Tuesday, May 14th 2019

Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

Ouch doesn't even begin to describe how much that headline hurt. As far as speculative execution goes, it's been well covered by now, but here's a refresher. Speculative execution essentially means that your CPU tries to think ahead of time on what data may or may not be needed, and processes it before it knows it's needed. The objective is to take advantage of concurrency in the CPU design, keeping processing units that would otherwise be left idle to process and deliver results on the off-chance that they are indeed required by the system: and when they are called for, the CPU saves time by not having to process them on the fly and already having them available.

The flaws have been announced by Intel in coordination with Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany and security firms Cyberus, BitDefender, Qihoo360 and Oracle. While some of the parties involved have named the four identified flaws with names such as "ZombieLoad", "Fallout", and RIDL, or "Rogue In-Flight Data Load", Intel is using the PEGI-13 "Microarchitectural Data Sampling (MDS)" name.

Update May 15th: Intel has released benchmarks that show the performance impact of the MDS mitigations.
Update May16th: Apparently Intel tried to swipe the issue under the rug with a generous donation to the researchers.

The issue at hand here, defined by Intel's pretty tame MDS, is that like other side-channel attacks, exploits may allow hackers to obtain information that was otherwise deemed secure, had it not been run through the CPU's speculative execution processes. While Meltdown read sensitive information that was being stored in memory due to the speculative execution functions on Intel's CPUs, MDS attacks read the data on the CPU's various buffers - between threads, along the way to the CPU cache, and others. The researchers say that this flaw can be used to siphon data from the CPU at a rate that can approach real-time, and can be used to selectively pull what information is deemed important: whether it's passwords or what websites the user is visiting at the moment of the attack, it's all fair game.

Intel says that significant software changes will be needed to harden systems against this exploit, not only from themselves, but from operating system vendors and third party app creators. One of the proposed solutions is that every time a processor would switch from one third-party app to another, from a Windows process to a third-party app, or even from less trusted Windows processes to more trusted ones, the buffers have to be cleared or overwritten. This means a whole new cycle of data gathering and writing beings every time you call up a different process - and you bet that carries a performance penalty, which Intel is putting at a "minimal" up to 9%.

Intel detailed the vulnerability in its whitepaper and admitted that disabling HT might be warranted as a protection against MDS attacks - and you can imagine how much the company must have loathed to publish such a thing. Intel's HT has been heavily hit by repeated speculative execution flaws found on Intel processors, with mitigations usually costing some sort of performance on Intel's concurrent processing technology. Intel says its engineers discovered the MDS vulnerabilities last year, and that it has now released fixes for the flaw in both hardware and software. Although obviously, the software fixes will have to be deployed either on microcode updates or will have to be implemented by every operating system, virtualization vendor, and other software makers.

Intel also said that its 8th and 9th generation processors already include the hardware mitigations that defeat the exploitation of MDS, but previous architectures back to Nehalem are vulnerable. But why play it on expectations: you can take a test that has been published by the researchers right here.

The CVE codes for the vulnerabilities stand as such:
  • CVE-2018-12126 Microarchitectural Store Buffer Data Sampling (MSBDS)
  • CVE-2018-12130 Microarchitectural Fill Buffer Data Sampling (MFBDS)
  • CVE-2018-12127 Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2019-11091 Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
Sources: Wired, MDS Attacks Test
Add your own comment

104 Comments on Yet Another Speculative Malfunction: Intel Reveals New Side-Channel Attack, Advises Disabling Hyper-Threading Below 8th, 9th Gen CPUs

So I guess my G620 needs to be also disabled on HT ?
Posted on Reply
New One:
Fallout: Reading Kernel Writes From User Space

Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Frank Piessens, Berk Sunar, Yuval Yarom

(Submitted on 29 May 2019)

Recently, out-of-order execution, an important performance optimization in modern high-end processors, has been revealed to pose a significant security threat, allowing information leaks across security domains. In particular, the Meltdown attack leaks information from the operating system kernel to user space, completely eroding the security of the system. To address this and similar attacks, without incurring the performance costs of software countermeasures, Intel includes hardware-based defenses in its recent Coffee Lake R processors.
In this work, we show that the recent hardware defenses are not sufficient. Specifically, we present Fallout, a new transient execution attack that leaks information from a previously unexplored microarchitectural component called the store buffer. We show how unprivileged user processes can exploit Fallout to reconstruct privileged information recently written by the kernel. We further show how Fallout can be used to bypass kernel address space randomization. Finally, we identify and explore microcode assists as a hitherto ignored cause of transient execution.
Fallout affects all processor generations we have tested. However, we notice a worrying regression, where the newer Coffee Lake R processors are more vulnerable to Fallout than older generations.
Posted on Reply
New One:

Ironic that changes made in order to have more security VS some exploits actually makes it more vulnerable to this latest exploit.

Some clarification required:
Fallout affects all processor generations we have tested.
Does that include non-Intel CPUs?
Posted on Reply
Add your own comment