ANC - The Ultimate Vulnerability that just killed Javascript entirely

If you have an Android phone or any computer ever made, it's permanently vulnerable to an unpatchable attack

TLDR of TLDR

You're fucked, go live in a cave

No worries, you're doing great! And I really don't mind butting heads or seeing sparks fly from time to time; I grew up on open source BBS discussions, back when nothing was held back. It was offensive as fuck, but it was also refreshingly transparent and educative. I know there is a craving among a lot of youth and experienced youthful minds to not be burdened by the emo-molasses of political correctness and overly sensitive drama magnets, but to dig right in there and blow stuff up just to really learn and expand their experiences. There is nothing more exciting than learning from blunt, grumpy, offensive people that only care about the technology. There is little learning to be done from considerate educational professionals who care how everybody feels as they are taught how to do things in a correct way. I was given the remark by a drunk music teacher that it was pretty obvious that I never really learned how to play guitar well, because I was not economy picking during the long carnival sets, and I was ruining my joints, and what was I even thinking. Well, a couple of months back I actually had hand surgery after an impactful involuntary deceleration on my motorbike, and I couldn't play at all, but I really trained a lot to be able to play - any way possible - through the carnival season. It doesn't look good, but it works, and most of all, it works for me and the band. If you give it all you have, nobody can criticize you; you tell it like it is to you, and if people don't like it, that's their problem, because that's what you have to offer, and you're in control of what you offer and of whom you're offering it to. As I said, you're doing great.


Short conclusion: only full and complete open source soft- and hardware can save the world, because the big companies screwed up on an extinction level scale again.


Block web services in XPosed and block javascript in your browser and avoid webfront apps, and there is nothing wrong with Android lol, but explain that to people that don't care about technology...


I wonder if this has anything to do with the memory leaks that have happened to me recently when I had Java on my computer, it stopped happening when I uninstalled Java. Also:

"Stop using Android"
Easier said than done I am afraid, unless there is another OS I can use that isn't an iOS.

"The powers that be fight against open source with all might, they prefer to kill humanity for profit, quite literally"

This seems like a way more common theme than it should be.

Does anyone notice a pattern in the list of affected CPUs?
The list covers a shit ton of Chromebooks, and someone said they don't work on Chrome, but that it was questionable. Is this not raising any red flags for anyone? Besides the nature of this exploit.

I sometimes find it very hard to ask, because the conversation is often conducted by people who are much smarter than I am, but okay, what do I have to do?

I'm aware the answer is probably "in there" somewhere, but I didn't see any bullet-point steps other than the vague mention of "use NoScript". The problem with that being it's like firewalls: the ratio of "in your way" to "useful" is often extremely low, and I'd disable it for the sake of some semblance of normal browsing. Of course, I know a big vocal chunk of the community would rather we all stopped using Google services, deleted our Facebooks, and took other such steps to reduce threats. Is this one of those kinds of problems?

This may sound really dumb, but there is no answer, everybody has to figure out his/her own answer. The conclusion is a paradox, and you live with it and learn from it, you draw conclusions on how to live a happy life and how to not make other people unhappy. So I guess the real conclusion is that you learn what not to do more than what to do. It's a conundrum like leaded fuel or lithium ion batteries. Leaded fuel was what set the world free, but also what irreparably poisoned the world, lithium ion batteries are what will poison and burn the world next, but at the same time is presented as the saviour of freedom with fossil fuels becoming too hard to go steal somewhere.

This hardware bug is just another emanation of the eternal ostrich policy. Just like Elon Musk doesn't care about the consequences of the people dying in Chile for his lithium, just like Intel systematically refuses to patch serious hardware bugs over several generations of processors, it's always the same story... people are lying to themselves in order to not see the damage they do. Radium, leaded fuel, high altitude nuclear tests, space debris, overfishing, extinction of the buffalo, etc etc etc etc etc; it's just another demonstration of how opportunists cause irreparable damage to the world and humanity because they have no conscience, because they are ready to lie to themselves in order to make a couple of bucks that they can't take with them to the grave anyway, a couple of bucks that will not suffice to ever undo the damage they have caused in the long run.
The conclusion is that patents have to end, and complete technical transparency has to become mandatory. It was actually the first thing that the French Revolution brought: all medications, all technical designs, including weapons technology, everything had to be entirely shared in the most transparent way. It was one of the keystone principles of modern democracy. It didn't cause any real economic damage. It just forced some manufacturers to review their marketing strategy. For instance, Cologne Water was sold as medicine, and then Cologne was occupied by Napoleon, and the principles of the French Revolution were introduced, and if Cologne Water chose to remain sold as a medicine, they would have to publish their formula, so they changed that and became a cosmetic product instead, and it was the best decision they ever made. In the computer world, things are exactly the same: ARM chips have conquered the world over Intel x86 chips. ARM chips are actually open source designs, but with a closed source OEM implementation. Linux has conquered the world over closed source operating systems; every person actually has more Linux computing devices in his possession than Windows or Mac devices, even if they don't realize that, and the entire network infrastructure of the planet runs on Linux. Linux is open source, and even iOS or OSX are nothing but closed source implementations of open source software (BSD).

There is nothing you can do to protect yourself against the ASLR bug, more than what you already are doing if you are IT literate: you don't execute scripts that you can't see the code of. You don't use software that you can't see the code of. You don't trust anyone that uses software of which the code can't be seen by you. You don't accept privacy policies and terms of service of "free services" that come with terms of service, because it means they are not free. You start to participate in society on YOUR terms, instead of leaping in where angels would fear to tread if they thought about it for a single nanosecond.

The most important thing is that you KNOW, that you UNDERSTAND, that you reject compromise that you can't accept, that you decide for YOURSELF what you are willing to sacrifice to keep up with the Jones's, that you REALIZE what the consequences are for yourself and for others.

If your question is what I do, the answer is simple: I don't worry about it. I think about all of the above, and want to make others think about it also, but I do the very same I have always done: the really important stuff I do on a PC. The plans of my products that I don't want compromised, data that I don't want compromised, etc... are on a laptop with an open source BIOS, a laptop that has never ever had Windows on it, a laptop that has a chip without Intel ME, that has a discrete TPM chip that I erased as the first thing I did, a laptop that came with a HDD that I never used, that was removed and swapped out for a drive before I turned on the machine for the first time, a laptop that was assembled by people I know personally, and that was never ever turned on with any software on it; it was only ever hardware tested with an open source BIOS without any payload. Then that laptop is loaded with open source software that I compiled myself (which is not a guarantee because in the end, there are ways to spike a compiler invisibly), and that laptop is never used on the internet; it only gets connected to my own LAN. Now how much data is eligible for that degree of protection is up to everyone to decide for him/herself. I don't care too much, I just care about three things: 1. Data I'm responsible for, i.e. data that pays the bills and wages of employees and confidential client/customer data, 2. Data pertaining to the kids or medical data, and 3. data harvested by big corporations. I don't care about government agencies snooping around to be honest. I care about government agencies stepping outside of their democratic mandate, that is not OK, but as long as they operate within their democratic mandate, they're just doing what they were created for in the first place, and I don't care what they do. 
But what I seriously object to is that big corporations are trying to cut democratic agencies off from intelligence, to feed them with "commercial intelligence", and that big corporations are harvesting data. I find that immoral ad infinitum. If it were up to me, I would ban that completely, and prohibit any gathering or exchanging of data without individual and explicit user permission for every single instance of gathering or exchanging data, and would absolutely prohibit any other transmission of privacy-relevant data unless over full forward secrecy encrypted sockets. I would prohibit mail services that do not have full forward secrecy strong encryption that cannot be deciphered by the mail host, and would prohibit any sharing of meta or direct data between companies or even departments of companies, and I would prohibit the conservation of data gathered by a company in case of takeover or acquisition or bankruptcy or other corporate discontinuity. I would also prohibit the valuation of customer and private data; the accrual value would always be zero or negative because of reserves for liabilities due to the possession of such data. Trade in data would be forbidden.

I think the only way to not ruin the economy and the world is to implement all of these things. It would keep the IT industry from inflating and then crashing, it would save education, it would save jobs, it would bring IT corporations back to their core business, it would stimulate development of real solutions that help mankind and help the economy in a responsible way. It would avoid a lot of permanent damage and grief. It would dethrone evil leaders and false prophets. Full transparency, no more patents and no more data trading would do a lot of good. It's also not going to happen until after the cyberholocaust, which has already started, has ignited the planet and has burned out. And I hope there are still intelligent humans left after that, humans who don't say they are intelligent because they lie to themselves about the damage they really do, but humans who are considered intelligent because they share everything they can with everyone they meet, humans who are human first and intelligent second, humans who are intelligent enough to not be selfish at all cost to others.

So what if the conclusion was that we can't do anything to protect ourselves from this kind of stupidity, but we can maybe do things to protect the next generations of humans?


I read the paper. One of the mitigations was a paper called TimeWarp. In the paper they hardened a VM via software only:

"A key observation we make is that all microarchitectural side channel attacks require a high fidelity timing source. Our solution is to prevent the attacker from accessing this source. Specifically we obscure the on-chip performance counters that are used for timekeeping, and also fuzz the software methods that are used to emulate hardware timekeeping. The degree of security provided by this method is roughly proportional to the square of the degree of fuzzing, and is configurable. We take great care to ensure that our changes are “backwards compatible” with existing system and application software. Our modifications were emulated on virtual machine. In terms of hardware modifications, we suggest adding one new instruction to the ISA to configure the level of fuzzing, and add a very small amount of storage (order of few hundred bits for a 32KB cache). For single-threaded virtual machines, our proposal can be implemented without hardware modifications."

There are performance impacts and I have no idea how bad. Sounds like the browser could use virtualization to prevent the hardware timing on a CPU MMU from being measured.

It may not be the end of the world. Just a performance hit for unknown code on a system ?

Am I being stupid ?

There are also CPU microcode updates?
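To make the quoted observation concrete, here is an added example that is not from this thread or from the TimeWarp paper: a small JavaScript (Node) simulation of a coarsened, jittered timer and of how well an attacker can still tell a cache hit from a cache miss with it. The hit and miss latencies, the noise, and the "round down to a multiple of the granularity, then add a random offset inside that quantum" fuzzing model are all assumptions of this toy model, not measured values and not the paper's mechanism.

```javascript
// Added example (not from the thread or the TimeWarp paper): a toy model of a
// coarsened, jittered timer, showing how it degrades single-shot cache-timing
// measurements and how averaging recovers the signal at a cost in samples.

// Deterministic PRNG (mulberry32) so the simulation is reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assumed latencies in nanoseconds for the model only: a cache hit versus a
// miss that goes all the way to memory. Real values depend on the CPU.
const HIT_NS = 10;
const MISS_NS = 80;
const THRESHOLD_NS = (HIT_NS + MISS_NS) / 2;

// True duration of one probe, with +/- 2 ns of natural noise.
function trueDuration(isMiss, rand) {
  return (isMiss ? MISS_NS : HIT_NS) + (rand() - 0.5) * 4;
}

// Assumed fuzzing model: the true time is rounded down to a multiple of
// `granularity` and a random offset inside that quantum is added.
// granularity <= 0 means a precise, unfuzzed clock.
function fuzzedRead(t, granularity, rand) {
  if (granularity <= 0) return t;
  return Math.floor(t / granularity) * granularity + rand() * granularity;
}

// One attacker measurement: read the clock, probe, read the clock again.
// The probe starts at an arbitrary point relative to the timer's quanta.
function measureOnce(isMiss, granularity, rand) {
  const t0 = rand() * 1e6;
  const t1 = t0 + trueDuration(isMiss, rand);
  return fuzzedRead(t1, granularity, rand) - fuzzedRead(t0, granularity, rand);
}

// Fraction of correct hit/miss decisions when the attacker averages
// `samples` measurements per decision and compares the mean to the midpoint.
function classifierAccuracy(granularity, samples, trials, seed) {
  const rand = mulberry32(seed);
  let correct = 0;
  for (let i = 0; i < trials; i++) {
    const isMiss = i % 2 === 1; // alternate the ground truth
    let sum = 0;
    for (let s = 0; s < samples; s++) {
      sum += measureOnce(isMiss, granularity, rand);
    }
    const guessMiss = sum / samples > THRESHOLD_NS;
    if (guessMiss === isMiss) correct++;
  }
  return correct / trials;
}

// Print the trade-off when run directly: granularity in ns, samples per decision.
for (const [granularity, samples] of [[0, 1], [20, 1], [1000, 1], [1000, 64], [1000, 1024]]) {
  const acc = classifierAccuracy(granularity, samples, 500, 42);
  console.log(`granularity=${granularity}ns samples=${samples} accuracy=${acc.toFixed(3)}`);
}
```

Save it as, for example, timewarp-model.js and run `node timewarp-model.js`. With an exact clock the single-shot classifier is perfect; with 1 µs granularity plus jitter a single measurement is close to a coin flip, but averaging on the order of a thousand measurements recovers the hit/miss distinction again. That is the practitioner's caveat to timer fuzzing: it raises the number of samples an attacker needs (in this model the sample count needed grows roughly with the square of the granularity), it does not remove the channel, and an attacker with patience, or one who builds a private clock from a counting thread, can work around it.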

This is again hard to question without looking like Bill and Ted, being generally rude, or derailing the thread into yet another Linux/GNU "debate". I suppose my general sentiment could be summed up with "c'mon.", though.

Nope, I mentioned this. You're right on the money: you can obfuscate your hardware in software, but that reduces your performance enormously, basically to the point of absurdity. For instance, if you have a system you would want just for basic word processing with very light word processing software, and would use the system mainly for storage of delicate information, you would want to encrypt that information, and it would take so long to encrypt that it would be really bothersome.

CPU microcode updates will not really help the situation at all, because it's a structural problem. Also, it's a cornerstone of performance in CPU designs, if they would remove the on-chip caching of the memory allocation tables, which is arguably the only option that would structurally solve the problem, the performance of the chips would be set back 20 years.

There is an acceptably easy architectural fix, and that is to redo the memory interface. If you would have for instance a socket redesign that allows for a sandwich to get HBM memory really close to the CPU, you could avoid caching the memory allocation table on chip without losing too much performance. You could then use software mechanisms to protect against corruptions. On x86 chips however, this would probably be really hard. If anyone would be able to pull this off, it would probably be Samsung, because they actually have the ARM technology, the litho technology, the peripheral technology and the memory technology in house and could puzzle all the things together.

The best solution though would be to simply allow for user-defined unique encryption on-chip. If the data is encrypted all the way up to the execution nodes, it would be almost impossible to make a software attack for it. This will never be allowed by the powers that be though. It would mean that there would actually be uncrackable systems. It would also mean that kernels would not be able to be closed source any more if the chip manufacturers would actually still want to sell chips. Intel for instance could not afford to defy the Linux Foundation and make chips that only work with VxWorks and Windows for instance. They couldn't make it work with OSX because that uses an open source kernel base. They wouldn't sell any chips to China or Russia, which are two major growth markets for them, they wouldn't sell any more chips to enterprises, etc... the reality is that any closed source solution to this problem would be almost certainly suicide for the big chip vendors. That's why the problem will never be solved, and will be minimized in press and marketing, and if the voices of truth get too loud for them to silence them, they will issue placebo patches that at best block specific software vectors. Another scenario of course is that the big cloud businesses cough up the financial means to develop a new generation of CPUs to remedy the situation structurally, because obviously for many economic actors, the risk of this bug will be relative if you subtract the Internet from the equation. The impact of this bug, depending on the degree of adoption by different black hat elements, could seriously make the whole cloud business come tumbling down. 
Amazon, Google or Facebook could actually afford to pay a company like GlobalFoundries, the mother company of AMD that runs the group's chip development facilities in Dresden, Germany, to develop a new chip + memory solution that doesn't have this problem, but that will also not happen, because the profit of such a deal would go to Europe and the United Arab Emirates, and the powers that be would not allow that. Intel is in a joint venture with Chinese ARM-bakers, but can't get anything done there; if anything, they have succeeded in sinking the market share of their Chinese allies and have not been able to produce anything useful for themselves. Samsung is probably the best bet, but they are rich and powerful enough to work for themselves at their own expense, and the more Trump wants everybody to buy military gear, the richer Samsung becomes, because it's one of the world's largest manufacturers of large military toys (battleships, tanks, etc).

It is what it is, and it is the prerogative of every human on earth to accept or dismiss what they want based upon the logical arguments they want to hear or refuse to hear. But in the end, everyone has to live with his decisions and the long term consequences thereof. That is freedom.

As good a starting point as any would be to change to a policy of blocking all scripts from websites you visit apart from the ones you choose to allow. I currently use NoScript on Firefox for this purpose.

We've seen a shift over the years from the cheap broadband routers that allowed all inbound traffic to the ones today where all inbound traffic is blocked until you whitelist an IP/port. This vulnerability will likely force a similar attitude to websites, and we'll probably see more thought put into where and how JavaScript is used as people start to routinely block scripts until they trust a website.

I'm just going to leave this here

I've been trying to locate a list of possible attack vectors that also have access to the shared cache so I can get an idea of other preventative measures, anyone have any good documentation for review?

I don't think so, because people on standard Android and on Windows can't block all JavaScript, because the JavaScript-executing browsers are part of the system, either through the web services or through Edge and Cortana, both of which are deeply embedded into the system and are normally only blocked by IT literate users (and for those, it's pretty much the first thing they do on such systems lol). But in the total volume of users, this is like a single drop of water on a hot plate. I don't think website devs will change anything, I don't think Google or Microsoft will change anything.

I get what you are saying and agree, but we have to start somewhere and most of the time the browser is the weakest link (after the sack of meat loose on the keyboard) so let's start there. Properly securing Windows and Android is tough, I agree, but at least you can kind of break it down into securing against Google/Microsoft vs. securing against criminals...

Hell even Microsoft have improved Windows no end on the second one 😉

That's exactly the problem: both Google in Android and Microsoft in Windows 10 inject unchecked ads they simply sell. In Europe, there is no ad injection in Windows 10 yet like in the rest of the world, but that won't take very long either, and Google injects ads everywhere. Ads are the number one JavaScript malware vector worldwide. There is no plausible protection mechanism against JavaScript attacks that don't trigger software security mechanisms, like the AnC attack, in standard Android and Windows operating systems. In Android you would need root and at least something like XPosed, or at least a version of Android that is heavily modified like for instance the Samsung ones if those are not altered by a provider, whereby users can disable the Google services enough to prevent any Google injection in the system. In Windows the user would have to at least disable the Edge browser by blocking it in the hosts file manually, plus use something like Spybot Beacon on a regular basis and manually trace all induced system changes and updates. On Windows, even for experienced IT savvy users, it's almost a full time chore to keep Windows clean enough for basic halfway responsible use. On Android, the only real option is to use a rooted ROM with XPosed, or to use a de-Googled custom ROM, which often can't be used without at least pico OpenGApps any more because Google has blocked the use even of that if you want to log in on devices. It's getting incredibly hard to have full control over commercial operating systems, full control that at least offers a basic protection against injections of crap onto the system that nobody takes any responsibility for. Does Google or Microsoft care that AnC will be in the majority of all JavaScript based ads in two weeks' time now that the AnC mechanism has been published? 
No they don't, because they know that the victims won't ever complain, and that they have enough grip over the system and, if need be, enough lawyers and enforcers to make sure that they still gain more by not doing the right thing than by doing the right thing.

I agree though that one has to start somewhere. That is easy for us IT savvy people to say, when we do the same thing as the big software mobs and turn our backs on all the people that are sitting ducks. Whilst there is no direct action we can take against it, we should at least call the big software mobs out on it and make sure people understand what is going on, without minimising the importance of it just because we are so used to mitigating all of this crazy stuff for ourselves for all these years because we understand. How about we start by explaining to everyone who wants to know what is going on. People who don't want to understand, yeah tough luck, but there are a lot of people who want to understand and want to escape their commercial software nightmare.


But what you seem to be advocating for, and what I KNOW some people are advocating for, isn't just akin to a vegetarian diet. It's not even just veganism. It's solar-powered, hydroponic, Amish veganism on a biodegradable raft in the middle of the ocean which you have named as your own sovereign country, i.e. gutting so much of the technical climate that you might as well [as somebody said] unplug your computer from the internet altogether. That block of text I highlighted before basically means you won't run anything not open source, which, as I'm sure you can understand, is extremely unusual to me.

But the same can be said about religion or politics, so I'm just going to have to agree to disagree.