Intel CPUs are vulnerable to new "LVI" attack that breaks the secure enclave of the CPU

nanoguy

Posts: 657   +11
Staff member

To put things in context, 2018 was the year when the infamous Meltdown and Spectre attacks were disclosed to the public. Meltdown allows hackers to access memory that should theoretically be inaccessible, while Spectre makes it easy to alter branch prediction structures in order to execute malicious code.

In a collaborative analysis made by Bitdefender and an academics team led by Jo Van Bulck, we get to see the complicated details of a new attack method that's potentially worse. It is called Load Value Injection (LVI), and it's part of a new class of attacks on Intel CPU's speculative execution.

This new method allows an attacker to take advantage of a feature present in most modern CPUs that can essentially achieve higher performance by guessing the future instructions that are likely to be thrown at it and preparing a set of results. Once the instructions are confirmed the wrong results are discarded.

Researchers were able to use LVI to do what is essentially Meltdown in reverse

LVI is something that an attacker can do to get your CPU to spit out the bits of data that should technically be securely stored through Intel's Software Guard Extensions (SGX). Pretty much any application that works with passwords, digital rights management, and encryption keys uses SGX to run code and keep data inside an isolated environment.

If your machine happens to have an OS or firmware vulnerability, SGX should normally compensate for that. Researchers were able to use LVI to do what is essentially Meltdown in reverse: they inject data to poison a hidden CPU buffer with custom data values that makes it easier to access data used by an app. From there, there's nothing stopping an attacker from gaining access to a higher-privileged process and achieving a broad impact on personal and work computers.

Bitdefender researchers explain that "this type of attack is particularly devastating in multi-tenant environments such as enterprise workstations or servers in the data center, where one less-privileged tenant would be able to leak sensitive information from a more privileged user or from a different virtualized environment on top of the hypervisor." Here it is in action:

The good news for you is that you probably shouldn't worry all that much, since this new attack method is more complex and a cloud environment would be a more suitable target. The list of affected processors includes an assortment of different models ranging from 4th-gen Xeons to 10th-gen Comet Lake Core CPUs. Interestingly, CPUs based on the Ice Lake architecture are not affected.

The bad news for enterprises is that they'll have to assess the risks and implement a number of software mitigations. Intel will supply microcode patches, but some organizations may also opt to disable features like hyper-threading in critical systems. Researchers also note that besides the expensive software patches needed, Intel's SGX enclave will run between 2 to 19 times slower as a result of the necessary mitigations.

For its part, Intel is downplaying the severity of LVI due to the sophistication level required to perform such an attack. The Bitdefender report seems to support that assessment, but Intel will still have to make improvements in its future silicon before malicious actors can come up with similar attacks that are more practical for real-world use.

In related news, AMD's CPUs have also been affected by a newly disclosed vulnerability that supposedly carries a similar severity level, though the company has heavily downplayed its importance.

Permalink to story.

 
  • Like
Reactions: CharmsD

CharmsD

Posts: 411   +255
Expect these hair-raising revelations to get worse before they get better. LVI - tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019.

This is not a trivial attack to execute against a target, as several prerequisites have to be met," Bitdefender director of threat research Bogdan Botezatu told BleepingComputer. "This is not an average, run-of-the-mill malware attack that one would use against home users for instance."

"This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure.

"Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."
 

JimboJoneson

Posts: 303   +498
Expect these hair-raising revelations to get worse before they get better. LVI - tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019.

This is not a trivial attack to execute against a target, as several prerequisites have to be met," Bitdefender director of threat research Bogdan Botezatu told BleepingComputer. "This is not an average, run-of-the-mill malware attack that one would use against home users for instance."

"This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure.

"Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."
The vast majority of all these new holes is of little concern to the average home user. But makes great fodder for certain styles of discussion, lol.

Data center patching is probably almost a full time job these days though ... ;)
 

Shadowboxer

Posts: 1,164   +767
So as usual the researchers that Intel have paid have been working hard to uncover another potential flaw so that Intel can protect against it and the comments section is filled with *****s who misunderstand the situation and take the opportunity to demonstrate that they both don’t understand and have a loyalty to a certain massive American corporation for some reason - AMD. You know the corporation who spends nothing on hunting out vulnerabilities in its silicon, potentially because it’s beneficial to ride the PR wave of no news in this area.

Replace Intel data centres with AMD data centres? Are you mad? Intel actually supports it’s enterprise customers after they have your money! The extra performance from AMD doesn’t make up for that. In fact I have never worked on a project that has less than 200% of the performance required anyway, it’s not an area that is in need!

AMD has the better silicon, Intel has the better support, security and features. Not to mention that they have been around for a lot longer and as a company are saying more consistent than AMD. Singular users should be lapping up AMD chips but not enterprise users.
 
  • Like
Reactions: JimboJoneson

Irata

Posts: 1,152   +1,822
TechSpot Elite
Let replace all Intel severs with AMD servers ... oh wait dont they have a similar vulnerability, yep. ?‍♂
I am sure that at least larger server operators have people who can evaluate the risks in depth. They will also consider that Intel‘s security enclave is broken and Epyc has hardware memory encryption with a minimal performance impact.

It seems that no solution offers 100% security against attacks but the quantity and quality of threats for each vendor will certainly be considered.

Just checked cvedetails.com - they list 247 vulnerabilities for Intel and 16 for AMD. Both include GPU related vulnerabilities but that is quite a difference.
 
