New 'Spoiler' vulnerability in all Intel Core processors exposed by researchers

Posted:
in macOS
A function of Intel's processors dealing with speculative execution has another vulnerability that affects all Intel-based computers including Apple's Mac, researchers have revealed, with "Spoiler" potentially allowing an attacker the ability to view the layout of memory, and in turn potentially access sensitive data stored in those locations.




The speculative execution function of Intel's processors, used to increase the performance of a CPU by predicting paths an instruction will go through before the branch is completed, is a useful function but one that has caused Intel issues in the past. A new report from security researchers from Worcester Polytechnic Institute and the University of Lubeck published on March 1 indicates there's another issue that needs to be fixed.

Dubbed "Spoiler," the technique is able to determine how virtual and physical memory is related to each other, by measuring the timing of speculative load and store operations performed by the processor, reports The Register. By spotting discrepancies in the timing, it is possible for an attacker to determine the memory layout, and in turn know areas to attack.

"The root cause of the issue is that the memory operations execute speculatively and the processor resolves the dependency when the full physical address bits are available," researcher Daniel Moghimi advised to the report. "Physical address bits are security sensitive information and if they are available to user space, it elevates the user to perform other micro architectural attacks."

Speculative execution typically works by using a memory order buffer to track its operations, by copying data from a CPU register to main memory in the order it appears in code. Data can then be copied from the main memory to a register out of order, which potentially speeds up the overall speed of the operation if the speculative elements are right.

If they are wrong, the speculative elements are discarded and a normal non-speculative load of data is performed, allowing the instruction to be carried out, but without the performance boost.

The paper advises the main issue with Spoiler is Intel's performance of memory disambiguation, which tries to prevent computation on data loaded by an incorrect speculation attempt, with its timing behavior being the actual vulnerability.

By filling the store buffer with addresses using similar offsets but different virtual pages, then issuing a memory load with the same offset on a different memory page, the team measures the time of the load. After performing multiple loads across numerous virtual pages, the timing differences provide clues about the memory locations.

It is believed by the researchers the technique could make existing cache and "Rowhammer" attacks easier to perform, while at the same time enabling attacks using JavaScript to take seconds to complete, rather than weeks.

"There is no software mitigation that can completely erase this problem," according to the researchers. While the chip architecture could be fixed, it would considerably cut into the chip's performance.

Intel was advised about the vulnerability on December 1, 2018, and was disclosed to the public after a typical 90-day grace period. So far, Intel has not issued a CVE number for the problem, with Moghimi speculating the issue is not easily patchable with microcode in an efficient enough manner, and that a patch for the attack vector may take years to produce.

As it is an issue that affects all Intel Core processors from the first generation onwards to the most recent releases, regardless of operating system, it is almost certain that all Macs are susceptible to attacks that take advantage of the vulnerability. It is unclear if Apple has specifically responded to the issue due to it potentially affecting its macOS-running products.

The researchers note that ARM and AMD processor cores do not exhibit the same behavior, which means iPhones and iPads are safe from such attacks.

The speculative execution function was core to the Spectre vulnerabilities found in January 2018, which affected Intel processors as well as ARM-based versions, including both macOS and iOS devices, something which Apple quickly released mitigations to defend against. While similar in this regard, Spoiler functions quite differently from Spectre, and is a completely separate vulnerability.

"We expect that software can be protected against such issues by employing side channel safe development practices," said Intel regarding Rowhammer-style attacks. "Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."

