Comments on Project Zero: Reading privileged memory with a side-channel
(Blogger comment feed; last updated 2024-03-18)

hypermug1, 2018-05-30 16:08 (-07:00):
People! Don't say they need physical access to your computer. The vulnerability just reads what goes through the memory. So if your password goes through the memory it can read what is going through

Barta, 2018-02-22 01:21 (-08:00):
Maybe Project Zero and Google should try to solve bugs on Android and Chrome, and there are a lot.

Jason Cheng, 2018-02-12 18:21 (-08:00):
Thanks.

MK, 2018-02-12 16:37 (-08:00):
No. "Past" is used here in the sense of "go past", not "in the past".

The processor can speculatively continue execution beyond (past) a branch.

Jason Cheng, 2018-02-12 02:08 (-08:00):
Hi, in the Glossary section, should "A processor can execute past a branch" be "A processor can execute a past branch"?

Hestia, 2018-02-06 02:51 (-08:00):
Still waiting for Intel microcode...

David, 2018-02-03 06:32 (-08:00):
Hopefully Intel is working on a hardware solution for this flaw. The obvious solution is adding a fully isolated device that performs scheduled encryption for all sensitive information (which is not used for computation anyway); decryption is then done only when the request is longer than the access time of Meltdown. Such a solution will help not only against Meltdown, but also against any attempt to get a password without touching the keyboard.

John, 2018-01-25 01:32 (-08:00):
May I ask how to dump branch history buffer state?

efortin, 2018-01-22 14:32 (-08:00):
Quick question. I've read about Meltdown and Spectre. And since they both kind of use cache side effects with access to privileged memory, would a solution be for the processor to invalidate any cache line of data that was speculatively loaded but ended up not needed?

Saint Crusty, 2018-01-21 14:16 (-08:00):
This is one interesting threat; knowledgeable people may want to review. To my untrained mind this appears to be eerily similar to what Spectre and Meltdown contain as a PoC.

https://software.intel.com/en-us/forums/intel-moderncode-for-parallel-architectures/topic/305992

zorinmiki, 2018-01-20 17:12 (-08:00):
When stating that "eBPF's data arrays are less efficient than its function pointer arrays", is this in general, or specific to the pertaining attack vector?

Anonymous, 2018-01-18 19:16 (-08:00):
chrome://extensions Ok, let's try this again. Since I have no idea what the heck you are all talking about, what am I supposed to do now? I mean really, not all of us are computer or MIS geniuses. I went in and deleted the "AdBot" extension. It actually was not marked as enabled, but I dumped it anyway. Then I ran Mbytes & Windows Defender scans. Is there anything else I have to do? Also I did not get any notification from Google about problems!!!!!! This came off a Mbyte post dated 1-7-18.

Anonymous, 2018-01-18 19:14 (-08:00):
Great work and great article.

Anonymous, 2018-01-18 19:10 (-08:00):
So, what are those of us that have NO IDEA what the hell you are talking about supposed to do? Seriously!!! We are not all computer or MIS specialists. I deleted the "AdBot" extension and ran a Mbytes scan. Do I have to do anything else?

Anonymous, 2018-01-18 15:46 (-08:00):
If I use a fingerprint recognition system, can I prevent hacking? Wouldn't it be possible to hack through the program by changing all passwords to fingerprint? Instead, it is based on the assumption that the fingerprint recognition system is based on external USB hardware.

litreily, 2018-01-17 18:25 (-08:00):
as a new one, just mark it

adx, 2018-01-14 01:20 (-08:00):
What you say about the debugger does apply if you're running everything as Administrator or root (or on a C64). But in a secured computer, no ordinary user can attach a debugger to a privileged process; that is locked out and is the whole point of brick-wall-like memory protection. It doesn't rely on security through obscurity or hoping things are hard to find, but on hardware designed to make it absolutely (completely and utterly) impossible for a normal-level user to get past. Computers have had this memory protection hardware for decades.

