Supplementing CVEs with !CVEs

By Jake Edge
December 5, 2023

The Common Vulnerabilities and Exploits (CVE) system is the main mechanism for tracking various security flaws, using the omnipresent CVE number—even vulnerabilities with fancy names and web sites have CVE numbers. But the CVE system is not without its critics and, in truth, the incentives between the reporting side and those responsible for handling the bugs have always been misaligned, which leads to abuse of various kinds. There have been efforts to combat some of those abuses along the way; a newly announced "!CVE" project is meant to track vulnerabilities "that are not acknowledged by vendors but still are serious security issues".

The "!CVE Team" posted the announcement to the oss-security mailing list on November 8; the project had just been presented at Black Hat Toronto by Hector Marco and Samuel Arevalo from Cyber Intelligence, S.L., which is a Spanish security research firm. Given that Cyber Intelligence is the sole partner listed on the !CVE web site, it is hard not to come to the conclusion that Marco and Arevalo are part of (or all of) the !CVE Team, though its membership is ostensibly anonymous.

The reasons behind the new project are pretty straightforward: tracking vulnerabilities that the relevant CVE Numbering Authority (CNA) has rejected for CVE assignment. CNAs are delegated to assign CVEs for a particular product or project, which, in many cases, is the same as the vendor or project itself. The announcement quotes the CNA rules: "CNAs are left to their own discretion to determine whether something is a vulnerability". Since the CNA is often the same as the one whose code is implicated, the announcement noted that there is a problem:

This poses a clear conflict of interest, since the same vendor is the one deciding whether or not an issue is a vulnerability and therefore whether a CVE is assigned to their own product or not.

The solution, according the project, is to have a panel of experts evaluate reports of these kinds of vulnerabilities; if they qualify, a !CVE-yyyy-nnnn identifier will be assigned and an entry will be created in the NotCVE database. As might be guessed, the exclamation point in the identifier was not popular, with Alexander "Solar Designer" Peslyak pointing out flaws in the numbering scheme in the first response to the announcement:

Please make these more distinctive, so that searching (e.g. the web or mailing list archives) for CVE-2023-0001 wouldn't find both the actual CVE and the !CVE, which are likely totally unrelated to each other. In fact, searching specifically for the !CVE could be difficult as the exclamation mark may be dropped by the tokenizer when indexing content.

He also noted that he had created a CVE alternative, called OVE, back in 2016, though it never really went anywhere; "Maybe yours will." David A. Wheeler suggested using "NotCVE" rather than "!CVE", which is what the team eventually decided to adopt. Looking up the first alert will work using either identifier, since there may be existing references to !CVE-2023-0001.

At this point, NotCVE-2023-0001 has only been joined by NotCVE-2023-0002, which is, somewhat ironically, a buffer overflow in NVD Tools. That project provides a set of tools to work with the National Vulnerability Database, which includes CVEs among the vulnerability information that it tracks.

In the thread, Mike O'Connor asked about non-vendor CNAs, noting that the GitHub CNA is responsible for lots of open-source projects it hosts, but is hardly the "vendor" for them. He suggested that there are cases where CNAs are legitimately rejecting CVE assignment:

Perhaps they don't want to build deprecated decades-old code to scope out the severity of a buffer overflow some random fuzzbot found. How would !CVE work for the Linux kernel, where most security fixes have git commit hashes but not CVEs?

The !CVE Team said that the project would only be tracking vulnerabilities that are not being assigned CVEs—for any reason. It is not only for vulnerabilities that have been rejected for CVE assignment, there is more to it than that:

!CVE project is tracking, identifying and sharing security issues that otherwise would be randomly published in blog posts, Twitter, etc, (in the best case) or just lost. To obtain a NotCVE is not relevant whether someone is getting difficulties to obtain a CVE for their vulnerability or not. To get a NotCVE the issue must qualify.

O'Connor had also suggested working with the CVE project, "addressing what CNA rules you think may be broken", but the !CVE Team said that MITRE (which runs the CVE project) is not unaware:

This is not something new or unknown by MITRE or vendors. In some cases MITRE is in favor of assigning a CVE but the vendor is against. In those cases MITRE can do nothing and by experience we can tell you that at the end CVE will not be assigned. Note that "the security issue" cannot be even named "vulnerability" because it is not (vendor is the only one with this authority) according to MITRE rules. If something is not a "vulnerability" there is nothing to patch, nothing to track, etc. Since those issues go unnoticed, they should be looked at even more cautiously since they are probably not going to be fixed.

