Two new Intel CPU flaws make it easy for hackers to extract sensitive data

nanoguy

Staff member
A hot potato: Just when you thought that Intel's largely undocumented CPU master controller didn't have any more flaws, two more have been revealed by security researchers at three universities. On a positive note, this time the issues are fixable and there's no evidence the new vulnerabilities have been exploited in the wild.

Security researchers revealed details about a new vulnerability in Intel processors that allows hackers to take advantage of the way multi-core architecture works to gain access to sensitive data on compromised systems. The findings were published by academics at the University of Michigan, the VU University of Amsterdam, and the University of Adelaide in Australia, who produced proofs of concept for two different attack methods dubbed SGAxe and CrossTalk.

The first appears to be an advanced version of the CacheOut attack revealed earlier this year, in which hackers could extract contents from the CPU's L1 cache. Researchers explain that SGAxe is a result of Intel's failed attempts at mitigating side-channel attacks against Software Guard Extensions (SGX), which is the dedicated area of a CPU that's supposed to ensure the integrity and confidentiality of code and data that is being processed.

By using a "transient execution attack," an attacker can essentially recover the cryptographic keys stored in SGX, which are then used to "decrypt the long term storage of the quoting enclave, obtaining the machine's EPID attestation keys." Attestation keys are used to protect the security of things such as financial transactions and DRM-protected content.

The second attack is of the Microarchitectural Data Sampling (MDS) variety and can be performed against data that is being processed by the CPU's Line Fill Buffer (LFB). The idea here is that by exploiting a "staging buffer" whose contents are accessible to all CPU cores, a hacker can use a specially crafted piece of software that runs on one core to compromise the private keys that guard the code and data of software running on a separate core.

The flaws affect several Intel CPUs released between 2015 and 2019, including some Xeon E3 (E5 and E7 have proven immune to the attacks). Intel said in its June security advisory that it's highly unlikely anyone would be able to perform these attacks outside of lab settings. The company will, however, release a microcode update as soon as possible and will also invalidate previously signed attestation keys.
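A defender's first question after reading the above is whether a given host has actually received the microcode fix. The following is an added example, not code from the article, from TechSpot or from the researchers: it reads the Linux kernel's per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities and flags the entries that are still unmitigated. The sample entries are constructed to mimic the kernel's reporting format rather than captured from a real host, and the mapping of CrossTalk to the kernel's `srbds` entry (and of MDS-class issues to `mds`) is the editor's assumption, not something the article states.

```python
"""Read the Linux kernel's per-vulnerability status files and flag the
entries that still need a microcode or configuration fix.

Added example, not code from the article or from the SGAxe/CrossTalk
researchers. Assumptions: the sysfs directory and the line formats below
are those used by the Linux kernel; the mapping of CrossTalk to the
kernel's "srbds" entry is the editor's own, not stated in the article.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample modelled on the kernel's reporting format, standing in
# for a host whose microcode has not yet been updated (not a real capture).
SAMPLE_ENTRIES = {
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "srbds": "Vulnerable: No microcode",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "meltdown": "Not affected",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, STIBP: conditional, RSB filling",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
}


def classify(line: str) -> str:
    """Map one status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    text = line.strip()
    # Some entries carry a subsystem prefix, e.g. "KVM: Mitigation: ...".
    if text.startswith("KVM:"):
        text = text[len("KVM:"):].strip()
    head = text.split(":", 1)[0].strip()
    if head == "Not affected":
        return "not_affected"
    if head == "Mitigation":
        return "mitigated"
    if head == "Vulnerable":
        return "vulnerable"
    # "Unknown: ..." (e.g. inside a VM) or any format we do not recognise.
    return "unknown"


def smt_exposed(line: str) -> bool:
    """True when the kernel notes that sibling hyperthreads can still leak."""
    return "SMT vulnerable" in line


def summarize(entries: dict) -> dict:
    """Return {name: {"state": ..., "smt_vulnerable": bool, "detail": line}}."""
    return {
        name: {
            "state": classify(line),
            "smt_vulnerable": smt_exposed(line),
            "detail": line.strip(),
        }
        for name, line in entries.items()
    }


def needs_attention(entries: dict) -> list:
    """Sorted names of entries that are still vulnerable or whose state is unknown."""
    summary = summarize(entries)
    return sorted(n for n, info in summary.items() if info["state"] in ("vulnerable", "unknown"))


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the live host's entries; returns {} on hosts without the directory."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


def report(entries: dict) -> str:
    """One line per entry: name, state, SMT note and the kernel's own text."""
    lines = []
    for name, info in sorted(summarize(entries).items()):
        flag = " [SMT still exposed]" if info["smt_vulnerable"] else ""
        lines.append(f"{name:16} {info['state']:13}{flag}  {info['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()
    entries = live or SAMPLE_ENTRIES
    print("source:", "live sysfs" if live else "constructed sample")
    print(report(entries))
    print("needs attention:", ", ".join(needs_attention(entries)) or "none")
```

Run as root or as any user (the sysfs files are world-readable) on a Linux host; on a machine without that directory it falls back to the constructed sample so the output format can be seen. A "Vulnerable: No microcode" or "Clear CPU buffers attempted, no microcode" line after the vendor update has shipped means the firmware or distribution microcode package has not been applied, and "SMT vulnerable" means the fix alone does not protect against a sibling hyperthread.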


 
Yet another CPU flaw that will require yet another performance hit to fix properly. Itanium might just outperform x86-64 after all. [Also note: Itanium has been found immune to *all* these problems since it didn't need all those little performance-enhancing hacks to get performance.]
 
Perhaps Intel should rename SGX from Software Guard eXtensions to Software Giveaway eXtensions. ?

Now the Blu-ray association needs to get rid of SGX as a requirement for PC UHD Blu-ray playback. There is more than one exploit where SGX dumps privileged UHD BR keys.
 
People ought to note that there are no teams of researchers working to find vulnerabilities in AMD CPUs. Intel pays quite well if you can find a vulnerability, so groups are set up to try and find them. Not to mention that they also have by far the largest market presence on the planet; these researchers will be looking to test the most common CPUs.

These headlines are used by the media to bash Intel but really all that’s happened here is that an Intel vulnerability has been found and will be blocked. However, vulnerabilities on Ryzen chips will remain unknown. And believe me, it has vulnerabilities, every single CPU ever made has had dozens.

Of course, the not so bright members of the community genuinely think this is bad news for Intel. It’s good news, they discovered this hole before anyone with nasty intentions did.
 
People ought to note that there are no teams of researchers working to find vulnerabilities in AMD CPUs. Intel pays quite well if you can find a vulnerability, so groups are set up to try and find them. Not to mention that they also have by far the largest market presence on the planet; these researchers will be looking to test the most common CPUs.

These headlines are used by the media to bash Intel but really all that’s happened here is that an Intel vulnerability has been found and will be blocked. However, vulnerabilities on Ryzen chips will remain unknown. And believe me, it has vulnerabilities, every single CPU ever made has had dozens.

Of course, the not so bright members of the community genuinely think this is bad news for Intel. It’s good news, they discovered this hole before anyone with nasty intentions did.

What logic. The more vulnerabilities the safer you are!
 
Yet another CPU flaw that will require yet another performance hit to fix properly. Itanium might just outperform x86-64 after all. [Also note: Itanium has been found immune to *all* these problems since it didn't need all those little performance-enhancing hacks to get performance.]
Itanium was also immune to performing well, since VLIW architectures are hard to extract performance from :p. Apart from Intel ones, modern CPUs are resistant to most of these threats - though not all, of course. Most of side-channel and speculative execution vulnerabilities come from Intel-specific dirty performance hacks.
 
People ought to note that there are no teams of researchers working to find vulnerabilities in AMD CPUs. Intel pays quite well if you can find a vulnerability, so groups are set up to try and find them. Not to mention that they also have by far the largest market presence on the planet; these researchers will be looking to test the most common CPUs.

These headlines are used by the media to bash Intel but really all that’s happened here is that an Intel vulnerability has been found and will be blocked. However, vulnerabilities on Ryzen chips will remain unknown. And believe me, it has vulnerabilities, every single CPU ever made has had dozens.

Of course, the not so bright members of the community genuinely think this is bad news for Intel. It’s good news, they discovered this hole before anyone with nasty intentions did.
This is doubly untrue.

First, not all of these vulnerabilities target any Intel-specific microarchitecture elements nor are driven by Intel at all. Meltdown and Spectre, the ones that "started it all", weren't found nor incentivized by Intel - they were discovered independently by a couple of different researchers and teams BEFORE Intel even knew these threats existed, and then disclosed to not just Intel, but other CPU vendors as well. What's more, some of these attacks are generic enough that they affect AMD or even non-x86 CPUs (some variants of the aforementioned Spectre and Meltdown), some of them target generic x86 elements, but only in Intel's CPUs are these elements vulnerable (e.g. Foreshadow-NG targeting specific memory faults that can be triggered on any x86 arch, but are handled differently by Intel CPUs), and then some target Intel-specific mechanisms and buffers (all SGX attacks, CrossTalk described in this article). The fact that, even though a lot of work is vendor-agnostic, Intel is the only one vulnerable does not paint an optimistic picture for Chipzilla at all.

Second, there are of course AMD-specific attacks, e.g. attacks on Secure Encrypted Virtualization. These three are just a result of a quick Google lookup and they cite even more AMD-related research and attacks:
https://www.usenix.org/system/files/sec19-li-mengyuan_0.pdf
https://regmedia.co.uk/2019/07/10/amd.pdf
https://arxiv.org/pdf/1908.11680.pdf
 
This is doubly untrue.

First, not all of these vulnerabilities target any Intel-specific microarchitecture elements nor are driven by Intel at all. Meltdown and Spectre, the ones that "started it all", weren't found nor incentivized by Intel - they were discovered independently by a couple of different researchers and teams BEFORE Intel even knew these threats existed, and then disclosed to not just Intel, but other CPU vendors as well. What's more, some of these attacks are generic enough that they affect AMD or even non-x86 CPUs (some variants of the aforementioned Spectre and Meltdown), some of them target generic x86 elements, but only in Intel's CPUs are these elements vulnerable (e.g. Foreshadow-NG targeting specific memory faults that can be triggered on any x86 arch, but are handled differently by Intel CPUs), and then some target Intel-specific mechanisms and buffers (all SGX attacks, CrossTalk described in this article). The fact that, even though a lot of work is vendor-agnostic, Intel is the only one vulnerable does not paint an optimistic picture for Chipzilla at all.

Second, there are of course AMD-specific attacks, e.g. attacks on Secure Encrypted Virtualization. These three are just a result of a quick Google lookup and they cite even more AMD-related research and attacks:
https://www.usenix.org/system/files/sec19-li-mengyuan_0.pdf
https://regmedia.co.uk/2019/07/10/amd.pdf
https://arxiv.org/pdf/1908.11680.pdf
It is true, Intel didn’t discover it themselves but they pay out to people who discover flaws. They provide an incentive for people to do so.

I work in cyber security and can assure you that the industry rates Intel as far more secure than AMD as the vulnerabilities are known and managed.

I understand that misinformed people who like to see bad headlines against Intel think this is a bad thing for them. However, those people do not have all the facts. Anyone who believes these vulnerabilities being discovered is not a good thing for Intel is categorically uninformed.

Here inform yourself;

The community is severely lacking in knowledge on these issues because the tech press is taking advantage of people’s hatred for Intel. You have been failed by Techspot and other press for not giving you the whole picture.

It’s ok mate, every day is a learning experience. You’ll get there eventually ?.
 
It is true, Intel didn’t discover it themselves but they pay out to people who discover flaws. They provide an incentive for people to do so.
Yeah, they do, but, like I pointed out, the whole process started independent of that as a culmination of a couple of years' research into, if I recall correctly, cache-based side-channel attacks. And this doesn't change the fact that you straight up lied about the lack of AMD-targeting research.

I work in cyber security and can assure you that the industry rates Intel as far more secure than AMD as the vulnerabilities are known and managed.
Funny you should say that, because I work in cybersecurity, too, actually did OSINT gathering for a living when these vulns started popping out and, well, I'm not sure I could agree with that. There is some point in this view, because Intel has more sophisticated, mature management solutions and a proven track record in server and corporate space. AMD will get more heat from researchers in time, since they are clawing back market share. But the history of side-channel attack research so far does suggest that Intel's microarchitecture-level performance optimizations are less secure than AMD ones. It's hard to deny, since almost all of them are vendor-agnostic, yet most affect only Intel.

I understand that misinformed people who like to see bad headlines against Intel think this is a bad thing for them. However, those people do not have all the facts. Anyone who believes these vulnerabilities being discovered is not a good thing for Intel is categorically uninformed.

Here inform yourself;
First, it's no surprise that Chipzilla has a bug bounty covering a category of bugs that affect their CPUs a lot, but were only discovered over the past two years - that's no heroism, that's just common sense. They would be thrashed by the community if they didn't start paying attention to that after Spectre and Meltdown.

Second, this situation isn't that simple; anyone from cybersec should know that. It's a double-edged sword and you're missing this other edge. If you don't find many or any vulns, that could mean either there aren't many of them to find, or, more probably, that no one looked in the right place - this is kinda AMD's case right now. If you find A LOT of vulns, though, that means there are a lot of them for sure and most probably a lot more waiting to be found - and this is Intel's case. It's good that they are finding and fixing them, but it's bad that there are so many to find.

The community is severely lacking in knowledge on these issues because the tech press is taking advantage of people’s hatred for Intel. You have been failed by Techspot and other press for not giving you the whole picture.

It’s ok mate, every day is a learning experience. You’ll get there eventually ?.
Yeah, after a couple of years doing security research for a living I'd say I already got there, but I won't cry if you think otherwise.
 
Yeah, they do, but, like I pointed out, the whole process started independent of that as a culmination of a couple of years' research into, if I recall correctly, cache-based side-channel attacks. And this doesn't change the fact that you straight up lied about the lack of AMD-targeting research.


Funny you should say that, because I work in cybersecurity, too, actually did OSINT gathering for a living when these vulns started popping out and, well, I'm not sure I could agree with that. There is some point in this view, because Intel has more sophisticated, mature management solutions and a proven track record in server and corporate space. AMD will get more heat from researchers in time, since they are clawing back market share. But the history of side-channel attack research so far does suggest that Intel's microarchitecture-level performance optimizations are less secure than AMD ones. It's hard to deny, since almost all of them are vendor-agnostic, yet most affect only Intel.


First, it's no surprise that Chipzilla has a bug bounty covering a category of bugs that affect their CPUs a lot, but were only discovered over the past two years - that's no heroism, that's just common sense. They would be thrashed by the community if they didn't start paying attention to that after Spectre and Meltdown.

Second, this situation isn't that simple; anyone from cybersec should know that. It's a double-edged sword and you're missing this other edge. If you don't find many or any vulns, that could mean either there aren't many of them to find, or, more probably, that no one looked in the right place - this is kinda AMD's case right now. If you find A LOT of vulns, though, that means there are a lot of them for sure and most probably a lot more waiting to be found - and this is Intel's case. It's good that they are finding and fixing them, but it's bad that there are so many to find.


Yeah, after a couple of years doing security research for a living I'd say I already got there, but I won't cry if you think otherwise.
You are incorrect. I did not lie about the lack of AMD research. If you say I’m wrong, tell me exactly who is researching? Show me on their website where they offer value or pay developers to do this for them. There is very little work on AMD CPUs and AMD don’t have a great reputation within the data sector, not really for security vulnerabilities but for being inconsistent. You say it’s because they are smaller; perhaps, but exactly how big do AMD need to be before you dare let this be criticism against them? I say it’s an excuse; it would be more prudent of them to do this pre-emptively. A fan like yourself should want to see AMD do this kind of work, especially if you genuinely do work in cyber security.

The situation isn’t simple. However, the fallacy is that people seem to think these vulnerability discoveries are a bad thing. They really aren’t.

However you called me out for being a liar for saying Intel fund the research and I flat out just proved you wrong. Clearly I have a much better idea of what’s going on than you do.
 
You are incorrect. I did not lie about the lack of AMD research. If you say I’m wrong, tell me exactly who is researching?
Dude, I already pointed you to several whitepapers in the matter.

Show me on their website where they offer value or pay developers to do this for them.
I don't think AMD does that, but you're shifting the goalposts. You said there are no research teams looking into AMD vulns, not that there are no teams funded by AMD.

There is very little work on AMD CPUs and AMD don’t have a great reputation within the data sector, not really for security vulnerabilities but for being inconsistent.
There is less work, but I wouldn't call it "very little", especially since I have already pointed to multiple pieces of research just regarding SEV. Then there's work into PSP, which was widely spoken about in 2018, though the first work in that field came from Google in 2017. And just a few months ago a new cache-based attack targeting AMD was discovered, with the full whitepaper available here: https://mlq.me/download/takeaway.pdf
As for the reputation of inconsistency, I can at least partially agree (though it seems to be changing), but that goes beyond the scope of discussion.

You say it’s because they are smaller; perhaps, but exactly how big do AMD need to be before you dare let this be criticism against them?
Wait, what? I never spoke about "letting criticism" in relation to AMD's size, I spoke about the fact that they are smaller, so they are a less popular target. Which you mentioned first, by the way.

I say it’s an excuse; it would be more prudent of them to do this pre-emptively. A fan like yourself should want to see AMD do this kind of work, especially if you genuinely do work in cyber security.
Who says they don't? Yeah, I'd like them to have an open public bug bounty program, but the lack of such doesn't mean they aren't investigating the matters internally. That's two different things.

The situation isn’t simple. However, the fallacy is that people seem to think these vulnerability discoveries are a bad thing. They really aren’t.
Yeah, that is a truism. But, like I pointed out, a surge of discovered vulnerabilities isn't very good, either.

You are incorrect. I did not lie about the lack of AMD research. If you say I’m wrong, tell me exactly who is researching? Show me on their website where they offer value or pay developers to do this for them. There is very little work on AMD CPUs and AMD don’t have a great reputation within the data sector, not really for security vulnerabilities but for being inconsistent. You say it’s because they are smaller; perhaps, but exactly how big do AMD need to be before you dare let this be criticism against them? I say it’s an excuse; it would be more prudent of them to do this pre-emptively. A fan like yourself should want to see AMD do this kind of work, especially if you genuinely do work in cyber security.

The situation isn’t simple. However, the fallacy is that people seem to think these vulnerability discoveries are a bad thing. They really aren’t.

However you called me out for being a liar for saying Intel fund the research and I flat out just proved you wrong. Clearly I have a much better idea of what’s going on than you do.
No, I called you a liar for saying " People ought to note that there are no teams of researchers working to find vulnerabilities in AMD CPUs." which I have proven untrue multiple times and in response you shifted your position from "there are no teams" to "AMD funds no teams".
 
It is true, Intel didn’t discover it themselves but they pay out to people who discover flaws. They provide an incentive for people to do so.

I work in cyber security and can assure you that the industry rates Intel as far more secure than AMD as the vulnerabilities are known and managed.

I understand that misinformed people who like to see bad headlines against Intel think this is a bad thing for them. However, those people do not have all the facts. Anyone who believes these vulnerabilities being discovered is not a good thing for Intel is categorically uninformed.

Here inform yourself;

The community is severely lacking in knowledge on these issues because the tech press is taking advantage of people’s hatred for Intel. You have been failed by Techspot and other press for not giving you the whole picture.

It’s ok mate, every day is a learning experience. You’ll get there eventually ?.
Choked on my coffee when I read that
I work in cyber security and can assure you that the industry rates Intel as far more secure than AMD as the vulnerabilities are known and managed.
 