President Donald Trump had a Hanukkah reception at the White House on Wednesday afternoon. That would've been weird enough, given that the president told an Israeli American organization Saturday that they had "no choice" to vote for him because Elizabeth Warren would "take 100% of (their) wealth away," but Trump...
Editor's note: If you'd like an email notice whenever we publish Ross Ramsey's column, click here.
They wear their gunbelts a little tighter in Washington than in Texas.
You see that in the Texans in the U.S. Senate holding their ground on what’s known as “the boyfriend loophole” while statewide officials back home seem open to at least a conversation about some tougher gun regulation.
Don’t overstate what the locals are willing to do: Baby steps, folks. But officials like Gov. Greg Abbott and Lt. Gov. Dan Patrick have hinted at things that furrow the brows of people in the National Rifle Association and other Second Amendment groups.
That response to gun violence at the state level, however slight, isn’t being matched by Texas officials at the federal level. Here in Texas, there’s talk of “red flag” laws that would allow judges to temporarily seize the guns of people deemed dangerous to themselves or others, and of expanding required background checks to include person-to-person sales between strangers.
The first was an Abbott suggestion after mass shootings at Santa Fe High School and at Sutherland Springs Baptist Church. The second, a Patrick statement after mass shootings at an El Paso Walmart and at a number of locations in Odessa.
The political weathervanes in Washington haven’t recorded any such changes.
Last Saturday’s killing of Houston Police Sgt. Christopher Brewster prompted Police Chief Art Acevedo to call out U.S. Sens. John Cornyn and Ted Cruz of Texas for their part in blocking legislation that would ban sales of guns to dating partners convicted of domestic abuse or subject to restraining orders for abuse. Such a ban exists for abusers of family members, but not for boyfriends and girlfriends.
That provision of the reauthorization of the Violence Against Women Act has been called a poison pill by gun rights advocates. It passed in the Democrat-controlled House and stalled in the Republican-controlled Senate.
“I don’t want to see their little smug faces about how much they care about law enforcement when I’m burying a sergeant because they don’t want to piss off the NRA,” Acevedo said. "Make up your minds. Whose side are you on? Gun manufacturers, the gun lobby, or the children that are getting gunned down in this country every single day?”
That angered some officers; the Houston Police Officers Union scolded Acevedo for making a political message of Brewster’s death. Cornyn and Cruz responded by saying they’re not against some restrictions. They also pointed to laws already in place they said should have kept guns out of the hands of the officer’s killer.
“I was surprised to hear the chief, who I've long considered a friend. He has my number, and if he had bothered to call me, I would’ve told him that we agree that convicted abusers shouldn’t be allowed to own a gun,” Cornyn said. In a phone call with reporters this week, he didn’t respond to questions about how he would vote on the boyfriend loophole.
He said it appears that Arturo Solis, the killer, shouldn’t have had a gun because of earlier convictions for family violence.
“The fact is that this killer was a criminal whom federal law already prohibited from having a gun,” Cruz said in a written statement.
Cruz won reelection last year and won’t be on the ballot for his current job again until 2024. But Cornyn is on the ballot next year, set to face the winner of a crowded Democratic primary in the general election in November.
The federal law expired almost a year ago. A new version passed the U.S. House, but is stuck in the Senate because of proposals to close the boyfriend loophole, expand the protections to transgender victims and allow U.S. citizens to be tried for domestic violence in tribal courts, and other provisions.
Even in Texas, where some leaders seem open to some changes in gun laws, the Legislature has been reluctant to increase restrictions. Abbott’s call for consideration of red flag laws, which preceded last year’s elections and this year’s legislative session, fell flat when Patrick said it wouldn’t get out of the Senate he leads.
The shootings in El Paso and Odessa occurred after the Legislature ended its 86th session. Lawmakers aren’t scheduled to return until January 2021 — after the 2020 elections.
To counter the growing sophistication of computer attacks, Intel and other chipmakers have built digital vaults into CPUs to segregate sensitive computations and secrets from the main engine computers use. Now, scientists have devised an attack that causes the Software Guard Extensions—Intel's implementation of this secure CPU environment—to divulge cryptographic keys and induce potentially dangerous memory errors.
Plundervolt, as the attack has been dubbed, starts with the assumption that an attacker is able to run privileged software on a targeted computer. While that's a lofty prerequisite, it's precisely the scenario Intel's SGX feature is designed to protect against. The chipmaker bills SGX as a private region that uses hardware-based memory encryption to isolate sensitive computations and data from malicious processes that run with high privilege levels. Intel goes as far as saying that "Only Intel SGX offers such a granular level of control and protection."
