Physical/Hardware Security Part 2 - Spectre, Meltdown, Rowhammer and general EMSEC

Submitted by a_perfect_map in security_culture

Hi, in light of all the good info and points people have brought up on hardware security, I remembered some more relevent and scary issues. Some of this stuff has no real direct mitigation or fix, it is representative of the dangers of trusting in computation.

Spectre and Meltdown are security flaws in the way that we speed up processing by predicting possible future computation. Meltdown effects "every Intel processor which implements out-of-order execution", which is most modern intel chips. AMD is unknown. Some ARM is effected, some not. They are non-trivial issues that leak and allow access to RAM. Meltdown can mostly be mitigated (always keep your computer updated!) but Spectre is so named because it contains a ton of potential exploits we can only hope to defend against preemptively, thus it will haunt us for a while.

complete list of CPUs suffering from spectre/meltdown: https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/

https://meltdownattack.com/

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

Row Hammer rapidly strobes a select row of DRAM in a certain patter, which can cause adajacent memory to flip bits. In other words, an attacker that knows what they are doing can write to arbitrary memory locations with a carefully constructed payload. This effects DDR3 and 4 but not DDR or DDR2. I'm not too sure of mitigation against this attack; ECC memory is still vulnerable to Row Hammer. Newer Intel chipsets claim to resist Row Hammer but Intel is problematic so yeah.

https://hackaday.com/tag/row-hammer/ https://en.wikipedia.org/wiki/Row_hammer#cite_note-intel-d2s2e4-9 https://en.wikipedia.org/wiki/ECC_memory

TEMPEST is general research by the NSA on emissions security (EMSEC), how to guard against leaking data through and how to harvest it. They actually build facilities to an EMSEC code, featuring special grounding and stuff. EMSEC covers a lot and I'm no expert so I'll just touch on it and link stuff.

You probably know that anything electronic and powered on is emitting some kind of radio, as current moving in a conductor makes an alternating field. But EMSEC also extends to things like the coil whine of your monitor, ultrasound that can be reconstructed into an image. Simply bouncing a laser off a window turns the glass into an audio oscillator. Many things are workable as long range improvised audio oscillators.

Don't go move into a faraday cage just yet. But I wouldn't compute with your phone just next to you on the desk if you are concerned at all about privacy. I urge you to do some research yourself as this is a huge, complex field.

https://www.wired.com/2016/11/block-ultrasonic-signals-didnt-know-tracking/

https://security.stackexchange.com/questions/151972/how-practical-is-a-laser-microphone-and-how-to-protect-against-it

https://en.wikipedia.org/wiki/Tempest_%28codename%29

2

Comments

You must log in or register to comment.

There's nothing here…