Attacks such as Spectre, Meltdown, and these hacking variants over the past two years have shown the difficulty of protecting chips, which can trick various processors into sniffing out sensitive data. It’s one thing for chip lords like Intel to rush to fix vulnerabilities, but for more than a year they haven’t even been able to take action on any of them, it’s a big difference.
But in this case, the researchers point out, Intel is not just experiencing a small vulnerability, but could potentially harbour a huge crisis. Despite warnings to Intel in September 2018 about the newly discovered MDS variant, the chip giant seemed unimpressed and has not fixed the vulnerability for nearly 14 months. Although Intel recently announced that it had patched dozens of vulnerabilities, researchers say the fixes are still not fully protected against MDS attacks.
All bug fixes are not fully started
Intel fixed its MDS vulnerability in May. But researchers at Liberty University say they have previously warned that Intel’s vulnerability has not been fully fixed. At Intel’s request, they have been silent about preventing hackers from exploiting these vulnerabilities until they are successfully fixed. Kaveh Razavi, one of the researchers on the VUSec team at Liberty University, said: “Intel’s patch of vulnerabilities released in May has been cracked and is currently completely unprotected and has no effect on the most dangerous attack variants available. ”
In fact, VUSec researchers say, since the vulnerability was first disclosed to Intel, they have successfully turned it into a hacking technology capable of stealing sensitive data in seconds, rather than hours or days previously thought.
VUSec and Graz University of Technology, along with the University of Michigan, the University of Adelaide, the University of Leuven, Worcester Polytechnic, the University of Saarland and the security firms Cyberus, BitDefender, Qihoo360 and Oracle, first disclosed the MDS attack in May. The attack, they point out, takes advantage of a strange feature of Intel’s processors: allowing users to run code on the victim’s computer processor and obtain sensitive data that they had no access to, potentially stealing privacy. In some cases, Intel chips can “presumably” execute commands or access a portion of a computer’s memory, making autonomous predictions before the program makes an inquiry to the user, reducing the chip’s reaction time. In some cases, however, speculative execution may occur when accessing invalid locations in memory, which in turn leads to a speculative process stop. When this happens, the processor gets any data from the buffer. A buffer is part of a chip that acts as a “pipeline” between different components, such as processors and caches.
In May, researchers said that not only could the buffer be manipulated to obtain sensitive data, such as encryption keys or passwords, but could also cause speculative memory access to abort. Eventually, hackers could get sensitive information from the chip buffer through MDS attacks.
To fix this problem, Intel did not choose a solution that prevented its processor from getting arbitrary data from the buffer when invalid memory access occurred. Instead, Intel updated the microcodes in the chip to prevent specific situations that allow edrited data to leak. But the researchers say Intel’s approach is still not a way to defend against variants of some vulnerabilities. A hacker technique called TSX asoabort (TAA) can trick the processor into using a feature called TSX that falls back to some kind of “save point” in memory when it collides with another process. An attacker can then trigger the collision, forcing sensitive data to leak out of the chip buffer, similar to an earlier MDS attack.
The TAA variant of MDS attacks is extremely powerful. In May, Intel tried to play down the MDS vulnerability, in part because technicians thought a successful attack would take at least a few days. But VUSec researcher Jonas Theis has discovered a way to use TAA to trick the target computer by getting an administrator hash password in as little as 30 seconds.
Hackers still have to crack hashtos to get a available password. “But it still means that Intel has to be strictly monitored,” said Cristiano Giuffrida, a researcher at VUSec. Intel says such MDS attacks are hard to exploit, but we can counter this with the most powerful vulnerability variants. ”
Intel and researchers working on MDS vulnerabilities ran into trouble in their first collaboration. Intel offers up to $100,000 in “vulnerability bounties” to hackers who report vulnerabilities in their products. When VUSec researchers alerted Intel about the MDS attack in September 2018, Intel offered them only $40,000 and then offered a “gift” worth $80,000, which the researchers rejected, and they believed Intel was trying to soften the severity of the error. In the end, Intel paid them a full $100,000 bounty.
In May, the VUSec team again warned Intel that the patch fixes made by the company were still defective. Not only does Intel release patches that are not protected against TAA attacks, but patches that clear sensitive data from buffers can be easily circumvented. Researchers at Graz University of Technology say they have warned Intel about both issues as early as May. “The fixes they released make it difficult, but they don’t effectively prevent them,” said michael Schwarz, a researcher. ”
So far, researchers say they are still not entirely sure whether Intel’s recent full-scale microcode updates will fully address those long-standing problems. The VUSec team says Intel is now able to prevent some buffer components from getting sensitive data, but not all of it.
Intel acknowledged in a statement that the fix was indeed not complete. “We believe that the defenses of TAA and MDS will significantly reduce potential attacks,” the chipmaker said in a blog post on Tuesday. However, shortly before the vulnerability was disclosed, we confirmed that it was still possible to use these techniques to steal some data through the left side door, a vulnerability that will be addressed in subsequent microcode updates. We continue to improve the technologies available to address these issues and thank the academic researchers who work with Intel. ”
When VUSec researchers told Intel about the problems in the patch, the company again asked them to delay disclosing them. But this time, the researchers rejected the request.
“We know it’s a very difficult issue, but we’re very disappointed with Intel,” Giuffrida said. Our complaint about the whole process is that the so-called security works are not actually reliable. We think their fix patch can only target one vulnerability variant at a time, but it doesn’t have the effect of cutting the root. ”
Two years after the micro-system variant attack, Intel’s silicon chips have taken another hit. This is a powerful suggestion that Intel may face more similar challenges in the future.