At first blush, tracking untracked vulnerabilities seems like a perfectly reasonable idea—and it is—but there are some risks to it as well. The biggest problems with the current system stem from misaligned incentives; researchers push for CVE assignment for personal-recognition purposes, while companies and others sometimes want to forgo CVEs in order to not be recognized as having a security flaw. Meanwhile, governments and others base legislation and agreements around fixing CVEs in short order, which gives vendors and projects another reason to avoid them.

Beyond that, there are bogus CVEs that projects have to grapple with if they do not create their own CNA. The usefulness of NotCVEs is going to come down to how well the "panel of experts" does in keeping bogus reports from getting added. If the NotCVE system were to become popular, it would provide another target for researchers who are only concerned with personal recognition, so the project might well be inundated with bogus reports of various kinds.

The CVE system is, in short, a mess—and one that periodically spawns attempts to fix or replace the CVE system. So far, at least, none of those efforts has gone very far and !CVE looks likely to join that club. But the problems it is trying to address, remain. So we will probably see more sporadic, generally quixotic, tilts at the CVE windmill over the coming years—decades and more, even.

Index entries for this article
Security	Bug reporting/CVE

to post comments

Scaling/domain knowledge

Posted Dec 6, 2023 6:22 UTC (Wed) by nickodell (subscriber, #125165) [Link] (8 responses)

Seems tricky to scale. The current system may have a conflict of interest, but it does at least distribute vulnerability reports among the CNAs, and ensures that the CNAs evaluating their own software for security bugs are domain experts. I think that for a lot of software, it might be hard to tell if a bug is a security issue, without an understanding of what the security model of the software is.

Scaling/domain knowledge

Posted Dec 6, 2023 7:40 UTC (Wed) by epa (subscriber, #39769) [Link] (7 responses)

Perhaps they would do better to declare that a NotCVE simply represents a “bug”. Thus avoiding the whole circus about what counts as a vulnerability, the expected uses of the software, where the trust boundary lies and so on.

Calling something a “bug” is also open to debate—the developer may argue that a segmentation fault on invalid input is not a bug because by design the program is meant to work only on valid input—but without the additional politics brought in by the word “vulnerability” it may be easier to resolve.

Scaling/domain knowledge

Posted Dec 6, 2023 8:21 UTC (Wed) by roc (subscriber, #30627) [Link] (2 responses)

Often we do have information about whether a bug has security implications or not, and it seems rude to conceal that information.

Scaling/domain knowledge

Posted Dec 6, 2023 10:14 UTC (Wed) by taladar (subscriber, #68407) [Link]

Perhaps what is really needed is some sort of moderated location to discuss each potential bug and security implications so the disagreements become visible?

Scaling/domain knowledge

Posted Dec 6, 2023 17:39 UTC (Wed) by epa (subscriber, #39769) [Link]

Oh, I didn’t argue to deliberately conceal anything, but to say that any bug can be given a NotCVE without having to argue about whether, officially speaking, it counts as a “vulnerability”. Just to shortcut the sterile discussions about “well I know you have a working exploit, but this shouldn’t be considered a security vulnerability because…”

Scaling/domain knowledge

Posted Dec 6, 2023 12:02 UTC (Wed) by pm215 (subscriber, #98099) [Link] (3 responses)

The problem I think with that is that the whole point of the CVE circus is trying to distinguish "unexciting bugs" from "you will have a really bad day if you don't apply a fix for this" bugs. If every bug got a NotCVE or a BUG identifier or whatever, it would not really be very helpful, because it wouldn't let you track "do we (or our downstream users) have any Really Bad Days in our future if we don't do something?".

Scaling/domain knowledge

Posted Dec 6, 2023 12:14 UTC (Wed) by Wol (subscriber, #4433) [Link]

The other big problem is that you get too many people gaming the CVE system, and flagging bugs that are disabled by default as "you really need to fix this", etc etc.

