Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flaws

Intel on Tuesday plans to release a set of processor microcode fixes, in conjunction with operating system and hypervisor patches from vendors like Microsoft and those distributing Linux and BSD code, to address a novel set of side-channel attacks that allow microarchitecture data sampling (MDS).

These side-channel holes can be potentially exploited by malicious software or rogue users already on a vulnerable machine to extract information, such as passwords and other secrets, from memory it is not allowed to touch. Browser histories can be sniffed, virtual machines snooped on, disk encryption keys stolen, and so on.

MDS provides a way to expose sensitive data held in a processor's internal structures, such as its store buffers, fill buffers, and load buffers. The various MDS techniques, developed by some of the same boffins who revealed the Spectre and Meltdown flaws last year, provide a link between memory side-channel attacks and the transient execution attacks exemplified by Meltdown.

Intel's patch dump coincides with the expected release of research papers by computer scientists – summarized at cpu.fail and zombieloadattack.com – detailing how the vulnerabilities arise from speculative execution – a shortcut taken by modern processors to execute software instructions before they're needed that has opened new avenues of attack. The vulnerabilities appear to be limited to Intel hardware; the researchers say they were unable to replicate any of their attack primitives on Arm or AMD-designed processors.

Chipzilla maintains the vulnerabilities being disclosed today are difficult to exploit outside of a laboratory environment.

MDS describes a way to sample snippets of data as opposed to grabbing it all at once; it's more like eavesdropping on privileged communications than cracking a safe. As a result, it's not easy to target specific data or differentiate valuable information from background noise.

To make such attacks more efficient, an attacker might seek to have a targeted app running on the same physical core on an adjacent thread from the malware in order to run load and flush operations repeatedly.

The chipmaker has classified three of the relevant CVEs as medium severity and the fourth as low severity, a numerical range that spans from 6.5 to 3.8. The company contends its recent model chips have hardware mitigations for MDS in place.

"MDS is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable Processor Family," an Intel spokesperson told The Register in an emailed statement.

"For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today."

Spectre/Meltdown redux?

The researchers who identified the flaws argue that hardware fixes for the Meltdown vulnerability implemented in Whiskey Lake and Coffee Lake CPUs are not enough and that software-based isolation of user and kernel space – which comes with a performance hit – needs to be enabled even on current processors.

Intel insists that recent steppings of its Whiskey Lake and Coffee Lake CPUs make all the necessary changes to its current chipsets. However, the company acknowledges there may be a performance hit due to the microcode fixes in some circumstances for some workloads.

Chipzilla is expected to provide benchmark figures with its disclosure, but based on a discussion with Intel personnel, The Register understands that the microcode mitigations may cut chip performance in the WebXPRT 3 benchmark by about 3 per cent and in the Fio benchmark by 8 to 9 per cent.

So in short, the latest Whiskey Lake and Coffee Lake CPUs have mitigations built in; earlier processors will need to install microcode fixes. Operating systems and hypervisors need to be updated to work with the microcode updates to ensure they function properly; these patches are rolling out today from Microsoft, Apple, Google, Linux distributions, and others.

The following flaws, which as we stressed above depend on local code execution, are slated to be addressed:

• Microarchitectural Store Buffer Data Sampling (MSBDS)
  CVE-2018-12126
• Microarchitectural Fill Buffer Data Sampling (MFBDS)
  CVE-2018-12130
• Microarchitectural Load Port Data Sampling (MLPDS)
  CVE-2018-12127
• Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  CVE-2019-11091

The vulnerabilities are described in two papers: Store-to-Leak Forwarding: Leaking Data on Meltdown-resistant CPUs, by Graz University of Technology researchers Michael Schwarz, Claudio Canella, Lukas Giner, and Daniel Gruss; and ZombieLoad: Cross-Privilege-Boundary Data Sampling, by Michael Schwarz, Moritz Lipp and Daniel Gruss from Graz University of Technology, Daniel Moghimi from Worcester Polytechnic Institute, Julian Stecklina and Thomas Prescher from Cyberus Technology, and Jo Van Bulck from KU Leuven.

We got there first, says Chipzilla

According to Intel, this research touches on techniques first identified internally by its eggheads Ke Sun, Henrique Kawakami, Kekai Hu and Rodrigo Branco and reported independently by academic researchers. The biz has published a deep-dive into the issue, which is aimed at developers.

In an email to The Register, Daniel Gruss said: "We reported LFB [line fill buffer] leakage to Intel in March 2018, they acknowledged it, and we continued to explore it. We found the store-to-leak attack and reported it in January 2019, then we continued and found the ZombieLoad attack and reported it to Intel in April 2019."

While Intel sponsored the researchers at TU Graz and KU Leuven, it did not disclose its findings or work with the academics on the techniques being disclosed, according to Gruss.

The Store-to-Leak Forwarding paper describes the store buffer as a microarchitecture element that turns a stream of store operations into serialized data and masks the latency from writing the values to memory. It stores data asynchronously so the CPU can do out-of-order execution. The operations for reassembling everything in the right order make Meltdown-like unauthorized memory reads possible.

The researchers describe a technique called Data Bounce that can access supposedly inaccessible kernel addresses. "With Data Bounce we break KASLR (Kernel address space layout randomization), reveal the address space of Intel SGX enclaves, and even break ASLR (address space layout randomization) from JavaScript," the paper says.

Data Bounce is also invisible to the operating system; it doesn't involve a syscall and doesn't trigger an exception.

The paper also describes a technique called Fetch+Bounce for monitoring kernel activity through the store buffer and translation lookaside buffer (TLB). A third technique combines speculative execution with Fetch+Bounce to leak arbitrary data from memory.

"Speculative Fetch+Bounce is a novel way to exploit Spectre. Instead of using the cache as a covert channel in a Spectre attack, we leverage the TLB to encode the leaked data," the Store-to-Leak Forwarding paper explains. "The advantage of Speculative Fetch+Bounce over the original Spectre attack is that there is no requirement for shared memory between user and kernel space."

The second paper, ZombieLoad, exploits the logic of the processor's fill-buffer. It's a transient-execution attack that exposes the values of memory load operations on the physical CPU, without respecting process barriers or privilege levels.

The attack, the researchers say, steals secret and sensitive data from across user-space processes, CPU protection rings, virtual machines, and SGX enclaves. "We demonstrated the immense attack potential by monitoring browser behaviour, extracting AES keys, establishing cross-VM covert channels or recovering SGX sealing keys," the ZombieLoad paper explains. "Finally, we conclude that disabling hyperthreading is the only possible workaround to mitigate ZombieLoad on current processors."

According to Gruss, the boffins also discovered that the line-fill buffer can be used to bypass Foreshadow mitigations, though that's not detailed in either paper.

Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors. ®