But it turns out that subtle fluctuations in voltage powering the main CPU can corrupt the normal functioning inside the SGX. By subtly increasing or decreasing the current delivered to a CPU—operations known as "overvolting" and "undervolting"—a team of scientists has figured out how to induce SGX faults that leak cryptographic keys, break integrity assurances, and potentially induce memory errors that could be used in other types of attacks. While the exploit requires the execution of privileged code, it doesn't rely on physical access, raising the possibility of remote attacks.
The breakthrough leading to these attacks was the scientists' ability to use previous research into the undocumented model-specific register inside the x86 instruction set to abuse the dynamic voltage scaling interface that controls the amount of voltage used by a CPU. Also noteworthy is surgically controlling the voltage in a way that introduces specific types of attacks.
In this paper, we present Plundervolt, a novel attack against Intel SGX to reliably corrupt enclave computations by abusing privileged dynamic-voltage-scaling interfaces. Our work builds on reverse engineering efforts that revealed which Model-Specific Registers (MSRs) are used to control the dynamic voltage scaling from software [64, 57, 49]. The respective MSRs exist on all Intel Core processors. Using this interface to very briefly decrease the CPU voltage during a computation in a victim SGX enclave, we show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX's memory integrity protection fails to defend against our attacks. To the best of our knowledge, we are the first to practically showcase an attack that directly breaches SGX's integrity guarantees. In summary, our main contributions are:
1) We present Plundervolt, a novel software-based fault attack on Intel Core x86 processors. For the first time, we bypass Intel SGX's integrity guarantees by directly injecting faults within the processor package.
2) We demonstrate the effectiveness of our attacks by injecting faults into Intel's RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts.
3) We explore the use of Plundervolt to induce memory safety errors into bug-free enclave code. Through various case studies, we show how in-enclave pointers can be redirected into untrusted memory and how Plundervolt may cause heap overflows in widespread SGX runtimes.
4) Finally, we discuss countermeasures and why fully mitigating Plundervolt may be challenging in practice.
The researchers privately reported the vulnerability to Intel ahead of Tuesday's publication. In response, Intel has released microcode and BIOS updates that mitigate attacks by locking voltage to the default settings. Readers using Intel Core processors from Skylake onward and some platforms based on Xeon E should install INTEL-SA-00289 once it becomes available from respective computer makers. The vulnerability is tracked as CVE-2019-11157.
Plundervolt most resembles the second category of attack, which abuses "speculative execution," a feature that speeds up operations by anticipating tasks and memory accesses before they're actually called. Like Plundervolt, Foreshadow also allowed attackers to read contents stored in the SGX. Plundervolt, however, uses means other than speculative execution.
Instead, Plundervolt causes voltage-induced faults inside the SGX that corrupt the computations that take place there. Among other things, these errors can be useful in reconstructing the cryptographic keys stored in SGX-regions of a CPU. The attack works by inducing faults in the encrypted plaintext data and comparing it with the same underlying text that has been properly encrypted.
The researchers explained:
Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 2^32 + 256 encryptions on average. We have run this attack in practice and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.
The researchers went on to provide the steps required to reproduce the attack. The video below shows it in action:
[Video: Plundervolt - Faulting AES inside SGX]
The researchers also used Plundervolt to "cause memory safety misbehavior in certain situations." The misbehavior allows attackers to cause normally secure code to access memory regions that are outside of architecturally defined bounds. That raises the possibility of conditions leading to dangerous buffer overflows, Spectre-style attacks, or corruptions or disclosures involving the heap.
Don’t sweat it
As noted, researchers have devised previous attacks that chip away at the confidentiality and integrity provided by silicon chips, including functions inside the SGX and similar secure environments built into chips from Intel competitors. Plundervolt goes a step further, in part by targeting the x86 instruction set architecture of the CPU.
The researchers wrote:
While there is a long line of work on dismantling SGX's confidentiality guarantees as well as exploiting classical memory safety vulnerabilities in enclaves, Plundervolt represents the first attack that directly violates SGX's integrity guarantees for functionally correct enclave software. By directly breaking ISA-level processor semantics, Plundervolt ultimately undermines even relaxed "transparent enclaved execution" paradigms that solely require integrity of enclave computations while assuming unbounded side-channel leakage.
Plundervolt is newsworthy because it defeats a hardware region that's reserved for a user's most sensitive computations and data. It may also provide building blocks for more serious types of attacks in the future.