If the payoff of making an ass of yourself is high, then people are going to do it ... :-( It's exactly the same as the spam problem. Filing a brainless CVE is easy, the cost of dealing with the mess falls on someone else.

Unfortunately the only real way to implement anti-CVE-spam is just to delete all CVEs on sight - at which point the regulators get upset :-(

Cheers,
Wol

Scaling/domain knowledge

Posted Dec 6, 2023 17:41 UTC (Wed) by epa (subscriber, #39769) [Link] (1 responses)

That’s part of the reason. But the other is just to tie together information about a bug with a single easily greppable identifier. A given NotCVE might not be a bug you care about. But if you’ve decided you do care, you have a formal mechanism for labeling fixes, checking whether a fix has been merged into a given branch, listing installed packages that may be unpatched and so on.

Scaling/domain knowledge

Posted Dec 7, 2023 4:31 UTC (Thu) by buck (subscriber, #55985) [Link]

Yeah, I thought that "common vulnerability enumeration" was meant to convey that a CVE is like a serial number authority (confederated, now, I guess) for vulnerabilities.

And, just as most of us never have a need to ever consult the serial number of our refrigerators or whatever, especially not if it's a dorm-room model that's here today and out on the curb tomorrow, but you might want to be able to call in for service if you have an expensive custom fridge with the wood panels that blend into your cabinetry, there are going to turn out to be some numbers that people care about and some that nobody does.

But, if they do, it's nice for somebody to have handed out a unique identifier for them (if nobody is willing to foot the registration fee for a brand name vulnerability PR web site etc., I say, tongue in cheek, because usually the research that's gone into those vulnerabilities is a lot more mind-bending than my brain can take without breaking, and having to register a .vuln domain might be a nice barrier to entry for nuisance reporting [grin]).

Assuming the people overseeing registration are good enough taxonomists to figure out just exactly how to separate one bug from another

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 9:15 UTC (Wed) by bluca (subscriber, #118303) [Link]

Great, we so desperately needed more bogus reports, as if cves weren't bad enough already

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 10:22 UTC (Wed) by luna (guest, #166424) [Link] (3 responses)

Another issue with the awful name is that people can interpret "!CVE" as "no vulnerability". Why would there be a record of no vulnerability? That makes no sense. That's how I first interpreted it before reading the article.

As pointed out by another commenter, how are they going to prevent teenage John Doe who thinks configuring sshd to accept root logins is a vulnerability (or any of the other perennial nonsense you see on bugtraq) from reporting that? Chicken littles everywhere will flood the folks managing this with spurious "reports".

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 12:21 UTC (Wed) by pbonzini (subscriber, #60935) [Link] (2 responses)

A curated record of disputed vulnerabilities, with a hall of fame that names and shames reporters that nevertheless proceeded to get CVE numbers assigned, would actually be pretty interesting.

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 12:56 UTC (Wed) by Wol (subscriber, #4433) [Link]

Hmmm - and it would give some push-back against regulators to be able to say "this CVE appears to be spam".

I know, we in the MV community had a surprise some months back when a CVE was filed against UniData. Just the one, in what appeared to be a drive-by fuzzing attack.

Cheers,
Wol

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 13:23 UTC (Wed) by dave_malcolm (subscriber, #15013) [Link]

FWIW that was my guess as to what the article was going to be about when I clicked on the the headline.

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 11:47 UTC (Wed) by dullfire (guest, #111432) [Link]

From what I've heard about the CVE system, attempting create a bug or vulnerability tracking system, that is defined in relationship to the CVE system has failed from the start.

I don't think any sane system can be design around (or in terms of) the CVE system as it is now. However, as far as I know, this is more of a social problem than a technical one. So a social fix is needed (though it may take advantage of technologies).

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 14:20 UTC (Wed) by pombredanne (guest, #113982) [Link] (6 responses)

The biggest problem IMHO is data quality, as pointed out by several commenters. We do not need more bogus CVEs. We need better data about each vulnerability, and eventually a peer, open review so we can squash and ignore the spam more efficiently.

