Microarchitectural Data Sampling

Last updated

Microarchitectural Data Sampling
ZombieLoad Attack logo square.svg
Logo designed for the vulnerabilities, featuring a wounded hand holding a broken microprocessor.
CVE identifier(s) CVE- 2018-12126 (Fallout),
CVE- 2018-12127 (RIDL),
CVE- 2019-11091 (RIDL, ZombieLoad),
CVE- 2018-12130 (RIDL, ZombieLoad),
CVE- 2019-11135 (ZombieLoad v2)
Date discovered2018 [1]
Date patched14 May 2019
Discoverer Flag of Australia (converted).svg University of Adelaide
Flag of Austria.svg Graz University of Technology
Flag of Belgium (civil).svg Catholic University of Leuven
Flag of the People's Republic of China.svg Qihoo 360
Flag of Germany.svg Cyberus Technology
Flag of Germany.svg Saarland University
Flag of the Netherlands.svg Vrije Universiteit Amsterdam
Flag of Romania.svg Bitdefender
Flag of the United States.svg Oracle Corporation
Flag of the United States.svg University of Michigan
Flag of the United States.svg Worcester Polytechnic Institute [1]
Affected hardwarePre-April 2019 Intel x86 microprocessors
Website mdsattacks.com ZombieLoadAttack.com

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL (Rogue In-Flight Data Load), ZombieLoad., [2] [3] [4] and ZombieLoad 2. [5]

Contents

Description

The vulnerabilities are in the implementation of speculative execution, which is where the processor tries to guess what instructions may be needed next. They exploit the possibility of reading data buffers found between different parts of the processor. [1] [2] [6] [7]

Not all processors are affected by all variants of MDS. [8]

History

According to Intel in a May 2019 interview with Wired, Intel's researchers discovered the vulnerabilities in 2018 before anyone else. [1] Other researchers had agreed to keep the exploit confidential as well since 2018. [9]

On 14 May 2019, various groups of security researchers, amongst others from Austria's Graz University of Technology, Belgium's Catholic University of Leuven, and Netherlands' Vrije Universiteit Amsterdam, in a disclosure coordinated with Intel, published the discovery of the MDS vulnerabilities in Intel microprocessors, which they named Fallout, RIDL and ZombieLoad. [1] [6] Three of the TU Graz researchers were from the group who had discovered Meltdown and Spectre the year before. [1]

On 12 November 2019, a new variant of the ZombieLoad attack, called Transactional Asynchronous Abort, was disclosed. [10] [11]

Impact

According to varying reports, Intel processors dating back to 2011 [12] or 2008 [1] are affected, and the fixes may be associated with a performance drop. [13] [14] Intel reported that processors manufactured in the month before the disclosure have mitigations against the attacks. [1]

Intel characterized the vulnerabilities as "low-to-medium" impact, disagreeing with the security researchers who characterized them as major, and disagreeing with their recommendation that operating system software manufacturers should completely disable hyperthreading. [1] [15] Nevertheless, the ZombieLoad vulnerability can be used by hackers exploiting the vulnerability to steal information recently accessed by the affected microprocessor. [16]

Mitigation

Fixes to operating systems, virtualization mechanisms, web browsers and microcode are necessary. [1] As of 14 May 2019, applying available updates on an affected PC system was the most that could be done to mitigate the issues. [17]

See also

Related Research Articles

<span class="mw-page-title-main">Hyper-threading</span> Proprietary simultaneous multithreading implementation by Intel

Hyper-threading is Intel's proprietary simultaneous multithreading (SMT) implementation used to improve parallelization of computations performed on x86 microprocessors. It was introduced on Xeon server processors in February 2002 and on Pentium 4 desktop processors in November 2002. Since then, Intel has included this technology in Itanium, Atom, and Core 'i' Series CPUs, among others.

The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of CPU cycles since its reset. The instruction RDTSC returns the TSC in EDX:EAX. In x86-64 mode, RDTSC also clears the upper 32 bits of RAX and RDX. Its opcode is 0F 31. Pentium competitors such as the Cyrix 6x86 did not always have a TSC and may consider RDTSC an illegal instruction. Cyrix included a Time Stamp Counter in their MII.

<span class="mw-page-title-main">Intel Core</span> Line of CPUs by Intel

Intel Core is a line of streamlined midrange consumer, workstation and enthusiast computer central processing units (CPUs) marketed by Intel Corporation. These processors displaced the existing mid- to high-end Pentium processors at the time of their introduction, moving the Pentium to the entry level. Identical or more capable versions of Core processors are also sold as Xeon processors for the server and workstation markets.

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. Intel introduced the feature around 2012, and AMD added support for the instruction in June 2015.

In computer security, virtual machine escape is the process of a program breaking out of the virtual machine on which it is running and interacting with the host operating system. A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". In 2008, a vulnerability in VMware discovered by Core Security Technologies made VM escape possible on VMware Workstation 6.0.2 and 5.5.4. A fully working exploit labeled Cloudburst was developed by Immunity Inc. for Immunity CANVAS. Cloudburst was presented in Black Hat USA 2009.

perf is a performance analyzing tool in Linux, available from Linux kernel version 2.6.31 in 2009. Userspace controlling utility, named perf, is accessed from the command line and provides a number of subcommands; it is capable of statistical profiling of the entire system.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

<span class="mw-page-title-main">Kernel page-table isolation</span>

Kernel page-table isolation is a Linux kernel feature that mitigates the Meltdown security vulnerability and improves kernel hardening against attempts to bypass kernel address space layout randomization (KASLR). It works by better isolating user space and kernel space memory. KPTI was merged into Linux kernel version 4.15, and backported to Linux kernels 4.14.11, 4.9.75, and 4.4.110. Windows and macOS released similar updates. KPTI does not address the related Spectre vulnerability.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre refers to one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

Lazy FPU state leak, also referred to as Lazy FP State Restore or LazyFP, is a security vulnerability affecting Intel Core CPUs. The vulnerability is caused by a combination of flaws in the speculative execution technology present within the affected CPUs and how certain operating systems handle context switching on the floating point unit (FPU). By exploiting this vulnerability, a local process can leak the content of the FPU registers that belong to another process. This vulnerability is related to the Spectre and Meltdown vulnerabilities that were publicly disclosed in January 2018.

