One Article Review
| Source |  GoogleSec |
|---|---|
| Identifiant | 8367398 |
| Date de publication | 2023-08-08 13:33:00 (vue: 2023-08-08 18:06:35) |
| Titre | Chute et zenbleed: Googlers aide à sécuriser l'écosystème Downfall and Zenbleed: Googlers helping secure the ecosystem |
| Texte | Tavis Ormandy, Software Engineer and Daniel Moghimi, Senior Research ScientistFinding and mitigating security vulnerabilities is critical to keeping Internet users safe. However, the more complex a system becomes, the harder it is to secure-and that is also the case with computing hardware and processors, which have developed highly advanced capabilities over the years. This post will detail this trend by exploring Downfall and Zenbleed, two new security vulnerabilities (one of which was disclosed today) that prior to mitigation had the potential to affect billions of personal and cloud computers, signifying the importance of vulnerability research and cross-industry collaboration. Had these vulnerabilities not been discovered by Google researchers, and instead by adversaries, they would have enabled attackers to compromise Internet users. For both vulnerabilities, Google worked closely with our partners in the industry to develop fixes, deploy mitigations and gather details to share widely and better secure the ecosystem.What are Downfall and Zenbleed?Downfall (CVE-2022-40982) and Zenbleed (CVE-2023-20593) are two different vulnerabilities affecting CPUs - Intel Core (6th - 11th generation) and AMD Zen2, respectively. They allow an attacker to violate the software-hardware boundary established in modern processors. This could allow an attacker to access data in internal hardware registers that hold information belonging to other users of the system (both across different virtual machines and different processes). These vulnerabilities arise from complex optimizations in modern CPUs tha |
| Envoyé | Oui |
| Condensat | comparisondownfallzenbleedaffectsintel optimization speculative these upon want zenbleed 11th 1:30pm 2022 2022may 2023 2023fixed 2023how 2023july 20593 256 2leaksentire 40982 6th about access accessing across addition advanced adversaries advisory affect affecting align all allow allows also although amd applications applications: preemptive architecture are arise attacker attackers august automated aware back becomes becoming been belonging better billions bit blackhat blocking both boundaries boundary bulletins but bymicroarchitecturalanalysisfuzzingfixmicrocode can capabilities case challenges clear closely cloud collaboration community completed complex compromise computation computer computers computes computing continues continuing coordinate core cores could cpu cpu/hardware cpus critical cross crucial cve cycle daniel data dedicated depending deploy designing detail detailed details develop developed did different directly disclosed disclosure disclosures discovered discovery doesn doing done downfall each ecosystem enable enabled enables encoding encourage enforces engineer established everyday exception execute execution existing expand exploitation exploits exploring expose exposed extract extracted faster features files fixes flag followed forward forwarding forwards from function fundamental further gaps gather gathermicrocode gen generation get google googlers guidance had half harder hardware have heart help helping helps high highly hold how however immediately imperative implemented importance important including: there incorrectly industry information insights insignificantreported instead instruction instructions intel internal internet introduce invest investing its join just keeping keeps leading leakdiscovered leaking leaks learn learned learned these lessons level long look machines make malicious marks meltdown memory mis mitigating mitigation mitigations modern moghimi more move multiple multitasking multithreading new not onaugust one only optimizations order ormandy other out over overhead0 parallelism part partners performance performing personal physical plan post posted potential presented prior processes processing processors properly protect provided published quickly rather read register registers registersexploitgather registerupper related requires research researchers respectively responded rolled safe same samplingarchitectural scattered scientistfinding secure security see senior setting several share shared sharing should shows signifying simd similar simultaneous since single software speculated speculative speed stale stop succeeding suggest supported supposed system tavis technical techniques testing than them these those thread timelines times today trend trivially two ultimately understanding upper usa user users value verification violate virtual vulnerabilities vulnerability waiting what when where which who whole why widely wider will wiping without work worked workload statistically workloads would xmm/ymm/zmm years ymm zen zen2 zenbleed zenbleed: zero zeroupper zeroupper mitigation |
| Tags | Vulnerability Prediction Cloud |
| Stories | |
| Notes | ★★ |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.