Wednesday, March 11th 2020

Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

A new class of security vulnerabilities affects Intel processors, causing them to leak sensitive information when probed in a certain way, but that is not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat; however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers, at risk.

"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the researchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found on the research group's website.
Many thanks to biffzinker for the tip. Source: The Register

91 Comments on Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

#1
btarunr
Editor & Senior Moderator
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
Posted on Reply
#2
Yukikaze
Err, but the whole point of the bug bounty program is for people to actively research and report vulnerabilities. You can't fix what you don't know. The cottage industry is an important part of what drives security research, both in CPUs and in other areas.

Hiding the issues won't help the computing world, because determined attackers will find (a subset of) them.
Posted on Reply
#3
R0H1T
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.
That's ridiculous ~ you want your credibility down in the gutter, much like what many of us forum dwellers complain about; that's the one-point plan that'll instantly teleport you over there. Killing the BBP will spook more potential buyers, especially in the enterprise segment!
Posted on Reply
#4
lexluthermiester
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty.
I disagree. This is a difficult learning process for both Intel and AMD, but the fruits of the bounty programs are clear: software and hardware are getting more secure and less prone to being hacked by criminals, malicious entities and even governments.
btarunr
The program has clearly sprung up a cottage industry of security researchers (uni professors and college grads) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties.
Nothing wrong with that. It's been happening for decades; now they are just getting rewarded for their efforts, and rightly so.
Posted on Reply
#5
Ferrum Master
This is sad.

Bta should indeed tame down. Jesus (the living one) might see it.

No progress and development should be ceased because of hiding things.

The black market will live on; now it is just more profitable to report it officially, whereas before those things were sold to whoever made the offer...

If one cannot comprehend it, it is sad. The can of worms is open.
Posted on Reply
#7
lexluthermiester
Ferrum Master
This is sad.

Bta should indeed tame down. Jesus (the living one) might see it.

No progress and development should be ceased because of hiding things.

The black market will live on; now it is just more profitable to report it officially, whereas before those things were sold to whoever made the offer...

If one cannot comprehend it, it is sad. The can of worms is open.
I think you're over-reacting just a little bit.
Posted on Reply
#8
biffzinker
Intel is unable to fix their current CPUs with a microcode update this time to flush the buffers.
microcode updates to flush affected buffers are no longer sufficient. Instead, complementary to existing Spectre software mitigations, LVI necessitates compiler patches to insert explicit lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction.
The SGX enclaves are affected by LVI. The expected performance impact of 2x-19x is for accessing an SGX enclave. If I understood it correctly.
Posted on Reply
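The two code rewrites the quoted mitigation describes (an lfence after a load, and `ret` replaced by an explicit pop, fence and indirect jump), written out by hand as an added example; this is not code from the article, the LVI paper or any shipped compiler, and it assumes GCC/Clang on x86-64 Linux (AT&T syntax, ELF), with a plain-C fallback elsewhere.

```c
/* Added example (not from the article, the LVI paper or any compiler):
 * the two rewrites the quoted mitigation describes, hand-written in
 * GCC/Clang inline assembly. Assumes x86-64 AT&T syntax on an ELF
 * (Linux) target; elsewhere it falls back to plain C. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) && defined(__ELF__)

/* Rewrite 1: an lfence directly after a load, so nothing that depends
 * on the loaded value executes transiently on an injected value. */
static inline uint64_t lvi_load_u64(const uint64_t *p)
{
    uint64_t v;
    __asm__ volatile("movq (%1), %0\n\t"
                     "lfence"
                     : "=r"(v) : "r"(p) : "memory");
    return v;
}

/* Rewrite 2: the implicit load inside `ret` cannot be fenced in place,
 * so `ret` becomes pop of the return address, lfence, indirect jump. */
__asm__(".text\n"
        ".globl lvi_hardened_return_u64\n"
        ".type  lvi_hardened_return_u64, @function\n"
        "lvi_hardened_return_u64:\n"
        "    movq  (%rdi), %rax\n"  /* load *p into the return register */
        "    lfence\n"              /* fence the explicit load */
        "    popq  %rcx\n"          /* return address, now an explicit load */
        "    lfence\n"              /* fence it before it is used */
        "    jmpq  *%rcx\n"         /* jump back instead of ret */
        ".size  lvi_hardened_return_u64, .-lvi_hardened_return_u64\n");
uint64_t lvi_hardened_return_u64(const uint64_t *p);

#else
static inline uint64_t lvi_load_u64(const uint64_t *p) { return *p; }
uint64_t lvi_hardened_return_u64(const uint64_t *p) { return *p; }
#endif

/* Read a constructed value through both paths; 0 if they disagree. */
uint64_t lvi_demo(void)
{
    static const uint64_t sample = 0x0123456789abcdefULL; /* constructed */
    uint64_t a = lvi_load_u64(&sample);
    uint64_t b = lvi_hardened_return_u64(&sample);
    return (a == b) ? a : 0;
}

int main(void)
{
    printf("both paths return %#llx\n", (unsigned long long)lvi_demo());
    return 0;
}
```

Compare the object code of a normal `*p` read and `ret` against these two routines to see exactly what the compiler-level mitigation adds to every affected load.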
#9
Ferrum Master
biffzinker
Intel is unable to fix their current CPUs with a microcode update this time to flush the buffers.
The SGX enclaves are affected by LVI. The expected performance impact of 2x-19x is for accessing an SGX enclave. If I understood it correctly.
Hard to tell.

"In our current assessment, we believe that LVI is mainly only relevant to Intel SGX enclaves. However, in the academic paper we showed that none of the ingredients for LVI are unique to Intel SGX and LVI attacks can in principle apply to non-SGX traditional cross-process, cross-virtual-machine, or user-to-kernel environments."
Posted on Reply
#10
r.h.p
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
If any, does this affect the regular Intel gamer or home user?
Posted on Reply
#11
john_
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
Putting the head in the sand doesn't make the CPUs more secure. And the latest example with those two AMD vulnerabilities proves that Intel is paying for ANY security bug, not just for those in Intel CPUs. And if we consider that we have a dozen or even dozens of vulnerabilities of Intel CPUs already exposed, I guess most of those researchers will turn to AMD CPUs hoping to prove your point, that AMD CPUs are not as secure as people think or say. That means that it's not in Intel's best interest to stop financing those researchers now, now that almost all Intel CPU vulnerabilities are exposed and researchers might turn to AMD CPUs. Except if, of course, AMD CPUs ARE in fact much more secure and even now a researcher will have more chances with an Intel CPU than an AMD CPU.
Posted on Reply
#12
btarunr
Editor & Senior Moderator
r.h.p
If any, does this affect the regular Intel gamer or home user?
No, but if Intel decides to shove a mitigation down our throats via Windows 10 Cumulative Update or BIOS updates, it will cost performance all the same.

As I mentioned in many older threads, the problem is not the CVE discoveries, but the forced mitigations chipping away at performance. Even if by tiny bits.
Posted on Reply
#13
thevoiceofreason
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty.
Ah yes, security through obscurity, because that has ever worked before.

Everybody gangsta until a new wave of bitcoin ransomware.
Posted on Reply
#14
btarunr
Editor & Senior Moderator
thevoiceofreason
Everybody gangsta until a new wave of bitcoin ransomware.
Name a ransomware that leverages a CPU-level vulnerability. Bonus points for one that leverages a side-channel attack vector.
Posted on Reply
#15
thevoiceofreason
It is now in the toolkit of malware writers so why wouldn't they use it.

And trying to shift the blame on researchers is ridiculous, all of these attacks stem from a single decision Intel made about deferring access checks in speculation to chase cheap performance gains and now they are getting punished for it.
Posted on Reply
#16
Dredi
btarunr
As I mentioned in many older threads, the problem is not the CVE discoveries, but the forced mitigations chipping away at performance. Even if by tiny bits.
How insane can you get? If no bug bounties are present, the findings could be sold on the black market instead. Now the work is effectively incentivized, making the black market angle a lot more difficult to pursue.

The mitigations are important in this scheme, as otherwise we will end up with machines that have publicly known vulnerabilities. You don't find malware using these exploits, as the vulnerabilities are typically fixed at the time the research papers are released.

Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.
Posted on Reply
#17
Vayra86
I figured it out. CVE actually stands for Corona Virus for Electronics.

It gets the elderly architectures first.
Posted on Reply
#18
lexluthermiester
btarunr
Name a ransomware that leverages a CPU-level vulnerability. Bonus points for one that leverages a side-channel attack vector.
None. And there aren't likely to be any.
Posted on Reply
#19
Ferrum Master
Dredi
Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.
No, they cannot be disabled, and haven't been for a year+. Those are baked permanently into the kernel.

Your provided solution doesn't make much sense either.
Posted on Reply
#20
Octopuss
btarunr
At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).
You forgot to take the brain pill today or what?
Posted on Reply
#21
btarunr
Editor & Senior Moderator
Dredi
How insane can you get? If no bug bounties are present, the findings could be sold on the black market instead. Now the work is effectively incentivized, making the black market angle a lot more difficult to pursue.
Bug Bounty Program provides a legitimate way of making money and paying taxes. Selling exploits on the dark web isn't something you can write in your income-tax filing, resume, or PhD application (not sure about its legality). I doubt there would be half as many cybersec researchers without the program (legit means of making money and earning academic citations).

A different kind of cyber-sec researcher is funded by Wall Street (hedge fund managers or those holding short positions against tech companies; remember CTSFlaws?).

Dredi
The mitigations are important in this scheme, as otherwise we will end up with machines that have publicly known vulnerabilities. You don't find malware using these exploits, as the vulnerabilities are typically fixed at the time the research papers are released.
All that BBPs without permanent non-disclosure clauses end up achieving is giving malware writers ideas so they can go after the vast majority of computers that stay unpatched or rarely patched.

Dredi
Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.
These mitigations are made part of cumulative updates that include other fixes or feature updates, and eventually become part of Windows codebase with each version. The manner in which they're distributed makes them a ramthroat.
Posted on Reply
#22
Dredi
Ferrum Master
No, they cannot be disabled, and haven't been for a year+. Those are baked permanently into the kernel.

Your provided solution doesn't make much sense either.
Well then use the old kernel until the new one is faster with mitigations than the old one without mitigations. Gentoo works as well, if you wish to have better control over what security patches you wish to have in your computer. As for windows you can use inSpectre tool to make your computer less safe. Easy.

btarunr
Bug Bounty Program provides a legitimate way of making money and paying taxes. Selling exploits on the dark web isn't something you can write in your income-tax filing, resume, or PhD application. I doubt there would be half as many cybersec researchers without the program (legit means of making money).
You are absolutely correct! Without this, the same easy exploits could be achievable to black hats, who now have a much harder time than before due to having to beat a bunch of researchers to the party.

Also, please refrain from the "security through obscurity" fallacy.
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-5/exposing-the-fallacies-of-security-by-obscurity-full-disclosure
Posted on Reply
#23
Ferrum Master
Dredi
Well then use the old kernel until the new one is faster with mitigations than the old one without mitigations. Gentoo works as well, if you wish to have better control over what security patches you wish to have in your computer. As for windows you can use inSpectre tool to make your computer less safe. Easy.
Refrain from commenting if you do not have a clue about the Windows ecosystem.

Linux is not a magic bullet either when it comes to CPU flaw exposure.
Posted on Reply
#24
Dredi
Ferrum Master
Refrain from commenting if you do not have a clue about the Windows ecosystem.

Linux is not a magic bullet either when it comes to CPU flaw exposure.
Do you imply that the inspectre tool does not work? You can also make hardware changes to limit the number of mitigations that are loaded when the OS starts.
Posted on Reply
#25
btarunr
Editor & Senior Moderator
Dredi
You are absolutely correct! Without this, the same easy exploits could be achievable to black hats, who now have a much harder time than before due to having to beat a bunch of researchers to the party.
I concede to that argument. But those black hats now have a steady stream of ideas with which to build malware and target unpatched machines. We have a steady stream of patches that cost performance.
Posted on Reply