At the same time, a combination of factors prevents the attack from working at all against average people and leaves it posing only a remote threat to users inside data centers and business settings. The reasons: SGX is by default turned off and is only enabled with tweaks to the BIOS. What's more, getting privileged code to run on a targeted machine is a high bar, and attackers who succeed have much easier ways to obtain sensitive data. Last, the skill required to make Plundervolt work is also considerable, making it more esoteric than practical.
Readers should check with their computer maker to find out how to get patches, and when fixes become available, people should install them. Until then, they should go on with their normal computing routine and not sweat it.
Last year, Dallas' police and fire departments teamed up with Parkland Hospital to rethink how they responded to 911 calls involving mental health crises. They placed a social worker inside the dispatch center to triage calls and sent out a special team staffed with a mental health professional whenever possible...
President Donald Trump has made his son-in-law, Jared Kushner, the de facto project manager for constructing his border wall, frustrated with a lack of progress over one of his top priorities as he heads into a tough reelection campaign, according to current and former administration officials.
Kushner convenes biweekly meetings in the West Wing, where he questions an array of government officials about progress on the wall, including updates on contractor data, precisely where it will be built and how funding is being spent. He also shares and explains the president’s wishes with the group, according to the officials familiar with the matter, who spoke on the condition of anonymity to discuss internal White House deliberations.
The president’s son-in-law and senior adviser is pressing U.S. Customs and Border Protection and the U.S. Army Corps of Engineers to expedite the process of taking over private land needed for the project as the government seeks to meet Trump’s goal of erecting 450 miles of barriers along the U.S.-Mexico border by the end of 2020. More than 800 filings to seize private property will need to be made in the coming months if the government is going to succeed, officials said.
Kushner has told other West Wing officials that he is in charge of the wall, according to aides, and that it is paramount to Trump that at least 400 miles be built by Election Day.
“The point is to get as much built in the next year or so, so the president can say in the face of intense, almost demented opposition he has made reasonable progress,” said Mark Krikorian, director of the Center for Immigration Studies, a Washington think tank that seeks to restrict immigration and supports many of Trump’s policies.
Trump campaigned on a promise to construct a wall along the southern border and to make Mexico pay for the project as part of his plan to limit illegal immigration. But Mexico scoffed at paying for a barrier it opposes, and Trump has not been able to get Congress to provide the funding he has requested because of Democrats’ opposition over what they have called the symbol of the president’s anti-immigrant agenda. The result is that, while some existing barriers have been replaced with sturdier structures, only limited areas of new wall have been built.
Now Trump is banking on his son-in-law to turn what has been an intractable problem for his administration into a success.
Mark Morgan, the acting CBP commissioner, said Kushner expedited decisions on land acquisitions and construction issues and was key to bringing everyone together in the same room.
“He doesn’t need to know the intricacies of the wall. He understands building stuff. He understands timelines,” Morgan said.
But Kushner has clashed with the career officials who have questioned some of his ideas, such as installing web cameras to livestream construction. He has blamed former chief of staff John F. Kelly and former homeland security Secretary Kirstjen Nielsen for not focusing enough on the wall, senior administration officials said. For their part, former officials have said Kushner displays a lack of knowledge of the policy issues and politics involved in the immigration debate.
The wall adds to Kushner’s growing portfolio of responsibilities, which some of his critics have said border on comical. Since the start of the Trump presidency, Kushner has been entrusted with striking a Middle East peace deal, taking a lead role on trade policy, overseeing criminal justice reform and modernizing the government, with mixed results. Kushner is also seeking to again push an overhaul of the legal immigration system after his first attempt failed to gain much support in Congress, and he has taken on a leadership role in the 2020 presidential campaign.
Some of Kushner’s critics say he can be tone deaf when it comes to politics and does not understand or respect the value of having multiple agencies work through an official process on a project. And they snidely joke that it is ironic that an aide Trump occasionally mocks as a Democrat is in charge of the project, which has attracted significant criticism. But he remains the most influential adviser in the West Wing and enjoys a level of trust from the president that makes him unique within the administration, according to current and former administration officials.
“My hope is Jared can put a more laser focus on the project and the process. Maybe he can light a fire under the responsible agencies, but if recent history is any indication, he will get frustrated before he gets results,” said Sen. Kevin Cramer, a North Dakota Republican who has frequently talked with Trump about the project.
Officials closely involved with the border wall project said Kushner has become increasingly involved in the details related to acquiring needed properties and pushing government attorneys to gain control of the parcels as quickly as possible, acting on Trump’s directive to “take the land.”
