
On 7/27/23, grarpamp <grarpamp@gmail.com> wrote:
Another huge exploit against shared computing platforms. Expect another wave of massively embarrassing database leaks to be dropping all over the news and file sites soon.
Yet more fun, this time with ... DOWNFALL ! https://downfall.page/ Intel sat on this one for at least an entire YEAR...
... which was well after its official TOP-SECRET inclusion in the chip masks years ago. As usual, Spooks, Corps, Govts and others have been mole'ing, masking, discovering, buying, or running black ops to get them, and are freely running exploits with them since well before any public release. Zerodium and other dark budgets still paying top dollar.
There's plenty of fun ways to fuzz them fuzzy fuzzers...
#OpenFabs , #OpenHW , #OpenAudit , #FormalVerification , #CryptoCrowdFunding , #OpenTrust , #GuerrillaNets , #P2PFiber , #GNURadioRF , #PrivacyCoins , #DropGangs , ...
Downfall Attacks
https://downfall.page/

Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques. You can read the paper I wrote about this for more detail. Please cite as follows:

@inproceedings{moghimi2023downfall,
  title={{Downfall}: Exploiting Speculative Data Gathering},
  author={Moghimi, Daniel},
  booktitle={32nd USENIX Security Symposium (USENIX Security 2023)},
  year={2023}
}

By Daniel Moghimi

Demo
[video: Stealing 128-bit and 256-bit AES keys from another user]
[video: Stealing arbitrary data from the Linux Kernel]
[video: Spying on printable characters]

FAQ

[Q] Am I affected by this vulnerability?
[A] Most likely, yes. This depends on whether your computing devices (laptop, tablet, desktop, cloud, etc.) use the affected Intel processors. Even if you do not own any physical Intel-based devices, Intel's server market share is more than 70%, so most likely, everyone on the internet is affected.

[Q] Which computing devices are affected?
[A] Computing devices based on Intel Core processors from the 6th Skylake to (including) the 11th Tiger Lake generation are affected. A more comprehensive list of affected processors will be available here.

[Q] What can a hacker do with this?
[A] A hacker can target high-value credentials such as passwords and encryption keys. Recovering such credentials can lead to other attacks that violate the availability and integrity of computers in addition to confidentiality.

[Q] How practical are these attacks?
[A] GDS is highly practical. It took me 2 weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading.

[Q] Is Intel SGX also affected?
[A] In addition to normal isolation boundaries, e.g., virtual machines, processes, user-kernel isolation, Intel SGX is also affected. Intel SGX is a hardware security feature available on Intel CPUs to protect users' data against all forms of malicious software.

[Q] What about web browsers?
[A] In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts.

[Q] How long have users been exposed to this vulnerability?
[A] At least nine years. The affected processors have been around since 2014.

[Q] Is there a way to detect Downfall attacks?
[A] It is not easy. Downfall execution looks mostly like benign applications. Theoretically, one could develop a detection system that uses hardware performance counters to detect abnormal behaviors like excessive cache misses. However, off-the-shelf Antivirus software cannot detect this attack.

[Q] Is there any mitigation for Downfall?
[A] Intel is releasing a microcode update which blocks transient results of gather instructions and prevents attacker code from observing speculative data from Gather.

[Q] What is the overhead for the mitigation?
[A] This depends on whether Gather is in the critical execution path of a program. According to Intel, some workloads may experience up to 50% overhead.

[Q] Can I disable the mitigation if my workload does not use Gather?
[A] This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content, which leaks data to untrusted code exploiting Gather.

[Q] How long was this vulnerability under embargo?
[A] Almost one year. I reported this vulnerability to Intel on August 24, 2022.

[Q] Should other processor vendors and designers be concerned?
[A] Other processors have shared SRAM memory inside the core, such as hardware register files and fill buffers. Manufacturers must design shared memory units with extra care to prevent data from leaking across different security domains and invest more in security validation and testing.

[Q] How can I learn more about Downfall?
[A] In addition to the technical paper, I am presenting Downfall at BlackHat USA on August 9th, 2023 and at the USENIX Security Symposium on August 11, 2023.

[Q] Can I play with Downfall?
[A] Here is the code: https://github.com/flowyroll/downfall/tree/main/POC

[Q] Why is this called Downfall?
[A] Downfall defeats fundamental security boundaries in most computers and is a successor to previous data leaking vulnerabilities in CPUs including Meltdown and Fallout (AKA MDS). In this trilogy, Downfall defeats all previous mitigations once again.

[Q] How did you create the logo?
[A] I used the DALL·E 2 AI system to create the logo.

Advisories
  MITRE   CVE-2022-40982
  Intel   INTEL-SA-00828
  Debian  CVE-2022-40982

Links
  Meet the Finalists for the 2023 Pwnie Awards (Dark Reading)
  New Downfall attacks on Intel CPUs steal encryption keys, data (Bleeping Computer)
  Episode 56: Interview with Daniel Moghimi about Downfall (Chips & Salsa)
  Downfall and Zenbleed: Googlers helping secure the ecosystem (Google Security Blog)
  Gather Data Sampling (Intel)
  Google unveils Downfall attacks, vulnerability in Intel chips (Tech Target)
  New 'Downfall' Flaw Exposes Valuable Data in Generations of Intel Chips (Wired)
  Gather Data Sampling Technical Paper (Intel)
  Threat Analysis Assessment for GDS Paper (Intel)
  'Downfall' vulnerability leaves billions of Intel CPUs at risk (Cyberscoop)
  Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications (Phoronix)
  Another round of speculative-execution vulnerabilities

Copyright Daniel Moghimi 2023
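The FAQ above says the fix is a microcode update and that disabling it is a bad idea; the practical follow-up for a defender is confirming that the update has actually landed on every host. The script below is an added example, not from the Downfall page or the Linux kernel project. It assumes a Linux kernel that carries the GDS mitigation and reports its state in the sysfs file /sys/devices/system/cpu/vulnerabilities/gather_data_sampling; the status strings it matches are the ones the upstream kernel documents for that entry, and the function accepts an alternative file path so it can be exercised against constructed inputs.

```shell
#!/bin/sh
# Added example: classify the kernel's GDS (Downfall) mitigation status so a
# fleet check fails loudly on hosts that are still missing the microcode update.
# Assumption: kernel with the gather_data_sampling sysfs entry (Linux 6.5+
# and distro backports); older kernels simply do not have the file.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# gds_classify STATUS_STRING
#   Prints a one-line verdict and returns:
#     0  mitigated ("Mitigation: Microcode", optionally "(locked)") or not affected
#     1  vulnerable: either no microcode, or mitigation turned off
#        (e.g. the gather_data_sampling=off boot parameter, which the FAQ warns against)
#     2  unknown: VM guest depending on the hypervisor, or an unrecognised string
gds_classify() {
  case "$1" in
    "Not affected"*)             echo "ok: not affected";                  return 0 ;;
    "Mitigation: Microcode"*)    echo "ok: microcode mitigation active";   return 0 ;;
    "Vulnerable: No microcode"*) echo "vulnerable: microcode update missing"; return 1 ;;
    "Vulnerable"*)               echo "vulnerable: mitigation disabled";   return 1 ;;
    "Unknown"*)                  echo "unknown: guest, depends on hypervisor"; return 2 ;;
    *)                           echo "unknown: unrecognised status '$1'"; return 2 ;;
  esac
}

# gds_check [FILE]
#   Reads the sysfs entry (or the file given for testing) and classifies it.
#   A missing file means the kernel predates GDS reporting, which is itself
#   a finding: the host cannot prove it is mitigated, so report unknown.
gds_check() {
  f=${1:-$GDS_SYSFS}
  if [ ! -r "$f" ]; then
    echo "unknown: $f not present (kernel without GDS reporting?)"
    return 2
  fi
  gds_classify "$(cat "$f")"
}

# Stand-alone use: check this host and propagate the verdict as the exit code.
if [ "${GDS_CHECK_NO_MAIN:-0}" = "0" ] && [ -z "${GDS_TEST_MODE:-}" ]; then
  gds_check
fi
```

In a configuration-management run, a non-zero exit from `gds_check` is the signal to schedule the firmware/microcode update (or to investigate why the kernel command line disables the mitigation).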