ZombieLoad: More side channel attacks put Intel chips at risk

Security researchers from around the world this week revealed a new set of side channel vulnerabilities that could let malicious hackers steal sensitive information directly from Intel microprocessors.

Researchers also developed four different proof-of-concept attacks for these vulnerabilities — ZombieLoad, Fallout, Rogue In-Flight Data Load and Store-to-Leak Forwarding — that exploit flaws in how Intel chips perform speculative execution, a feature that helps boost a chip’s performance. The new vulnerabilities and PoC attacks, which affect almost every Intel computer chip since 2011, are similar to the Meltdown and Spectre flaws that were first revealed in early 2018.

Intel is calling the new set of attacks Microarchitectural Data Sampling (MDS).

“Basically, it is exploiting information leakages at the microarchitectural level, to sample data that belong to other processes that you do not normally have privileged access to,” said Berk Sunar, professor of electrical and computer engineering at Worcester Polytechnic Institute (WPI) and a member of the Fallout research team.

The data sampling comes from the fact that the processor has different components and these components are all shared by the users, said Daniel Moghimi, a Ph.D. candidate in the computer science department at WPI. Moghimi is also a member of the ZombieLoad and Fallout research teams.

“The way it is exploited is that, you as an attacker leak data one byte at a time from different components and then you encode them and you sample them to some sort of information that you can coherently understand, like passwords, URLs and cryptographic keys,” Moghimi said.

Of the four PoC attacks, ZombieLoad is considered the most serious by the researchers. If exploited, the side-channel attack would allow a threat actor to break through layers of isolation, such as virtual machines, to read essentially another user’s data from another guest operating system’s space or from privileged administrator memory, Sunar said.

“It’s pretty devastating in that sense that you can go through boundaries and recover passwords and lots of other sensitive information,” Sunar said. “Think about a webpage loading into your browser. … The browser enforces strong isolation so that the script running in your browser does not break through boundaries to recover any secret that belongs to you. For example, it doesn’t know what the other tab contains, or what’s running locally on your machine. With this kind of an attack you can actually break through all of those kinds of isolations.”

Werner Haas, CTO of Cyberus Technology and one of the co-discoverers of Meltdown, said there is no simple answer as to how severe the ZombieLoad flaw is because it depends on the exploitation scenario.

“For standard PC users I would not be overly worried because the well-known exploit strategies are unfortunately highly effective still,” Haas said in an email interview. “Why break the door lock if the window is left ajar? If I was using cloud services, however, I would be worried about co-hosted, unknown virtual machines on ‘my’ physical CPU.”

Attackers can easily sample data from other protection domains, such as virtual machines, Haas said, making it a real threat.

“Note, however, that an attacker needs to execute code on the same physical CPU core as the victim process, i.e., I would not be overly worried about my (hopefully) heavily shielded industrial automation control system, either,” he said via email.

What enterprises can do

According to Sunar, these are fundamental vulnerabilities at the core of the CPU architecture that will take time to resolve and will require modifications at the lowest layers of the architecture.

Intel has released microcode updates for vulnerable processors, and Apple, Google, Amazon, Microsoft and Mozilla have all released software patches to address the flaws.

Gartner analyst Alan Priestley advised enterprises to keep systems up to date and conduct a risk assessment to understand their exposure to flaws like ZombieLoad.

“Look at what opportunity there is for untrusted code to run on your infrastructure and then take appropriate actions based on that,” Priestley said. “If you are an enterprise organization with an on-premise data center, the chances are you don’t let untrusted code run inside your data center. If you’re a cloud service provider, every piece of code that runs inside the data centers is untrusted because you’re selling your access to your infrastructure to third parties.”

He also advised enterprises to work with their hardware suppliers and OEMs to obtain updated firmware that includes the new microcode.

“Wherever possible you should look to retiring older generation of the servers — which are most vulnerable … and look at the latest generation technologies because performance impact is minimal and in many cases those generation processors have already got hardware mitigation built into them,” Priestley said.

Shared resources always carry the risk of a protection-domain breakdown, independent of ZombieLoad, so sensitive information should be properly isolated, Haas advised. In particular, unvetted, external input should never be processed in high-security domains, he added.

“If you are paranoid, disable symmetric multiprocessing = Hyper-Threading on your Intel CPUs as this makes it significantly harder to leak data,” he said. “Otherwise, please apply the microcode updates provided by Intel and any software patches required to mitigate the issues.”

But those actions can be omitted if a careful risk assessment shows that other security mechanisms prevent untrusted code execution on the system in question, Haas added.

Sunar advised companies against sharing execution spaces or hardware.

“For example, for the cloud environment if you have a highly sensitive platform, maybe you are processing credit cards, or it’s a server hosting a commercial webpage, any of those situations where you have a high value target, you want to make sure that the hardware is isolated, it is only used for you,” Sunar said. “Cloud instances that are not shared, dedicated to your operating system allocated to a single guest only, that’s the strongest way to protect against this kind of an attack.”

Short-term remedies include making sure the latest operating system updates and CPU microcode are installed, so that the mitigations vendors have produced for these attacks actually take effect, Moghimi said.

“Also by now the microarchitectural security community is pretty confident that Hyper-Threading is really dangerous,” Moghimi said. “Even if somebody’s on the cloud they still want to have some sort of sharing the hardware — they should at least disable Hyper-Threading and not share the same CPU core with multiple users. That could at least reduce the damage.”
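The advice above boils down to two checks: is the microcode and OS mitigation in place, and is Hyper-Threading still sharing physical cores with code you do not trust? As an added example (not code from the article or from the researchers it quotes), the POSIX shell script below reads the two files the Linux kernel exposes for exactly this, `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control`, classifies the host accordingly and prints the matching action. The status strings it matches are the ones the kernel emits; the `/proc/cpuinfo` excerpt is a constructed sample, and the verdict names and the `recommend` wording are my own.

```shell
#!/bin/sh
# Added example (not from the article or the researchers): classify a Linux
# host's MDS/ZombieLoad exposure from the kernel's own reporting. The sysfs
# paths and status strings are those of the Linux kernel's x86 speculation
# reporting; the verdict names and the recommendations are this script's own.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds
SMT_FILE=/sys/devices/system/cpu/smt/control

# mds_verdict MDS_STATUS SMT_CONTROL
# Prints one of: not-affected, unpatched, smt-exposed, mitigated, unknown.
mds_verdict() {
    mds="$1"
    smt="$2"
    case "$mds" in
        "Not affected")
            echo not-affected ;;
        Vulnerable*)
            # Covers plain "Vulnerable" (mitigation switched off) and
            # "Vulnerable: Clear CPU buffers attempted, no microcode", where the
            # kernel wants to flush buffers but the CPU lacks the new microcode.
            echo unpatched ;;
        Mitigation:*)
            case "$mds" in
                *"SMT vulnerable"*|*"SMT Host state unknown"*)
                    # Buffers are cleared on privilege transitions, but a sibling
                    # hyperthread can still sample in-flight data; in a guest the
                    # host's SMT policy is simply not visible, so treat as exposed.
                    echo smt-exposed ;;
                *"SMT disabled"*|*"SMT mitigated"*)
                    echo mitigated ;;
                *)
                    # No SMT clause in the status line: fall back to the SMT knob.
                    case "$smt" in
                        off|forceoff|notsupported|notimplemented) echo mitigated ;;
                        on) echo smt-exposed ;;
                        *) echo unknown ;;
                    esac ;;
            esac ;;
        *)
            echo unknown ;;
    esac
}

# microcode_rev CPUINFO_TEXT: first "microcode : 0x.." value in /proc/cpuinfo
# text (the real file uses a tab before the colon; [[:space:]] covers both).
microcode_rev() {
    printf '%s\n' "$1" | sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# recommend VERDICT: the remediation matching the experts' advice above.
recommend() {
    case "$1" in
        not-affected) echo "No MDS action needed." ;;
        unpatched)    echo "Install the OEM firmware/microcode update and the OS patch." ;;
        smt-exposed)  echo "Disable Hyper-Threading (nosmt) or stop sharing cores with untrusted code." ;;
        mitigated)    echo "Mitigated; keep firmware and OS current." ;;
        *)            echo "Status unknown; check kernel version and vendor guidance." ;;
    esac
}

# host_report: read the live files when present (Linux only), else report unknown.
host_report() {
    mds=unknown; smt=unknown; ucode=unknown
    [ -r "$MDS_FILE" ] && mds=$(cat "$MDS_FILE")
    [ -r "$SMT_FILE" ] && smt=$(cat "$SMT_FILE")
    [ -r /proc/cpuinfo ] && ucode=$(microcode_rev "$(cat /proc/cpuinfo)")
    v=$(mds_verdict "$mds" "$smt")
    printf 'mds: %s\nsmt: %s\nmicrocode: %s\nverdict: %s\naction: %s\n' \
        "$mds" "$smt" "$ucode" "$v" "$(recommend "$v")"
}

# Constructed /proc/cpuinfo excerpt (not from a real machine) for a stand-alone run.
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
model name      : Intel(R) Core(TM) CPU (constructed sample)
microcode       : 0xb4
processor       : 1
microcode       : 0xb4'

printf 'sample microcode revision: %s\n' "$(microcode_rev "$SAMPLE_CPUINFO")"
host_report
```

The sysfs files are world-readable, so no root is needed. Note the `SMT Host state unknown` case: inside a virtual machine the guest cannot tell whether the hypervisor schedules another tenant on the sibling hyperthread, which is precisely the co-hosted scenario Haas warns about, so the script deliberately treats it as exposed rather than mitigated.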
