
spheris (macrumors member, original poster), Aug 8, 2018
I've been watching this since December of last year, but I've become really suspicious about the announcements of these CPU flaws and leveraged attacks, because of one missing piece in all these stories and white papers.

There is no attack vector description in any of the published ones I've seen so far. They seem to just miraculously appear and attack these systems from nowhere, or that's how it's described. As far as I understand, you have to have a means to inject code to be subjected to its effects, and I have yet to find an example of how this malicious code gets into a machine to begin with. Even the variant that supposedly can attack through a browser is suspect, because I have yet to find a working example or story of such an attack so far, even to demonstrate it can be done or what its effects actually are.

It's making me wonder about the risks of it and if it's even a substantial threat to machines being maintained with best practices and isolated from questionable installations and reckless web surfing.

I'm genuinely interested in any information I can be pointed to about how these attacks are injected into a working system. Any and all replies would be really appreciated.
 
The usual way is to compromise a web-server, or many many servers. A compromised server can then have its Javascript files modified to send the attack to any client that connects to that server. The server doesn't need to be a high-traffic site, like say macrumors.com. Instead, the aim is to compromise a substantial number of lower-traffic sites, typically ones with mediocre maintenance, or no maintenance at all. The rationale is that such servers are less likely to have sufficiently skilled managers, and they tend to serve content over a sustained period with no one noticing that something changed.

Another approach is to compromise a server that's supplying Javascript libraries. Replace the library files with modified versions, and then any server that uses the compromised library ends up being an unwitting attack vector.

And it's not just explicit Javascript library servers. Sometimes an ad network's servers can be compromised, and since thousands of other servers distribute ads as trusted content, the ad servers end up being the "Typhoid Mary" of distribution. You don't have to visit a "dodgy site" if a site you visit has a dodgy ad network. In this case, "dodgy" just means "inadequately secured", as distinct from "intentionally malicious". Hanlon's Razor applies.

None of the above routes are specific to Spectre. It's a well-used strategy for all kinds of malicious trickery.
 
Thank you, that's so much more clarity than the white papers have been giving or the press release boiler plate.

Kind of surprising to find it's served in Javascript. You'd think that would make sealing it almost an afterthought, since the vm it runs in can be isolated or the code itself purged in table cache releases. It seems like the fixes causing slowdowns are not only unnecessary but counterproductive to the actual issue. Though, I'm sure there's probably a lot more to the story than is published.

I've never run with Java enabled; I think really hard about whether a site requires it and usually defer going to it if it does. It's just been a hard policy since the 90's for me. I was really interested in it when it was being developed, but realizing what its end purpose was for, as well as the partnerships involved in its initial development, I made a hard stop decision about it back then, because it has never not been a security risk and a real annoyance in its ability to be misused as you've described - ad serving, code injection et al.
 
It's a bit difficult for me to tell exactly what you mean from your post, but let me just say that Javascript and Java are two completely different things: "Java is to Javascript as ham is to hamster".

Javascript doesn't have a "vm" (virtual machine) per se; it's typically a library integrated with a browser. Javascript is pervasive on the web. It's difficult to find a significant website where it isn't required, or at least highly recommended.

Another thing is it's not just the Javascript, it's the use of common code repositories (public libraries) that are widely used by other websites. If that library is compromised, then every other website using it is effectively compromised. Security is only as good as the weakest link, and websites have become more dependent on other "infrastructure providers" over time, which means their linkages have increased. Unless a website regularly does security assessments of the sites it links to, it's not fully assessing its own security. And that doesn't even consider ad networks, which are yet another link that can be compromised.
 

I won’t disagree with any of the above. I will clarify what I was referring to.

The java vm as it was developed originally and extended later has always had what I considered fatal flaws both architecturally and purpose wise. I won’t get into the conspiracy theories from back then. Most were pretty silly and others were the usual don’t trust the government/big business stuff that no one really cares about anyway. Though, the real concerns in the dev community were valid then and proven out through years of security threats and patches. Many driven by the vm's own core design and functionality.

I understand that JavaScript is different from the java vm itself. But I do see them as having similar issues in how it's been utilized and even how it is being leveraged in the last decade or more. I think you would agree the libraries have assumed much of the potential for malicious injection as the java vm itself, as well as the possibility for malicious data extraction. Only speaking for my own uses - I see neither as necessary for casual browsing and I just defer on sites too reliant on it - the same as many people have refused to allow Adobe Flash for most of the same reasons.

I get it being used widely, but it is still a consumer's choice. If there's a site with it and the functionality is a benefit, I have no issue enabling it, but for random browsing it is always disabled along with javavm support. It honestly makes browsing a much more pleasant and useful experience personally, and perceptually a good deal more secured from malicious or poorly maintained sites. I'm not suggesting I think it is a silver bullet for the web's issues, but I can say I have experienced less trouble being minimal in how much of it interacts with me. Spinning balls, strange background processes that had no business being there, ads, other annoyances and weirdness and the like. I don't think adding layers like ad blockers or endless lists or other things to a system actually helps much - despite that, I know many people do it and enjoy that those things are available, and I don't doubt many are actually effective. I just prefer to turn off the services or functions that make them in need of a separate utility or config.
 