Security vulnerabilities in computer hardware

2018-08-26

in Geek stuff, Internet matters, Security

Why is trustworthy computer security impossible for ordinary users? In part because the system has multiple levels at which failure can occur, from hardware to operating systems and software.

Spectre and Meltdown show that no matter how careful you are about the operating sytem and software you run you can still be attacked using the underlying hardware. Another bug included at least in some VIA C3 x86 processors has similar ramifications.

These kinds of problems will be much worst with the “Internet of Things”, since bugs like Heartbleed will go unpatched, or even be unpatchable, in a lot of embedded computing applications for consumers.

{ 4 comments… read them below or add one }

Anon August 27, 2018 at 1:37 am

And so much wireless traffic to attack these days. wifi networks. Cell networks. Keycards and fobs

. August 30, 2018 at 2:56 am

Ever since Meltdown and Spectre were disclosed, Intel’s various customers have been asking how long it would take for hardware fixes to these problems to ship. The fixes will deploy with Cascade Lake, Intel’s next server platform due later this year, but the company is finally lifting the lid on some of those improvements and security enhancements at Hot Chips this week.

One major concern? Putting back the performance that previous solutions have lost as a result of Meltdown and Spectre. It’s hard to quantify exactly what this looks like, because the impact tends to be extremely workload-dependent. But Intel’s guidance has been in the 5-10 percent range, depending on workload and platform, and with the understanding that older CPUs were sometimes hit harder than newer ones. Intel wasn’t willing to speak to exactly what kind of uplift users should expect, but Lisa Spelman, VP of Intel’s Data Center Group, told AnandTech that the new hardware solutions would have an “impact” on the performance hit from mitigation, and that overall performance would improve at the platform level regardless. Variant 1 will still require software-level protections, while Variant 2 (that’s the “classic” Spectre attack) will require a mixture of hardware and software protection. Variant 3 (Meltdown) will be blocked in hardware, 3a (discovered by ARM) patched via firmware, with Variant 5 (Foreshadow) also patched in hardware.

https://tech.slashdot.org/story/18/08/21/2148257/intel-details-cascade-lake-hardware-mitigations-for-meltdown-spectre

. September 1, 2018 at 11:29 pm
. December 10, 2019 at 10:38 pm

New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor’s voltage and frequency — the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed].

Leave a Comment

Previous post:

Next post: