Schneier on Security

Clive Robinson • September 16, 2019 10:56 AM

@ Bob,

I suspect you are not the only person who thinks Intel have “Scr3w3d the pooch” over their insesent specmanship (a look at UK “Bus Stop” advertising shows half door sized adverts with such nonsense).

But as we keep getting told “security does not sell” and “nobody cares about security”, it’s hard for any security minded types to make much millage where the decisions are made.

Clive Robinson • September 18, 2019 4:41 PM

@ K.S.,

Was there a new breakthrough in tools that allowed research to conduct or was Intel somehow successful in suppressing reports?

No there was no new breakthrough in tools, and we’ve been aware that Intel CPU’s had issues for atleast thirty years or so.

The real answer was although plenty of hardware engineers –myself included– were aware there were issues, as Intel used to publish “hardware erata” for each current chip “step”, they were at best very vague and very abstract and not easy to get hold of, then there were NDA issues on top of that. All of which I guess you could call “lying by omission”.

Further most hardware engineers are creative at heart and want to make things and for various reasons[1] hardware “security research” did not have job prospects. So the reality is next to no hardware engineers went looking to turn hardware bugs into attack vectors untill recently.

Likewise in the Open Security research area, both commercial and academic, software bugs were not only widely known, they were easier to find as the methods were “known quantities”. So it was seen as a much easier way “to make a name for yourself” or “earn a living with” as it’s a very target rich environment (which is why making a name for yourself is now not so easy in software security research).

We can not say what the Closed Security research area such as the various SigInt agencies were upto. Put simply in the US simple things like TEMPEST protection materials were in effect made illegal to have as they were controled substances and research was likewise in theory “classified”. Even in Europe where things were more open things were heavily discouraged[2] and “the doors only turned one way” at the best of times.

If you actually go for a little dig into Meltdown, you will see that actually several people started looking at about the same time, mostly as “private research” in their own time… That is the idea had germinated and hatched. When I read about it I knew that not only had it come of age, but also due to the noise it made it was going to be the next “Make your name” field of research, thus I christened it “Thr Xmas gift that would keep giving” and indicated we would get a lot more discovered for three to five years.

Part of the reason this sort of leading edge research is done as “in our own time with our own gear” way is researchers have to eat like the rest of us. Thus their professional research is to a certain extent dictated by funding being available. For obvious reasons in the same way the software industry used to attack software vulnerability researchers with lawyers, the hardware industry is not going to fund research unless it’s locked up under NDA or worse. I got out of the “Officialy Secret” defence industry early on despite a promising career because certain things were causing me nightmares one of which we now call “Supply Chain Poisoning” and there are a few others still crawling out of that Pandora’s box.

[1] Hardware engineers tend to spend much longer in training and there is a prevelent ethos of not “rocking the boat” or more correctly “Not killing the goose that lays the golden eggs”. I’ve mentioned this before as I ran afoul of it years ago when I showed to an engineering manager how easy it was to fake fingerprints to get past the biometric fingerprint readers we were designing. Put simply I had to go find another job without a refrence… I likewise had the same “Don’t kill the goose” attitude from people when I found a major but obvious hole in DNA testing, it was actively denied untill an Australian researcher got the attention of ABC and people could nolonger deny it. But they still prevaricated and the chances are that the older cheatable DNA test system will be used…

[2] As an example I discovered independently decades ago just how easy it was to spoof the GPS system and gave some millitary people a demonstration, and I got given the “Keep it quiet whilst we investigate it further” nonsense. I also discovered independently back in the 1980’s just how susceptable microprocessors were to EM radiation. You could cause them to go crazy with just a low power lowish frequency unmodulated RF carrier. Heck even a Handheld transceiver with around 1 watt at VHF PMR would do it upto a couple of feet away. I however took it a lot further using tricks such as “cross modulation” to work out what the code on the CPU was doing[3], and also using it to trigger modulation that caused program execution to be changed in a fairly reliable way. Again it got me into trouble, firstly with a pocket gambling machine where I could make it win way way more than it should. Secondly with an early “electronic wallet”. It was a few years later that the “smart card” / SIM people went firstly into denial and then into doing something about it in all the wrong ways. People talk about “DPA” from nearly two decades later, but that still required power supply pin access, where as my discovery could not just detect the on chip signals, it could unlike DPA change the execution[4]… However a certain person decidrd to patent DPA research and got such broad claims past the examiner that he in effect killed further research…

[3] Actually determining what was going on with code in computers kind of started when I was either just a twinkle in my fathers eye or in nappies. Back then it was “Big Iron” actually made of individual transistors at clock speeds down at or below Mediumwave frequencies and instruction cycle times down in the hundred kilohertz range. Which meant execution loops etc were down in the audio range. Which meant that an ordinary AM radio would pick the signals up and make a garish cacophony of buzzsaw like noise laid over an ordered series of beeps and whistles as the code progressed. If however the software got stuck in a loop a clear tone or whistle would become predominant. Thus “listening in” was used by a number of computer operators, untill clock speeds went up and the signals went beyond what a mediumwave receiver and human ear could pick up.

[4] As I said I indipendently discovered the use of EM fields to cause problems in CPU’s back last century in my own time with my own equipment out of curiosity. However the first published academic research on it I’m aware of was by a couple of researchers at the UK Cambridge Computer Labs a decade into this century some quater of a century or so later. They took a commercial IBM 32bit true random number generator used in ATMs and when “illuminating” it with an RF carrier caused the entropy to fall from 32bits to just below 8bits. That is the range dropped from one in four billion to around one in two hundred and twenty. Thus making a “Guessing attack” entirely feasible,

https://www.lightbluetouchpaper.org/2009/09/08/tuning-in-to-random-numbers/

Since then there has been little or nothing done, especially in “active fault injection attacks”. I suspect nothing will till someone demonstrates it in a way that makes a lot of buzz in the industry, then it will become the new field of research to make your name in for a couple of years.