Comments

  • Reply 1 of 7
    Rowhammer is scarier than Spectre. A budget the size of one Space Shuttle might be able to get Rowhammer to work. Maybe someone has had it working for ten years already, and in 50 years we'll get to watch a documentary movie about it just like we now watch about the Engima breakers. 
    bakedbananas
  • Reply 2 of 7
    Please remove the paragraph starting "Speculative execution typically works by using a memory order buffer". And maybe edit down some of the stuff after that. It's barely better than word salad, and to the extent you can derive meaning from it, it's wrong.
    prismatics
  • Reply 3 of 7
    Rowhammer is scarier than Spectre. A budget the size of one Space Shuttle might be able to get Rowhammer to work. Maybe someone has had it working for ten years already, and in 50 years we'll get to watch a documentary movie about it just like we now watch about the Engima breakers. 
    It already works. And this paper makes it a lot easier, in practice.
    elijahgprismatics
  • Reply 4 of 7
    lkrupplkrupp Posts: 6,806member
    Rowhammer is scarier than Spectre. A budget the size of one Space Shuttle might be able to get Rowhammer to work. Maybe someone has had it working for ten years already, and in 50 years we'll get to watch a documentary movie about it just like we now watch about the Engima breakers. 
    It already works. And this paper makes it a lot easier, in practice.
    Nice fear mongering. So when do YOU plan on dumping all your Mac gear and moving to an AMD based PC? And if you're not going to dump your Apple gear please tell us why. 
    elijahgmwhitebakedbananas
  • Reply 5 of 7
    lorin schultzlorin schultz Posts: 2,641member
    lkrupp said:
    Nice fear mongering.
    Is it fear mongering if the statement is true? Where is the line between fear mongering and just warning?

    lkrupp said:
    So when do YOU plan on dumping all your Mac gear and moving to an AMD based PC? And if you're not going to dump your Apple gear please tell us why. 
    I won't be dumping my Apple gear because things like this will never happen to me. They only happen to someone else. Like earthquakes, tornados, cancer, and car accidents.

    But seriously, like  earthquakes, tornados, cancer, and car accidents, there are prudent actions to reduce risk where possible and mitigate consequences where it's not. I don't know what those steps would be in this case as I'm not a hardware engineer, but by being aware of the issue, brighter minds than mine can begin working on them.
    bakedbananas
  • Reply 6 of 7
    lkrupp said:
    Rowhammer is scarier than Spectre. A budget the size of one Space Shuttle might be able to get Rowhammer to work. Maybe someone has had it working for ten years already, and in 50 years we'll get to watch a documentary movie about it just like we now watch about the Engima breakers. 
    It already works. And this paper makes it a lot easier, in practice.
    Nice fear mongering. So when do YOU plan on dumping all your Mac gear and moving to an AMD based PC? And if you're not going to dump your Apple gear please tell us why. 
    You are incredibly ignorant for someone who posts with such authority.

    Rowhammer is not dependent on processor architecture. It's a DRAM architectural issue, and as such can be present in any system using DDR3 or DDR4 or variants. That means pretty much every system being made today, aside from a few obsolete long-lifetime industrial gizmos.

    There are a number of modifications that can be made to DRAM to mitigate the rowhammer issue. They mostly consist of monitoring row accesses and doing an early row refresh if access count goes high enough between normal refreshes to make a bitflip possible. More basic mitigations include simply increasing refresh frequency, though that strategy is not viable as a complete protection since refresh frequency would have to go up by almost an order of magnitude, significantly decreasing memory subsystem performance.

    The biggest problem I see here is that this attack finally makes double-sided rowhammer a viable attack for unprivileged users with no visibility into the VM system. That substantially changes the math with respect to the effectiveness of mitigations. I don't know if currently available DRAM can withstand double-sided attacks- I haven't looked at this in a while. Even if it can, it may be that most large deployments are not configured to withstand attacks right now. I don't know, but I expect we'll be hearing about this soon enough.

    I just took a quick look at wikipedia. Their rowhammer article is pretty good, in that it will educate you on the basics of the attack and the relevant parts of how DRAM works. You should read it before posting anything else.
  • Reply 7 of 7
    It makes more and more sense for Apple to launch its own RISC CPU to equip Macs, Intel x86_64 is falling apart.
Sign In or Register to comment.