
Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

Grab those patches as Chipzilla updates manuals


Updated Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers.

At worst, miscreants can, potentially, "gain access to sensitive memory information or control low-level operating system functions," which is a fancy way of saying peek at kernel memory, or hijack the critical code running the machine.

The vulnerabilities can be exploited by malware running on a computer, or a malicious logged-in user. Patches are now available to correct the near-industry-wide programming blunders.

As detailed by CERT on Tuesday, the security cockup, labeled CVE-2018-8897, appears to have been caused by developers at Microsoft, Apple, and other organizations misunderstanding the way Intel and AMD processors handle one particular special exception.

Indeed, CERT noted: "The error appears to be due to developer interpretation of existing documentation." In other words, programmers misunderstood Intel and AMD's manuals, which may not have been very clear.

You're fired (the interrupt, that is)

Here's a deep dive put as gently as possible. At the heart of the issue is the POP SS instruction, which takes from the running program's stack a value used to select the stack's segment, and puts that number into the CPU's stack segment selector register, SS. This is all to do with memory segmentation that modern operating systems mostly ignore, and you can, too. The POP SS instruction is specially handled by the CPU so that the stack cannot be left in an inconsistent state if an interrupt fires while it is executing.

An application can set a debug breakpoint for the memory location where that stack selector will be pulled from the stack by POP SS. That is, when the app uses POP SS, it will generate a special exception when the processor touches a particular part of RAM to fetch the stack selector.

Now, here's the clever trick. To exploit this situation, the instruction immediately after the POP SS instruction has to be an INT instruction, which triggers an interrupt. These software-generated interrupts are sometimes used by user programs to activate the kernel so it can do work for the running process, such as open a file.

On Intel and AMD machines, the software-generated interrupt instruction immediately after POP SS causes the processor to enter the kernel's interrupt handler. Then the debug exception fires, because POP SS caused the exception to be deferred to avoid the stack being in an inconsistent state.

Operating system designers didn't expect this. They read Intel's x86-64 manuals, and concluded the handler starts in an uninterruptable state. But now there's an unexpected debug exception to deal with while very early inside the interrupt handler.

This confuses the heck out of the kernel, causing it to, in certain circumstances, rely on data controlled by unprivileged user software, as explained by the flaw's discoverers Nick Peterson of Everdox Tech, and Nemanja Mulasmajic of triplefault.io, in their technical explanation (PDF):

When the instruction, POP SS, is executed with debug registers set for break on access to that stack location and the following instruction is an INT N, a pending #DB will be fired after entering the interrupt gate, as it would on most successful branch instructions. Other than a non-maskable interrupt or perhaps a machine check exception, operating system developers are assuming an uninterruptible state granted from interrupt gate semantics. This can cause OS supervisor software built with these implications in mind to erroneously use state information chosen by unprivileged software.

This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS instruction and its interaction with interrupt gate semantics.

The upshot is that, on Intel boxes, the user application can use POP SS and INT to exploit the above misunderstanding, and control the special pointer GSBASE in the interrupt handler. On AMD, the app can control GSBASE and the stack pointer. This can be used to crash the kernel, by making it touch unmapped memory, to extract parts of protected kernel memory, or to tweak its internal structures to knock over the system or joyride its operations.
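To make the sequence above concrete from the kernel's side, here is a small simulation of the CPU behaviour the advisories describe, written for this article as an added example: it is not code from the researchers, Intel, or any operating system. It models POP SS deferring a data-breakpoint #DB past the following INT instruction, so the #DB is delivered at the first kernel-mode instruction boundary, before the kernel has swapped in its own GS base. A "naive" #DB entry that decides whether to run SWAPGS from the pushed CS privilege level ends up using the user-controlled GSBASE; a "paranoid" entry that inspects the actual GS base value instead (loosely modelled on the approach Linux takes for NMI-style entries, an assumption about the details) does not. Selector values, addresses and the breakpoint model are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KERNEL_GSBASE 0xFFFF888000000000ULL  /* assumed kernel per-CPU area */
#define USER_GSBASE   0x00007F0000001000ULL  /* constructed user-chosen value */
#define KERNEL_CS     0x10                   /* assumed selector values */
#define USER_CS       0x33

struct cpu {
    unsigned cpl;            /* current privilege level: 0 = kernel, 3 = user */
    uint64_t gsbase;         /* active GS base */
    uint64_t kernel_gsbase;  /* IA32_KERNEL_GS_BASE, exchanged by SWAPGS */
    uint64_t rsp;            /* user stack pointer */
    uint64_t bp_addr;        /* hardware data breakpoint address (one DR slot) */
    bool db_inhibit;         /* #DB blocked until the next instruction boundary */
    bool db_pending;         /* a #DB that POP SS deferred */
};

struct trap_frame { unsigned cs; };  /* CS the gate pushed for the interrupted code */

static void swapgs(struct cpu *c) {
    uint64_t t = c->gsbase; c->gsbase = c->kernel_gsbase; c->kernel_gsbase = t;
}

/* POP SS with a data breakpoint on the stack slot: the #DB is recorded but
 * held back until the boundary after the next instruction. */
static void exec_pop_ss(struct cpu *c) {
    if (c->rsp == c->bp_addr) c->db_pending = true;
    c->db_inhibit = true;
    c->rsp += 8;
}

/* INT N through a user-callable interrupt gate: CPU is now at CPL 0, and the
 * inhibit window expires at the boundary right after INT, before the handler's
 * first instruction (which would normally be SWAPGS) executes. */
static void exec_int(struct cpu *c) {
    c->cpl = 0;
    c->db_inhibit = false;
}

/* Deliver a #DB: the gate pushes the CS of whatever was interrupted. */
static struct trap_frame deliver_db(struct cpu *c) {
    struct trap_frame f = { .cs = c->cpl == 3 ? USER_CS : KERNEL_CS };
    c->db_pending = false;
    c->cpl = 0;
    return f;
}

/* Naive #DB entry: trusts the pushed CS to decide whether GS is already kernel's.
 * Returns the GS base it would then use for per-CPU data. */
static uint64_t db_handler_naive(struct cpu *c, struct trap_frame f) {
    if ((f.cs & 3) == 3) swapgs(c);
    return c->gsbase;
}

/* Paranoid #DB entry: looks at the GS base itself. A base outside the kernel
 * half of the address space cannot be the kernel's, so swap it in. */
static uint64_t db_handler_paranoid(struct cpu *c, struct trap_frame f) {
    (void)f;
    if (!(c->gsbase & (1ULL << 63))) swapgs(c);
    return c->gsbase;
}

/* User mode runs POP SS (breakpoint on the popped slot) followed by INT N.
 * Returns the GS base the chosen #DB handler ends up relying on. */
static uint64_t run_pop_ss_sequence(bool paranoid) {
    struct cpu c = { .cpl = 3, .gsbase = USER_GSBASE, .kernel_gsbase = KERNEL_GSBASE,
                     .rsp = 0x7FFF0000, .bp_addr = 0x7FFF0000 };
    exec_pop_ss(&c);
    exec_int(&c);
    if (!c.db_pending || c.db_inhibit) return 0;   /* nothing deferred: not this bug */
    struct trap_frame f = deliver_db(&c);           /* fires with CPL 0: kernel CS */
    return paranoid ? db_handler_paranoid(&c, f) : db_handler_naive(&c, f);
}

/* Control case: an ordinary #DB raised directly from user mode. Both handlers
 * get this right, which is why the CS-based check looked sufficient. */
static uint64_t run_plain_user_db(bool paranoid) {
    struct cpu c = { .cpl = 3, .gsbase = USER_GSBASE, .kernel_gsbase = KERNEL_GSBASE,
                     .rsp = 0x7FFF0000, .bp_addr = 0x7FFF0000 };
    struct trap_frame f = deliver_db(&c);
    return paranoid ? db_handler_paranoid(&c, f) : db_handler_naive(&c, f);
}

int main(void) {
    printf("naive handler, POP SS;INT:    GS base %#llx\n",
           (unsigned long long)run_pop_ss_sequence(false));
    printf("paranoid handler, POP SS;INT: GS base %#llx\n",
           (unsigned long long)run_pop_ss_sequence(true));
    return 0;
}
```

The naive path prints the user-chosen value for the POP SS; INT case, which is the "control GSBASE in the interrupt handler" outcome the article describes; the paranoid path prints the kernel's base. The design point for kernel entry code is that the privilege level of the interrupted code is not a reliable proxy for "GS has already been switched" on a path where an exception can arrive between the gate transfer and the first handler instruction.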

Any exploitation attempt is more likely to crash the kernel than cause any serious harm, we reckon. However, like Meltdown, as bugs go, it's a little embarrassing for the industry, and it ought to be patched to be on the safe side.

Manipulations

The FreeBSD advisory on the problem explains it further. “On x86 architecture systems, the stack is represented by the combination of a stack segment and a stack pointer, which must remain in sync for proper operation,” the OS’s developers wrote. “Instructions related to manipulating the stack segment have special handling to facilitate consistency with changes to the stack pointer.

“The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.”

The result? “An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.”

Exploiting such on Windows, according to Microsoft’s kernel advisory, would mean “an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Which – gulp! – isn't a very far-fetched scenario, unless you run a tight ship of no untrusted code.

Red Hat has patches ready to roll, as does Ubuntu, and Apple for macOS.

The Linux kernel has also been fixed, way back on March 23, 2018. A patch is already present in versions 4.15.14, 4.14.31, 4.9.91, 4.4.125, plus older 4.1, 3.16, and 3.2 branches.

Microsoft's got it sorted, for Windows 7 through 10 and Windows Server 2008 through version 1803. Xen has patches for versions 4.6 through 4.10. VMware's hypervisors aren't at risk, but vCenter Server has a workaround and vSphere Integrated Containers awaits a fix, both being rated merely "potentially affected."

See the above CERT link for all affected vendors and their responses, and apply updates as necessary.

All sources are at pains to point out that while this issue derives from an x86-64 instruction, kernel programmers, and not Chipzilla, are to blame. It seems lots of coders have simply misunderstood how to handle debug exceptions, and made similar mistakes over a long period of time.

The Register expects plenty of OS developers are about to be sent to compulsory reeducation sessions on the x86-64 architecture, now that Intel has updated its manuals to clarify the handling of stack selector instructions, and that readers get to do the emergency patch thing. Which you should be pretty good at by now. ®

Updated to add

A spokesperson for Intel has been in touch to say:

The security of our customers and partners is important to us. To help ensure clear communication with the developer community, we are updating our Software Developers Manual (SDM) with clarifying language on the secure use of the POP/MOV-SS instructions. We recommend that system software vendors evaluate their software to confirm their products handle the situations in question. More information is available here.
