More Intel Processor HW Security Flaws. Meet Microarchitectural Data Sampling (MDS)

2018 did not start so well for processor vendors, especially Intel, but also AMD, Arm and others as some of their processors leveraging speculative execution were impacted by Spectre and/or Meltdown hardware security bugs. The workarounds to improve security had a downside as they affected performance in some specific use case. Panic ensued as the bug was revealed to the public a bit too early, so companies were not fully ready with their mitigations / workarounds.

Then in summer of 2018, another hardware security flaw known as Foreshadow or L1 Terminal Fault came to light. The new flaw potentially enabled the attacker to access data stored in L1 cache.  Provided you have updated your operating systems to the latest version, your computers and devices should be protected against those vulnerabilities, and you can even check with a script working in Linux or FreeBSD.

Intel Microarchitectural Data Sampling: Zombieload, RIDL, Fallout

But this now looks like a never ending game, as security researchers have found yet other hardware vulnerabilities in Intel CPUs, called Zombieload, RIDL and Fallout by researchers, but Intel refers to those as Microarchitectural Data Sampling (MDS).

Intel explains what’s going on and which processors are impacted:

MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques. Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see. MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.

MDS is addressed in hardware starting with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable processor family. We expect all future Intel® processors include hardware mitigations addressing these vulnerabilities.

More details on RIDL:

RIDL (Rogue In-Flight Data Load) shows attackers can exploit MDS vulnerabilities to mount practical attacks and leak sensitive data in real-world settings. By analyzing the impact on the CPU pipeline, we developed a variety of practical exploits leaking in-flight data from different internal CPU buffers (such as Line-Fill Buffers and Load Ports), used by the CPU while loading or storing data from memory.

We show that attackers who can run unprivileged code on machines with recent Intel CPUs – whether using shared cloud computing resources, or using JavaScript on a malicious website or advertisement – can steal data from other programs running on the same machine, across any security boundary: other applications, the operating system kernel, other VMs (e.g., in the cloud), or even secure (SGX) enclaves.

and Fallout:

Fallout demonstrates that attackers can leak data from Store Buffers, which are used every time a CPU pipeline needs to store any data. Making things worse, an unprivileged attacker can then later pick which data they leak from the CPU’s Store Buffer.

We show that Fallout can be used to break Kernel Address Space Layout Randomization (KASLR), as well as to leak sensitive data written to memory by the operating system kernel.

Ironically, the recent hardware countermeasures introduced by Intel in recent Coffee Lake Refresh i9 CPUs to prevent Meltdown make them more vulnerable to Fallout, compared to older generation hardware.

So hardware fixes made by Intel for Meltdown had some side effects…

The ZombieLoad attack is said to “resurrect” your private browsing-history and other sensitive data, and allows to leak information from other applications, the operating system, virtual machines in the cloud and trusted execution environments.

One of the workarounds for MDS is to disable hyper-threading, so it may not be that good for performance… Intel, Microsoft, Canonical, Google, and others have published detailed information about vulnerabilities and released upgrades to mitigate the issue. Disabling Hyper-Threading is still recommended for extra security.

Via Liliputing and cpu.fail

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK 5 ITX Rockchip RK3588 mini-ITX motherboard
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
7 Comments
oldest
newest
theguyuk
theguyuk
5 years ago

There are unconfirmed whispers of more possible hacks, only time will tell.

dgp
dgp
5 years ago

That’s almost as useful as saying water is wet.

tkaiser
tkaiser
5 years ago

As always

Sfinx
Sfinx
5 years ago

epic fail

Richard Crook
Richard Crook
5 years ago

So persons/companies/corporations/organisations will have no choice but to jettison their old Intel CPU machines and buy the latest Intel CPU machines in order to protect themselves from the exploits of the evil crackers.

Sounds to me that a flaw like this is good for future business, eh?

(If it does not have the sticker “Intel Inside” on the case, then it cannot be genuine Intel (TM) and that is what counts …)

blu
blu
5 years ago

‘Ironically, the recent hardware countermeasures introduced by Intel in recent Coffee Lake Refresh i9 CPUs to prevent Meltdown make them more vulnerable to Fallout, compared to older generation hardware.’

You can apply patches only so much to something which was not designed for the job, before you have to do things properly anew.

Boardcon Rockchip RK3588S SBC with 8K, WiFI 6, 4G LTE, NVME SSD, HDMI 2.1...