The White House declined to comment, but Kushner’s defenders in the administration said he is bringing a private sector approach to the project.
Army Corps leaders have expressed concerns about Kushner’s aggressive view of the government’s eminent domain authorities, which allow it to take over private land for public use, telling him they are committed to following established legal procedures.
During a recent meeting with officials at the border, Army Corps Lt. Gen. Todd Semonite told them to follow the law and not worry about politics, a person with knowledge of the meeting said.
One person involved in the construction of the wall, who spoke on the condition of anonymity to talk candidly, said Kushner has annoyed officials involved in the process because they said he displayed a lack of knowledge about the government procurement process and the “realities” of the project.
“So he took a much more hands-on role in figuring out, mile by mile, how to get more wall up,” this person said. “It didn’t help put wall up faster and cheaper. His interventions actually just created more inefficiency in the process.”
The Trump administration has completed 83 miles of new barriers so far, according to the latest CBP figures, but nearly all of that is classified as “replacement wall,” typically swapping out older, smaller structures for a row of steel bars 18 to 30 feet in height.
Kushner insists the administration remains on target to meet the president’s goal of 450 miles by the end of next year, a pace that will require construction to accelerate at least fourfold, according to government data reviewed by The Washington Post. The president’s son-in-law has set a goal of 30 to 35 miles of new barriers per month by spring, requiring crews to average a new linear mile of fencing every day.
In recent months, the project has picked up momentum in Western states where crews are able to build on remote desert land already controlled by the government.
Administration officials acknowledge that building in those areas amounts to the lowest-hanging fruit for the border wall project. In Texas, the project is significantly more complex.
There, the border runs more than 1,200 miles along the sinuous course of the Rio Grande, and nearly all of the land where the government needs to build is privately owned.
The Trump administration’s plan includes 166 miles of new barriers in Texas, and nearly all of that will have to be built on private land. For Kushner to meet Trump’s timeline, the government will have to obtain hundreds of privately owned parcels and complete construction in the next 13 months.
The area presents engineering challenges to the administration, as well as real estate ones, because the Rio Grande flood plain requires much of the structure to be installed along river levees, at a significantly higher cost.
Former officials closely involved with the project disputed that Kushner will have an easier time making progress than past officials who ran point on the issue and disputed the claim that Nielsen and Kelly lacked focus or urgency, insisting that the pace of construction has been determined by the availability of funding and the acquisition of private land.
One former Department of Homeland Security official said the administration, to date, has been careful to follow established guidelines for the use of eminent domain. “We weren’t taking people’s land willy-nilly,” said the official.
Another official who defended Nielsen said she struggled to get former defense secretary Jim Mattis to view the wall project as a priority, and his frustration with the president’s plans to use military funding contributed to a lack of urgency at the Pentagon and the Army Corps.
The president’s frequently shifting design requests also sapped momentum, former officials said, and it usually fell to Nielsen to explain why some of his ideas were not feasible. Trump grew irritated at Nielsen’s naysaying and fired her in April.
Trump regularly changes his mind about the project, according to current and former aides. Growing frustrated with contractors, he has at times encouraged aides to eschew the traditional contracting process — and just go with a firm he knows from New York — which has drawn resistance, these aides said.
Trump has called for irregular requests, like building large ditches, using pointy spikes or painting the wall matte black so it will be hot to the touch.
After Kushner took control of the project, he elevated the regular meetings to executive-level gatherings at the White House requiring the attendance of Cabinet-level officials. He also demanded a new project plan with timetables and construction targets. Kushner has talked with other officials about securing money for the wall — even mentioning using military construction funds again, a notion that is likely to attract resistance from Capitol Hill.
Morgan said Kushner asked detailed questions and “nitty-gritty details” about specific parts of the project in the meetings, which often stretch more than an hour.
“There are very real concerns,” Morgan said. “We’re being sued on a regular basis on multiple fronts. Land acquisition is a very, very challenging process. We’re trying to become more efficient and get more done. There are real challenges.”
In early January, Kushner asked then-acting CBP Commissioner Kevin McAleenan whether closing border loopholes or building the wall would do the most to curb illegal immigration, and McAleenan said closing loopholes would do far more to curb immigration.
Still, Kushner has told others that a wall has to be built because his father-in-law promised it would be.
“Kushner said something to the effect of, ‘We’ve basically wasted two years,’” said a person with knowledge of the meeting with McAleenan.