Supplementing CVEs with !CVEs

Posted Dec 6, 2023 17:22 UTC (Wed) by wtarreau (subscriber, #51152) [Link] (5 responses)

We will always get more bogus CVEs because they are used to give power to the reporter:
- power to inflate the resume (hence the Curriculum Vitae Enhancer definition)
- power to force downstream to apply certain fixes
- power to force the packaging team to accept to backport an important fix that they would otherwise reject
- power to force downstream to abandon older (but still supported) versions and to upgrade, sometimes by paying, just to shut up the bogus CVE checkers that many CISOs pay for.

The system is totally biased and abused. It has become rare these days that a CVE actually designates a *REAL* vulnerability. The vast majority of them are just jokes but there's such a juicy business behind this that there is a whole ecosystem maintaining this big lie and feeding the monster to make money out of it.

Supplementing CVEs with !CVEs

Posted Dec 7, 2023 9:23 UTC (Thu) by pombredanne (guest, #113982) [Link] (4 responses)

You wrote:

> The vast majority of them are just jokes but there's such a juicy business behind this that there is a whole ecosystem maintaining this big lie and feeding the monster to make money out of it.

What could be done to reverse this situation?

Supplementing CVEs with !CVEs

Posted Dec 8, 2023 6:40 UTC (Fri) by wtarreau (subscriber, #51152) [Link]

> > The vast majority of them are just jokes but there's such a juicy business behind this that there is a whole ecosystem maintaining this big lie and feeding the monster to make money out of it.
> What could be done to reverse this situation?

It's difficult to say. Hundreds of companies spending millions in marketing to tell the world how insecure it is, automated CVE scanners running on cloud images to scare people on just cryptic CVE numbers etc. Education might be the only solution now, but it will take 2 decades for IT deciders to be replaced by new ones who stop believing this crap. And it's not even certain because they take less risk by trusting whoever speaks about random bugs than by saying "I know it doesn't affect us, I decide to ignore it".

GregKH and I thought about the possibility of automating the filing a CVE for each backported fix as a way to make sure that distros backport all fixes, and to make some people start to take CVEs with a grain of salt. That could work but this must be adopted by many projects to succeed. I thought about doing it for haproxy but that would cause a lot of burden to our distro maintainers who are currently doing an awesome job, it wouldn't be fair to them. This task should probably be started with poorly maintained projects, if at all. The situation is complex because the system continues to work just thanks to the rare people who are deploying a lot of efforts to continue to deliver good fixes despite the CVE system messing up with about everything and causing confusion everywhere.

Supplementing CVEs with !CVEs

Posted Dec 8, 2023 13:00 UTC (Fri) by farnz (subscriber, #17727) [Link] (2 responses)

The core problem is social; the idea behind the CVE system is that there should be one database of severe bugs, such that if you are vulnerable to any of the bugs in the database, you know that you have a big problem to fix. This then allows a secondary thing where bugs in commonly shared code can be referred to by CVE number, so that (for example) a bug in the EDG language front-ends can be referred to by Microsoft, Intel, SGI and other downstream users with the same CVE number, rather than needing one bug reference per compiler vendor who used the EDG front-end.

This, in turn, was beneficial to consumers, since instead of getting (say) three different bug reports from Microsoft, Intel and SGI about a compiler bug, I got three different bug reports all containing the same CVE string, so I knew that I had a common bug here, and not a case where I had three different bugs to deal with. This was especially important in the days when lots of software was both proprietary and white-labelled, so I'd get bug reports about an issue in (making names up now) HP-UX Secure Transport Services, Sun Transport Layer Security System and SGI Secured Communication Layer, all of which would turn out to be the same OpenSSL bug (because the products were actually just rebrandings of OpenSSL).

However, once you have a big shared database of "severe" bugs, you tempt people to build metrics around it; and when people build metrics, Goodhart's law follows close behind. In the case of CVEs, the big problem is that people use "number of CVEs you found" as a metric for how good someone is at finding severe bugs; this leads to people trying to get many many CVEs in their name, in order to win at the metric, making it useless for its original purpose (since it's now a metric for how good you are at finding a CNA who'll let you get a CVE number for a report).

And that social problem is hard - we need people to stop caring about CVEs per-se, and to start caring about only the subset of CVEs that represent "real" issues (FSVO of "real" and issues). Trouble is that the vendors have a reason to downplay the severity of every issue, so you need a trustworthy source of information - how do you distinguish Daniel Stenberg's explanation of why a vulnerability should have scored 3.3 not the original 9.8 from a motivated closed-source vendor lying about the severity to get the vulnerability score down, absent technical ability?

