Over the past two years, attacks like Spectre, Meltdown, and variants on those techniques—all capable of tricking a broad range of processors into coughing up sensitive data—have shown how hard it can be to secure a chip. But it’s one thing for a company like Intel to scramble to fix a vulnerability, and a very different one when it fails to act on one of those flaws for more than a year.
But in this case, the researchers are pointing to a more serious failing on Intel’s part than just another bug. While they warned Intel of these newly revealed MDS variants as early as September 2018, the chip giant has nonetheless neglected to fix the flaws in the nearly 14 months since. And while Intel announced today that it has newly patched dozens of flaws, the researchers say and the company itself admits that those fixes still don’t fully protect against the MDS attacks.
Not All the Fix Is In
Intel had initially fixed some of its MDS vulnerabilities in May. But researchers at Vrije Universiteit say they warned Intel at the time that those efforts were incomplete. At Intel’s request, they’ve kept their silence until now, for fear of enabling hackers to take advantage of the unpatched flaw before the company finally fixed it. “The mitigation they released in May, we knew it could be bypassed. It wasn’t effective,” says Kaveh Razavi, one of the researchers in Vrije Universiteit’s VUSec group. “They missed completely a variant of our attack—the most dangerous one.”
In fact, the VUSec researchers say that in the time since they first disclosed the vulnerability to Intel, they’ve managed to hone it into a technique capable of stealing sensitive data in seconds rather than the hours or days they previously believed necessary.
The MDS attacks that VUSec and TU Graz originally published in May—along with a supergroup of other researchers at University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, as well as security firms Cyberus, BitDefender, Qihoo360, and Oracle—take advantage of a strange quirk of Intel’s processors to allow users who can run code on a victim processor to potentially steal sensitive data from other parts of the computer that they shouldn’t have access to. Intel chips in some cases execute a command or access a part of a computer’s memory “speculatively,” guessing at what a program will want before it even asks for it as a time-saving measure. But in some cases that speculative execution results in accessing an invalid location in memory—one that would result in the speculative process aborting. When that happens, the processor instead grabs arbitrary data from buffers, parts of the chip that serve as the “pipes” between different components, like the processor and its cache.
The researchers showed in May that they could both manipulate those buffers to contain sensitive data like cryptographic keys or passwords, and also cause aborted speculative memory accesses. As a result, their MDS attack could leak that sensitive info from the chip’s buffers to an attacker.
For its fix, Intel opted against stopping its processors from grabbing arbitrary data out of buffers when invalid memory access took place. Instead, it updated the microcode in its chips to prevent the specific situations that allow that data to leak. But in doing so, the researchers say, Intel missed a few variants. One technique, called TSX asynchronous abort, or TAA, tricks a processor into using a feature called TSX that’s designed to fall back to a kind of “savepoint” in memory if it conflicts with another process. An attacker can then trigger that conflict to force a leak of sensitive data from the chip’s buffers, just as in the earlier MDS attacks.
That TAA variant of the MDS attack turns out to be particularly serious. Intel sought to downplay the MDS flaws back in May, in part because it was then thought that a successful attack would take days to execute. But VUSec researcher Jonas Theis found a way to use TAA to trick a target machine into revealing a hash of an administrator’s password…
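For anyone responsible for a fleet of Intel machines, the practical question raised by the two paragraphs above is whether a given host has the microcode and kernel updates that cover both the original MDS variants and TAA. The Linux kernel reports this per issue in the files under /sys/devices/system/cpu/vulnerabilities/ (for example the files named mds and tsx_async_abort), using lines such as “Not affected”, “Mitigation: Clear CPU buffers” or “Vulnerable: Clear CPU buffers attempted, no microcode”, with a trailing note about hyperthreading such as “SMT vulnerable”. The script below is an added example written for this article, not code from Intel, VUSec or the kernel project: it reads those files when they exist and otherwise falls back to a constructed sample that mimics a host with the May fixes but without TAA coverage. The file names and the status wording are the kernel’s; the “partial” category for a mitigated entry whose sibling hyperthread is still reported vulnerable is this example’s own convention.

```python
"""Summarise the Linux kernel's MDS / TAA mitigation status.

Reads /sys/devices/system/cpu/vulnerabilities/* when present; otherwise
runs against SAMPLE, a constructed set of status lines shaped like the
kernel's real output (the values here are made up for illustration).
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample: a host that got the May microcode for MDS but whose
# kernel/microcode do not yet cover TSX asynchronous abort.
SAMPLE = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "tsx_async_abort": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "meltdown": "Mitigation: PTI",
    "l1tf": "Not affected",
}


def parse_status(text):
    """Split a status line into (headline, smt_note).

    'Mitigation: Clear CPU buffers; SMT vulnerable'
        -> ('Mitigation: Clear CPU buffers', 'SMT vulnerable')
    """
    head, _, smt = text.strip().partition(";")
    return head.strip(), smt.strip()


def classify(text):
    """Map one kernel status line to a coarse category.

    Kernel conventions: 'Not affected', 'Mitigation: ...', 'Vulnerable[: ...]'.
    'partial' (this example's own label) marks a mitigation whose SMT note
    still says 'SMT vulnerable', because sibling hyperthreads share the
    buffers these attacks read from.
    """
    head, smt = parse_status(text)
    if head == "Not affected":
        return "not_affected"
    if head.startswith("Mitigation:"):
        return "partial" if smt == "SMT vulnerable" else "mitigated"
    return "vulnerable"


def read_sysfs(directory=SYSFS_DIR):
    """Return {name: status_line} from sysfs, or {} when the directory is
    absent (non-Linux host, or a kernel too old to report it)."""
    result = {}
    if not os.path.isdir(directory):
        return result
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                result[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry; skip rather than abort the report
    return result


def needs_attention(statuses, of_interest=("mds", "tsx_async_abort")):
    """Return {name: category} for the entries in `of_interest` that are
    neither 'not_affected' nor fully 'mitigated'."""
    report = {}
    for name in of_interest:
        if name not in statuses:
            report[name] = "not_reported"  # kernel predates this entry
            continue
        category = classify(statuses[name])
        if category not in ("not_affected", "mitigated"):
            report[name] = category
    return report


if __name__ == "__main__":
    live = read_sysfs()
    source = "sysfs" if live else "constructed sample"
    statuses = live or SAMPLE
    print(f"status source: {source}")
    for name, line in statuses.items():
        print(f"  {name:18} {classify(line):12} {line}")
    print("entries needing attention:", needs_attention(statuses) or "none")
```

On a host where the kernel exposes the directory, the script prints the live lines; note that a kernel that predates the TAA entry will simply not have a tsx_async_abort file, which the report flags as “not_reported” rather than treating silence as safety.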