Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings

Over the past two years, attacks like Spectre, Meltdown, and variants on those techniques—all capable of tricking a broad range of processors into coughing up sensitive data—have shown how hard it can be to secure a chip. But it’s one thing for a company like Intel to scramble to fix a vulnerability, and a very different one when it fails to act on one of those flaws for more than a year.

Today researchers at Vrije Universiteit in Amsterdam, KU Leuven in Belgium, the German Helmholtz Center for Information Security, and the Graz University of Technology in Austria revealed new versions of a hacking technique that takes advantage of a deep-seated vulnerability in Intel chips. They’re spins on something known as ZombieLoad or RIDL, an acronym for Rogue In-Flight Data Load; Intel refers to it instead as microarchitectural data sampling, or MDS. Like the Spectre and Meltdown vulnerabilities—which some of the same Graz researchers were involved in uncovering in early 2018—the new MDS variants represent flaws that could allow any hacker who manages to run code on a target computer to force its processor to leak sensitive data. The scenarios for that attack could include anything from a website’s JavaScript running in a victim’s browser to a virtual machine running on a cloud server, which could then target a virtual machine on the same physical computer.

But in this case, the researchers are pointing to a more serious failing on Intel’s part than just another bug. While they warned Intel of these newly revealed MDS variants as early as September 2018, the chip giant has nonetheless neglected to fix the flaws in the nearly 14 months since. And while Intel announced today that it has newly patched dozens of flaws, the researchers say and the company itself admits that those fixes still don’t fully protect against the MDS attacks.

Not All the Fix Is In

Intel had initially fixed some of its MDS vulnerabilities in May. But researchers at Vrije Universiteit say they warned Intel at the time that those efforts were incomplete. At Intel’s request, they’ve kept their silence until now, for fear of enabling hackers to take advantage of the unpatched flaw before the company finally fixed it. “The mitigation they released in May, we knew it could be bypassed. It wasn’t effective,” says Kaveh Razavi, one of the researchers in Vrije Universiteit’s VUSec group. “They missed completely a variant of our attack—the most dangerous one.”

In fact, the VUSec researchers say that in the time since they first disclosed the vulnerability to Intel, they’ve managed to hone it into a technique capable of stealing sensitive data in seconds rather than the hours or days they previously believed necessary.

The MDS attacks that VUSec and TU Graz originally published in May—along with a supergroup of other researchers at the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute, Saarland University in Germany, as well as security firms Cyberus, BitDefender, Qihoo360, and Oracle—take advantage of a quirk of Intel’s processors that lets anyone who can run code on a victim machine steal data from other parts of the system they should have no access to. Intel chips execute instructions and fetch memory “speculatively,” running ahead of knowing whether a given operation is actually needed or allowed, as a time-saving measure. In some cases a speculative load hits an address it cannot legitimately read, which means the load will fault and the speculative work will be thrown away. Before that happens, though, the processor can hand the faulting load stale data sitting in its internal buffers, the structures that stage data between components such as the execution core and its cache (the line fill buffers, store buffers, and load ports named in Intel’s MDS advisory). That data belongs to whatever code last passed through the buffer, which may be another process, the kernel, or a different virtual machine.

The researchers showed in May that they could steer sensitive data such as cryptographic keys or passwords into those buffers, trigger the faulting speculative loads, and recover the leaked bytes through a cache side channel before the fault discards them. As a result, their MDS attack could leak that sensitive information from the chip’s buffers to an attacker.
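As a practical check to go with the above (an added example, not code from the article or from the VUSec and TU Graz researchers): the Linux kernel reports its MDS status in sysfs, and the CPU advertises the md_clear microcode capability on which the May mitigation relies. The script assumes the file /sys/devices/system/cpu/vulnerabilities/mds and the md_clear flag as documented in the kernel’s admin-guide/hw-vuln/mds.rst; the sample status strings it is tested against are constructed from that documentation, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the article or from the research teams it cites:
# report what the Linux kernel says about MDS on this host.
# Assumptions: the sysfs file /sys/devices/system/cpu/vulnerabilities/mds and
# the "md_clear" CPU flag, both as documented in the kernel's
# Documentation/admin-guide/hw-vuln/mds.rst.

# Classify one status line in the form the kernel prints it.
# Prints: not-affected | mitigated | mitigated-smt-vulnerable | vulnerable | unknown
classify_mds_status() {
    case "$1" in
        "Not affected")                 echo not-affected ;;
        Mitigation:*"SMT vulnerable"*)  echo mitigated-smt-vulnerable ;;
        Mitigation:*)                   echo mitigated ;;
        Vulnerable*)                    echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Report whether a /proc/cpuinfo "flags" line advertises md_clear, the
# microcode capability that makes VERW flush the affected buffers.
# Prints yes or no.
has_md_clear() {
    case " $1 " in
        *" md_clear "*) echo yes ;;
        *)              echo no ;;
    esac
}

# Live check against the running host; degrades gracefully off Linux.
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/mds
    if [ -r "$f" ]; then
        s=$(cat "$f")
        printf 'mds status : %s\n' "$s"
        printf 'verdict    : %s\n' "$(classify_mds_status "$s")"
    else
        echo "mds status : sysfs entry absent (kernel without the MDS backport, or not Linux)"
    fi
    if [ -r /proc/cpuinfo ]; then
        flags=$(grep '^flags' /proc/cpuinfo | head -n 1)
        printf 'md_clear   : %s\n' "$(has_md_clear "$flags")"
    fi
}

check_host
```

A verdict of mitigated only means the kernel is issuing VERW to clear the buffers on microcode that advertises md_clear, which is the very mitigation the researchers quoted above say they could bypass; the sysfs entry describes what the kernel and microcode do, not whether the variants disclosed today are covered. SMT vulnerable means a sibling hyperthread can still observe the buffers; the kernel’s mds=full,nosmt boot option disables SMT as well.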
