Tuesday, May 14th 2019

Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

Ouch doesn't even begin to describe how much that headline hurt. As far as speculative execution goes, it's been well covered by now, but here's a refresher. Speculative execution essentially means that your CPU tries to think ahead of time on what data may or may not be needed, and processes it before it knows it's needed. The objective is to take advantage of concurrency in the CPU design, keeping processing units that would otherwise be left idle to process and deliver results on the off-chance that they are indeed required by the system: and when they are called for, the CPU saves time by not having to process them on the fly and already having them available.

The flaws have been announced by Intel in coordination with Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. While some of the parties involved have named the four identified flaws with names such as "ZombieLoad", "Fallout", and RIDL, or "Rogue In-Flight Data Load", Intel is using the PEGI-13 "Microarchitectural Data Sampling (MDS)" name.
Update May 15th: Intel has released benchmarks that show the performance impact of the MDS mitigations.
Update May16th: Apparently Intel tried to swipe the issue under the rug with a generous donation to the researchers.

The issue at hand here, defined by Intel's pretty tame MDS, is that like other side-channel attacks, exploits may allow hackers to obtain information that was otherwise deemed secure, had it not been run through the CPU's speculative execution processes. While Meltdown read sensitive information that was being stored in memory due to the speculative execution functions on Intel's CPUs, MDS attacks read the data on the CPU's various buffers - between threads, along the way to the CPU cache, and others. The researchers say that this flaw can be used to siphon data from the CPU at a rate that can approach real-time, and can be used to selectively pull what information is deemed important: whether it's passwords or what websites the user is visiting at the moment of the attack, it's all fair game.


Intel says that significant software changes will be needed to harden systems against this exploit, not only from themselves, but from operating system vendors and third party app creators. One of the proposed solutions is that every time a processor would switch from one third-party app to another, from a Windows process to a third-party app, or even from less trusted Windows processes to more trusted ones, the buffers have to be cleared or overwritten. This means a whole new cycle of data gathering and writing beings every time you call up a different process - and you bet that carries a performance penalty, which Intel is putting at a "minimal" up to 9%.

Intel detailed the vulnerability in its whitepaper and admitted that disabling HT might be warranted as a protection against MDS attacks - and you can imagine how much the company must have loathed to publish such a thing. Intel's HT has been heavily hit by repeated speculative execution flaws found on Intel processors, with mitigations usually costing some sort of performance on Intel's concurrent processing technology. Intel says its engineers discovered the MDS vulnerabilities last year, and that it has now released fixes for the flaw in both hardware and software. Although obviously, the software fixes will have to be deployed either on microcode updates or will have to be implemented by every operating system, virtualization vendor, and other software makers.

Intel also said that its 8th and 9th generation processors already include the hardware mitigations that defeat the exploitation of MDS, but previous architectures back to Nehalem are vulnerable. But why play it on expectations: you can take a test that has been published by the researchers right here.

The CVE codes for the vulnerabilities stand as such:
  • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
Sources: Wired, MDS Attacks Test
Add your own comment

104 Comments on Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

#1
HwGeek
It's not their year, The rush for new AMD Ryzen will be crazy IMO, dirty cheap and more performance for all "Old Intel " below 8th Gen.
Posted on Reply
#2
natr0n
You can disable cpu caching and etc.. in bios.
Posted on Reply
#3
Vulpesveritas
By what I've read, 9th generation processors may in fact be even more susceptible to these attacks, despite Intel's claims otherwise, due to the fix for spectre/meltdown making it easier for these new attacks to function.

Here's a detailed webpage covering things on how it works, for anyone interested: https://mdsattacks.com/
Posted on Reply
#4
R0H1T
At this point Intel should just trademark their own variety of Swiss Cheese :shadedshu:
Posted on Reply
#5
Lindatje
Heavy performance hit on Intel CPU`s incoming.

How relevant are the benchmarks after any software updates? And how secure are the software updates if it needs to be resolved by a hardware fix?

