"ETH Zurich scientists have discovered a new CPU flaw that lets attackers read private memory from shared Intel processors — exploiting a nanosecond timing glitch in prediction logic. Credit: SciTechDaily.com" (ScitechDaily, Intel’s Memory Leak Nightmare: 5,000 Bytes per Second in the Hands of Hackers)
In modern computing, even nanosecond is a long time. In that time AI can break down defenses using data injection.
The memory leak left 5000 bytes per second in the hands of hackers. The ability to see the data flow. That comes out from the processor is one of the most dangerous situations in data security. Researchers found vulnerabilities in the actions called "speculative execution". Wikipedia determines speculative execution like this:
*********************************************************************
Quote from Wikipedia.
Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed. If it turns out the work was not needed after all, most changes made by the work are reverted and the results are ignored.
"The objective is to provide more concurrency if extra resources are available. This approach is employed in a variety of areas, including branch prediction in pipelined processors, value prediction for exploiting value locality, prefetching memory and files, and optimistic concurrency control in database systems."
Overview
Modern pipelined microprocessors use speculative execution to reduce the cost of conditional branch instructions using schemes that predict the execution path of a program based on the history of branch executions. In order to improve performance and utilization of computer resources, instructions can be scheduled at a time when it has not yet been determined that the instructions will need to be executed, ahead of a branch.
Variants
Speculative computation was a related earlier concept.
Eager execution
See also: Eager evaluation
Eager execution is a form of speculative execution where both sides of the conditional branch are executed; however, the results are committed only if the predicate is true. With unlimited resources, eager execution (also known as oracle execution) would in theory provide the same performance as perfect branch prediction. With limited resources, eager execution should be employed carefully, since the number of resources needed grows exponentially with each level of branch executed eagerly.
Predictive execution
Predictive execution is a form of speculative execution where some outcome is predicted and execution proceeds along the predicted path until the actual result is known. If the prediction is true, the predicted execution is allowed to commit; however, if there is a misprediction, execution has to be unrolled and re-executed. Common forms of this include branch predictors and memory dependence prediction. A generalized form is sometimes referred to as value prediction.
Runahead
This paragraph is an excerpt from Runahead.
Runahead is a technique that allows a computer processor to speculatively pre-process instructions during cache miss cycles. The pre-processed instructions are used to generate instruction and data stream prefetches by executing instructions leading to cache misses (typically called long latency loads) before they would normally occur, effectively hiding memory latency. In runahead, the processor uses the idle execution resources to calculate instruction and data stream addresses using the available information that is independent of a cache miss. Once the processor has resolved the initial cache miss, all runahead results are discarded, and the processor resumes execution as normal. The primary use case of the technique is to mitigate the effects of the memory wall. The technique may also be used for other purposes, such as pre-computing branch outcomes to achieve highly accurate branch prediction.
Related concepts
Lazy execution
Lazy execution is the opposite of eager execution, and does not involve speculation. The incorporation of speculative execution into implementations of the Haskell programming language, a lazy language, is a current research topic. Eager Haskell, a variant of the language, is designed around the idea of speculative execution. A 2003 PhD thesis made GHC support a kind of speculative execution with an abortion mechanism to back out in case of a bad choice called optimistic execution. It was deemed too complicated.
Security vulnerabilities
See also: Speculative execution CPU vulnerabilities
Starting in 2017, a series of security vulnerabilities were found in the implementations of speculative execution on common processor architectures which effectively enabled an elevation of privileges
(Wikipedia, Speculative execution)
*********************************************************************
"To compute faster, a predictor in the computer processor anticipates certain calculation steps. Hackers can exploit these anticipations to bypass security barriers and access confidential information. In the illustration, a hacker manages to overcome the protective measures (privileges) at step 3. Credit: ETH Zurich / COMSEC, HK" (ScitechDaily, Intel’s Memory Leak Nightmare: 5,000 Bytes per Second in the Hands of Hackers)
ScitechDaily tells about the new vulnerability like this:
"Computer scientists at ETH Zurich have uncovered a serious flaw in Intel processors that could let attackers steal sensitive information by exploiting how modern chips predict upcoming actions. Using specially designed sequences of instructions, hackers can bypass security boundaries and gradually read the entire memory of a shared processor. This vulnerability affects a wide range of Intel chips used in personal computers, laptops, and cloud servers."