TLBleed is a cryptographic side-channel attack that uses machine learning to exploit a timing side-channel via the translation look-aside buffer (TLB) on modern microprocessors that use simultaneous multithreading. As of June 2018, the attack has only been demonstrated experimentally on Intel processors; it is speculated that other processors may also potentially be vulnerable to a variant of the attack, but no proof of concept has been demonstrated. AMD had indicated that their processors would not be vulnerable to this attack.

<span class="mw-page-title-main">Foreshadow</span> Hardware vulnerability for Intel processors

Foreshadow, known as L1 Terminal Fault (L1TF) by Intel, is a vulnerability that affects modern microprocessors that was first discovered by two independent teams of researchers in January 2018, but was first disclosed to the public on 14 August 2018. The vulnerability is a speculative execution attack on Intel processors that may result in the disclosure of sensitive information stored in personal computers and third-party clouds. There are two versions: the first version (original/Foreshadow) targets data from SGX enclaves; and the second version (next-generation/Foreshadow-NG) targets virtual machines (VMs), hypervisors (VMM), operating systems (OS) kernel memory, and System Management Mode (SMM) memory. A listing of affected Intel hardware has been posted.

In digital computing, hardware security bugs are hardware bugs or flaws that create vulnerabilities affecting computer central processing units (CPUs), or other devices which incorporate programmable processors or logic and have direct memory access, which allow data to be read by a rogue process when such reading is not authorized. Such vulnerabilities are considered "catastrophic" by security analysts.

Spoiler is a security vulnerability on modern computer central processing units that use speculative execution. It exploits side-effects of speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel Core CPUs are vulnerable to the attack as of 2019. AMD has stated that its processors are not vulnerable.

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The classic example is Spectre that gave its name to this kind of side-channel attack, but since January 2018 many different vulnerabilities have been identified.

SWAPGS, also known as Spectre variant 1 (swapgs), is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors. Most processors use a form of speculative execution, this feature allows the processors to make educated guesses about the instructions that will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.

Retbleed is a speculative execution attack on x86-64 and ARM processors, including some recent Intel and AMD chips. First made public in 2022, it is a variant of the Spectre vulnerability which exploits retpoline, which was intended as a mitigation for speculative execution attacks.

References

  1. 1 2 3 4 5 6 7 8 9 10 11 Greenberg, Andy (2019-05-14). "Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs". WIRED . Retrieved 2019-05-14.
  2. 1 2 Ilascu, Ionut (2019-05-14). "New RIDL and Fallout Attacks Impact All Modern Intel CPUs". Bleeping Computer. Retrieved 2019-05-14.
  3. Spectre-NG-Lücken: OpenBSD schaltet Hyper-Threading ab, heise.de, 2018-06, accessed 2019-09-29
  4. Let's Talk To Linux Kernel Developer Greg Kroah-Hartman | Open Source Summit, 2019, TFIR, 2019-09-03
  5. Winder, Davey (2019-11-13). "Intel Confirms 'ZombieLoad 2' Security Threat". Forbes . Archived from the original on 2020-01-14. Retrieved 2020-01-14.
  6. 1 2 "ZombieLoad Attack". zombieloadattack.com. Retrieved 2019-05-14.
  7. 1 2 "INTEL-SA-00233". Intel. Retrieved 2019-05-14.
  8. "Microarchitectural Data Sampling". The Linux kernel user's and administrator's guide. 2019-05-14.
  9. "MDS attacks". mdsattacks.com. Retrieved 2019-05-20.
  10. Nichols, Shaun (2019-11-12). "True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant". www.theregister.co.uk. Retrieved 2019-11-12.
  11. Cimpanu, Catalin. "Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack". ZDNet. Retrieved 2019-11-12.
  12. Whittaker, Zach (2019-05-14). "New secret-spilling flaw affects almost every Intel chip since 2011". TechCrunch. Retrieved 2019-05-14.
  13. "Intel Zombieload bug fix to slow data centre computers". BBC News . 2019-05-15. Retrieved 2019-05-15.
  14. Larabel, Michael (2019-05-24). "Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload". Phoronix . Retrieved 2019-05-25.
  15. Mah Ung, Gordan (2019-05-15). "Intel: You don't need to disable Hyper-Threading to protect against the ZombieLoad CPU exploit - "ZombieLoad" exploit seems to put Intel's Hyper-Threading at risk of being put down". PC World . Retrieved 2019-05-15.
  16. Kastrenakes, Jacob (2019-05-14). "ZombieLoad attack lets hackers steal data from Intel chips". The Verge . Retrieved 2019-05-15.
  17. O'Neill, Patrick Howell (2019-05-14). "What To Do About the Nasty New Intel Chip Flaw". Gizmodo . Retrieved 2019-05-15.
  18. "ChangeLog-5.1.2". The Linux Kernel Archives. 2019-05-14. Archived from the original on 2019-05-15. Retrieved 2019-05-15.
  19. Whittaker, Zach. "Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws". TechCrunch. Retrieved 2019-05-14.

Further reading

Original papers by the researchers

Information from processor manufacturers

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.