Supplementing CVEs with !CVEs

Posted Dec 8, 2023 14:11 UTC (Fri) by atnot (guest, #124910) [Link] (1 responses)

> the idea behind the CVE system is that there should be one database of severe bugs, such that if you are vulnerable to any of the bugs in the database, you know that you have a big problem to fix. This then allows a secondary thing where bugs in commonly shared code can be referred to by CVE number

To my knowledge this is backwards, at least historically. The issue of finding out whether your version was vulnerable was already a solved issue: you just asked your vendor, which had their own bug tracker ID. People weren't really pulling in random versions of hundreds of dependencies to the degree they are now, this sort of scanning wasn't really that necessary.

So the primary purpose was really more to enable more cooperation for security bugs by having an independent central place that would host issue descriptions and give them a unique number. You can sort of see this from the process, I think: CVEs are assigned mostly by affected companies, they are not really given more than cursory verification and were originally just a straightforward republishing of the authors description, without any further classification by MITRE. Attaching meaning to those IDs was the job of other entities, like the affected companies and national CERTs. In this regard, CVEs still work as intended.

I think where this started going wrong was with the introduction of things like CVSS, which increased their duties from merely hosting a database of claims to interpreting those claims, a thing which they are really wholly unequiped for doing. There were plenty of other causes of course, but all of this moves the CVD from a role of merely neutrally numbering important claims to being a factual, accurate description of every vulnerability ever discovered, which the process is not remotely set up for.

Supplementing CVEs with !CVEs

Posted Dec 18, 2023 15:06 UTC (Mon) by nim-nim (subscriber, #34454) [Link]

It started going wrong when tooling and free software made it dirt cheap and easy to pull in other people’s software. For a time all was dandy. And then the suits discovered that the average dev had no intention whatsoever of keeping up with third party code updates and security vulnerabilities (helloo log4j, brought to you by the Apache Open Source way: free-as-a-beer-code, no due diligence nor obligation, just don’t get caught by security scanners).

So now no one trusts whatever the dev vendor says.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 6, 2023 18:31 UTC (Wed) by geofft (subscriber, #59789) [Link] (14 responses)

It is ludicrous to advertise this as a solution to conflicts of interest when the whole project seems to exist for the purpose of a security research firm being able to present their findings as legitimate. The CVE system has both false positives and false negatives (which is, honestly, unsurprising for such a complex system). The reason it is able to reject proposed vulnerabilities, and there's a clear conflict of interest when an entity whose motivation is having more CVEs focuses only on the problem of false negatives.

If you look at the company behind this, their services are all offense-based: all their trainings are about exploitation, not building secure systems, and their other services are penetration testing and data recovery. And they are clearly collecting CVEs and now !CVEs for advertising purposes. Organizations like this are exactly the kind of people causing the bogus CVE problem (which LWN covered well). The point of the CVE system, one would hope, is for people to actually keep themselves safe from vulnerabilities, and a company that sits solely on the side of finding more vulnerabilities and not keeping real-world systems secure has its own conflict of interest.

The specific "vulnerability" that they built this system for, NotCVE-2023-0001, is a secure boot bypass via voltage glitching. The vendor says that voltage glitching is outside of their threat model and not one of the things they advertise to customers that they're secure against. I don't know enough about this domain to evaluate whether this particular argument makes sense, but things outside the threat model are, again, precisely the kind of thing causing bogus CVEs. The LWN article gives three examples: an integer overflow "vulnerability" in the curl command line / API where a too-large value would just be interpreted as a smaller integer, a denial-of-service "vulnerability" in Postgres by an administrative user, and the fact that an unlocked password manager database contains credentials that you can read. In all of these cases, the upstream project has drawn the lines of their threat model in perfectly sensible ways, and it helps nobody except the ill-gotten reputations of the CVE discoverers to have vulnerability reports that require being on the trusted side of the threat model.

