albertfu posted on 2020-3-13 01:26

LVI, a new attack technique against the toothpaste-factory (Intel) flaws; the corresponding fix can shrink performance to 1/19

Computer security researchers involved in the discovery of the Meltdown and Spectre vulnerabilities affecting many modern processors have developed a related attack technique called Load Value Injection (LVI).

This time the problem is called 'LVI-LFB', which stands for Load Value Injection in the Line Fill Buffers. It has been assigned CVE-2020-0551 and, like many of the previously discovered issues, uses speculative execution.

The problem likely affects Intel chips from the Ivy Bridge generation up to and including Comet Lake; the researchers do not rule out that chips from other brands are susceptible as well, since all processors susceptible to Meltdown could potentially be at risk. In addition, updates in the microcode, which Intel is likely to have in the works, could cause calculations to be performed 2 to 19 times slower on certain workloads, so this is a big one. The expectation is that these software updates simply will not get installed by many due to that performance hit.

The attack relies on microarchitectural data leakage to inject and execute malicious code in a way that breaks the confidentiality of modern Intel systems. Intel's processors, already weighed down by defenses deployed against side-channel attacks over the past two years, could get slower still if they try to thwart this latest vulnerability: prototype compiler changes, for full mitigation, have produced performance reductions ranging from 2x to 19x. That's because LVI protection involves compiler and assembler updates that insert extra x86 instructions (lfence) and replace problematic instructions (such as ret) with functionally equivalent but more verbose instruction sequences.

In a paper scheduled to be published today, March 10, in a coordinated disclosure announcement with Intel, boffins from KU Leuven, Worcester Polytechnic Institute, Graz University of Technology, University of Michigan, and University of Adelaide describe LVI as a reverse-Meltdown attack. Instead of leaking data from memory, it injects transient load values during a faulting or assisted load operation to perform some malicious action.

The threat scenario involves a local adversary trying to obtain secrets (like passwords or encryption keys) from an operating system kernel, an OS process, or an SGX enclave. For SGX, root OS privileges are assumed – SGX was designed to protect against root-level attacks. With such secrets, more extensive compromise becomes possible.

It turns out that Meltdown, a technique for pulling data from a computer's memory, can be turned around to put data back in, thereby poisoning data stored in memory during brief, speculative operations. Though the data gets thrown away after these short-lived tasks, it can still cause trouble.


As the title says: the earlier vulnerabilities could leak data out of memory; this time LVI can inject data into it.

The latest 10th-gen Core, Comet Lake, is not on sale yet but is also on the affected list.
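The quoted text says the fix is done in the compiler and assembler: an lfence after loads, and ret replaced by a longer equivalent sequence. The following is an added example, not code from the original post, from Intel or from the LVI authors, showing what those two changes look like at the instruction level and a byte-level triage check for whether a function carries them. It assumes x86-64, the System V calling convention, an ELF toolchain (GCC or Clang); on other targets it falls back to plain C so it still builds. The function names (read_u64_hardened, count_lfence, every_ret_fenced, live_function_lfence_count, read_back_sample) and the hand-assembled byte strings are my own.

```c
/* Added example, not from the original post: the two instruction-level
 * changes the LVI compiler/assembler mitigation makes, plus a byte-level
 * triage check for whether a function carries them.
 * Assumes x86-64, System V ABI, ELF, GCC or Clang. Elsewhere a plain-C
 * fallback keeps the file building; all names here are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) && defined(__ELF__) && defined(__GNUC__)
/* read_u64_hardened(p) returns *p. Unhardened it would be
 * "movq (%rdi),%rax ; ret". Two things are added:
 *  1. lfence right after the load: later instructions cannot consume the
 *     loaded value until the load has retired, so a faulting or assisted
 *     load cannot transiently hand them an attacker-chosen value.
 *     (GNU as 2.35+: -mlfence-after-load=yes; Clang: -mlvi-hardening)
 *  2. "shlq $0,(%rsp) ; lfence ; ret" instead of a bare ret: the no-op
 *     read-modify-write turns the return-address read into a load the
 *     lfence waits on, so ret uses a value that has passed the fault and
 *     assist checks rather than one supplied transiently.
 *     (GNU as 2.35+: -mlfence-before-ret=shl) */
__asm__(
    ".text\n"
    ".globl read_u64_hardened\n"
    ".type read_u64_hardened, @function\n"
    "read_u64_hardened:\n"
    "    movq    (%rdi), %rax\n"
    "    lfence\n"
    "    shlq    $0, (%rsp)\n"
    "    lfence\n"
    "    ret\n"
    ".size read_u64_hardened, .-read_u64_hardened\n");
uint64_t read_u64_hardened(const uint64_t *p);
#define HAVE_HARDENED_ASM 1
#else
uint64_t read_u64_hardened(const uint64_t *p) { return *p; } /* no hardening */
#define HAVE_HARDENED_ASM 0
#endif

/* Encodings: lfence = 0F AE E8, near ret = C3. */
static const unsigned char LFENCE[3] = {0x0F, 0xAE, 0xE8};

/* Constructed (hand-assembled) byte strings of the two variants above. */
static const unsigned char UNHARDENED[] = {0x48, 0x8B, 0x07, 0xC3};
static const unsigned char HARDENED[] = {
    0x48, 0x8B, 0x07,             /* movq (%rdi),%rax */
    0x0F, 0xAE, 0xE8,             /* lfence           */
    0x48, 0xC1, 0x24, 0x24, 0x00, /* shlq $0,(%rsp)   */
    0x0F, 0xAE, 0xE8,             /* lfence           */
    0xC3                          /* ret              */
};

/* Count lfence encodings. This matches bytes, it does not decode x86, so a
 * displacement or immediate that happens to contain 0F AE E8 would count;
 * use it as triage, not proof. */
size_t count_lfence(const unsigned char *code, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i + 3 <= len; i++) {
        if (memcmp(code + i, LFENCE, 3) == 0) { n++; i += 2; }
    }
    return n;
}

/* 1 if every near ret in the range is immediately preceded by an lfence
 * (the shape -mlfence-before-ret produces), else 0. Same caveat as above. */
int every_ret_fenced(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (code[i] != 0xC3) continue;
        if (i < 3 || memcmp(code + i - 3, LFENCE, 3) != 0) return 0;
    }
    return 1;
}

/* Apply the check to the live function's own bytes; -1 where no asm was built. */
int live_function_lfence_count(void) {
#if HAVE_HARDENED_ASM
    const unsigned char *code = (const unsigned char *)(uintptr_t)&read_u64_hardened;
    return (int)count_lfence(code, sizeof HARDENED);
#else
    return -1;
#endif
}

/* Store a known value and read it back through the hardened function. */
uint64_t read_back_sample(void) {
    uint64_t v = 0x1122334455667788ULL;
    return read_u64_hardened(&v);
}

int main(void) {
    printf("read_back_sample() = %#llx\n", (unsigned long long)read_back_sample());
    printf("unhardened sample: %zu lfence, every ret fenced: %d\n",
           count_lfence(UNHARDENED, sizeof UNHARDENED),
           every_ret_fenced(UNHARDENED, sizeof UNHARDENED));
    printf("hardened sample:   %zu lfence, every ret fenced: %d\n",
           count_lfence(HARDENED, sizeof HARDENED),
           every_ret_fenced(HARDENED, sizeof HARDENED));
    printf("live function:     %d lfence (-1: not x86-64 ELF)\n",
           live_function_lfence_count());
    return 0;
}
```

Build with `gcc -O2 lvi_example.c && ./a.out`. To see what the toolchain itself emits rather than this hand-written version, assemble any object with `gcc -c -Wa,-mlfence-after-load=yes,-mlfence-before-ret=shl file.c` (binutils 2.35 or newer) or `clang -mlvi-hardening -c file.c`, then `objdump -d` it; the fence after every load is exactly the cost behind the 2x to 19x figures in the post, and the count_lfence check is the same idea applied to a whole function.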

qwased posted on 2020-3-13 01:58

Is it hard to exploit?

—— Sent from S1Next-鹅版 v2.2.2 on Xiaomi MI 6, Android 9

mintpie posted on 2020-3-13 02:00

逆袭的黑月 posted on 2020-3-13 02:41

Seriously?

madnesshare posted on 2020-3-13 02:42

Seriously?

albertfu posted on 2020-3-13 02:53

qwased posted on 2020-3-13 01:58
Is it hard to exploit?

—— Sent from S1Next-鹅版 v2.2.2 on Xiaomi MI 6, Android 9

About the same difficulty as the earlier Meltdown; the ones hit hardest are still enterprises and cloud providers.

albertfu posted on 2020-3-13 02:53

mintpie posted on 2020-3-13 02:00
Why is there a new vulnerability every few days?

It's the follow-up to the wave of toothpaste-factory flaws exposed in 2018; this time a new attack technique has been found.

albertfu posted on 2020-3-13 02:54

逆袭的黑月 posted on 2020-3-13 02:41
Seriously?

Yep, the performance loss is as high as 95% on some workloads.

混乱中立搅屎棍 posted on 2020-3-13 03:02

Money rolling in!

零下五度猫 posted on 2020-3-13 03:30

The memory leak is a server thing, right? Can us lowly gamers skip the patch?

—— Sent from S1Next-鹅版 v2.2.1-alpha on Xiaomi MIX 2S, Android 10

hecas posted on 2020-3-13 07:59

Once a month
The toothpaste factory has gone mad

—— Sent from S1Next-鹅版 v2.2.2 on ZUK Z2131, Android 10

perfaceNext posted on 2020-3-13 08:17

Again? Feels like they could redesign the CPU; there are a bit too many of these performance-eating patches.

whatd posted on 2020-3-13 08:41

The toothpaste has turned into a suction pump

yst234 posted on 2020-3-13 08:49

Read the Anandtech report, Load Value Injection: A New Intel Attack Bypasses SGX with Significant Performance Mitigation Concerns
This vulnerability mainly targets Intel SGX; enclaves under SGX protection are basically rendered ineffective outright
The good news is that this vulnerability has little impact on most applications that don't use SGX

flymop posted on 2020-3-13 09:03

两弹元勋 posted on 2020-3-13 11:08

I guess this counts as corporate culture

—— Sent from S1Next-鹅版 v2.2.2 on HUAWEI EVR-AL00, Android 10

粉色猛男 posted on 2020-3-13 11:27

零下五度猫 posted on 2020-3-13 03:30
The memory leak is a server thing, right? Can us lowly gamers skip the patch?

—— Sent from S1Next-鹅版 v2 ... on Xiaomi MIX 2S, Android 10

Of course you can, as long as you don't let that goddamn WIN10 auto-update.

Finsty posted on 2020-3-13 12:48

sblnrrk posted on 2020-3-13 13:55

Gnyueh posted on 2020-3-13 14:00

This post was last edited by Gnyueh on 2020-3-13 14:06

icelake yes; an old architecture that has been the mainstay for years is like this, every kind of weirdness comes crawling out

Scratch the above, ICELAKE got hit too, an heirloom vulnerability

Flipped again: the newest big core (icelake) and small core (tremont) are not affected

—— Sent from S1Next-鹅版 v2.2.0.1 on Xiaomi MI 5s Plus, Android 8.0.0

Gnyueh posted on 2020-3-13 14:01

sblnrrk posted on 2020-3-13 13:55
Home users don't need to care; these things need a program running locally, if you don't run one you won't get hit, rest completely assured

Cloud servers are another matter, if there's one idiot ...

The main thing about this vulnerability is that it can inject, there are way too many ways to play with it, ROME YES!

—— Sent from S1Next-鹅版 v2.2.0.1 on Xiaomi MI 5s Plus, Android 8.0.0

Gnyueh posted on 2020-3-13 14:03

粉色猛男 posted on 2020-3-13 11:27
Of course you can, as long as you don't let that goddamn WIN10 auto-update.

How about opening a web page and having some javascript inject a bit and change your password for you?

—— Sent from S1Next-鹅版 v2.2.0.1 on Xiaomi MI 5s Plus, Android 8.0.0

tg45 posted on 2020-3-13 14:04

Great news for intel! Sales up 18x!

—— Sent from S1Next-鹅版 v2.0.4-play on HUAWEI TAS-AL00, Android 10

两个路人 posted on 2020-3-13 15:39

脱氧核糖核酸 posted on 2020-3-13 17:16

Ten years of squeezed-out toothpaste, sucked back in one go; Intel will be laughing in its sleep.

albertfu posted on 2020-3-13 23:10

tg45 posted on 2020-3-13 14:04
Great news for intel! Sales up 18x!

—— Sent from S1Next-鹅版 v2.0.4-play on HUAWEI TAS-AL00, Android 10 ...

You've grasped the essence of dark business practice!