
New Exploit Circumvents Existing Spectre-V2 Mitigations in Intel and Arm CPUs


Researchers have revealed a new technique that can be used to bypass existing hardware mitigations in modern processors from Intel, AMD, and Arm and stage speculative execution attacks like Spectre to expose sensitive data from host memory.

Spectre attacks aim to break the isolation between different applications by abusing an optimization technique known as speculative execution in CPU hardware implementations to trick programs into accessing arbitrary memory regions and leaking their secrets. While chipmakers have added software and hardware defences such as Retpoline and safeguards such as Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2, the latest technique demonstrated by VUSec researchers seeks to circumvent all of these measures.

Branch History Injection (BHI or Spectre-BHB) is a new variant of the Spectre-V2 attacks (tracked as CVE-2017-5715) that circumvents both eIBRS and CSV2, according to the researchers, and exposes arbitrary kernel memory on modern Intel CPUs.

"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel," the researchers explained,

"However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (i.e., gadgets) that leak data," the Systems and Network Security Group at Vrije Universiteit Amsterdam added. 

To put it another way, malicious code can use the branch history in the CPU's shared Branch History Buffer (BHB) to influence mispredicted branches within the victim's hardware context, leading to speculative execution that can subsequently be used to infer information that would otherwise be inaccessible. All Intel and Arm processors that were previously vulnerable to Spectre-V2, as well as a number of AMD chipsets, are vulnerable to Spectre-BHB, forcing the three firms to release software updates to address the problem.

According to Intel, customers should also disable unprivileged extended Berkeley Packet Filter (eBPF) in Linux, enable both eIBRS and Supervisor-Mode Execution Prevention (SMEP), and apply LFENCE to specifically identified gadgets that are found to be susceptible.
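The settings Intel recommends above can be verified on a Linux host from the kernel's own reporting. The script below is an added example, not code from the original post, Intel or VUSec; the sysfs and procfs paths are the real kernel locations, and when they are absent (for instance on a non-Linux machine) it falls back to constructed sample strings so it still runs offline.

```shell
#!/bin/sh
# Added example (not part of the original post): report the Spectre v2
# mitigation state, eIBRS use, unprivileged eBPF setting and SMEP flag on a
# Linux host. Sample strings below are constructed for offline runs.

# Classify the text the kernel exposes in
# /sys/devices/system/cpu/vulnerabilities/spectre_v2.
# Prints one of: mitigated, vulnerable, unknown.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo "mitigated" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Report whether the spectre_v2 status line names enhanced IBRS
# ("Enhanced IBRS" is the token the kernel prints). Prints yes/no.
uses_eibrs() {
    case "$1" in
        *"Enhanced IBRS"*) echo "yes" ;;
        *)                 echo "no" ;;
    esac
}

# Interpret /proc/sys/kernel/unprivileged_bpf_disabled:
# 0 = unprivileged bpf() allowed, 1 = disabled (sticky until reboot),
# 2 = disabled but can be re-enabled by writing 0.
unprivileged_bpf_state() {
    case "$1" in
        0)   echo "enabled" ;;
        1|2) echo "disabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Look for the "smep" feature in a /proc/cpuinfo "flags" line.
has_smep() {
    case " $1 " in
        *" smep "*) echo "yes" ;;
        *)          echo "no" ;;
    esac
}

# Read a file if it is present, otherwise use the constructed sample so the
# script also runs where the kernel interfaces do not exist.
read_or_sample() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

report() {
    sv2=$(read_or_sample /sys/devices/system/cpu/vulnerabilities/spectre_v2 \
          "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling")   # constructed sample
    bpf=$(read_or_sample /proc/sys/kernel/unprivileged_bpf_disabled "0")  # constructed sample
    flags=$(read_or_sample /proc/cpuinfo "flags : fpu smep smap" | grep '^flags' | head -n 1)

    printf 'spectre_v2: %s (eIBRS: %s)\n' "$(classify_spectre_v2 "$sv2")" "$(uses_eibrs "$sv2")"
    printf 'unprivileged eBPF: %s\n' "$(unprivileged_bpf_state "$bpf")"
    printf 'SMEP: %s\n' "$(has_smep "$flags")"
}

report
```

Counting any "Mitigation:" line as mitigated mirrors the kernel's own verdict; the separate eIBRS and unprivileged-eBPF checks cover the two settings the article singles out, since a retpoline-only line would still read "Mitigation:" without satisfying Intel's eIBRS recommendation.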

The researchers stated, "The [Intel eIBRS and Arm CSV2] mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed. Nevertheless, finding exploitable gadgets is harder than before since the attacker can't directly inject predictor targets across privilege boundaries. That is, the kernel won't speculatively jump to arbitrary attacker-provided targets, but will only speculatively execute valid code snippets it already executed in the past."

Hackers are Selling Tool to Hide Malware in GPUs


Cybercriminals are moving towards malware attacks that can execute code from a hacked system's graphics processing unit (GPU). Although the approach is not new, and demo code has been published in the past, most of the projects to date have come from academics or were unfinished and unpolished. 

In August, such a proof-of-concept (PoC) was sold on a hacker forum, perhaps signaling a shift by criminals to a new level of complexity in their attacks.

Code Tested on Intel, AMD, and Nvidia GPUs

In a brief post on a hacking forum, someone offered to sell the proof-of-concept (PoC) for a strategy that keeps harmful code protected from security solutions scanning the system RAM. The seller gave a brief description of their technique, claiming that it stores malicious code in the GPU memory buffer and then executes it from there. 

According to the advertiser, the project only works on Windows PCs that support OpenCL 2.0 or above, a framework for executing code on various processors, including GPUs. The seller also stated that they had tested the code on Intel (UHD 620/630), Radeon (RX 5700), and GeForce (GTX 740M (?), GTX 1650) graphics cards.

Few details are available about this new technique, but the post went live on August 8 and the code was apparently sold for an undisclosed amount on August 25.

Another forum user pointed out that GPU-based malware had been done before, citing JellyFish, a six-year-old proof-of-concept for a Linux-based GPU rootkit.

The seller dismissed the comparison to the JellyFish malware, stating that their approach is different and does not rely on mapping code back to userspace. There is no information about the transaction, such as who purchased the code or how much they paid; only the seller's post claims that the malware was sold to an unidentified third party.

Academic Study

Researchers at the VX-Underground threat repository stated in a tweet on Sunday that the malicious code allows binary execution by the GPU in its memory region. They also noted that the technique will be demonstrated soon. 

PoCs for a GPU-based keylogger and a GPU-based remote access trojan for Windows were also disclosed by the same researchers that created the JellyFish rootkit. All three projects were released in May 2015 and are open to the public. 

The mention of the JellyFish project already shows that GPU-based malware is not a new idea; the foundation for this attack approach was laid around eight years ago.

In 2013, researchers from the Institute of Computer Science at the Foundation for Research and Technology (FORTH) in Greece and Columbia University in New York demonstrated that GPUs can execute a keylogger and store the recorded keystrokes in their own memory space [PDF].

The same researchers had previously shown that malware authors can use the GPU's processing power to pack code with very sophisticated encryption schemes considerably faster than the CPU could.

Experts Find Vulnerabilities in AMD Zen Processor


Cybersecurity researchers at TU Dresden in Germany have found that AMD's Zen processors are, after all, susceptible to Meltdown-like attacks that interfere with data. Exploiting this weakness is largely an academic exercise, as it turns out that much easier and simpler ways to meddle with systems exist. In simpler terms, it is a reminder that modern CPU designs contain many kinds of side channels, with more still to be discovered.

The Register reports: "in a paper [PDF] titled 'Transient Execution of Non-Canonical Accesses,' released via ArXiv, Saidgani Musaev and Christof Fetzer analyzed AMD Zen+ and Zen 2 chips – namely the Epyc 7262, Ryzen 7 2700X, and the Threadripper 2990WX – and found that they were able to adversely manipulate the operation of the CPU cores." When the Spectre and Meltdown vulnerabilities were first disclosed, experts said that Meltdown had only been confirmed on Intel x86 chips. The list later grew to include IBM hardware and an Arm Cortex core, although it was not clear whether the IBM parts were vulnerable. AMD said in a statement that Meltdown did not affect its processors.

"The way its chips executed load instructions meant data would not be fetched if architecturally disallowed in the processor's current execution context, it said. In other words, load instructions executed in user mode can't be used to discern the contents of kernel-mode memory, as expected."

"Musaev and Fetzer say that's true for classical Meltdown attacks that rely on fetching data from the L1 data cache and for a variant called Microarchitectural Data Sampling (MDS) that targets specific buffers. But they found another way to poison the way in which a CPU core accesses data in memory 'that is very similar to Meltdown-type behavior,'" said The Register.

Most importantly, this technique cannot be used by one process to read kernel memory or another process's memory; however, a thread in a program can use it to affect a different thread in the same address space. It is not the same as classic Meltdown, where a rogue application lifts keys out of kernel memory. "The violation we report does not lead to cross address space leaks, but it provides a reliable way to force an illegal dataflow between microarchitectural elements," the researchers said.

Black code: Two critical vulnerabilities found in Intel processors

Two new vulnerabilities have been found in Intel processors. They are undocumented capabilities of the manufacturer that allow an attacker to hijack control of the device. They are accessible only in a special mode that, in most cases, only Intel engineers can enter; in some scenarios, however, hackers can activate it as well. Information security experts suggest that these capabilities may be present in all current Intel processors and regard them as a major potential threat.

According to Positive Technologies experts Mark Yermolov and Dmitry Sklyarov, there are two undocumented instructions in Intel processors that allow modifying the microcode and gaining control over the processor and the entire system.

"The discovered instructions allow bypassing all existing x86 architecture protection mechanisms in modern processors," said Yermolov.

The experts specified that the capabilities were found in Intel's Atom processor family, which has been updated continuously from 2011 to the present day.

"In theory, the vulnerabilities found can be exploited by any attacker who has the necessary information," Alexander Bulatov, Commercial Director of RuSIEM, told the publication.

In this case, the hacker would get a whole set of opportunities to control the compromised system.

“This can be either the simplest forced shutdown of the device, or flashing the processor with microcode that secretly performs certain tasks of the attacker,” explained Bulatov.

According to Yermolov, the instructions can only be activated remotely in a special processor operating mode called Red Unlock, which only Intel engineers should have access to. As Positive Technologies noted, some processors have vulnerabilities that allow third parties to enable Red Unlock mode as well.

Intel's press office said it takes Positive Technologies' research seriously and is carefully reviewing their claims.

The vulnerabilities found are potentially dangerous for users of devices based on the Intel Atom family. These are low-power processors mainly used in netbooks, tablets, and POS terminals.

Data Breach: Chipmaker Intel Shares Fall by 9%


Intel Corp. stock rallied into the close on Thursday, 21 January 2021, after the chipmaker unexpectedly announced its quarterly results before the end of the trading day, but the gains reversed in extended trading as the firm discussed its long-term plans.

On Friday, Intel disclosed an administrative mistake that amounted to a data breach: its quarterly earnings report was released early, and its shares fell by as much as 9%. Intel added that its corporate network was not affected. The company's Chief Financial Officer, George Davis, had earlier stated that "Intel had released its results ahead of the closing of the stock market on Thursday, claiming that the hacker had taken financially valuable information from the site."

The firm's quarterly results had originally been scheduled for release hours later, after Wall Street closed on Thursday. "Once we became aware of these reports, we made the decision to issue our earning announcement a brief time before the originally scheduled release time," the American chipmaker said in a statement. "An infographic was hacked of our PR newsroom site," Davis disclosed. The company is reviewing claims that one graphic from its earnings report may have been accessed without authorization.

Intel further added that “the URL of our earnings infographic was inadvertently made publicly accessible before the publication of our earnings and accessed by third parties. Once we became aware of the situation, we promptly issued our earnings announcement. Intel's network was not compromised, and we have adjusted our process to prevent this in the future.”

Intel's fourth-quarter performance met analysts' expectations, helped by strong PC revenue. Quarterly revenue declined 1% year over year to $20 billion, but still beat the $17.49 billion forecast by analysts polled by Refinitiv. Net earnings were $1.52 per share, against an estimate of $1.10.

Intel shares (INTC, down 9.29 percent) had ended the regular session up 6.5 percent at $62.46 after the release of holiday-quarter sales and a forecast that beat expectations, but fell almost 4 percent after hours. The company is investigating claims that a graphic from its earnings report was stolen, which pressured it to reveal the figures early.

Computing Giant Intel Launches New Processors with Ransomware Detection Features


Intel, one of the world's biggest computing companies, launched four new processor series at the Consumer Electronics Show 2021. It assured users that these processors would offer a "premium PC experience" along with some additional and distinct features.

Intel is known for products suited to this technology-driven era. Digitalization is accelerating at an incredible pace, and pervasive computing is what led Intel to build a processor with the best feature set on the market to date. Of the four series launched, one is the vPro series, which goes by the name Intel 11th Gen Core vPro.

At the launch, Intel added that its 11th Gen Core vPro line offers the best performance in a thin and light form factor. It comes with added security features such as Intel Hardware Shield, which the company describes as the industry's first silicon-based AI threat detection to prevent ransomware and crypto-mining attacks. The company says that Intel Control-Flow Enforcement Technology shuts down an entire class of attacks. The new CPU also promises better battery life.

Intel further announced its partnership with Boston-based Cybereason security firm. This partnership is expected to provide advanced security and support for the announced new features and its security software in the first half of 2021.

The special features that come with the vPro series are Hardware Shield (HS) and Threat Detection Technology (TDT). These sit underneath the various protective antivirus layers of the software and enable the hardware to stay protected from ransomware attacks. Another notable point is that both technologies run directly on the CPU.

Intel's main intention in adding these features is to let the hardware share its telemetry securely with security software so that the software can detect whether malware has entered the system. Malware that went unnoticed and undetected by the antivirus can now be sensed by the new features.

While declaring that "it detects ransomware and other threats that leave a footprint on the Intel CPU performance monitoring unit," Intel stated in the press release, "Intel TDT uses a combination of CPU telemetry and ML heuristics to detect attack-behavior."

Spectre Rises Yet Again With a Vulnerability In Tow

Spectre, a class of vulnerabilities in the speculative execution mechanism used in modern processor chips, is living up to its name by proving unkillable.

Amid a series of mitigations proposed by Intel, Google and others, an ongoing claim by Dartmouth computer scientists to have solved Spectre variant 1, and a proposed chip design fix called SafeSpec, new variants and sub-variants keep showing up.

The discoveries also revive questions about whether present and past chip designs can ever really be fixed. Just two weeks ago, new data-stealing exploits named Spectre 1.1 and 1.2 were made public by researchers Vladimir Kiriansky and Carl Waldspurger.

Now there is another, called SpectreRSB, that exploits the return stack buffer (RSB), a structure in modern CPUs used to help predict return addresses, rather than the branch predictor unit.

In a paper titled "Spectre Returns! Speculation Attacks using the Return Stack Buffer," circulated through the pre-print server ArXiv, researchers Esmaeil Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh detail another class of Spectre attack that achieves the same effect as Spectre variant 1: enabling malicious software to steal passwords, keys, and other sensitive data from memory it should not be permitted to touch.

Coincidentally, these researchers are among those who developed the SafeSpec mitigation in the first place.

The latest data-theft technique involves forcing the processor to misspeculate using the RSB. Using a call instruction on x86, SpectreRSB allows an attacker to push a value onto the RSB so that the return address for the call instruction no longer matches the contents of the RSB.

The paper, dated July 20, outlines the steps involved in the SpectreRSB attack, which itself has six variants:

"(1) after a context switch to the attacker, s/he flushes shared address entries (for flush reload). The attacker also pollutes the RSB with the target address of a payload gadget in the victim’s address space; (2) the attacker yields the CPU to the victim; (3) The victim eventually executes a return, causing speculative execution at the address on the RSB that was injected by the attacker. Steps 4 and 5 switch back to the attacker to measure the leakage."

Leak Reveals Surprise 5GHz Intel Core i7-8086K Anniversary Processor

Intel was set to release one of its fastest ever processors to mark the 40th anniversary of its 8086 processor, but the surprise was spoiled: the super-fast Core i7-8086K, which had been rumoured for a couple of months, was revealed by online retailer listings gathered by Videocardz.

On 30 May, retailers were found advertising the special processor online with speeds of 4 GHz and 5 GHz.

The core and thread count, and indeed the 12 MB L3 cache, match those of Intel's existing Core i7-8700K, which has a maximum speed of 4.7 GHz.

While the product listing at Merlion has been taken down, the product page was still available as of the morning of 31 May and was only removed recently. The page listed the CPU with the manufacturer part number BX80684I78086K.

The 8086 processor was released in 1978 and led to the highly successful x86 architecture, and this is not the first time Intel has launched an anniversary edition CPU.

The 5 GHz edition was being priced at $489.83, approximately $140 more than the Intel Core i7-8700K, which has a base speed of 3.70 GHz and can be pushed up to 4.70 GHz.

It is not known for certain when these CPUs will be available, but according to the original image at VideoCardz they appear to be slated for ordering from 8 June 2018 and shipping from 12 June 2018.