Windows Client Guidance against speculative execution vulnerabilities

Tony K · 06 Jan 2018

clam1952 said:

Makes one wonder just what other flaws are likely to be discovered or if any processor has ever actually been secure or with the rate these "security" experts are discovering flaws, ever will be.

Not a perfect world, but yes, it makes one wonder.

Cliff S said:

Nobody would have known about this(not even the black hats) and it have been fixed eventually and quietly with some updates in the effected OS's and still supported hardware BIOS, and no one would have been the wiser, not even the bad guys.

But for some dumba** Linux kernel developer that tagged his code with a #comment, and being open source it was quickly seen by someone else and that dumba** told the media

I agree, but the rat comes out of the hole eventually. It's like picking between the better of two evils. In the end it's better that it was caught before the bad guys found it. Thing is they should've kept it secret long enough to create a total fix first, if at all. None would've been the wiser. Now we have a period of time that the bad guys can exploit it. I may rant and rave that I may have to buy new hardware, but that's what concerns me most every time I boot a machine.

Steve C said:

I suggest no processor is provably secure or error free - discuss.

Like I said, it's not a perfect world, but how long has the chip architecture and processing code been written? Years ago, yes? You'd think out of all the educated in that field that someone would have caught this years ago. SFAIK Murphy's law, a legitimate rule, is taught in most engineering schools. Perhaps not in hardware and/or software engineering?

Cliff S · 07 Jan 2018

From the Intel White Paper PDF: Intel Analysis of Speculative Execution Side Channels

Related Intel Security Featuresand Technologies

There are security features and technologies, either present in existing Intel products or planned for
future products, which reduce the effectiveness of the attacks mentioned in the previous sections.

4.1 Intel® OS Guard
When Intel® OS Guard, also known as Supervisor-Mode Execution Prevention (SMEP), is enabled, the
operating system will not be allowed to directly execute application code, even speculatively. This
makes branch target injection attacks on the OS substantially more difficult by forcing the attacker to
find gadgets within the OS code. It is also more difficult for an application to train OS code to jump to
an OS gadget. All major operating systems enable SMEP support by default.

4.2 Execute Disable Bit
The Execute Disable Bit is a hardware-based security feature that can help reduce system exposure to
viruses and malicious code. Execute Disable Bit allows the processor to classify areas in memory
where application code can or cannot execute, even speculatively. This reduces the gadget space,
increasing the difficulty of branch target injection attacks. All major operating systems enable Execute
Disable Bit support by default.

4.3 Control flow Enforcement Technology (CET)
On future Intel processors, Control flow Enforcement Technology will allow limiting near indirect jump
and call instructions to only target ENDBRANCH instructions. This feature can reduce the speculation
allowed to non-ENDBRANCH instructions. This greatly reduces the gadget space, increasing the
difficulty of branch target injection attacks.
For additional information on CET, see the Control-flow Enforcement Technology Preview located here:
https://software.intel.com/sites/def...gy-preview.pdf
4.4 Protection Keys
On future Intel processors that have both hardware support for mitigating Rogue Data Cache Load and
protection keys support, protection keys can limit the data accessible to a piece of software. This can
be used to limit the memory addresses that could be revealed by a branch target injection or bound
check bypass attack.
7 Document Number: 336983-001, Revision 1.0

4.5 Supervisor-Mode Access Prevention (SMAP)
Supervisor-Mode Access Prevention (SMAP) can be used to limit which memory addresses can be used
for a cache based side channel, forcing an application attacking the kernel to use kernel memory
space for the side channel. This makes it more difficult for an application to perform the attack on the
kernel as it is more challenging for an application to determine whether a kernel line is cached than an
application line.

https://newsroom.intel.com/wp-conten...e-Channels.pdf

CountMike · 07 Jan 2018

What about VMs, can it penetrate that ?

fdegrove · 07 Jan 2018

Hi,

What about VMs, can it penetrate that ?

Yes, it can.

Cheers,

OldMike65 · 07 Jan 2018

For all the ASUS motherboard owners, Asus has released a list of the updated bios versions that will be released to fix this issue, in some cases, some of these bios updates have NOT been released yet. Link below.
ASUS Global

Cliff S · 07 Jan 2018

OldMike65 said:

For all the ASUS motherboard owners, Asus has released a list of the updated bios versions that will be released to fix this issue, in some cases, some of these bios updates have NOT been released yet. Link below.
ASUS Global

For the Maximus X Series boards, it was released(uploaded ) already on the 3rd of January, they were fast!

OldMike65 · 07 Jan 2018

Cliff S said:

For the Maximus X Series boards, it was released(uploaded ) already on the 3rd of January, they were fast!

Yes Asus released all of their Intel 370's boards already. All the others have not been released as of yet.

alphanumeric · 07 Jan 2018

This is what I get. ASUS M4N68-M V2 and AMD Phenom II, NVIDIA nForce 630a chip-set and AMD CPU. Old stuff, but its my main desktop PC. SA-00086 says This system is not vulnerable. Not so good results with the Power Shell commands though. There haven't been any BIOS updates for it in years. Already running the latest dated 2012/01/18. Will have to reboot to double check, pretty sure I'm running the latest though.

Windows Client Guidance against speculative execution vulnerabilities-power-shell-capture.png

alphanumeric · 07 Jan 2018

Looks like I wasn't running the latest BIOS, just flashed to the latest but it didn't change anything as far as I can tell, still recommends getting a newer BIOS. Not sure what to do now?

Windows Client Guidance against speculative execution vulnerabilities-power-shell-2-capture.png

clam1952 · 07 Jan 2018

SA-00086 is for the Intel management Engine flaw from last autumn / fall and is nothing to do with the current Spectre Meltdown flaws which is what you are checking with the Powershell scripts. Two separate issues, AMD is not affected by the Intel management flaw so does not require that fix, only applicable for Intel systems.

The forthcoming hardware patches so far are for Intel processors only.
For AMD the only "fix" at this point is the one included in the latest Windows update. As far as I'm aware AMD are not releasing any hardware patches yet and possibly do not need to? jury appears to be out on that at present.