Intel Is Patching the Patch for the Patch for Its ‘Zombieload’ Flaw

Credit to Author: Andy Greenberg| Date: Mon, 27 Jan 2020 18:00:00 +0000

Intel's made two attempts to fix the microprocessor vulnerability it was warned about 18 months ago. Third time’s the charm?

Over the last two years, security researchers have dug up one technique after another that lets a hacker trick Intel's microprocessors into spilling a computer's deepest secrets. As those flaws have been exposed, chipmakers have scrambled to patch them. But for one serious form of those attacks it turns out that Intel still hasn't successfully patched the underlying problem despite 18 months of warnings—and not one but two failed attempts to do so.

On Monday, Intel announced that it will issue yet another update to its processors designed to solve a problem it calls "microarchitectural data sampling," or MDS. Different teams of researchers who independently discovered the issue call it RIDL or Zombieload, and warned Intel about the problem as early as June of 2018. The new update, which Intel says will be made available "in the coming weeks," is intended to fix two methods to exploit Intel chips via MDS, which have remained possible even after Intel released MDS patches in May of 2019 and then again last November. Some of the researchers first warned Intel about the more serious of the two flaws that it's trying to fix now in a paper shared with Intel fully a year ago. Other researchers even shared proof-of-concept code with the company last May.

"Security engineering at Intel (or rather lack thereof) is still business as usual," writes Cristiano Giuffrida, one of the researchers at Vrije Universiteit in Amsterdam who first discovered the MDS attacks, in an email to WIRED. "These issues aren't trivial to fix. But after eighteen months, they're still waiting for researchers to put together proofs-of-concept of every small variation of the attack for them? It’s amazing. We don’t know the inner workings of Intel's team. But it’s not a good look from the outside."

"Researchers find these things without even trying very hard. And it probably means that other adversaries will find them, too."

Herbert Bos, Vrije Universiteit]

A supergroup of researchers from nearly a dozen universities and security firms brought the MDS attack to light last May after warning Intel nearly a year earlier and holding their findings in secret at Intel's request. Like the notorious Spectre and Meltdown attacks that surfaced in early 2018, it takes advantage of a feature of Intel's processors known as speculative execution.

As a time-saving measure, Intel processors sometimes execute a command or access a part of a computer's memory "speculatively," guessing at what a program will want before it even asks. When that speculative execution accesses an invalid location in memory, the process aborts. In that event, the processor is designed to access arbitrary data from buffers, parts of the chip that serve as the "pipes" between different components, such as its processor and cache. The researchers who discovered MDS showed last year that a hacker could use that trick to obtain information that should be protected—anything from sensitive user data and passwords to decryption keys.

Intel first attempted to patch the MDS flaw by adding a safeguard to the chips' microcode that wipes all sensitive data from the chip's buffers when it switches from one process to another that has different security privileges. But despite that May 2019 update—and then another one for a variant of the attack not covered in Intel's initial patch, despite the researchers' warning about it a year earlier—two other variations on MDS attacks remain possible even now. "When the processor goes from one security context to another, it wipes the buffer, overwriting it, so the buffer is 'clean' with nothing in it," says University of Michigan researcher Stephan van Schaik, a member of the team that worked on the new MDS attack variants as well as the original discovery of the vulnerability. "The only challenge is to get something interesting in it. There are ways to put information back in the buffer despite the overwriting."

The most practical still-viable trick targets a component called the L1 cache, using what the researchers call "L1 data eviction sampling," or L1DES. (The Michigan researchers gave the technique a catchier name: CacheOut.) The researchers found—and the team at TU Graz in Austria first demonstrated in code sent to Intel last year—that with certain techniques, they could cause a processor to write information to that L1 cache, filling it up so certain data is "evicted" into a buffer called the line-fill buffer to make space, leaving it vulnerable. In a separate technique, they could cause the processor to read certain sensitive information that's missing from the L1 cache, which also loads it into the leaky line-fill buffer. In either instance, the researchers can then use the same MDS techniques they previously exposed to steal the data.

The L1DES attack does have significant limitations compared to the earlier MDS techniques. Michigan's researchers say it only works on Intel chips sold before the fourth quarter of 2018, and can't attack a target computer via its web browser like some earlier MDS variants. It also doesn't affect cloud computing setups if the chips underlying those cloud servers received an update to an earlier Intel flaw known as Foreshadow. But L1DES can still allow malware that's gained low privileges on a target machine to access more sensitive, highly privileged parts of a computer, including Intel's Secure Guard Extensions, the Michigan researchers say.

The security advisory Intel released today gives the L1DES attack a severity rating of 6.5 out of 10. But the University of Michigan's Daniel Genkin points out that Intel gave similarly low scores to other serious vulnerabilities in recent years, including Meltdown and Spectre.

More broadly, Genkin characterizes Intel's response to the MDS variants as piecemeal and incomplete. Rather than try to seek out the source of flaws, they only patch when researchers prove each individual variant. "As long as they’re trying to do symptomatic fixes, stuff like this will keep happening," Genkin says.

In a statement to WIRED responding to researchers' criticisms, an Intel spokesperson wrote that "Intel makes every effort to validate PoCs as quickly as possible when we receive them." The statement added that, "we work with all the necessary parties and develop well-tested patches that work across the diverse computing environments."

But the fact that Intel has left variants of MDS unpatched for more than 18 months, in fact, raises the question of whether sophisticated hackers may have already used them on real targets, says Vrije Universiteit researcher Herbert Bos. Intel noted in a blog post about its latest MDS patch that "to date, we are not aware of any use of these issues outside of a controlled lab environment." But Bos points out that the technique leaves no trace that would make in-the-wild attacks detectable. "Researchers find these things without even trying very hard. And it probably means that other adversaries will find them, too," says Bos. "If you have a powerful group of hackers associated with an intelligence agency, they're not going to say 'here’s one proof-of-concept, now I’m going to stop looking.'"

Just as troubling, argues Vrije Universiteit's Giuffrida, is the fact that Intel doesn't seem to be taking proactive steps to find new vulnerabilities or variants of existing ones on its own. "If Intel isn’t looking and is making no effort," Giuffrida asks, "who knows how many vulnerabilities are left?"

https://www.wired.com/category/security/feed/