Last edited:

quadibloc

Posts: 252   +145
As these vulnerabilities wouldn't need to be patched, and systems could run at full efficiency, as long as we could be sure there was no malicious code running on them, one would think that there would be some focus on making that possible. Direct all code coming from external untrusted sources to sandboxes running on 486-type cores that don't have problems like that, while code that needs performance, I.e., games and one's FORTRAN programs for number crunching, runs at full speed.
 

wiyosaya

Posts: 5,578   +3,763
IMO, Intel should rename SGX to Software Giveaway eXtentions. :laughing:

The vast majority of all these new holes is of little concern to the average home user. But makes great fodder for certain styles of discussion, lol.

Data center patching is probably almost a full time job these days though ... ;)
The thing is, the Bu-ray association _requires_ the use of SGX to play back UHD Blu-ray discs on PC. You can bet that those wanting to crack UHD Blu-ray encryption to break this draconian requirement of Intel only hardware for UHD Blu-ray playback will be all over this as it will be possible to recover the supposedly secure master keys for UHD Blu-ray playback, and thus, crack the encryption. If it did not require Intel hardware, I would likely already be playing back UHD Blu-ray on my PC. The Blu-ray Association is likely having fits about this because cracking AACS 2.1 is highly likely, if not certain, because of this, and I am sure there are actors out there that will crack it using this, or any of several other similar, and known, SGX exploits. The difference here is that those attempting to crack AACS 2.X will have access to the hardware since they will own it.
 

CaptainTom

Posts: 414   +220
"Interestingly, CPUs based on the Ice Lake architecture are not affected."

Duh. Those are 10nm. All of these security vulnerabilities are a result of Intel using the same architecture for so long that hackers have time to devise some insanely intricate methods of breaking security.
 
  • Like
Reactions: Charles Olson

JimboJoneson

Posts: 303   +498
So as usual the researchers that Intel have paid have been working hard to uncover another potential flaw so that Intel can protect against it and the comments section is filled with *****s who misunderstand the situation and take the opportunity to demonstrate that they both don’t understand and have a loyalty to a certain massive American corporation for some reason - AMD. You know the corporation who spends nothing on hunting out vulnerabilities in its silicon, potentially because it’s beneficial to ride the PR wave of no news in this area.

Replace Intel data centres with AMD data centres? Are you mad? Intel actually supports it’s enterprise customers after they have your money! The extra performance from AMD doesn’t make up for that. In fact I have never worked on a project that has less than 200% of the performance required anyway, it’s not an area that is in need!

AMD has the better silicon, Intel has the better support, security and features. Not to mention that they have been around for a lot longer and as a company are saying more consistent than AMD. Singular users should be lapping up AMD chips but not enterprise users.
There's some sense in all that you wrote there, but this is about the 17th argument I've seen saying that no one needs powerful CPUs anymore. This strange phenomenon has been happening ever since Zen2 and Epyc Rome launched. :p

I think it might be true that people who buy Intel, don't need powerful CPUs as the sentiment in the quoted post indicates - this might be true -- that is why they are ok to still buy Intel ... and that is why AMD has all the enthusiast and supercomputer wins ... ?

Makes some sense?

I mean if you need servers to run simulations, do any sort of rendering, heavy financial calculations and such, you are certainly going to gladly except a $7000 rome CPU, that outperforms a $30,000 solution from the competitor.

But if we just need a standard file/web server/general use or whatever, and are used to using Intel and are ok paying it, the performance is "good enough", plus you get extra support if you need it, or whatever, then that makes sense to just keep with the status quo. Which many datcenters are still doing, which you pointed out.

But the costs? Well Intel has recently shifted some of its server pricing in response to their lack of competitive performance, so that helps.
 
Last edited:

JimboJoneson

Posts: 303   +498
IMO, Intel should rename SGX to Software Giveaway eXtentions. :laughing:


The thing is, the Bu-ray association _requires_ the use of SGX to play back UHD Blu-ray discs on PC. You can bet that those wanting to crack UHD Blu-ray encryption to break this draconian requirement of Intel only hardware for UHD Blu-ray playback will be all over this as it will be possible to recover the supposedly secure master keys for UHD Blu-ray playback, and thus, crack the encryption. If it did not require Intel hardware, I would likely already be playing back UHD Blu-ray on my PC. The Blu-ray Association is likely having fits about this because cracking AACS 2.1 is highly likely, if not certain, because of this, and I am sure there are actors out there that will crack it using this, or any of several other similar, and known, SGX exploits. The difference here is that those attempting to crack AACS 2.X will have access to the hardware since they will own it.
Yeah that's totally different ... but an interesting proposition, for sure.
 
  • Like
Reactions: Charles Olson

JimboJoneson

Posts: 303   +498
There is still ARM.
Apparently amazon is having some success with the leftovers from AMDs short foray into attempting to build ARM servers. There's a "sort-of" review on Anandtech that is pretty interesting. Performance is better than I expected, but the platform still has a ways to go before its a proper Intel/AMD competitor.
 
  • Like
Reactions: Charles Olson

Shadowboxer

Posts: 1,164   +767
Il make the argument through and through. I am a systems engineer and am involved in providing new data centre solutions all the time. I have never seen a project limited by performance. In fact the only solution I have seen limited by performance recently was built back in 2004 running on single core Xeon and was well out of support.

Companies typically spend more on the support contract for the first year than they do on the hardware solution itself. It would be very unusual for a company to not be able to afford more silicon yet can afford the syssup for it.

AMDs silicon is no doubt superior but the product that companies actually pay the most for - the support is where AMD Solutions are lacking.

I am sure however that 3rd party vendors will start offering AMD solutions as soon as they can build up a big enough customer base to make it worth spending the money on a syssup team for it. But this is something that takes years. AMD need to show they can be consistent to obtain consumer confidence here. By contrast Intel syssup teams have been around for years!