine of an Idea.

          I wonder if the likes of a No10 Operation are able to threaten both fickle friends and frightening foe alike with such a fabulous deal?

          Was that which is perceived and conceived as reality ever more precariously perched on the edge of a mighty cliff?

  8. Speltier

    What the Bot?

    A side channel and a covert channel are not the same thing. Described apparently is a covert channel, exceedingly common in any system sharing one or more resources. We have to document all the covert channels for certification; yes, cache-- all the different caches-- is one class amongst many. I have not seen the ArXiv paper, so perhaps this particular covert channel is some flavor of a data covert channel... strictly prohibited, and would justify some alarm.

    If you don't want any covert channels, don't share any resources.

    1. Michael Wojcik Silver badge

      Re: What the Bot?

      There's a side channel in this vulnerability, not just a covert channel. The side channel is page cache presence.

  9. jch

    Linux patch

    Linux now has a patch: 574823bfab82 ("Change mincore() to count "mapped" pages rather than "cached" pages")

    It changes the semantics of mincore(2) to report mapped pages rather than present pages which means that you can no longer use that to determine if a file is present in the cache. You might still be able to mount a timing attack by flushing pages and measuring how long it takes to load the page to determine whether it was present before you loaded it. Whether that makes the attack infeasibly slow I wouldn't like to say.

    1. Martin
      IT Angle

      Re: Linux patch

      Merely a question, as I don't understand exactly what mincore() is or what it's used for - but if you change it to report mapped pages, rather than present pages, aren't you changing its functionality? And doesn't that mean that it might break some working software somewhere?

      ...icon as it's the nearest we have to a question.

      1. jch

        Re: Linux patch

        Yes, it is a change of semantics. Previously you could find out if someone had recently been looking at, say, /usr/share/dict/words but with the patch you can’t. You can only find out if a file is mapped by a process.

        In practice this is not likely to be a big deal: mincore(2) is not exactly heavily used. You can still use mincore(2) to find out if some shared library, for example, is in use because it is mapped. You can’t know whether the pages behind the map are resident or not.
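A way to see the two semantics jch describes on your own kernel, as an added check (not jch's code and not from the kernel tree): the program writes a small temporary file with write(2), so its pages are in the page cache but not yet in this process's page table, then maps it and asks mincore(2) twice, once without touching the mapping and once after reading every page through it. A pre-patch kernel reports every page as resident both times; a kernel with the 574823bfab82 semantics reports 0 for the untouched probe, because nothing is mapped yet. The touched probe reports every page under either rule, which is what the self-test relies on. One caveat for anyone checking a current kernel: the "mapped pages" change was later replaced by a rule that reports residency only for files the caller owns or could write, so on such a kernel a probe of your own file still says "cached" and only a file you cannot write (pass its path as the argument) shows the hiding. Assumptions: Linux, a writable /tmp, and that four freshly written pages stay in the page cache for the few microseconds until the probe.

```c
/* Added check for this thread: does mincore() still reveal page-cache
   residency for unmapped pages on this kernel? Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map `path` read-only and count the pages mincore() flags as resident.
   With touch_first set, each page is first read through the mapping, which
   puts it into this process's page table as well as the page cache. */
static long count_resident(const char *path, int touch_first)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    if (st.st_size == 0)    { close(fd); return 0; }
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (size_t)st.st_size;
    long npages = (long)((len + page - 1) / page);
    unsigned char *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return -1;
    if (touch_first) {
        volatile unsigned char sink = 0;
        for (long i = 0; i < npages; i++)
            sink ^= map[(size_t)i * page];
        (void)sink;
    }
    unsigned char *vec = calloc((size_t)npages, 1);   /* one byte per page */
    long resident = -1;
    if (vec != NULL && mincore(map, len, vec) == 0) {
        resident = 0;
        for (long i = 0; i < npages; i++)
            resident += vec[i] & 1;                      /* bit 0 = resident */
    }
    free(vec);
    munmap(map, len);
    return resident;
}

/* Constructed sample input: a temporary file of `npages` pages filled via
   write(2), so the data is cached but not mapped by this process. */
static int make_sample_file(char *tmpl, long npages)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = malloc(page);
    if (buf == NULL) { close(fd); unlink(tmpl); return -1; }
    memset(buf, 'x', page);
    for (long i = 0; i < npages; i++) {
        if (write(fd, buf, page) != (ssize_t)page) {
            free(buf); close(fd); unlink(tmpl); return -1;
        }
    }
    free(buf);
    close(fd);
    return 0;
}

/* Probe a fresh file owned by this process and clean it up afterwards.
   Returns the resident page count reported by mincore(), or -1 on error. */
static long probe_own_file(long npages, int touch_first)
{
    char tmpl[] = "/tmp/mincore_check_XXXXXX";
    if (make_sample_file(tmpl, npages) != 0)
        return -1;
    long resident = count_resident(tmpl, touch_first);
    unlink(tmpl);
    return resident;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        /* A file of your choice, e.g. one you cannot write, to see whether
           the kernel hides its residency from you. */
        long r = count_resident(argv[1], 0);
        printf("%s: %ld page(s) reported resident without mapping them\n", argv[1], r);
        return r < 0 ? 1 : 0;
    }
    const long n = 4;
    printf("own file, untouched: %ld of %ld pages reported resident\n", probe_own_file(n, 0), n);
    printf("own file, touched:   %ld of %ld pages reported resident\n", probe_own_file(n, 1), n);
    return 0;
}
```

Read the untouched line first: 4 means mincore() is answering the "cached" question for that file, 0 means it is answering the "mapped" one. The touched line is a sanity check that the mapping and the vector handling work at all.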

  10. steve 124

    dear "boffins"

    Please stop freaking us out (and stop finding holes in our OS's).

    Don't you have some deathstar plans to steal or something?

  11. Michael Wojcik Silver badge

    dubious "fix" for QueryWorkingSetEx

    The fix requires the PROCESS_QUERY_INFORMATION flag for QueryWorkingSetEx instead of PROCESS_QUERY_LIMITED_INFORMATION, so less privileged processes cannot directly access page cache information.

    This approach - requiring higher privileges for an existing function - has limited merit. Applications which rely on the function (here QueryWorkingSetEx) will either lose functionality, or more likely will be changed to run with higher privilege; so vulnerabilities in those applications become more dangerous.

    The Windows security model is already flawed with respect to a number of query operations. For example, excess privilege is needed to query whether a known process is still running - a common requirement, and not one that should require special privilege. The benefit of removing that side channel is dwarfed by the privilege leak.

    PROCESS_QUERY_LIMITED_INFORMATION was introduced in Vista / Server 2008 (if memory serves) specifically to improve privilege granularity, following the principle of least privilege. This change reduces its usefulness.


Biting the hand that feeds IT © 1998–2019