Intel, AMD Dispute Findings on Chip Vulnerabilities
After Researchers Release Report, Chipmakers Assert That No New Defenses Are Needed
Intel and AMD are disputing the findings of researchers from two universities who say they've discovered new attacks on Intel and AMD processors that can bypass most of the defenses put in place earlier for similar "Spectre" and "Meltdown" attacks.
An attacker exploiting the vulnerabilities could gain access to encryption keys, passwords and other data, the report says.
Intel and AMD insist that users of their chips do not need to take any additional security measures as a result of the discovery because existing protections are adequate.
The newly discovered attacks, like the previously demonstrated attacks, would prove difficult to execute, says Jared Semrau, director, vulnerability and exploitation, at Mandiant Threat Intelligence.
"Continued focus on branded vulnerabilities that are rarely ever exploited ultimately creates a misleading narrative of current and imminent threats, resulting in inefficient use of resources, unnecessary stress and increased risk of exploitation by not putting that time and effort into remediating things that do pose an active or imminent threat," he says.
A 14-page paper from researchers at the University of Virginia and the University of San Diego describes attacks on the chips' micro-op caches, which are part of the predictive computing feature to speed processing.
In January 2018, Google's Project Zero discovered the Spectre and Meltdown attacks that allowed the chips' memory to be read and data exfiltrated.
Intel and AMD then implemented firmware patches to mitigate the risks. Those updates slowed computer speed.
Newly Discovered Attacks
The university researchers describe the newly discovered attacks as:
- A same-thread cross-domain attack that leaks secrets across the user-kernel boundary;
- A cross-SMT thread attack that transmits secrets across two SMT threads via the micro-op cache;
- A transient execution attack that can leak an unauthorized secret accessed along a misspeculated path, even before the transient instruction is dispatched to execution, breaking several existing invisible speculation and fencing-based solutions that mitigate Spectre.
In response to the researchers' findings, Intel says it "reviewed the report and informed researchers that existing mitigations were not being bypassed and that this scenario is addressed in our secure coding guidance. Software following our guidance already has protections against incidental channels, including the uop cache incidental channel. No new mitigations or guidance are needed."
Meanwhile, AMD said it "reviewed the research paper and believes existing mitigations were not being bypassed and no new mitigations are required. AMD recommends its existing side-channel mitigation guidance and standard secure coding practices be followed."
But Ashish Venkat, a researcher from the University of Virginia, responds: "The vulnerability we uncovered is in hardware, and it is important to also design processors that are secure and resilient against these attacks."
Risk Mitigation
The researchers say the vulnerabilities can be addressed with a few possible solutions, each of which, however, can cause additional problems.
For example, they suggest flushing the micro-op cache at domain crossings. But they note that frequent flushing of the micro-op cache could severely degrade performance because no processing can occur during this process.
A lighter-impact alternative is to leverage performance counters to detect anomalies and potentially malicious activity in the micro-op cache. But the researchers note this method is prone to misclassification errors and vulnerable to mimicry attacks.