 zombie load attack, return of the leaking dead. Or at least that's what the title says, and I love the title. I'm smiling, because it's funny, but this is actually a pretty serious topic. Watch out your processor, resurrects your private browsing history and other sensitive data. And they're not lying here. This is really interesting. They got proof of concept code out there. They went through Intel, had an embargo on this, but Intel researched it, but it turns out that the bad news is, well, just as bad as it sounds. It's a pretty bad attack. This is of the same type of attack that we've seen against processors and before with the Spectre Meltdown. And then the zombie attack, and now the zombie attack return of the living dead as this one's titled. And this affects the latest Intel processors. And they have a really far beyond my scope of this video talk on exactly how cross-privilege boundary data sampling works. And it's impressive. They've done a lot of research and let's go ahead and roll the demo because why not start there and show what they're able to do. Now, this is a virtual machine running and they're running a Tor Rouser, running Tails specifically. And what this is showing you is that right here, they're typing in newyorktimes.com and they can see running their tool and they give you all the compilations so you can do your own proof of concept and they give you the source code to this tool. They show how you can pull data out of a virtual machine from the hypervisor level. Now, this would be really difficult if you don't have access to the hypervisor. So let me back up a little bit and talk about how this attack is actually occurring and just how serious of a problem it is. So first, do we know if it's being exploited in the wild? We don't know. There doesn't appear to be a lot of traces left behind but we do know and this is through their documentation and what they have on here that if you have a hypervisor running over here and you have a person who has access to set hypervisor to run this tool, the VMs within that hypervisor you could possibly be leaking data from. They have to be running in the same processor that you assign. So if we have 16 cores and I have core one assigned to a specific hypervisor and then I run this tool against core one and this does include with hyperthreading turned off which was the mitigation before for some of the other attacks, there is the ability to pull that data out like they show in the proof of concept. Where things get much more complicated is when you have a virtual machine over here and a virtual machine over here and we try to run it in this virtual machine to try to grab their data out of this virtual machine. Well, now it doesn't work as well. That is a much, much less likely to get the data because the hypervisor isn't dedicating one single core to both of these. It will be interleaving between all the cores and doing its management system and this would obviously cause problems of them nailing down exactly where the data is. So it does take some really specific knowledge like we have to have essentially like root level access to a hypervisor. Now, of course this can be run as another process on bare metal as in if I'm running it here on my laptop, not a hypervisor and we run that tool, the zombie load tool and we know where to look for memory. I could find things like for example what's running inside of a browser or pull out certain private keys. So this is a pretty serious attack and it does affect pretty much even the latest Intel processors and that's kind of the point of this is it's no longer a mitigated in the by the latest Intel have the problem solved or turn off hyperthreading have the problem solved. So let's break down and look at the matrix they have here and talk a little bit more in detail about what processors are actually affected by this. So here at the bottom it says, am I affected by this bug despite the MDS mitigations? With our new variant that has been disclosed November 14, 2018, the zombie land attack is still possible on CPUs with hardware mitigations against the MDS, e.g. recent Cascade Lake CPUs. Furthermore, we show that research paper that on some processors, the software based mitigations including necessary microcode dates will not fully prevent this attack. So as I stated, it's built into even these latest processors the Cascade Lake CPUs, even with the microcode update there currently isn't or does not appear to be a fix for this. What can be leaked? If your system is effective, our proof of concept, zombie load exploit can read data that is recently accessed or accessed in parallel on the same process recorded. So I said it has to be on the same core for them to be able to find this. So these are really important things. Are these software bugs? Well, not really. This is one of the things they break down. This is at the hardware level and that's where these attacks are occurring. So that's one of the challenges on here. And the other important thing, well how do I know if I'm affected by this is a popular question. We do not have any data on this that exploitation might not leave any traces in traditional log files. And I wanna bring that up because, you know, people say well maybe the government's had this for years. These are not likely scenarios that has been abused in a while. It's hard to say. Obviously we don't have any proof either way. But it feels like with all the dumps we've had that if this was being abused over time, maybe someone the secret would have gotten out. That's really speculative more than anything else. But, you know, it's taken a lot. I mean, these researchers have spent years focusing on a single project here to figure out and reveal this methodology. And once again, what happened is we started out by speculating that this was a possibility. The speculative evocation, the meltdown specters, as they're referred to, it expanded from there. And once they knew there was gold, they kept digging and kept digging. And that's what's happened here is they've gotten to the point where they go, okay, these are the problems we found. These are the ways that it can be exploited. And they keep getting better at exploiting them. Now someone's gonna point out, well this is, you know, pound the keyboard. This is a reason to go by AMD, blah, blah, blah, blah, blah. Well, we don't know about AMD. I say we don't know. We don't know if there's flaws in AMD because