Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings
Credit to Author: Andy Greenberg | Date: Tue, 12 Nov 2019 17:59:52 +0000
Speculative execution attacks still haunt Intel, long after researchers told the company what to fix.
Over the past two years, attacks like Spectre, Meltdown, and variants on those techniques—all capable of tricking a broad range of processors into coughing up sensitive data—have shown how hard it can be to secure a chip. But it's one thing for a company like Intel to scramble to fix a vulnerability, and a very different one when it fails to act on one of those flaws for more than a year.
Today researchers at Vrije Universiteit in Amsterdam, KU Leuven in Belgium, the German Helmholtz Center for Information Security, and the Graz University of Technology in Austria revealed new versions of a hacking technique that takes advantage of a deep-seated vulnerability in Intel chips. They're spins on something known as ZombieLoad or RIDL, an acronym for Rogue In-Flight Data Load; Intel refers to it instead as microarchitectural data sampling, or MDS. Like the Spectre and Meltdown vulnerabilities—which some of the same Graz researchers were involved in uncovering in early 2018—the new MDS variants represent flaws that could allow any hacker who manages to run code on a target computer to force its processor to leak sensitive data. The scenarios for that attack could include anything from a website's JavaScript running in a victim's browser to a virtual machine running on a cloud server, which could then target a virtual machine on the same physical computer.
But in this case, the researchers are pointing to a more serious failing on Intel's part than just another bug. While they warned Intel of these newly revealed MDS variants as early as September 2018, the chip giant has nonetheless neglected to fix the flaws in the nearly 14 months since. And while Intel announced today that it has newly patched dozens of flaws, the researchers say and the company itself admits that those fixes still don't fully protect against the MDS attacks.
Intel had initially fixed some of its MDS vulnerabilities in May. But researchers at Vrije Universiteit say they warned Intel at the time that those efforts were incomplete. At Intel's request, they've kept their silence until now, for fear of enabling hackers to take advantage of the unpatched flaw before the company finally fixed it. "The mitigation they released in May, we knew it could be bypassed. It wasn’t effective," says Kaveh Razavi, one of the researchers in Vrije Universiteit's VUSec group. "They missed completely a variant of our attack—the most dangerous one."
In fact, the VUSec researchers say that in the time since they first disclosed the vulnerability to Intel, they've managed to hone it into a technique capable of stealing sensitive data in seconds rather than the hours or days they previously believed necessary.
The MDS attacks that VUSec and TU Graz originally published in May—along with a supergroup of other researchers at the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, as well as security firms Cyberus, BitDefender, Qihoo360, and Oracle—take advantage of a strange quirk of Intel's processors to allow users who can run code on a victim processor to potentially steal sensitive data from other parts of the computer that they shouldn't have access to. Intel chips in some cases execute a command or access a part of a computer's memory "speculatively," guessing at what a program will want before it even asks for it as a time-saving measure. But in some cases that speculative execution results in accessing an invalid location in memory—one that causes the speculative process to abort. When that happens, the processor instead grabs arbitrary data from buffers, parts of the chip that serve as the "pipes" between different components, like the processor and its cache.
The researchers showed in May that they could both manipulate those buffers to contain sensitive data like cryptographic keys or passwords, and also cause aborted speculative memory accesses. As a result, their MDS attack could leak that sensitive info from the chip's buffers to an attacker.
For its fix, Intel opted against stopping its processors from grabbing arbitrary data out of buffers when an invalid memory access took place. Instead, it updated the microcode in its chips to prevent the specific situations that allow that data to leak. But in doing so, the researchers say, Intel missed a few variants. One technique, called TSX asynchronous abort, or TAA, tricks a processor into using a feature called TSX that's designed to fall back to a kind of "savepoint" in memory if it conflicts with another process. An attacker can then trigger that conflict to force a leak of sensitive data from the chip's buffers, just as in the earlier MDS attacks.
That TAA variant of the MDS attack turns out to be particularly serious. Intel sought to downplay the MDS flaws back in May, in part because it was then thought that a successful attack would take days to execute. But VUSec researcher Jonas Theis found a way to use TAA to trick a target machine into revealing a hash of an administrator's password in as little as 30 seconds, as shown in the video below.
A hacker would still have to crack that hash to produce a usable password. But it nonetheless represents a serious oversight by Intel. "Intel said this class of MDS attacks is very difficult to exploit," says VUSec's Cristiano Giuffrida. "So we thought, OK, let’s use the most effective variant to demonstrate that you can do this efficiently."
Intel and the researchers working on its MDS vulnerabilities have butted heads from their first interactions. Intel offers a "bug bounty" of as much as $100,000 for hackers who report vulnerabilities in its products. When the VUSec researchers warned Intel of the MDS attacks in September 2018, Intel offered them only $40,000, and then suggested a "gift" of $80,000—a maneuver the researchers refused, arguing that Intel was seeking to make the bug they'd discovered look less severe. Intel eventually paid them the full $100,000 bounty.
The VUSec team also warned Intel in May that its fix at the time was incomplete. Not only had Intel missed the TAA attack, but another part of the fix, which cleared buffers of sensitive data, could also be bypassed. The researchers at TU Graz say that they warned Intel about both problems ahead of the May release as well. "They make the attack harder, but they don’t prevent it," says Michael Schwarz, one of the TU Graz researchers.
Even now, the researchers say that they're still not entirely sure that the sweeping microcode update Intel is releasing today deals with those long-lingering issues. The VUSec team says that the company has now prevented sensitive data from leaking out of some of its buffer components, but not all of them.
In a statement, Intel essentially confirmed that the fix remains incomplete. "We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface," the chipmaker wrote in a blog post Tuesday. "Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates. We continuously improve the techniques available to address such issues and appreciate the academic researchers who have partnered with Intel."
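For an administrator who wants to know where a Linux host stands on the MDS and TAA mitigations discussed above, the kernel exposes its own assessment under /sys/devices/system/cpu/vulnerabilities/. The following script is an added example, not code from the article or from the research teams; it reads the `mds` and `tsx_async_abort` entries (assumed to be present on kernels that ship the TAA mitigation) and classifies them, falling back to constructed sample contents when run off-box. The exact status wording the kernel uses is an assumption taken from the common forms of those files.

```python
from pathlib import Path

# Linux sysfs directory where the kernel reports its view of CPU vulnerabilities.
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ENTRIES = ("mds", "tsx_async_abort")

# Constructed sample contents, standing in for a real host that has the May
# buffer-clearing microcode but still has TSX enabled (so TAA remains open).
SAMPLE = {
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "tsx_async_abort": "Vulnerable\n",
}


def read_status(name, contents=None):
    """Return the one-line status for an entry, or None if the file is absent."""
    if contents is not None:
        return contents.strip()
    try:
        return (VULN_DIR / name).read_text().strip()
    except OSError:
        return None


def classify(status):
    """Map a kernel status line to a coarse level plus the raw text.

    Levels: ok, partial (mitigated but a sibling hyperthread can still sample
    the buffers), vulnerable, unknown (no entry: old kernel or non-Linux).
    Note this is the kernel's opinion only; the article reports that even the
    buffer-clearing mitigation could be bypassed by the researchers' variants.
    """
    if status is None:
        return ("unknown", "no sysfs entry")
    if status.startswith("Not affected"):
        return ("ok", status)
    if status.startswith("Mitigation:"):
        if "SMT vulnerable" in status:
            return ("partial", status)
        return ("ok", status)
    return ("vulnerable", status)


def report(sample=None):
    """Classify every entry; pass a dict of file contents to run off-box."""
    return {
        name: classify(read_status(name, sample.get(name) if sample else None))
        for name in ENTRIES
    }


if __name__ == "__main__":
    for name, (level, text) in report(SAMPLE).items():
        print(f"{name:17} {level:10} {text}")
```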
When the VUSec researchers told Intel about those problems in its patch, they say Intel yet again asked them to delay revealing them. This time, the researchers have refused.
"We know this stuff is difficult, but we’re extremely disappointed with Intel," says Giuffrida. "Our complaint with the entire process is the lack of security engineering that we see. Our impression is that they look at one variant at a time, but they’re not able to address the root cause."
After two years of one variant of microarchitectural attack after another plaguing Intel's silicon, that's a strong suggestion there will still be more to come.