Bye Intel, hello AMD.
Posted on Reply
#6
HD64G
And because of another major vulnerability, i7s are becoming i5s. Imho, many servers and data centers will soon change to Zen cpus without 2nd thoughts with all those security problems.
Posted on Reply
#7
ShurikN
With security like this, it's no wonder they managed to achieve such high IPC.
Another performance nerf incoming.
Posted on Reply
#8
Eskimonster
oh my goat, i cant wait to build new AMD platform.
Posted on Reply
#9
altcapwn
"This includes the latest 9th-generation processors, despite their in-silicon mitigations for Meltdown. Ironically, 9th-generation CPUs are more vulnerable to some of our attacks compared to older generation hardware. "

Oh well
Posted on Reply
#10
ExV6k
natr0n, post: 4047395, member: 102496"
You can disable cpu caching and etc.. in bios.
And for only a mere 70% drop in CPU performance.
/s
Posted on Reply
#12
Assimilator
This is really starting to get ridiculous now...
Posted on Reply
#13
lemonadesoda
Rävenlord, someone needs to profo raed yuor hihgspede typnig. Pellscheck?


Posted on Reply
#14
adulaamin
Ooohhh... I might just sell the unassembled parts I have for an Intel build...
Posted on Reply
#15
natr0n
ExV6k, post: 4047421, member: 168246"
And for only a mere 70% drop in CPU performance.
/s
On my xeon server I disabled all caching/prefeching and gained performance. So no idea where you got that info.
Posted on Reply
#16
krykry
[IMG width="453px"]https://i.imgur.com/7bLvcmL.png[/IMG]
Posted on Reply
#17
zlobby
natr0n, post: 4047435, member: 102496"
On my xeon server I disabled all caching/prefeching and gained performance. So no idea where you got that info.
Even if true, it's highly dependent on workloads. It's there for a reason!

Assimilator, post: 4047431, member: 7058"
This is really starting to get ridiculous now...
It always has been. Only before people were 'Ermahgerd my intelz makes moar performancez' and naturally, intel let it go, looking at the ceiling.
Posted on Reply
#19
TheGuruStud
They ignored the last one lol. I guess they'll comment on this one, so you can "upgrade".
Posted on Reply
#20
N3utro
How convenient for intel that most of their older processors are impacted so we buy their new ones.

Until we see a working proof of concept, intel can bite my ass. I'm not changing my CPU for a dark CVE number with no proof.
Posted on Reply
#21
efikkan
As I've mentioned before, we shouldn't be surprised about new attack vectors for these timing attacks, as long as there is an underlying weakness, there is a potential for more undiscovered attack vectors.

Still, for desktop users risks will be very low as long as the malicious software has to be run locally, and for e.g. the Spectre variants where it's more like a theoretical possibility than something that would be practical to actually steal useful information.

I would advice against participating in "schadenfreude", just because these specific attack vectors are Intel specific, doesn't mean others are not affected by similar problems. We've see in the past how vulnerabilities from Intel has led to discoveries of similar problems in other designs, not only AMD, but also the huge spectrum of ARM designs in existence. We should not assume they are "invulnerable" to this class of attacks just because we haven't found anything yet, we can't know that with a reasonable certainty until they have been carefully vetted. Hopefully the last two years of discoveries will lead to more consciousness about designing for security in hardware, something which seems to be largely "lacking" until now.

Once again we see both speculative execution and SMT as elements of vulnerabilities. It's important to emphasize that none of these are flawed in principle, but have certain security implications that people have either ignored or been unaware of. Speculative execution have certain pitfalls by itself, but have magnitudes more once SMT is put into the mix. While it's still possible to actually do this securely, the pitfalls of SMT will only increase with architectural complexity, and the cost of dealing with this does too, and since the performance gains from SMT are diminishing with increasing IPC, SMT should be abandoned sooner rather than later. One interesting side-note is that recent rumors of Zen 3 claim support for 4-thread SMT, which would if true increase the potential pitfalls even more.

