Surging journalist Yang Xin 倢 | Intern Angel
A security issue derived from the Intel chip loophole spans all desktops, computers, smartphones and cloud computing servers worldwide.
Two loopholes Meng Meng map
On January 4, foreign security research institutes released two sets of CPU vulnerabilities: Meltdown and Specter.
Although no real exploit has been found in the world at this time, in theory this leak exposes all CPUs that have access to virtual memory to malicious access, protected passwords, application keys, etc. The information is therefore at risk.
From the current understanding of the situation, the majority of mass production processors since 1995 are likely to be affected by the above loopholes, and involves most of the common operating system. Although Intel-based, but most mainstream processors ARM, AMD and other chipsets are also affected by the loopholes. Correspondingly, the mainstream operating systems such as Windows, Linux, macOS and Android and the terminal devices such as computers, tablets, mobile phones and cloud servers adopting the chips are affected by the above loopholes.
Worse, Intel itself can not solve this vulnerability by firmware upgrade, causing operating system developers such as Microsoft and Apple to seek ways to fix it.
January 4, China National Vulnerability Database (China National Vulnerability Database) contains these two vulnerabilities, and a comprehensive rating for the vulnerability "high risk".
Subsequently, cybersecurity department issued a safety alert. On January 5, Shanghai Network Information Office issued an early warning notification to all the key information infrastructure managers and operators in this Municipality, requiring all units to start the network security contingency plan and take countermeasures.
Network security experts said that although the impact of a wide range of vulnerabilities, and cause global concern, but the most affected most is the cloud services vendors, for ordinary users, the big need not be too panicked.
Q: How to exploit the vulnerability?
Normally, normal programs can not read data stored by other programs, but malware can use Meltdown and Specter to retrieve private information stored in the memory of other operating programs.
Specifically, according to Tencent computer housekeeper security team experts to surging news reporters: Meltdown vulnerability, low-privileged users can access the contents of the kernel to get the underlying operating system information; when the user visited through the browser contains Specter malicious use User privacy information such as an account number, password, email address, etc. may be leaked during the website of the program. In the cloud service scenario, specter can be used to break the isolation between users and steal the data of other users.
The current vulnerability verification code (PoC) has been released, technical details are not repeated here. Tencent security team has been verified, the loopholes in Windows, Linux, Mac OS and other operating systems, the success of reading any specified memory address of the content.
Q: What is the principle of loopholes?
These two groups of vulnerabilities come from the new features that chip makers have introduced to improve CPU performance.
Modern CPUs use Out-of-Order Execution and Speculative Prediction to improve processing performance. Out-of-order execution means that the CPUs do not execute serially in strict accordance with the order of the instructions. Instead, the instructions are grouped and executed in parallel according to the dependencies. Finally, the results of executing the instructions in each group are summed up. Predict execution is based on the current grasp of the CPU information to predict the outcome of a conditional judgment, and then select the corresponding branch in advance.
Out of Order Execution and Prediction Execution When an exception is encountered or a branch prediction error is found, the CPU discards the previous execution result, restores the state of the CPU to the correct state before out-of-order execution or prediction execution, and then selects the corresponding correct instruction to continue execution . This exception handling mechanism ensures that the program can execute correctly, but the problem is that the CPU cache will not be restored when the CPU resumes, and the two vulnerabilities exploit this design flaw to measure channel attacks.
Q: Why did the flaw hide so long?
The vulnerability was discovered by security researchers at least early in 2016, but Intel did not finally recognize the vulnerability until early this year. The Wall Street Journal quoted security experts as saying that Intel has done a mess in the disclosure of the incident.
At the Black Hat Network Security Conference in Las Vegas, USA, in August 2016, two researchers, Anders Fogh and Daniel Gruss, demonstrated the early stages of the vulnerability sign. Fogg also published a blog post in July last year to encourage other researchers to investigate.
In the meantime, Jann Horn, Project Zero's security research team at Google, has already uncovered the issue and informed Intel. Finally, three other research teams from around the world contacted Intel on the same issues, and Intel went on to exchange and write papers with them.
However, this chip loophole can be traced back to at least 2010, the common architectural principle that has brought this kind of loophole has a history of several decades. Why did Intel not find the loopholes earlier? Intel did not respond positively to this issue.
Dr. Meng Kui, School of Cybersecurity at Shanghai Jiaotong University, said the security breach could break out at this time for two reasons. The first is that Intel's low efficiency and poor progress have caused the industry's pressure. The second Because of the loopholes in the information disclosure time is too long may lead to be exploited by the attacker. Therefore, immediate action must be taken. & rdquo;
Q: Are there any malicious attacks already reported?
Tencent and 360 and other security companies have said there is no known case of exploiting these vulnerabilities is found.