I do actually think that there should be a way, if this research firm believes that voltage glitching should be in-scope for these processors, to dispute the threat model. There are certainly vendors that draw the lines badly and to their convenience. But then the thing that should be filed is an objection to the threat model as a whole, not some specific attack on the assumption of a modified threat model, because you can generally find hundreds of similar attacks that rely on the same assumption. (The curl CLI can be subverted by LD_PRELOAD, a local sysadmin on the Postgres server can use ptrace, etc. The KeePasXC blog post explicitly says, "having lost control of your computer in this manner would mean the attacker could execute any number of security compromises against your KeePassXC database.")

In some cases the vendor will look obviously wrong and hopefully get shamed into fixing their approach to security, not just the one vulnerability. In some cases (see recent LWN articles on whether Linux kernel filesystem implementations can trust the disk or whether libbfd is secure to hostile input), there's some legitimately non-obvious debate about the threat model itself. And in some cases the researcher will look obviously wrong. In all of these cases, documenting what the vendor believes about the threat model is far more valuable for actual end users, largely because - again to the bogus CVE problem - many actual users probably do align with the vendor's envisioned threat model. Quoting a good article questioning the ReDoS vulnerability fad: "I’ll just be blunt about it: 99.9% of developers do not care about ReDoS 'vulnerabilities,' and they’re right not to care." Even those users who aren't aligned with the vendor's vision are usually better off realigning themselves (e.g. running the affected component in a sandbox or finding some alternative tool for what they're doing) to protect themselves from the hundreds of attacks that actually do exist under the threat model the vendor isn't using. Filing those hundreds of similar attacks one at a time, and patching for them, isn't useful to the users that aren't affected, nor does it actually keep the affected users safe, and especially for small OSS projects, it diverts maintainer attention in a way that probably leaves all users worse off. The only people who would actually benefit, again, are the folks who want to catch CVEs like they're Pokémon.

The only other NotCVE at writing, 2023-0002, is a crash on malformed input in a function that I think is intended to be called by local code. It shows all the signs of CVE abuse: the reporter is claiming it's "obviously reachable (if the fuzzer did then everyone can + it is part of the exposed functions of the module)" but with no analysis of whether it's reachable from untrusted inputs. These tools are all command-line utilities, and nothing in them implies that they're intended to be made accessible to remote users, let alone to untrusted remote users, yet the NotCVE website claims this has an attack vector of "network." This is, again, almost certainly an issue of the researcher having a threat model that is probably unwarranted, and it's exactly the sort of thing the CVE project should be rejecting!

Franky I don't think LWN should be giving these guys the publicity. This is just taking one of the major flaws of the CVE program and calling it a feature.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 6, 2023 18:57 UTC (Wed) by apoelstra (subscriber, #75205) [Link]

Thank you for this great comment. It covers all of the problems (and more) that I was expecting a "NotCVE" proposal to try to address ... and was disappointed to find that the proposal was actually intending to make worse.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 6, 2023 19:10 UTC (Wed) by jake (editor, #205) [Link]

> Franky I don't think LWN should be giving these guys the publicity.

Well, if we had not written about it, we would not have gotten your nice comment (and others in the thread). Perhaps I was too credulous in writing it up, but bringing it to the attention of readers seems to have been valuable.

thanks,

jake

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 6, 2023 19:50 UTC (Wed) by excors (subscriber, #95769) [Link]

> The specific "vulnerability" that they built this system for, NotCVE-2023-0001, is a secure boot bypass via voltage glitching. The vendor says that voltage glitching is outside of their threat model and not one of the things they advertise to customers that they're secure against. I don't know enough about this domain to evaluate whether this particular argument makes sense, but things outside the threat model are, again, precisely the kind of thing causing bogus CVEs.

From what I've seen, the boundaries of the threat model can be fuzzy. A while ago I was working with a chip in a very similar situation: there was a public disclosure of an easy-to-reproduce voltage glitching attack that could bypass an important security mechanism. The chip had never claimed security against glitching attacks and had been built with no defences against that, so it was behaving as intended. But at least one large customer wasn't happy about the situation, because it made their products vulnerable to any moderately-capable attacker, and I believe they made the chip vendor aware that if the vulnerability wasn't fixed they'd stop using that chip. (This wasn't about assigning blame, it was just about deciding a path forwards). And the vendor didn't have any similar chips with stronger security guarantees, so they'd lose the customer to another vendor.