The Nanosecond Loophole
The so-called BPRC (Branch Predictor Race Conditions) emerge during a brief period of a few nanoseconds when the processor switches between prediction calculations for two users with different permissions, explains Sandro Rüegge, who has been examining the vulnerability in detail over the past few months.
Breaking through the built-in protective barriers between users, known as privileges, is possible because the permissions for individual activities are not stored at the same time as the calculations. With special inputs, it is now possible to cause ambiguity in the sequence of events when changing users, resulting in incorrect assignment of privileges. An attacker could exploit this in order to read an information byte (a unit consisting of eight binary 0/1 pieces of information).
From a Byte to the Entire Memory
The disclosure of a single byte would be negligible. However, the attack can be repeated in quick succession, allowing the contents of the entire memory to be read over time, explains Rüegge. “We can trigger the error repeatedly and achieve a readout speed of over 5000 bytes per second.” In the event of an attack, therefore, it is only a matter of time before the information in the entire CPU memory falls into the wrong hands."
ScitechDaily, Intel’s Memory Leak Nightmare: 5,000 Bytes per Second in the Hands of Hackers
*********************************************************************
We can think of the speculative execution as a secretary, who does some work before the boss gives it to that person. The secretary does the jobs before and then the boss decides if that thing is necessary or should the task be denied. The boss can have the numbers in those papers and if there is a match for the paper, let's say number five, the boss marks the work done. In this case, the boss and secretary are two microprocessors. When some tasks happen very often, the system can perform them.
The programmed tasks can have tables that are numbered from one to a billion. If the computer makes tasks that include certain actions that match with Table 1 the computer sends the number instead of the entire data to the receiver. The number 1 activates the table that has those actions.
If there is no match the works are denied. The speculative execution is the thing that works in cases that repeat very often. And the operator can teach new tasks to the computer.
That action helps intel processors to predict each other's actions. The idea is that the processor makes certain actions after a certain output series. The Speculative execution can be programmed in the microchip's kernel. That means the processor can predict the actions or mark series that other processors can send to it. The system can perform some tasks. Then the system decides if that task is necessary or not.
This method causes problems. That means that if attackers can download those tables that microchips involve. It causes vulnerability to the system. The ability to get access to data that helps the receiving system to predict the transmitter's actions causes danger. If we think that there is a key code that the transmitter must send the receiver, the receiver can open the message and the system confirms that the data is understood by sending data back.
If that data matches. With data, that the transmitter should send the receiver can open the data. The idea is the same as a case where a serviceman must open the door. The boss has a copy of the lock in the office. The serviceman tests the key and sends it back. Maybe there are multiple keys that the serviceman must use in a certain order. If the boss marks the last key that fits to lock that makes it easier to return the system in order, if there is a problem. The system must return to the last key that fits to control lock.
If the same key matches with the boss's lock. That key is not corrupted. But if the key doesn't work, that means the key is corrupted. And that means the system must return to begin the operations. In that case, the system must get a new key series. In these cases where the system uses the same keys again. That makes it possible to break the algorithms. The attacker must only know the key's code and their order. That makes it possible to open those messages.
Before today that thing was not a problem. But things like modern drones make it possible to eavesdrop on data that travels in cables in the computer centers.
https://scitechdaily.com/intels-memory-leak-nightmare-5000-bytes-per-second-in-the-hands-of-hackers/
https://en.wikipedia.org/wiki/Speculative_execution
See also
https://en.wikipedia.org/wiki/Branch_predictor
https://en.wikipedia.org/wiki/Evaluation_strategy#Eager_evaluation
https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
https://en.wikipedia.org/wiki/Pipeline_(computing)
https://en.wikipedia.org/wiki/Runahead
https://en.wikipedia.org/wiki/Speculative_multithreading
https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability
