[HN Gopher] CacheWarp: A new software fault attack on AMD SEV-ES...
       ___________________________________________________________________
        
       CacheWarp: A new software fault attack on AMD SEV-ES and SEV-SNP
        
       Author : g0xA52A2A
       Score  : 46 points
       Date   : 2023-11-14 19:56 UTC (3 hours ago)
        
 (HTM) web link (cachewarpattack.com)
        
       | I_Am_Nous wrote:
       | These things seem to go in pairs, as there is currently a new
       | Intel CVE on the frontpage too. Someone in the Intel thread
       | mentioned that the underlying issue may be x86 having more and
       | more stuff piled on top of it. That's been great for
       | compatibility, but I'm wondering if it might be worth Intel/AMD
       | making an x86 lite that strips everything but the necessary
       | instructions.
        
         | tim-- wrote:
         | Isn't this partly what Intel wants to do with X86-S?
         | https://www.intel.com/content/www/us/en/developer/articles/t...
         | 
         | Stripping away old/unused instructions from the legacy x86
         | arch.
         | 
         | I would assume, though, that many of the new security
         | vulnerabilities are not coming from these legacy instructions.
         | Surely they would be battle tested by now?
        
           | I_Am_Nous wrote:
           | The newest Intel CVE seems tied to some legacy handling of
           | duplicate prefixes, where it usually ignores duplicate
           | prefixes since they were used to pad memory registers
           | sometimes. A newer feature added onto x86 is the underlying
           | problem (FSRM), but it's mishandling those "battle tested"
           | instructions/improperly reading them.
           | 
           | So really, it's a combination of things that led to this CVE,
           | and the longer we stay on an old platform the more strange
           | combinations we might find!
        
         | Mogzol wrote:
         | This exploit isn't at all related to the Intel CVE, just a
         | coincidence they came out around the same time. And an
         | instruction set that strips everything but the necessary
         | instructions sounds a lot like ARM or RISC-V. No need to
         | re-invent the wheel.
        
           | I_Am_Nous wrote:
           | I'm just thinking about Windows. They are trying to do ARM
           | again, but x86/64 is where they have stayed for compatibility
           | reasons. At a certain point old software won't run on new
           | Windows anyway, so it won't need hardware compatibility with
           | older instructions to facilitate that.
           | 
           | Eventually something will have to change, and is it less work
           | for Intel to shift to ARM than to strip x86?
        
           | krasin wrote:
           | > an instruction set that strips everything but the necessary
           | instructions sounds a lot like ARM
           | 
           | Have you, by any chance, looked into the contemporary ARM
           | instruction set? Just the list of base instructions for
           | A-profile with 1-2 instructions per line takes 14 pages. And
           | then there are SIMD&FP Instructions, SVE Instructions, SME
           | Instructions. Oh, and also M-profile, and Thumb / Thumb-2
           | instruction encodings, and more.
           | 
           | A small glimpse could be made here:
           | https://developer.arm.com/documentation/ddi0602/2023-09/?lan...
        
         | tedunangst wrote:
         | It's patch Tuesday.
        
           | I_Am_Nous wrote:
           | This _does_ make sense, since they can schedule CVE
           | announcements.
        
       | netcoyote wrote:
       | > Specifically, a malicious hypervisor can selectively drop any
       | writes of an AMD SEV-ES and SEV-SNP guest that occurred at an
       | attacker-chosen point
       | 
       | This strikes me as the thing that Raymond Chen calls "being on
       | the other side of this airtight hatchway" [0]. That is, if you've
       | already got control of the Hypervisor then ... you can do
       | anything you want to the guest operating systems. Right?
       | 
       | 0:
       | https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
        
         | depereo wrote:
         | SEV is supposed to protect against exactly that scenario, so
         | it's fairly serious that this protection is unwound here.
        
         | kiririn wrote:
         | Protection against a rogue hypervisor is the main benefit of
         | SEV. The whole point is to raise VM security to the equivalent
         | of a bare metal machine with encrypted memory and no exposed DMA
         | channels. Protection from other guests is a nice side effect
         | but should be a given.
         | 
         | Sadly this means AWS are still the only ones offering this kind
         | of confidential computing without known flaws, and probably
         | only because they don't have researchers attempting attacks
         | like this on their Graviton CPUs.
        
       | crest wrote:
       | Oh no the snake oil is leaking.
        
       ___________________________________________________________________
       (page generated 2023-11-14 23:00 UTC)