Hertzbleed Attack: New CPU Vulnerability

https://www.hertzbleed.com

tl;dr I'm too r-slurred to understand this, but you will probably be affected by this

wake up babe, new unpatchable speculative execution side channel vuln just dropped

must be a tuesday

I hate mondays

![](https://media.giphy.com/media/pzryvxGeykOxeC0fWb/giphy.webp)

:#marseygarfield:

Don't worry, it's not like this caused major issues in the past!

this can easily be fixed by locking the core frequency for the duration of sensitive cryptographic calculations

shut up nerd

![](https://media.giphy.com/media/3zpHYzhLV3ZzW/giphy.webp)

easier said than done, hurts performance too

you can force speed boost on for those moments and get the same security fix

the whole reason the dynamic scaling exists is that the cpu often cannot remain at the maximum clock speed forever, often for heat reasons

it's only for the duration of the decryption calculation; just lock for a short burst, not at all times, and only on that physical core.

at worst it would mildly degrade effectiveness of dynamic scaling wasting some power/heat

There's already stuff in place for protected memory. You can just assume that whenever those syscalls get run, they want to run at a stable frequency.

Wouldn't adding random delays work too?

that would hurt performance a lot worse than telling the CPU to "finish this calculation before you speed step again"

depends tbh, 1 or 2 nanoseconds should do it well enough?

maintaining a supply of sufficiently random data for padding is somewhat costly

What the frick did I just read and how does it affect me

when faced with serious autism, your computer may leak secret information to an attacker because the content of secrets can influence cpu frequency. It may be possible to perform the attack via Javascript, but most likely it will never happen. Most likely, you will never be targeted with this unless you are a cloud provider or you enjoy finding and running extremely sophisticated malware. This attack seems difficult to mitigate and the only known protection for now is to fix a constant cpu frequency, which is bad for performance and power consumption.

It may be possible to perform the attack via Javascript, but most likely it will never happen.

No, following MELTDOWN/SPECTRE, browser people tried their hardest to disable millisecond-accurate time measurements, so no.

Cloud providers could be targeted in theory.

I have no idea who is right, but the user fpoling on orange site says:

When Spectre came, it turned out that it was very straightforward to implement the relevant attacks in JS. A script can use workers with shared memory access to monitor execution and get a timer with less than 100ns resolution. As a result, shared memory was disabled. Later, under the presumption that the relevant issues were mitigated, shared memory was re-enabled.

So I wonder if shared memory will be disabled again, as it may allow monitoring of frequency changes.

Huh, I didn't know it was ever re-enabled. I honestly doubt that, because SPECTRE was actually two very different things: one was a bunch of genuine bugs in Intel (and possibly AMD) process isolation. For example, if you tried to read memory you didn't have the right to, the instruction would set the exception flag but still return an actual value instead of, say, 0, which you could then leak by reading from an address dependent on the value, thus loading it into the cache before the whole speculative execution branch was discarded.

And the other half was that you can't provide memory isolation in software. Like, if you don't have your javascript interpreter in a separate process then the javascript code can use this shit to read your memory, no ifs, buts, or bugs required.

So either that was mitigated by making sure that javascript interpreters live in their own processes with no sensitive information, or by preventing them from obtaining accurate enough timing data (including via indirect means, like having workers have data races), but either way a new side channel can't break it.

nerd

At least I don't cut off my entire country's internet by tossing in my sleep.

This is correct, stuff like setInterval gets r*ped in the process, and basically all timing events

your intel/amd CPU is getting another nerf like what happened with heartbleed and spectre (those led to a 10-15% performance drop).

:gigachad: mitigations=off

It truly never began for security strags

Internet jews want to steal my hz

yes

:#marseyagreefast:

Some esoteric bullshit that will never affect anyone.


:!marseybooba:

Interesting :marseyreading: a spectre-like exploit that can be used for timing attacks during cryptographic operations.

Still obviously requires running malicious code on your machine. Can't see how it can be done over a network.

jabascript stay winning

Yeah they insist multiple times this can be done remotely, and I have absolutely no idea how that could be feasible

If someone's running a server that will encrypt arbitrary messages, then you can send them chosen plaintexts to encrypt, measure how long it takes for them to respond, and derive the key that way.

Shouldn't the real difference be minuscule compared to the noise? This sounds entirely impractical for all but the most advanced threats

:marseyagree:

I've tried timing attacks over a network and the latency always screws it up. Too much variation when you're measuring fractions of a millisecond.

You know SSL also exists right? That utilizes cryptography thus making the whole channel vulnerable

SSL or chat encryption

I understand things can be encrypted over a network. But it's just impossible to measure that kind of precise timing over a normal connection.

data sends in packets, if the packet is small enough it'll get read in all at once

but it seems like to craft malware it'll take more effort

I have no clue what this is but I am now afraid and angry. :marseyraging::!marseylaptop:

Did we really need another vulnerability logo?

We know some of you don’t really like vulnerability logos, and we hear you. However, we really like our logo (and hope you do too!).

:laughing:

Look at the cutie trying to protect our computers, marsey should team up

![](/images/16552499809265065.webp)

you will probably be affected by this

As if I would use Intel.

But with my luck, somebody will probably publicize a similar one for AMD a few months down the road.

tell us you didn't read the article but use different words

How about "I am a r-slur?"

Turns out it is also in AMD. Well, can't say I'm surprised. Time to unplug.

ngl this seems like a non-issue issue, it's just fricking with speed and ofc mitigations will be horrendous

Hopefully kernel level patches to these exist so software devs don't have to mitigate them

Did you know that the bathtub was first marketed in north america as a horse trough and hog scalder?