Instead they spent about a year (and presumably a lot of money) producing a new revision of the silicon with mitigations against that specific attack. They were clear that this still wasn't general protection against glitching attacks, and they made no promises - it was just a best-effort attempt to lower the risk within the constraints of a chip that wasn't designed for that. Evidently they thought it was worth doing it to mollify the customers, and the customers had indicated this change would be enough, at least for a few years while the vendor developed their next-generation chips that were really designed for (and advertised) physical security.

The threat model is useful for communicating expectations between chip vendors and customers, but when a vulnerability is discovered it appears theoretical arguments about classification don't really matter - what ultimately matters is the financial pressure from customers to fix it.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 6, 2023 20:41 UTC (Wed) by mfuzzey (subscriber, #57966) [Link] (9 responses)

I think another part of the problem is on the "consumer" side of CVEs.
Too many people want simple answers to complex problems.
CVEs provide that "it's got a number so needs a fix".
But reality is far more subtle and complex and depends on the use case and threat model and deployment environment, things that only the user can determine.

So I don't think it's possible to say, in the general case, if a voltage glitching attack should be considered in scope for some particular processor. That exact same processor could be used in widely different deployment scenarios. For example in a physically secued data center if someone has the physical access needed to do voltage glitching then you've probably got other issues whereas if the same processor were used in a media center maybe that could be a security issue (at least for those trying to use DRM).

Similarly vulerabilities like Spectre and Meltdown are a huge deal for cloud providers whose entire business is providing compute resources to allow mutually untrusting customers to run their arbitary code on the same physical hardware as they give arbitary read access across trust domains to anyone who can run their own code. On the other hand they're relatively irrelevant for most single purpose embedded devices that only run vendor supplied or approved code.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 7, 2023 19:53 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (8 responses)

> Similarly vulerabilities like Spectre and Meltdown are a huge deal for cloud providers whose entire business is providing compute resources to allow mutually untrusting customers to run their arbitary code on the same physical hardware as they give arbitary read access across trust domains to anyone who can run their own code. On the other hand they're relatively irrelevant for most single purpose embedded devices that only run vendor supplied or approved code.

IMHO, a significant part of the problem is that Spectre-like attacks *don't* give arbitrary read access to arbitrary memory. They give narrow read access to specific parts of memory under specific circumstances. The problem is that it is very, very difficult to figure out exactly what memory and what circumstances are vulnerable. Spectre isn't really one attack, it's a family of attacks, and each attack has its own quirks. Your threat model ends up being this amorphous fog of unknown-unknown side channels.

If Spectre was just "memory protection is dead, you can't run untrusted code on trusted hardware," then this would be a much simpler (albeit more expensive) problem. You would provision a whole CPU for a customer, entirely distrust everything that CPU does until it is deprovisioned and reset, and call it a day. But you can't do that in the real world, because it's overkill - your competitors will implement a series of more targeted fixes instead, and then they would massively undercut you on pricing, because they don't have to provision a whole CPU for each customer. So if you want to stay on the market, you have to play the Spectre whac-a-mole game with everybody else.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 8, 2023 18:27 UTC (Fri) by anton (subscriber, #25547) [Link] (7 responses)

Spectre vulnerability typically give read access to all the memory in the address space. In case of the Linux kernel this includes all of the physical memory AFAIK; that's why the Linux kernel developers actually do the dance of selective Spectre mitigations even though that's far too much work to be reasonable in general IMO. For virtual machines, I guess the guest can only access the memory assigned to its VM; so guests should be secure from each other as long as the hypervisor is secure (which currently means it has to use mitigations).

As for single-purpose embedded systems, they are usually safe because they usually use CPUs without speculation that are not vulnerable to Spectre. If they are vulnerable to Spectre, they might be attacked through the network even if they are single-purpose.

And between cloud providers and single-purpose embedded systems, there are many systems, such as smartphones and PCs, where the hardware is vulnerable, and where I see many people who write that they think that Spectre attacks are too hard to affect them, so they want to disable the mitigations for more performance. As long as many customers think that way, it's no wonder that AMD, ARM, and Intel are not fixing Spectre in hardware.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 9, 2023 12:14 UTC (Sat) by wtarreau (subscriber, #51152) [Link] (6 responses)

> As long as many customers think that way, it's no wonder that AMD, ARM, and Intel are not fixing Spectre in hardware.