I'm not saying extracting the root password would be trivial, but first off, in a server with 10s of GB of RAM you can pretty much guarantee it is all being used for something. Reading any of it is almost certain to disclose sensitive data. It might be some random PHP in a file cache, but it is still data that someone trusts is behind the security wall. The Meltdown dumps were produced at 500KB/s, which is plenty fast enough to find something juicy or dump all RAM in less than a day. I mentioned the debugger because it's interactive - you're sitting there perusing stuff interactively, watching how it changes when you do something, like say attempting to log in over SSH. Even 2KB/s would be enough for that. The mechanics of the attack also mean you get a massive hardware assist and can effectively search a lot faster for certain things. If you're logged into some random web host, they tell you exactly what kernel is running with what patches, and one of the papers on this attack discusses what structures might be vulnerable even with mitigations like address space randomisation. Without memory protection, there is basically no security at all against locally running code.

Yet Again, 2018-01-13 11:17 (-08:00):
Yuri, the fact that sensitive data is hidden in a lot of noise (tens of GB of data dump) is a classic machine learning problem. If a team is determined to use the flaw, (1) experts in computer security would access/grab the data dump, then (2) experts in data mining / machine learning would separate the data from the "noise".

The best analogy that comes to mind: suppose we find out that everyone's home has a flaw, where the key to their house is buried somewhere in the garden. Since the flaw affects almost anyone, the probability of any one person getting robbed is extremely low, but if your house is known to contain tons of gold, then it's worth mining your entire garden with metal detectors just to find the key. And entire groups might start deploying an army of miners with metal detectors just to gather as many keys as possible "just in case" (e.g. government agencies, misc. nefarious groups).

Keep in mind that the data's not encrypted, so it's just a matter of finding recurring patterns. One extremely simplified example: parse the data dump to get all websites, look for recurring bank websites, then get the data you input immediately afterwards (yes, I'm over-simplifying a LOT, but it's just probabilistic algorithms crunching a lot of data) .... eventually, one will obtain your online banking password. Same for PayPal and what not.

PS: my field isn't computer security but rather data mining, so to me it's the "easy part" of the problem, though I'd need an accomplice to get the data dump.

Yet Again, 2018-01-13 10:48 (-08:00):
Ditto, the year and also where it was published (or technical paper if not in conference proceedings or a journal), because even some of the co-authors cite Kocher et al. without any date or venue, cf. reference [19] in https://meltdownattack.com/meltdown.pdf

Yet Again, 2018-01-13 10:37 (-08:00):
Your own source specifies that "Android 5.0.1 and 5.0.2 are not vulnerable, according to the advisory." I.e. all versions of Android still supported by Google at the moment (Lollipop except 5.0.x, Marshmallow, Nougat and Oreo) aren't affected by the Wi-Fi Direct vulnerability.

Saint Crusty, 2018-01-12 15:39 (-08:00):
You know what would be great? If all Google pages showed a date published and a date updated. Same for almost any of the vendor pages. Please, it is 2018; we use dates and times. Thanks.

Anonymous, 2018-01-11 19:54 (-08:00):
Could you explain how you would be able to discover sensitive information (passwords, usernames etc.) inside a memory dump of tens of gigabytes without knowing the exact layout?
And what is this memory dump worth when it is created at a speed of 2K bytes per second?
I suggested a very simple test, which is much easier than stealing sensitive information, and I suggested this test because I doubt that it could be done.
You mention the debugger - that's a very good point. You can write a debugger-like application which attaches to the process of interest and retrieves the information, if it knows how to do it with this particular process. No need to use "cache lines" and other tricks. Most computers are vulnerable to this. Aren't they?

xk, 2018-01-11 14:17 (-08:00):
Can someone at Project Zero explain why the FreeBSD Security Team was notified so much later than their counterparts supporting other systems? I am honestly very disappointed in Google's delay in this regard.

Anonymous, 2018-01-11 11:24 (-08:00):
There is a PoC exploit of this in JavaScript; however, I am not sure if it has been expanded on or exploited in any specific way. This means, though, that even visiting a webpage that is infected could gain the attacker access to your cache...