Flaws In Intel Processors Would Allow Hackers To Eavesdrop On Millions Of PCs

No product is perfect, as bugs and security flaws can go unnoticed for years, or even longer.

More than a year after security researchers discovered Meltdown and Spectre, a pair of flaws that reside deep inside millions of computer chips sold by both Intel and AMD, researchers warn that they weren't the last of their kind.

The same researchers who uncovered those two fatal security bugs in 2018 have now discovered yet more flaws in Intel's hardware.

This time, the bug can allow attackers to eavesdrop on virtually every single bit of raw data that a victim's processor touches.

Only Intel processors seem to be vulnerable, meaning that AMD and ARM chips are not affected.

The vulnerability present in Intel chips takes the form of four distinct attacks:

  1. CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS), also known as 'Fallout attack'.
  2. CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS), also known as 'Zombieload', or 'RIDL' (Rogue In-Flight Data Load).
  3. CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS), also part of the RIDL class of attacks.
  4. CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of the RIDL class of attacks.

Intel collectively calls these flaws 'Microarchitectural Data Sampling' (MDS attacks), a class of vulnerabilities which, unlike existing attacks that leak data stored in CPU caches, can leak arbitrary in-flight data from CPU-internal buffers such as Line Fill Buffers, Load Ports, and Store Buffers.

The researchers came from the Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and the security firms Cyberus, BitDefender, Qihoo360, and Oracle.

Intel asked the researchers, who split into two groups working independently, to keep their findings secret, some for more than a year, at least until Intel could release fixes for the vulnerabilities.

Unfortunately, since then the company has sought to downplay the severity of the bugs, saying that it has released patches and that its new chips already fix the problem.

But the researchers warn that the attacks represent a serious flaw in Intel's hardware, one that may require disabling some of its features even beyond the company's patch. All of the Intel chips the researchers tested, going back as far as 2008, were affected.

"It's clear what Intel is doing," said Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack.

"It's in their interest to say, 'No, after Spectre and Meltdown, we didn't overlook other vulnerabilities; it's just that these were so minor that they slipped by.'"

The researchers who found the bugs have created a website (https://cpu.fail/) to detail the matter, and have also written a white paper diving into their discoveries.

"While programs normally only see their own data, a malicious program can exploit the fill buffers to get hold of secrets currently processed by other running programs. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys. The attack does not only work on personal computers but can also be exploited in the cloud."

Like Meltdown and Spectre, the MDS attack takes advantage of security flaws in how Intel chips perform speculative execution, a feature in which a processor guesses ahead of time at what operations and data it will be asked to execute, in order to speed up performance.

If the guess is wrong, the CPU discards the results. But if it's right, the CPU gains a speed advantage because the data is already there.

In the four distinct attacks, the researchers found that they could use Intel chips' speculative execution to grab sensitive data as it moves from one component of the chip to another.

But unlike Meltdown, which used speculative execution to grab sensitive data sitting in memory, MDS attacks focus on the buffers that sit between a chip's components, such as between a computer's processor and its cache.

"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them," explained Giuffrida. "We hear anything that these components exchange."

What this means is that hackers who can exploit the flaw could essentially run software on a target chip, in the form of a malicious app, a virtual machine, or even a rogue website running JavaScript in the target's browser.

With it, the hacker could trick the target's CPU into revealing sensitive data that should be protected from untrusted code running on that machine.

All four different MDS attack variants take advantage of a quirk in how Intel's chips perform their time-saving trick.

Because the CPU performs this speculative execution over and over, the attack steals at most a few bytes of arbitrary data from one of the CPU's buffers at a time, but repeats the process millions of times in succession.

To save time, attackers can apparently persuade an affected CPU to start pulling streams of sensitive data into its buffers, where they can be retrieved via the MDS flaw.

As a whole, the attack can take anywhere from milliseconds to hours, depending on the target's data and CPU activity.

Having recognized the potential damage, Intel said that its own researchers have released fixes for the flaw in both hardware and software. The company's software patch clears all data from the buffers whenever the processor crosses a security boundary, so that the data can't be stolen and leaked.

Intel says the patch will have "relatively minimal" performance costs in most cases, though for a few data center instances it could slow its chips down by as much as 8 or 9 percent.

The patch needs to be implemented by every operating system vendor, virtualization vendor, and other software maker.
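As an added example (not from the article or the researchers), the POSIX shell helper below reads the MDS status line that the Linux kernel publishes in /sys/devices/system/cpu/vulnerabilities/mds and tells an administrator whether the buffer-clearing mitigation described above is active, and whether hyperthreading still leaves a sibling thread able to observe in-flight data. The string patterns follow the kernel's documented wording; the classification labels are assumptions of this example.

```shell
#!/bin/sh
# Classify the MDS status line exposed by the Linux kernel in
# /sys/devices/system/cpu/vulnerabilities/mds (Linux 5.1 and backports).
# Labels (assumed for this example, not kernel terms):
#   not_affected  kernel reports the CPU is not affected
#   mitigated     buffers are cleared at privilege boundaries; SMT off or safe
#   smt_exposed   buffers are cleared, but "SMT vulnerable": a sibling
#                 hyperthread can still observe in-flight data
#   no_microcode  kernel attempts the clear, but the CPU lacks the microcode
#   vulnerable    no mitigation in place
#   unknown       wording not recognised (newer kernel, different text)
mds_classify() {
    case "$1" in
        "Not affected"*)                                          echo not_affected ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)        echo smt_exposed ;;
        "Mitigation: Clear CPU buffers"*)                         echo mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) echo no_microcode ;;
        "Vulnerable"*)                                            echo vulnerable ;;
        *)                                                        echo unknown ;;
    esac
}

# Read the sysfs file (or a file given as $1, for testing) and print the label.
# Exit status 0 means no action is needed, 1 means the host needs attention.
mds_check_file() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/mds}"
    if [ ! -r "$f" ]; then
        echo "unknown: cannot read $f (kernel too old or not Linux)"
        return 1
    fi
    status=$(mds_classify "$(cat "$f")")
    echo "$status"
    case "$status" in
        not_affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Report the live host when run directly.
if mds_check_file; then
    echo "no action needed"
else
    echo "action needed: apply kernel/microcode updates, or disable SMT if the kernel reports SMT vulnerable"
fi
```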

Apple said that it released a fix as part of a recent Mojave and Safari update; Google said that it had implemented updates for its affected products, and so did Amazon, Mozilla and Microsoft.

"There are still more components, and many of them are not documented at all, so it's not unlikely this continues for a while," said TU Graz's Moritz Lipp.

"We always expected this would keep us busy for years," added Daniel Gruss, another researcher. In other words, don't be surprised if more hidden holes are found in the heart of your computer's processor for years to come.

"We drink from the firehose. If you’re clever, and you process the stuff carefully, you don’t drown."

Previously, months after Meltdown and Spectre, Intel, Google and Microsoft found another variant of the Spectre-Meltdown flaw. This followed the discovery of yet another eight Spectre variants.