No, the reason is that as long as you have can make use of any bit of history in a processor to amortize certain costs and increase performance, there will exist ways to measure it and exploit it. Disabling such history means disabling branch prediction and disabling all caches, and we're back to 8088-like performance, maybe even worse due to the time needed to fetch and decode instructions.

I think many people underestimate how important are such features that are sometimes exploited. Branch prediction, caches, TLBs etc all have a critical role to play and not disabling them while trying to work around Spectre-like attacks means having to find compromises that only slightly affect performance and are considered safe enough to last an extra year or two before the next attack.

On any shared resource system, competing activities are observable to some extents, and there's a point where the only fix if no compromise is acceptable, is to entirely dedicate the platform.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 10, 2023 16:19 UTC (Sun) by anton (subscriber, #25547) [Link] (5 responses)

You fail to distinguish between Spectre and other side-channel attacks. It is possible to fix Spectre while still using caches, branch prediction, and even speculative execution: Treat microarchitectural state like architectural state, as having a speculative state that gets thrown away when mispredictions are resolved, and a committed state; look for "invisible speculation" in the literature. It's also necessary to prevent side channels from resource contention, but there has been work on that, too.

It may not be possible to fix side-channel attacks on the architectural (i.e., committed) state, but at least in that case the mitigations are easier (at least if we only want to protect secret keys and the like): Write all the code that deals with these data in a way that is constant-time wrt. the data. The main bonus compared to Spectre mitigations is that the code that deals with secret keys (and where the mitigation has to be applied) is much smaller than all the code in the address space.

One reason why the pressure is so low on the hardware manufacturers for fixing Spectre in hardware is that many people have been made to think that we have to disable speculation in order to do that, and that costs too much performance to be acceptable. Some layman reading your post might even think that we have to disable branch predictors and caches, and that this results in 8088-like performance. We don't have to disable any of these performance techniques to fix Spectre. Besides, a modern CPU with modern RAM without caches and without branch prediction is at least as fast as a 386 without cache (and many were delivered without cache), probably somewhat faster.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 11, 2023 13:12 UTC (Mon) by paulj (subscriber, #341) [Link] (3 responses)

You could have 20k+ i386 cores on a chip today if you wanted, running at at least 5x the MHz of the original.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 11, 2023 14:44 UTC (Mon) by geert (subscriber, #98403) [Link]

And how will you manage to feed them code/data, from a bursty high-latency DDR5 memory interface?

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 13, 2023 4:30 UTC (Wed) by raven667 (subscriber, #5198) [Link] (1 responses)

ok, now I want to see someone manufacture a 20k-core i386 system just for the hell of it. I suppose it'd be treated like a GPU at this point.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 13, 2023 8:08 UTC (Wed) by zdzichu (subscriber, #17118) [Link]

I think Intel tried with Larrabee (and later with Xeon Phi). The original was tens of Pentium-like cores on a single chip.
You may guess how successful it was.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 11, 2023 14:02 UTC (Mon) by farnz (subscriber, #17727) [Link]

To put it slightly differently; we only care that the hardware makes it possible to avoid having side-channels in our software. We care about some side-channel attacks (e.g. ones that let a browser tab run JavaScript to dump session keys used by the browser for TLS), but not about others (e.g. ones that let my editor inspect the source code my compiler is reading, given that my editor can just open those source files directly).

As long as it is possible to write code that has no side-channels, therefore, we don't care if it's also possible to write code that's chock-full of side-channels. The problem with Spectre family attacks is that it's impossible to write code without side-channels when running on a processor that's vulnerable to any attack in that family.

Supplementing CVEs with !CVEs: conflicts of interest

Posted Dec 7, 2023 9:35 UTC (Thu) by pombredanne (guest, #113982) [Link]

Geofft wrote:

> The only people who would actually benefit, again, are the folks who want to catch CVEs like they're Pokémon.

This is an awesome way to state this. I will steal this quote from you

[...]

> Franky I don't think LWN should be giving these guys the publicity. This is just taking one of the major flaws of the CVE program and calling it a feature.

IMHO these discussions must happen to uncover the scams, and are therefore needed. And beyond the discussions, how to fix the problem *sigh* ?