

42 comment(s) - last by Justin Case on Jul 18 at 4:26 PM

Code to attack systems using errata vulnerability will be given out freely

In the world of microprocessors it is common for a CPU containing hundreds of millions of transistors to have flaws in its design, known as errata. The CPUs in the computers that the majority of users run day in and day out almost certainly contain errata that go unnoticed and have virtually no effect on the performance of the processor.

In October the threat from processor errata that have so far caused no harm is set to grow significantly. Security researcher and author Kris Kaspersky says he plans to demonstrate how an attacker could take control of a computer running any operating system by exploiting errata in its CPU.

Not only will Kaspersky demonstrate the attack, he says he will offer the code freely to anyone, presumably including malicious hackers. The exploit is said to rely on specific instruction sequences and on knowledge of how Java compilers work, which the attacker uses to take over the compiler.

Kaspersky says that different errata in different processors enable different attacks on computer systems. Kaspersky told PC World, “I'm going to show real working code...and make it publicly available. Some bugs just crash the system; some allow a hacker to gain full control on the kernel level. Some just help to attack Vista, disabling security protections.”

The demonstration is going to take place in October at the Hack In The Box Security Conference. Kaspersky says that many of the errata can be worked around with microcode updates, which the CPU makers supply and which reach most machines through motherboard BIOS updates (or through the operating system's microcode loader). However, he points out that not all vendors ship the updates, and some bugs may have no workaround at all.
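Whether a machine has actually received the microcode that works around a given erratum is something an administrator can check rather than assume. The script below is an added example, not code from the DailyTech article or from Kaspersky's demonstration. It assumes a Linux host, which reports the loaded microcode revision per logical CPU in the `microcode` field of /proc/cpuinfo; the revision numbers in the demo are made up for illustration, and the real minimum for a given erratum must be taken from the CPU vendor's specification update for the exact model and stepping.

```shell
#!/bin/sh
# Added example: verify the microcode revision loaded on each CPU against a
# required minimum. Assumes Linux, where /proc/cpuinfo carries a line like
# "microcode : 0x20" for every logical CPU (the field is absent on very old
# kernels and on non-x86 machines). Revision values used here are invented.

# Print the distinct microcode revisions found in a cpuinfo-format file.
# Usage: microcode_revs /proc/cpuinfo
microcode_revs() {
    awk -F': *' '/^microcode/ { print $2 }' "$1" | sort -u
}

# Compare two hexadecimal revisions; succeed if $1 >= $2.
# Returns 2 if either argument is not a hexadecimal constant.
rev_at_least() {
    case "$1$2" in *[!0-9a-fA-Fx]*) return 2 ;; esac
    [ $(( $1 )) -ge $(( $2 )) ]
}

# Succeed only if every CPU listed in the file runs at least revision $2.
# Returns 1 if any CPU is behind, 2 if no microcode field was found.
check_microcode() {
    file=$1; want=$2; rc=0; n=0
    for have in $(microcode_revs "$file"); do
        n=$((n + 1))
        if rev_at_least "$have" "$want"; then
            echo "ok:  microcode $have >= $want"
        else
            echo "OLD: microcode $have < $want (apply the BIOS or OS microcode update)"
            rc=1
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "no microcode field found in $file (old kernel, or not x86)"
        rc=2
    fi
    return $rc
}

# Demo on a constructed two-CPU cpuinfo snippet (not data from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
microcode	: 0x20
processor	: 1
vendor_id	: GenuineIntel
microcode	: 0x20
EOF
check_microcode "$sample" 0x1c          # assumed minimum: both CPUs pass
check_microcode "$sample" 0x24 || echo "at least one CPU needs newer microcode"
rm -f "$sample"
# On a live system: check_microcode /proc/cpuinfo <minimum from the vendor's spec update>
```

Note that a BIOS update and an OS microcode package load the same vendor-supplied blob, so the value reported here is what matters, not which channel delivered it; if the vendor lists an erratum as "no fix" or "no plan to fix", no revision will make this check meaningful for that erratum.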

The most recent high-profile example of trouble caused by CPU errata was Intel delaying some of its 45 nm Penryn parts because of errata.






Irresponsible
By redbone75 on 7/15/2008 2:02:01 PM , Rating: 1
Feel free to disagree, I'm sure some of you will, but this is enormously irresponsible on the part of Kaspersky. To report that errata exists is one thing, but to actually demonstrate it does a huge disservice to innocent businesses/consumers. I'm sure some of you will whine about how it forces the CPU manufacturers to be more responsible and release proper fixes for their products, but what of the innocent customers? Is it their fault for buying the product to, heaven forbid, run a business? It's like saying when a person gets mugged it's his/her fault for buying a wallet/purse to hold money.

Will the demonstration be on errata that the CPU mfr's are aware of and have already released bios updates for? I don't know. If it is, then that makes it less irresponsible, but it's irresponsible none the less.




RE: Irresponsible
By MatthiasF on 7/15/2008 2:18:52 PM , Rating: 4
Security issues are generally best broadcast to everyone so that the good and bad side of the issue get a heads up.

This can let software makers (antivirus, operating systems, etc.) learn to look out for the methods while also offering some pressure to the actual CPU makers to try their best to remove them.

Freedom of information is the cornerstone of modern society. Don't let fear take over the issue. The risks are more often removed faster when issues are made public than kept secret.


RE: Irresponsible
By ksherman on 7/15/2008 2:45:17 PM , Rating: 3
I have to agree with the OP, this seems a little irresponsible. It's one thing for him to say there is a problem; I think it's just fine and necessary to demonstrate it. But then he is taking things a step further by releasing the code to the general public, so anyone with the know-how can easily create and spread the virus. This seems foolish and wrong. Sure it gets CPU manufacturers to act quickly (maybe, who says they have to act quickly?) to provide a fix, meanwhile virus makers have one more tool they need to infect more and more computers.

Oh, $10 says his software can block it. I bet he won't release THAT code.


RE: Irresponsible
By theapparition on 7/15/2008 3:18:39 PM , Rating: 5
quote:
Oh, $10 says his software can block it. I bet he won't release THAT code.

Bingo....

Oh, and it is also reported that some errata that can still be exploited CAN'T be patched through microcode. If that's true, then it's unforgivably irresponsible.


RE: Irresponsible
By winterspan on 7/15/2008 8:36:14 PM , Rating: 5
I usually would agree, but they need to reveal the exploit to the CPU manufacturers BEFORE RELEASING IT TO THE PUBLIC. If this person is not doing so, then that is an incredible disservice to everyone in the computer industry, not to mention businesses and consumers.


RE: Irresponsible
By SlyNine on 7/15/2008 11:20:27 PM , Rating: 2
I agree to a point. But Freedom of information can be abused, and this is at least on the line of abuse.


RE: Irresponsible
By SiN on 7/16/2008 5:05:39 AM , Rating: 1
The method of how to gain control should be the reserve of prodigies that figure it out themselves then sell their soul to a security company or government. Anything else is simply incitement to cause damages or harm.

If Kaspersky had already gone to the CPU manufacturer and was told to fuck off for their efforts, then I would have no problem with what they (Kaspersky) are doing.


RE: Irresponsible
By SiN on 7/16/2008 5:11:01 AM , Rating: 2
I guess cursing gets you downrated auto style!


RE: Irresponsible
By tmouse on 7/16/2008 11:09:01 AM , Rating: 2
I completely disagree, it's one thing to mention they exist and another to provide the mechanism in enough detail to replicate the exploit. First the manufacturers must be made aware and given a reasonable amount of time to respond. It is totally impossible to prevent all errors and as these things become more and more complex this will happen more and more. Some can be fixed, some may not; it's not like they deliberately produce these errors. Even if they do nothing it is totally irresponsible to aid others in using it. This is for his own ego and has nothing to do with helping anyone but himself. You can alert people to the possibility without helping to promote it, which this most certainly will. How are you helping anyone by doing this? The damage FAR outweighs ANY theoretical benefit. If he does this and these exploits go wild he should be held responsible both legally and financially. Maybe some time behind bars protecting his own security holes from exploits would give him a better perspective.


RE: Irresponsible
By deadrats on 7/15/2008 8:08:35 PM , Rating: 2
I really must disagree with you for one reason: I think Kaspersky is severely overstating the potential problem.

While I am not that well versed with Java, I do have a pretty good background with Pascal, C, BASIC and assembler, and I have monkeyed around with the source to more than one compiler.

The most that can be accomplished by exploiting a CPU erratum is to cause the CPU to lock up, which means that you would have to reboot the system.

I have racked my brains trying to think of how a CPU erratum can be exploited by malicious code to compromise the kernel or to allow a hacker to take complete control of a system.

CPU errata are different from software errata; a flaw in the CPU design is a hardware problem. To compromise the kernel requires a software flaw, as does completely taking over the whole OS.

I really, really want to see 1) the theory behind his claims, 2) a working demo and 3) the source code.

Quite frankly it sounds to me like so much hot air. The article mentions 2 different attack vectors: 1) the Java compiler and 2) CPU errata. If you can exploit the Java compiler to accomplish this then you can exploit any assembler, including using C/C++ or FreeBASIC with inline assembly language, to accomplish the same thing.

I am really skeptical of his claims...


RE: Irresponsible
By masher2 (blog) on 7/15/2008 9:57:01 PM , Rating: 2
quote:
"the most that can be accomplished by exploiting a cpu errata is to cause the cpu to lock up...cpu errata's are different from software errata's, a flaw in the cpu design is a hardware problem, to compromise the kernel requires a software flaw
No. There are many ways a hardware errata could cause a security flaw. Kernel mode code, for instance, is mediated by a hardware flag. Privilege elevation could occur if a cpu errata mistakenly toggles that flag. Hardware errata could also theoretically allow a process to access memory outside its address space -- another security flaw. The list goes on and on.


RE: Irresponsible
By SiN on 7/16/2008 5:18:27 AM , Rating: 2
You're not all that well versed in computer hardware and software working together as you put across, are you.

Or you just want to see the code.


RE: Irresponsible
By deadrats on 7/16/2008 10:56:37 PM , Rating: 2
quote:
You're not all that well versed in computer hardware and software working together as you put across, are you.

Or you just want to see the code.


I'm better versed than most people, and yes, I really want to see the code.


RE: Irresponsible
By tmouse on 7/16/2008 11:18:16 AM , Rating: 2
Even a lock up can cause a lot of damage. For example many scientific devices use computers to control them and since the vendors rarely support their software even patching can cause problems. It's a poor practice by the vendors but for the purchasers there simply is no recourse; it's a small market, there is no other choice most times. A crash can literally cause tens of thousands of dollars in lost resources (adding in time and rare components for the experiments). I'm sure there are many other examples in other fields as well. I hope he is full of it but I think there is probably some meat in his argument and he is behaving totally irresponsibly in giving ANY specifics.


RE: Irresponsible
By MeTaedet on 7/15/2008 11:31:12 PM , Rating: 2
My problem with this is that it is essentially racketeering. Mr. Kaspersky, by releasing this code, will occasion the production of many new viruses to which he will then offer an antidote in the form of his Kaspersky anti-virus software. Either that, or he is fear-mongering, exaggerating the dangers in order to encourage people to purchase his software.

At any rate, he strikes me as being more than a bit sleazy and greedy.


RE: Irresponsible
By ViroMan on 7/16/2008 3:31:41 AM , Rating: 2
Irresponsible?

Perhaps it is but, maybe he has already brought it to the manufacturers' attention and they brushed him off. There are many people who point out flaws to Microsoft that can allow a takeover attempt and they get brushed off and so they publish the flaws to the public as well.

These errors can be used with Java?!? WOW now we're gonna have to buy Norton/McAfee/NOD/CA/(other) for Java.


RE: Irresponsible
By nemrod on 7/16/2008 5:32:22 AM , Rating: 2
Seems there is no link between Eugène Kaspersky and Kris Kaspersky.
So no link between this guy and Kaspersky Lab (antivirus).


Errata what?!?!
By SilthDraeth on 7/15/2008 1:38:57 PM , Rating: 4
I always thought errata was a list of errors and corrections, and the dictionary links below support that. I didn't know an errata was a physical error on a microprocessor.

www.dictionary.com
er·ra·ta [i-rah-tuh, i-rey-, i-rat-uh]
–noun
1. pl. of erratum.
2. a list of errors and their corrections inserted, usually on a separate page or slip of paper, in a book or other publication; corrigenda.

http://www.merriam-webster.com/dictionary/errata
Main Entry: er·ra·ta
Function: noun
Etymology: Latin, plural of erratum
Date: 1573

: a list of corrigenda; also : a page bearing such a list




RE: Errata what?!?!
By thornburg on 7/15/2008 1:54:56 PM , Rating: 2
quote:
I always thought errata was a list of errors and corrections, and the dictionary links below support that. I didn't know an errata was a physical error on a microprocessor.


You are spot on. Errata is a list of known errors.

I guess that the term is evolving to refer to the errors themselves in addition to the list.

FWIW, AFAIK, an unknown bug in a processor (i.e. one that has not been officially announced) would not be considered "errata".


RE: Errata what?!?!
By flyingrooster on 7/15/2008 1:55:51 PM , Rating: 2
That is the dictionary definition, however microprocessor manufacturers such as intel use the word "errata" to describe errors in the cpu. The fixes are released as microcode updates.
http://support.microsoft.com/kb/q288302/
http://en.wikipedia.org/wiki/Errata#Meanings_in_a_...


RE: Errata what?!?!
By KristopherKubicki (blog) on 7/15/2008 1:58:49 PM , Rating: 2
In the CPU world we usually say errata instead of bug, but it's the same.


RE: Errata what?!?!
By SilthDraeth on 7/15/2008 2:09:15 PM , Rating: 1
Dang, down rated for my first comment, which was a legitimate question/statement? *sigh*

Well, a friend and I work in IT together, and we say P X E, but have heard others say PIXIE BOOT, so we decided from now on, PXE booting will be referred to as "Fairy Kicking" at work.

So you in the CPU world are not the only ones that can change the meanings of things for no apparent reason.

Have a great day.

p.s. This isn't directed at you KK, you are great. I just don't understand why people change things all the time and then get all serious about it.


RE: Errata what?!?!
By Justin Case on 7/16/2008 2:09:45 AM , Rating: 2
Errata means "(list of / set of) errors" when talking about CPUs, just as it does about everything else. A CPU errata is a list of its (known) errors.

Each individual error is called an "erratum" (not an "errata"). Some people can't even get plurals right in English, though, so you can't really expect them to get them right in Latin.

BTW, literally, "erratum" means "one which has gone off course", from "errare", which means "to wander".


RE: Errata what?!?!
By SilthDraeth on 7/16/2008 9:28:34 AM , Rating: 2
Thank you. My second post was just about a conversation a coworker and I had, and was strictly humor.

I am aware of "errata" and "erratum" I just had not heard of them used in describing CPU bugs until now.


RE: Errata what?!?!
By Justin Case on 7/18/2008 4:26:26 PM , Rating: 2
Well, if anything it's "bug" that is a weird word to describe a flaw... :)

PS - Bugs suck. Literally.

http://en.wikipedia.org/wiki/Hemiptera


RE: Errata what?!?!
By masher2 (blog) on 7/16/2008 10:56:58 AM , Rating: 2
> "So you in the CPU world are not the only ones that can change the meanings of things for no apparent reason"

Such meaning transfers, from a word which describes some facet of a concept to encompass the concept itself, are very common in language...there's even a philological term for it, though I forget it at the moment. But many of the words you use daily originated from such a meaning shift.


Kris Kaspersky have anything to do with
By SilthDraeth on 7/15/2008 3:06:02 PM , Rating: 2
Kaspersky Anti Virus?

I think not, and I am guessing that name is popular somewhere. I find it odd if he doesn't though, that he happens to work in the same line of work as the security vendor.




RE: Kris Kaspersky have anything to do with
By ultra laser on 7/15/2008 3:39:05 PM , Rating: 2
This guy's like a dermatologist who owns a chain of tanning salons. He creates new vulnerabilities so you can buy his software. What a dick.


RE: Kris Kaspersky have anything to do with
By SilthDraeth on 7/15/2008 6:44:50 PM , Rating: 2
No no no. I was asking a question. I don't think that guy owns Kaspersky Antivirus. I just find the names coincidental.


By Ayulin on 7/16/2008 1:41:37 AM , Rating: 2
A quick Wikipedia search for Kaspersky Lab (the company that does the antivirus) says it's founded by Eugene and Natalia Kaspersky. The name's probably coincidental, as you say.


Jolt and Teardrop are back!...
By MrBlastman on 7/15/2008 2:16:14 PM , Rating: 2
Now bigger, badder and better than before!

Boy I miss those days of Windows 95 when all these fun little script-kiddie crash tools were gobs of fun. This time around, they won't be OS-Specific.

As a hillbilly would say - skeeery stuff.

Hopefully he co-operates with processor manufacturers and OS developers to help them try and come up with workarounds - if - what he touts as possible comes to fruition.

As any good developer or computer scientist knows - bugs are never completely unavoidable. No matter how complex or simple your program is, no matter how well you bug check it, there will always be a bug in there in some form or another. It is only a matter of time before it is found. Perfect programming (or CPU design) is purely in the land of speculation and fantasy.




By Screwballl on 7/15/2008 2:42:21 PM , Rating: 2
the key will be hackers trying multiple tools and hoping that one works and that there isn't a NAT or software firewall preventing them from connecting...


Via Javascript ... worrying!
By psychobriggsy on 7/15/2008 2:25:14 PM , Rating: 2
JavaScript, not Java. TCP/IP as well.

This worryingly sounds like it would be a web-installable exploit as well, if it can be done in JavaScript. And if it can be done in JavaScript, it surely can be done in any other language as well.

Will all Javascript compilers now have to verify the generated code for errata-exploiting code?




RE: Via Javascript ... worrying!
By xRyanCat on 7/15/2008 4:13:25 PM , Rating: 2
Err... I think you forgot the </sarcasm> tag.


Why?
By qwerty1 on 7/15/2008 2:31:48 PM , Rating: 1
I can understand that revealing errors puts a spotlight onto things that need to be addressed by the manufacturers and ultimately fixed and prevented in the future, but what is the point of providing the hacking code to every Joe Schmoe out there, especially if there are some "errata" that cannot be fixed and thus are permanently exploitable? Wouldn't that only compromise computing safety?




RE: Why?
By Smartless on 7/15/2008 2:51:37 PM , Rating: 2
Yes someone please explain about these conventions. At least the guy who hacked the RFID cards never made it public how he did it.


RE: Why?
By Icelight on 7/15/2008 4:12:42 PM , Rating: 1
quote:
Wouldn't that only compromise computing safety?


Not only that, but it will add some nice padding to his bank account when he's (initially) the only one in town with software that can provide protection. What a sleazebag.


Java Sucks Anyways
By pauldovi on 7/15/2008 5:54:18 PM , Rating: 3
Don't use it!




This is probably retarded
By joex444 on 7/15/08, Rating: 0
RE: This is probably retarded
By Screwballl on 7/16/2008 11:04:18 AM , Rating: 2
ummm wrong story there bud!!


Intel-only
By Justin Case on 7/16/2008 12:01:38 AM , Rating: 2
FYI, the demo is specifically about attacking Intel CPUs (Core2 and Itanium).

It's interesting (though not exactly surprising) that DailyTech chose to omit this fact, when it's clearly stated by Kaspersky, and is in fact part of the title of the article linked to by DT ("Researcher to Demonstrate Attack Code for Intel Chips").

Here's the original submission, BTW:

http://conference.hitb.org/hitbsecconf2008kl/?page...

All of a sudden that 10% performance hit from AMD's TLB bug fix doesn't seem so terrible (the low clock speed still does, though :P).

Hopefully these bugs will be fixable in microcode. But, as with the TLB bug, I wonder what effect that will have on CPU performance...




3 Possibilities
By DrDisconnect on 7/16/2008 8:40:58 AM , Rating: 2
My top three reasons for him doing this.

1) As others have suggested he has his own protective software to sell.
2) CPU manufacturers are paying him to do it so they can sell replacement errata-less CPUs.
3) Like many socially disadvantaged hackers he likes being in the spotlight and the more people he annoys (i.e. releasing the code in addition to demonstrating) the more (in)famous he will be.






















Copyright 2009 DailyTech LLC.