MORE THAN A year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chips sold by Intel and AMD, putting practically every computer in the world at risk. But even as chipmakers scrambled to fix those flaws, researchers warned that they weren’t the end of the story but the beginning—that they represented a new class of security vulnerability that would no doubt surface again and again. Now, some of those same researchers have uncovered yet another flaw in the deepest guts of Intel’s microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim’s processor touches.
Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel’s chips. It’s four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer’s CPU to an attacker.
The researchers hail from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and security firms Cyberus, BitDefender, Qihoo360, and Oracle. The groups have named variants of the exploit techniques ZombieLoad, Fallout, and RIDL, or Rogue In-Flight Data Load. Intel itself has more tamely labeled the new set of attacks Microarchitectural Data Sampling, or MDS.
Intel had asked all the researchers—who split into two groups working independently—to keep their findings secret, some for more than a year, until it could release fixes for the vulnerabilities. But at the same time, the company has sought to downplay the severity of the bugs, according to the researchers, who warn that the attacks represent a serious flaw in Intel’s hardware that may require disabling some of its features, even beyond the company’s patch. AMD and ARM chips don’t appear to be vulnerable to the attacks, and Intel says that some models of chip it’s released in the past month include a fix for the problem. Otherwise, all of Intel’s chips that the researchers tested, going back as early as 2008, were affected. You can test if your system is affected with a tool the researchers published here.
Like Meltdown and Spectre, the new MDS attack takes advantage of security flaws in how Intel chips perform speculative execution, a feature in which a processor guesses ahead of time at what operations and data it will be asked to execute, in order to speed up the chip’s performance.
In these new cases, researchers found that they could use speculative execution to trick Intel’s processors into grabbing sensitive data that’s moving from one component of a chip to another. Unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip’s components, such as between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.
“It’s kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them,” says Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack. “We hear anything that these components exchange.”
“In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components,” reads one line of a VUSec paper on the flaws, which will be presented next week at the IEEE Symposium on Security and Privacy.
‘Easy To Do and Potentially Devastating’
The four different MDS attack variants all take advantage of a quirk in how Intel’s chips perform their time-saving trick. In speculative execution, a CPU frequently follows a branch of commands in code before a program asks it to, or guesses at the data the program is requesting, in order to get a head start. Think of that guess like a lazy waiter offering a random drink from his tray, in hopes of sparing himself a trip back to the bar. If the CPU guesses incorrectly, it immediately discards the result. (Under different conditions, the chip can grab data out of three different buffers, hence the researchers’ multiple attacks.)
Intel’s chip designers may have believed that a wrong guess, even one that serves up sensitive data, didn’t matter. “It throws these results away,” says VUSec’s Giuffrida. “But we still have this window of vulnerability that we use to leak the information.”
Just as with Meltdown and Spectre, the attacker’s code can leak the data that the processor has taken from the buffer via the processor’s cache. That whole process steals at most a few bytes of arbitrary data from one of the CPU’s buffers. But repeat it millions of times in succession and an attacker can start leaking streams of all the data the CPU is accessing in real time. With some other tricks, a low-privilege attacker can make requests that persuade a CPU to pull sensitive data like secret keys and passwords into its buffers, where they’re then sucked out by the MDS attack. Those attacks can take between milliseconds and hours, depending on the target data and the CPU’s activity. “It’s easy to do and potentially devastating,” says VUSec researcher Herbert Bos.
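The article notes that Intel’s patch alone may not be enough and that some chip features may need to be disabled; on Linux the feature in question is simultaneous multithreading (Hyper-Threading), and the kernel reports the MDS mitigation state in a sysfs file. The following shell check is an added example, not the researchers’ published tool or anything from the article: it classifies that status string so an administrator can tell a fully mitigated host from one that is patched but still exposes SMT. The file path and the exact status wording are assumptions based on Linux kernels that carry the MDS mitigation, and the fallback sample string is constructed.

```shell
#!/bin/sh
# Assumed location of the kernel's MDS status report (Linux kernels with MDS mitigation).
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS -> prints one of:
#   not_affected          CPU is not affected by MDS
#   mitigated             CPU buffers are cleared and SMT is disabled or mitigated
#   mitigated_smt_exposed microcode/kernel mitigation present, but SMT still on (residual risk)
#   vulnerable            no effective mitigation
#   unknown               string did not match any assumed format
classify_mds() {
  status="$1"
  case "$status" in
    "Not affected"*)                   echo "not_affected" ;;
    "Mitigation:"*"SMT vulnerable"*)   echo "mitigated_smt_exposed" ;;
    "Mitigation:"*)                    echo "mitigated" ;;
    "Vulnerable"*)                     echo "vulnerable" ;;
    *)                                 echo "unknown" ;;
  esac
}

# read_mds_status -> prints the live sysfs content when readable, otherwise a
# constructed sample in the assumed kernel format so the script runs anywhere.
read_mds_status() {
  if [ -r "$MDS_SYSFS" ]; then
    cat "$MDS_SYSFS"
  else
    echo "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
  fi
}

# report_mds -> one line suitable for an inventory or compliance log.
report_mds() {
  status="$(read_mds_status)"
  printf 'host=%s mds=%s raw="%s"\n' "$(hostname 2>/dev/null || echo unknown)" \
    "$(classify_mds "$status")" "$status"
}

report_mds
```

A result of mitigated_smt_exposed is the case the article warns about: the patch is applied, but buffers shared between sibling hyperthreads can still carry data across security domains until SMT is turned off.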