The National Cyber Security Center said there is currently no evidence that Meltdown and Specter are being used to steal data, but the nature of the attack makes them hard to detect.
Zheng Wenbin, general manager of 360 Core Security Group and head of the Vulcan team, told surging reporters that an attacker could exploit the vulnerability to steal privacy but could not control a computer, elevate privileges, or break the isolation of a virtualized system. In addition, the vulnerability can not be remotely exploited, nor can it be exploited in the same way as "eternal Blue" vulnerabilities without the user interacting.
Tencent security experts said that although the details of the vulnerabilities and PoC have been made public, they are not directly applicable to attacks. Vulnerability to real attacks there are many details need to be resolved, there is no stable generic, at the same time can cause significant consequences (theft of account passwords, etc.) exploit code.
Q: how to fix the bug?
According to the British Guardian, because the flaw was caused by a flaw in the underlying silicon design, it was complicated to repair and difficult to repair.
Zheng Wenbin said that the CPU hardware bug fix difficult only by CPU manufacturers for security updates (such as CPU microcode upgrade) is unable to solve this problem, repair these vulnerabilities need operating system vendors, virtualization vendors, hardware and software distributors, Browser vendors, CPU vendors working together and complex and extremely in-depth changes in order to completely solve the problem.
After the loopholes exposure, various chip manufacturers, operating system vendors, browser vendors and cloud service vendors have all responded by taking measures actively, issuing security bulletins, and releasing mitigation measures and patches in time.
Intel Proposed Concern for Subsequent Chipset Update, Motherboard BIOS Update; Linux Has Released KAISER for Meltdown Vulnerabilities; MacOS Tweaked for 10.13.2; Google Claims for Fixes; Win10 Insider Fixes for End of Year; Updates for Win10 Fall Crew Released KB4056892, will force the automatic installation; Amazon AWS then announced the guidance program; Specter more difficult for the specter loopholes, the vendors are still tackling the problem.
In response to the loophole, Shanghai Network Information Office has taken emergency measures. One is to keep abreast of the latest situation of the loopholes and evaluate the impact of the loopholes on the system of the units in time. The second is the chip makers, operating system vendors and security vendors, such as patches issued in a timely manner tracking test, doing a comprehensive and prudent assessment based on the work to develop a repair work plan, timely installation. Third, to further strengthen the network security protection for key information infrastructure, strengthen network security protection and threat intelligence gathering, and report on network security incidents to the municipal network in time.
Q: How to prevent common users from loopholes?
At present, Internet users can use the following security strategy to protect:
1, upgrade the latest operating system and virtualization software patches: At present, Microsoft, Linux, MacOSX, XEN and so have introduced the corresponding system patches, upgraded to prevent these exploits are exploited;
2, upgrade the latest browser patch: At present, Microsoft IE, Edge and Firefox have introduced a browser patch, upgrade to prevent these exploits are exploited;
3, wait or ask your cloud service provider to update the virtual system patches in time;
4, install security software.
According to Tencent security experts, the main danger that a vulnerability can cause is that it uses a browser to visit a webpage with exploited code, resulting in the disclosure of sensitive information (account password, etc.). As long as develop good habits of the Internet, not easily click the link sent by strangers, the basic vulnerability will not be affected. Meanwhile, the patches and mitigations released by browsers for vulnerabilities are simple and effective, and do not result in performance degradation or compatibility issues. Users can choose to upgrade their browsers to the latest version to avoid vulnerabilities.
Q: "Patch will result in CPU performance loss of 30%" is true?
There are many problems with the fix itself.
Tencent security experts to Windows 10, for example, Microsoft in the early hours of January 4, Beijing released an emergency January system security update, but the patch there is a clear performance and compatibility issues: On the one hand, the update may affect The system performance fell 30%. On the other hand, updates may cause some software (security software, etc.) to become incompatible and cause a blue screen.
However, according to Tencent security team's actual testing, performance problems for ordinary users, the impact is not significant: only under extreme testing, there will be obvious performance issues; the normal use of the general does not appear.
Zheng Wenbin 360 also said that this argument is more one-sided, 30% of the performance losses in the more extreme special test cases. Under normal user usage, especially when the user's computer hardware is newer (such as the 32-bit X86 operating system sold on most Macs and laptops), the performance loss of these patches is almost user-friendly can be ignored. Next, including Microsoft, Intel, manufacturers will further introduce targeted patches to further reduce the patch on the performance loss.
However, Tencent security team reminded the compatibility problem is indeed serious: in the security software, and some games on the computer, the patch is more likely to appear blue screen phenomenon. This also makes many security companies have taken a more conservative strategy, temporarily do not take the initiative to push Microsoft's patch, to avoid causing the user's computer can not be used normally.