Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

Grab those patches as Chipzilla updates manuals


Updated Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers.

At worst, miscreants can, potentially, "gain access to sensitive memory information or control low-level operating system functions," which is a fancy way of saying peek at kernel memory, or hijack the critical code running the machine.

The vulnerabilities can be exploited by malware running on a computer, or a malicious logged-in user. Patches are now available to correct the near-industry-wide programming blunders.

As detailed by CERT on Tuesday, the security cockup, labeled CVE-2018-8897, appears to have been caused by developers at Microsoft, Apple, and other organizations misunderstanding the way Intel and AMD processors handle one particular special exception.

Indeed, CERT noted: "The error appears to be due to developer interpretation of existing documentation." In other words, programmers misunderstood Intel and AMD's manuals, which may not have been very clear.

You're fired (the interrupt, that is)

Here's a deep dive put as gently as possible. At the heart of the issue is the POP SS instruction, which takes from the running program's stack a value used to select the stack's segment, and puts that number into the CPU's stack selector register, SS. This is all to do with memory segmentation that modern operating systems mostly ignore, and you can, too. What matters is that POP SS is specially handled by the CPU: switching stacks normally means loading SS with one instruction and the stack pointer with the next, so the processor holds back interrupts and debug exceptions until the instruction after POP SS has completed, rather than let them land while the stack is half-switched.

An application can set a hardware data breakpoint, using the CPU's debug registers, which the OS lets a process set on its own threads (via ptrace on Linux, or the thread context on Windows), on the stack location from which POP SS will pull the selector. That is, when the app executes POP SS, the processor touches that particular part of RAM to fetch the stack selector and a debug exception (#DB) becomes due.

Now, here's the clever trick. To exploit this situation, the instruction immediately after the POP SS instruction has to be an INT N instruction, which triggers a software interrupt. These software-generated interrupts are sometimes used by user programs to call into the kernel so it can do work for the running process, such as open a file.

On Intel and AMD machines, the INT N instruction immediately after POP SS carries the processor through the interrupt gate into the kernel's handler first. Only then does the deferred debug exception fire, on the handler's very first instruction, because POP SS held it back so that the stack could not be caught half-switched.

Operating system designers didn't expect this. They read Intel's x86-64 manuals and concluded that, apart from a non-maskable interrupt or a machine check, nothing could interrupt the handler before its first instruction ran. Instead, an unexpected debug exception arrives at that exact point, with a kernel code selector in the saved frame but before the handler has done any of its own setup.

This confuses the heck out of the kernel, causing it to, in certain circumstances, rely on data controlled by un-privileged user software, as explained by the flaw's discoverers Nick Peterson of Everdox Tech, and Nemanja Mulasmajic of triplefault.io, in their technical explanation (PDF):

When the instruction, POP SS, is executed with debug registers set for break on access to that stack location and the following instruction is an INT N, a pending #DB will be fired after entering the interrupt gate, as it would on most successful branch instructions. Other than a non-maskable interrupt or perhaps a machine check exception, operating system developers are assuming an uninterruptible state granted from interrupt gate semantics. This can cause OS supervisor software built with these implications in mind to erroneously use state information chosen by unprivileged software.

This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS instruction and its interaction with interrupt gate semantics.

The upshot is that, on Intel boxes, a user application can use POP SS and INT to exploit the above misunderstanding and control the GS base seen by the interrupt handler. The handler, finding a kernel code selector in the trap frame, assumes it was already running in the kernel with the kernel's GS base loaded and skips the swap; but 64-bit kernels reach their per-CPU data, such as the current thread's structures, through that base, so it now reads memory the attacker chose. On AMD, the app can control both the GS base and the stack pointer. This can be used to crash the kernel by making it touch unmapped memory, to extract parts of protected kernel memory, or to tweak its internal structures to knock over the system or joyride its operations.
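To make the ordering concrete, here is a small C model of the sequence and of the kernel-side mistake. It is an added illustration for this page, not code from the article, from Peterson and Mulasmajic's paper, or from any vendor's kernel. The selectors, the two GS base addresses and both entry routines are constructed; the vulnerable routine trusts the frame's CS the way the discoverers describe, while the hardened one decides on the GS base actually loaded, which is one way to stop trusting state the user picked.

```c
/* Model of POP SS + INT N with a deferred #DB, and of an interrupt-entry
 * routine that infers "already in kernel" from CS alone.
 * Added example: constructed selectors/addresses, no vendor code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_CS       0x33u                 /* assumed user code selector   */
#define KERNEL_CS     0x10u                 /* assumed kernel code selector */
#define KERNEL_GSBASE 0xffff880000e0d000ull /* constructed per-CPU area     */
#define USER_GSBASE   0x00007f12c0ffee00ull /* attacker-chosen base         */
#define KERNEL_HALF   0xffff800000000000ull /* start of kernel-half canonical */

struct cpu {
    uint16_t cs;          /* selector of the code now running            */
    uint64_t gsbase;      /* GS base a handler would dereference         */
    bool db_inhibited;    /* #DB held back by POP SS until next boundary */
    bool db_pending;      /* data breakpoint hit while inhibited         */
};

struct outcome {
    bool delivered_in_kernel;  /* #DB arrived with kernel CS loaded      */
    uint64_t gsbase_used;      /* base the #DB handler ended up trusting */
};

typedef uint64_t (*db_entry_fn)(const struct cpu *);

/* POP SS: if a debug register covers the popped slot, the #DB is recorded
 * but deferred until the boundary after the *next* instruction. */
static void exec_pop_ss(struct cpu *c, bool breakpoint_covers_slot)
{
    c->db_inhibited = true;
    if (breakpoint_covers_slot)
        c->db_pending = true;
}

/* Any ordinary instruction: completes in user mode, inhibit ends. */
static void exec_nop(struct cpu *c) { c->db_inhibited = false; }

/* INT N: the gate loads kernel CS and enters the handler. No SWAPGS has run,
 * so GS base is still the user's. The gate itself is the next boundary. */
static void exec_int_n(struct cpu *c)
{
    c->cs = KERNEL_CS;
    c->db_inhibited = false;
}

/* Vulnerable: kernel CS taken to mean "GS is already the kernel's". */
static uint64_t db_entry_vulnerable(const struct cpu *c)
{
    if (c->cs == KERNEL_CS)
        return c->gsbase;      /* SWAPGS skipped: attacker's base used */
    return KERNEL_GSBASE;      /* SWAPGS */
}

/* Hardened: decide from the base actually loaded, not from CS. A base outside
 * the kernel half cannot be the kernel's, whatever the frame says. */
static uint64_t db_entry_hardened(const struct cpu *c)
{
    if (c->gsbase >= KERNEL_HALF)
        return c->gsbase;      /* genuinely interrupted kernel code */
    return KERNEL_GSBASE;      /* SWAPGS */
}

/* Deliver a pending #DB once the inhibit has lifted. */
static void deliver_db(struct cpu *c, db_entry_fn entry, struct outcome *o)
{
    if (!c->db_pending || c->db_inhibited)
        return;
    c->db_pending = false;
    o->delivered_in_kernel = (c->cs == KERNEL_CS);
    o->gsbase_used = entry(c);
}

/* POP SS immediately followed by INT N, breakpoint on the popped slot. */
static struct outcome run_pop_ss_int(db_entry_fn entry)
{
    struct cpu c = { .cs = USER_CS, .gsbase = USER_GSBASE };
    struct outcome o = { 0 };
    exec_pop_ss(&c, true);
    deliver_db(&c, entry, &o);   /* nothing yet: still inhibited */
    exec_int_n(&c);
    deliver_db(&c, entry, &o);   /* fires on the handler's first instruction */
    return o;
}

/* One ordinary instruction in between: #DB fires in user mode, before the
 * gate, and even the vulnerable handler swaps GS correctly. */
static struct outcome run_pop_ss_nop_int(db_entry_fn entry)
{
    struct cpu c = { .cs = USER_CS, .gsbase = USER_GSBASE };
    struct outcome o = { 0 };
    exec_pop_ss(&c, true);
    exec_nop(&c);
    deliver_db(&c, entry, &o);   /* fires here, CS still user */
    exec_int_n(&c);
    deliver_db(&c, entry, &o);   /* nothing left to deliver */
    return o;
}

int main(void)
{
    struct outcome v = run_pop_ss_int(db_entry_vulnerable);
    struct outcome h = run_pop_ss_int(db_entry_hardened);
    struct outcome n = run_pop_ss_nop_int(db_entry_vulnerable);
    printf("vulnerable POP SS;INT N     in_kernel=%d gsbase=%#llx\n",
           v.delivered_in_kernel, (unsigned long long)v.gsbase_used);
    printf("hardened   POP SS;INT N     in_kernel=%d gsbase=%#llx\n",
           h.delivered_in_kernel, (unsigned long long)h.gsbase_used);
    printf("vulnerable POP SS;NOP;INT N in_kernel=%d gsbase=%#llx\n",
           n.delivered_in_kernel, (unsigned long long)n.gsbase_used);
    return 0;
}
```

The third run is the control: with anything other than the gate transition as the "next instruction", the deferred #DB lands in user context and the CS-based check is right. Only the back-to-back POP SS; INT N pairing puts a kernel selector in the frame while GS still belongs to the user.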

Any exploitation attempt is more likely to crash the kernel than cause any serious harm, we reckon. However, like Meltdown, as bugs go, it's a little embarrassing for the industry, and it ought to be patched to be on the safe side.

Manipulations

The FreeBSD advisory on the problem explains it further. “On x86 architecture systems, the stack is represented by the combination of a stack segment and a stack pointer, which must remain in sync for proper operation,” the OS’s developers wrote. “Instructions related to manipulating the stack segment have special handling to facilitate consistency with changes to the stack pointer.

“The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.”

The result? “An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.”

Exploiting such on Windows, according to Microsoft’s kernel advisory, would mean “an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Which, gulp, isn't a very far-fetched scenario, unless you run a tight ship of no untrusted code.

Red Hat has patches ready to roll, as does Ubuntu, and Apple for macOS.

The Linux kernel has also been fixed, way back on March 23, 2018. A patch is already present in versions 4.15.14, 4.14.31, 4.9.91, 4.4.125, plus older 4.1, 3.16, and 3.2 branches.

Microsoft’s got it sorted, for Windows 7 through 10 and Windows Server 2008 through version 1803. Xen has patches for versions 4.6 through 4.10. VMware’s hypervisors aren’t at risk, but vCenter Server has a workaround and vSphere Integrated containers await a fix, but both are rated merely “potentially affected.”

See the above CERT link for all affected vendors and their responses, and apply updates as necessary.

All sources are at pains to point out that while this issue derives from an x86-64 instruction, kernel programmers, and not Chipzilla, are to blame. It seems lots of coders have simply misunderstood how to handle debug exceptions, and made similar mistakes over a long period of time.

The Register expects plenty of OS developers are about to be sent to compulsory reeducation sessions on the x86-64 architecture, now that Intel has updated its manuals to clarify the handling of stack selector instructions, and that readers get to do the emergency patch thing. Which you should be pretty good at by now. ®

Updated to add

A spokesperson for Intel has been in touch to say:

The security of our customers and partners is important to us. To help ensure clear communication with the developer community, we are updating our Software Developers Manual (SDM) with clarifying language on the secure use of the POP/MOV-SS instructions. We recommend that system software vendors evaluate their software to confirm their products handle the situations in question. More information is available here.