they have not spent the last couple of years researching specifically AMD processors. So before you run out and think that everything in the world should be swapped to AMD, which, hey, I'm a big fan of AMD myself, and I think that might be the short-term mitigation. And it's a great idea and I'm sure AMD stock price will take a bump because of it. But we don't know until someone has taken the time to do this hardware level, really focused research, and it takes just unbelievable amounts of time. You gotta think about what goes into the research. It's not like they just tried it. They tried everything and found this. That's one of the reasons it's taken so many years to even come up with version two after the mitigations because they had to wait till the patches came out. The patches came out and then the researchers, you know, get their head into books again and they're going, all right, what happens when we do this? What happens to this? And it's, you know, tons and tons of failure until someone goes, wait a minute, I just seen data. Like I said, as well as the beginning, it takes knowing what core, what thread something's running on and running an adjacent process to it to figure out what data that stored in there and then extracting said data out. So it's not like it's easy to do. And also anyone who has access to your computer to run an application at that level that undoubtedly is pulling lots of CP resources to try to keep itself in that same thread that something spawned in, they have access to your computer. This is the least likely thing. If I have access to your computer to run an application at will, I am much more likely to do something else that's easier to get data out as opposed to the slower, less likely way of pulling it out this way. So it's more of a proof of concept, but it could be used. It's still a very real threat that does need to be addressed. But, you know, it seems like once I have root access or high levels of system privilege design your system, I'm probably gonna use another methodology. This leaves us to things like when we have to trust our software. So I would expect this problem to occur. Let's say someone does take this code and writes something. They would probably do a supply chain level of tax so they could, for example, get into your firewall based on one of the packages that gets loaded within the firewall. This would be, you know, a more likely attack factor than someone trying to get something dropped on your system. Because if you slipped in something that looked like normal code that did it, but I'm being speculative here of whether or not that would occur. And of course, because of all the supply chain style attacks we see in the software development world, they are getting better at tightening it down. At least I like to hope they are. I'm an optimist. So I believe they're getting better at watching what code goes in, vetting, auditing it, and, you know, more eyes on it. And now we have one more thing to look for. We know, because the proof of concept codes out here, what methodologies we need to look for. So if someone is doing this, well, we're gonna hopefully find it and security researchers are out there digging around to see if this is out in the wild. And to my knowledge, as of right now, in November of 2019, no one has seen this out in the wild. It is only a proof of concept that I'll leave links to here for all the details. The last piece we'll talk about is the safest work around to prevent extremely powerful attacks as running trusted and untrusted applications on different physical machines. This is interesting, but like I said, this is the only way to really mitigate this. You have to trust the software, which once again is going to, in my mind, push more and harder for open source solutions where we can audit and vet the code that was created on there to make sure these things weren't embedded on there. Because picture this being embedded into some closed source operating system and or solution that they bury this in, it hides in there and now can extract data in this very specific way. I mean, granted, yes, I know I'm being speculative, but it is a problem in the marketplace right now. We have to trust the hardware, we have to trust the software we run. And when we can't see the code and we know that the code can now break the boundaries of the hardware, this gets pretty very scary. So if this is not feasible, giving the context, disabling hyperthreading completely represents the safest mitigation. This does not, however, close the door and attacks on system calls returning pass that leak data from kernel space to user space. In case of disabling hyperthreading is not feasible for performance or other reasons, trusted and untrusted process should never be scheduled on the same physical core. This again does not mitigate the attack scenarios because adversary processes could still leak data from super-ordinated kernel or hypervisor. For more detailed information on mitigation vectors, please consult the ZamiLand research paper. And I'll leave links to all this so you can do your own further reading. And wow, like I said, they dive deep in this. This took some really, really clever engineering and really challenging designs that they had to go through and figure out what does or doesn't happen to make this attack occur. So like I said, I'll leave all this. It's definitely serious. There's no mitigation for it. So you can decide if you just want to turn off the computer permanently and go live out in the cabin or push on and hopefully the problems will get solved and smarter people than the ones that even did this will then come up with mitigations against it and et cetera, et cetera. And we will progress on, or maybe there's no flaws in AMD. I'm waiting for the security researchers to really dive deep into that. So as I stated, that may or may not be a solution, but fun times either way, it's one more challenge and one more solution to strive for to solve. Thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon. If you like YouTube to notify you when new videos come out. If you'd like to hire us, head over to laurancesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.laurancesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general, even suggestions for new videos that are accepted right there on our forums, which are free. Also, if you like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.