Most, if not all of these require the attacker to already have access to a machine, and in many cases a whole lot of additional conditions have to apply. Another unrelated example would be the much hyped AMD vulnerability of flashing unsigned BIOSes, which still required root access and/or physical access.
We should never assume a single security measure is impenetrable by itself, and instead build security in layers, where multiple vulnerabilities are required to execute a successful attack. Doing so have been established as good practices for ages, but times are now actually changing for the worse, as companies are moving more and more of their essential infrastructure into the public cloud, where a single vulnerability in either hardware, hypervisor or the cloud management is enough to bypass any security measure. All of a sudden, we have just a single line of defense against the attackers. I'm just hoping this cloud hype dies down before some major incident occurs.
</rant>
Posted on Reply
#22
Ferrum Master
I have a feeling... It is like intentional.

Push to upgrade... Halo threats...
Posted on Reply
#23
mugatopdub21
You sir deserve a medal! Yes yes and more yes! Finally, someone with some common sense to hopefully enlighten the masses. Listen to this person! You'll notice I didn't amend anything - it was written perfectly =)

efikkan, post: 4047473, member: 150226"
As I've mentioned before, we shouldn't be surprised about new attack vectors for these timing attacks, as long as there is an underlying weakness, there is a potential for more undiscovered attack vectors.

Still, for desktop users risks will be very low as long as the malicious software has to be run locally, and for e.g. the Spectre variants where it's more like a theoretical possibility than something that would be practical to actually steal useful information.

I would advice against participating in "schadenfreude", just because these specific attack vectors are Intel specific, doesn't mean others are not affected by similar problems. We've see in the past how vulnerabilities from Intel has led to discoveries of similar problems in other designs, not only AMD, but also the huge spectrum of ARM designs in existence. We should not assume they are "invulnerable" to this class of attacks just because we haven't found anything yet, we can't know that with a reasonable certainty until they have been carefully vetted. Hopefully the last two years of discoveries will lead to more consciousness about designing for security in hardware, something which seems to be largely "lacking" until now.

Once again we see both speculative execution and SMT as elements of vulnerabilities. It's important to emphasize that none of these are flawed in principle, but have certain security implications that people have either ignored or been unaware of. Speculative execution have certain pitfalls by itself, but have magnitudes more once SMT is put into the mix. While it's still possible to actually do this securely, the pitfalls of SMT will only increase with architectural complexity, and the cost of dealing with this does too, and since the performance gains from SMT are diminishing with increasing IPC, SMT should be abandoned sooner rather than later. One interesting side-note is that recent rumors of Zen 3 claim support for 4-thread SMT, which would if true increase the potential pitfalls even more.

Most, if not all of these require the attacker to already have access to a machine, and in many cases a whole lot of additional conditions have to apply. Another unrelated example would be the much hyped AMD vulnerability of flashing unsigned BIOSes, which still required root access and/or physical access.
We should never assume a single security measure is impenetrable by itself, and instead build security in layers, where multiple vulnerabilities are required to execute a successful attack. Doing so have been established as good practices for ages, but times are now actually changing for the worse, as companies are moving more and more of their essential infrastructure into the public cloud, where a single vulnerability in either hardware, hypervisor or the cloud management is enough to bypass any security measure. All of a sudden, we have just a single line of defense against the attackers. I'm just hoping this cloud hype dies down before some major incident occurs.
</rant>
Posted on Reply
#24
R-T-B
N3utro, post: 4047456, member: 174748"
Until we see a working proof of concept
That test in the article is one.

altcapwn, post: 4047419, member: 175039"
"This includes the latest 9th-generation processors, despite their in-silicon mitigations for Meltdown. Ironically, 9th-generation CPUs are more vulnerable to some of our attacks compared to older generation hardware. "

Oh well
Citation?
Posted on Reply
#25
Manu_PT
Glad I jumped straight from an i5 4690 to a 9700k wich doesnt have HT.
Posted on Reply
Add your own comment