Intel Flaw Lets Hackers Siphon Secrets From Millions of PCs

It has been more than a year since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep and obscure workings of millions of chips sold by Intel and AMD, endangering virtually every computer in the world. But even as the chip makers scrambled to fix those problems, the researchers warned that they were not the end of the story but the beginning: they represented a new class of security vulnerability that would undoubtedly surface again and again. Now some of those same researchers have discovered another flaw in the deepest bowels of Intel's microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim's processor touches.

Today, Intel and a coordinated supergroup of microarchitecture security researchers are announcing a new, serious form of hackable vulnerability in Intel chips. In fact, there are four separate attacks, although they all use a similar technique and they are all capable of siphoning a potentially sensitive data stream from a computer's processor to an attacker.

MDS attacks

The researchers come from the Austrian university TU Graz, the Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, and the security companies Cyberus, Bitdefender, Qihoo360 and Oracle. The groups have named variants of the exploitation technique ZombieLoad, Fallout, and RIDL, or "Rogue In-Flight Data Load." Intel has, more soberly, labeled the new set of attacks "Microarchitectural Data Sampling," or MDS.

Intel had asked all of the researchers to keep their discoveries secret, some for more than a year, until it could release patches for the vulnerabilities. At the same time, the company has sought to downplay the severity of the bugs, according to the researchers, who are split into two independent groups and who warn that the attacks represent a serious flaw in Intel hardware, one that may require disabling some of its features even beyond the company's patch. AMD and ARM chips do not appear to be vulnerable to the attacks, and Intel says some chip models released last month include a fix for the problem. Otherwise, all Intel chips the researchers tested, going back to 2008, were affected. You can test whether your system is affected with a tool published by the researchers.

Like Meltdown and Spectre, the new MDS attacks take advantage of security weaknesses inherent in speculative execution on Intel chips, a feature in which a processor guesses ahead of time which operations it will be asked to execute and which data it will be asked to access, in order to speed up the chip's performance.

"We drink from the fire hose; if you are smart and treat things with care, you do not drown, and you get everything you need."

Herbert Bos, VUSec

In these new cases, the researchers found that they could use speculative execution to trick Intel processors into grabbing sensitive data as it moves from one component of a chip to another. Unlike Meltdown, which uses speculative execution to capture sensitive data stored in memory, the MDS attacks focus on the buffers that sit between components of a chip, for example between a processor and its cache, the small portion of memory allotted to the processor to keep frequently accessed data close at hand.

"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them," says Cristiano Giuffrida, one of the VUSec researchers at the Vrije Universiteit Amsterdam who discovered the MDS attack. "We hear anything that these components exchange."

This means that any attacker who can run a program on a target chip, whether it is a malicious application, a virtual machine hosted on the same server as the target in Amazon's cloud, or even an untrusted website running JavaScript in the target's browser, could cause the processor to reveal data that should be protected from untrusted code running on that machine. That data may include information such as which website the user is browsing, their passwords, or the secret keys used to decrypt their encrypted hard drive.

"In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components," reads a line from a VUSec paper on the flaws, which will be presented next week at the IEEE Symposium on Security and Privacy.

"Easy to do and potentially devastating"

The four different MDS attack variants all take advantage of a quirk in how Intel chips perform their time-saving trick. During speculative execution, a CPU frequently follows a branch of commands in code before a program asks for it, or guesses at the data the program is requesting, in order to get a head start. Think of that guess as a lazy waiter offering a random drink from his tray in the hope of saving himself a trip to the bar. If the processor guesses wrong, it simply throws the data out. (Under different conditions, the chip can pull data from three different buffers, hence the researchers' multiple attacks.)

Intel's chip designers may have assumed that a wrong guess, even one involving sensitive data, was harmless. "It throws these results away," says Giuffrida of VUSec. "But we still have this window of vulnerability that we use to leak the information."

Just as with Meltdown and Spectre, the attacker's code can leak the data that the processor pulled from the buffer via the processor's cache. The whole process steals at most a few bytes of arbitrary data from one of the CPU's buffers. But repeat it millions of times in a row, and an attacker can begin to reassemble streams of all the data the processor accesses in real time. With a few other tricks, an attacker with few privileges can make requests that persuade a processor to pull sensitive data such as secret keys and passwords into its buffers, where the MDS attack then scoops them up. Such attacks can take anywhere from a few milliseconds to hours, depending on the target data and the CPU's activity. "It's easy to do and potentially devastating," says Herbert Bos, a researcher at VUSec.

[Image credit: VUSec]

VUSec, for example, has built a proof of concept, illustrated above, that can extract hashed passwords (the obscured form of passwords that hackers can often crack) from a component of a target chip called the line fill buffer. The video below, from TU Graz, shows a simpler demonstration in which an untrusted program on the computer can determine which websites a person is visiting.

A fight over the fix

In a call with WIRED, Intel said its own researchers were the first to discover the MDS vulnerabilities last year and that it has developed both hardware and software patches for the flaw. The software fix clears all data out of the buffers whenever the processor crosses a security boundary, so that the data cannot be stolen and leaked. Intel says the fix will carry "relatively minimal" performance costs in most cases, although in some data center settings it can slow its chips by eight to nine percent. To take effect, the fix has to be implemented by each operating system, virtualization provider, and other software maker. Apple says it released a patch with a recent update to Mojave and Safari. A Microsoft spokesperson said the company would release security updates today to address the problem. "We are aware of this industry-wide issue and have been working closely with affected chip manufacturers to develop and test mitigations to protect our customers," the Microsoft spokesperson said. "We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips." Google, Mozilla, VMware and Amazon did not immediately respond to a request for comment on the status of their patches.

A more permanent hardware fix, already included in some chips Intel released last month, addresses the problem more directly by preventing the processor from pulling data out of the buffer during speculative execution. "For other affected products, microcode updates, along with corresponding updates to operating system and hypervisor software, are available beginning today," says an Intel spokesperson.

"We always expected it to occupy us for years."

Daniel Gruss, TU Graz

In the meantime, however, the researchers and Intel are at odds over the severity of the problem and how to sort it out. TU Graz and VUSec recommend that software vendors turn off "hyperthreading," a feature of Intel chips that speeds up processing by allowing multiple tasks to run in parallel but that also makes some variants of the MDS attacks far easier to pull off. In a phone call with WIRED, Intel insisted that the flaws do not justify disabling the feature, which would carry a serious performance cost for users. In fact, the company rated the four vulnerabilities as merely "low to medium" severity, a rating the TU Graz and VUSec researchers dispute.
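As an added example (not from the article, Intel, or the research teams), here is a small POSIX shell helper that classifies the Linux kernel's MDS report, which exposes both the buffer-clearing state and the SMT (hyperthreading) state the researchers and Intel disagree about. The sysfs path and status strings are the ones documented in the kernel's admin guide for MDS; the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's MDS mitigation report.
# Kernels carrying the MDS patches expose a one-line status at the path
# below; its text combines the buffer-clearing state with an SMT state.
# Status strings follow Documentation/admin-guide/hw-vuln/mds.rst.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict STATUS
# Prints one of: not-affected, mitigated, partial, vulnerable.
mds_verdict() {
    status="$1"
    case "$status" in
        "Not affected"*)
            echo "not-affected" ;;
        "Mitigation: Clear CPU buffers"*)
            # Buffers are flushed at privilege boundaries, but a sibling
            # hyperthread can still sample them while they are in use, so
            # the verdict also depends on the SMT part of the report.
            case "$status" in
                *"SMT disabled"*|*"SMT mitigated"*) echo "mitigated" ;;
                # "SMT vulnerable" or "SMT Host state unknown" (inside a VM)
                *) echo "partial" ;;
            esac ;;
        *)
            # "Vulnerable" or
            # "Vulnerable: Clear CPU buffers attempted, no microcode"
            echo "vulnerable" ;;
    esac
}

# mds_check [FILE]
# Reads the sysfs report (default path above) and prints the verdict;
# prints "unknown" when the file is absent, i.e. the kernel predates
# the MDS patches or this is not Linux.
mds_check() {
    file="${1:-$MDS_SYSFS}"
    if [ -r "$file" ]; then
        mds_verdict "$(cat "$file")"
    else
        echo "unknown"
    fi
}

# Stand-alone use: report this host's state.
mds_check
```

A "partial" verdict means the buffer-clearing fix is in place but hyperthreading is still enabled, which is exactly the configuration TU Graz and VUSec advise against.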

Intel's engineers argue, for instance, that while the MDS vulnerabilities can leak secrets, they also spill out a tremendous amount of noise from the computer's other operations. But the security researchers found that they could reliably filter that raw output to find the valuable information they were looking for. To make the filtering easier, they showed that an attacker can trick the processor into leaking the same secret repeatedly, which helps distinguish it from the ambient noise.

"If we go after disk encryption, we only attack it in the short time window when the key is loaded into memory, so we have a high chance of getting the key and other data," says Michael Schwarz, one of the TU Graz researchers who worked on both the new MDS attacks and the earlier Spectre and Meltdown discoveries. "Some data will always be the same and other data will change. We look at what occurs most often, and that is the data we are interested in. It's basic statistics."

Or, as VUSec's Bos put it, "We drink from the fire hose; if you are smart and treat things with care, you do not drown, and you get everything you need."

Downplaying the severity

The researchers argue that all of this casts doubt on Intel's severity rating for the MDS attacks. The TU Graz researchers, three of whom worked on the Spectre and Meltdown attacks, rate the MDS attacks somewhere between those two earlier vulnerabilities: less severe than Meltdown but worse than Spectre. (They point out that Intel also assigned Spectre and Meltdown a "medium" severity, a judgment they disagreed with at the time.)

Giuffrida of VUSec notes that Intel paid his team $100,000 for its work under the company's bug bounty program, which rewards researchers who warn the company of critical flaws. That is hardly the kind of money paid out for insignificant problems, he notes. But he also says that at one point Intel offered VUSec only a $40,000 bug bounty together with an $80,000 "gift," something Giuffrida saw as an attempt to reduce the publicly quoted bounty amount and, with it, the perceived seriousness of the MDS flaws. VUSec declined the larger total in favor of a bounty that better reflected the severity of its findings, and threatened to withdraw from the bug bounty program in protest. Intel changed its offer to $100,000.

"It's clear what Intel is doing," says Giuffrida. "It's in their interest to say, 'No, after Spectre and Meltdown we did not overlook other vulnerabilities; it's just that these were so minor.'" In a call with WIRED, Intel denied trying to manipulate the perceived size of the bounty.

It may seem odd that so many researchers found the MDS flaws in the same period of time, at least two independent teams across seven organizations plus Intel itself. But the TU Graz researchers say that is to be expected: the Spectre and Meltdown discoveries opened up a new, deeply complex and unexplored attack surface for hackers, one that could lead to serious and fundamental hardware security flaws in the future.

"There are even more components, and many of them are not documented at all, so it is not unlikely that this will continue for a while," says Moritz Lipp of TU Graz. His research colleague Daniel Gruss adds, "We always expected this to occupy us for years." In other words, do not be surprised if more hidden holes are found in the heart of your computer's processor for years to come.
