Micro-architecture data sampling a new security threat to chips

May 16th, 2019 by Stephen Jones Leave a reply »

To address a novel set of side-channel attacks that allow microarchitecture data sampling (MDS).
this week Intel released a set of processor microcode fixes, for operating system and hypervisor patches from vendors like Microsoft and those distributing Linux and BSD code

These side-channel holes can be potentially exploited extract information, such as passwords and other secrets, from memory it is not allowed to touch. Browser histories can be sniffed, virtual machines snooped on, disk encryption keys stolen, and so on.

MDS can expose sensitive data held in a processor’s internal buffers: store buffers, fill buffers, and load buffers. MDS samples snippets of data as opposed to grabbing it all at once – more like eavesdropping on privileged communications than breaking in. It’s not easy to target specific data or to differentiate valuable information from background noise. Chipzilla maintains the vulnerabilities are difficult to exploit outside of a laboratory environment.

However Tech Republic commented “MDS attacks are as pernicious a threat as Spectre and Meltdown, and like those security vulnerabilities, the extent to which devices are vulnerable depends on vendor (i.e., Intel vs. AMD) and product generation. These vulnerabilities also affect cloud computing services, as they can be leveraged by attackers to escape software containers, hypervisors, paravirtualized systems, and virtual machines.”

To make such attacks more efficient, an attacker might seek to have a targeted app running on the same physical core. on an adjacent thread from the malware so as to run load and flush operations repeatedly

Speculative execution is a shortcut used by modern processors to execute software instructions before they’re needed. That boosts performance but creates vulnerabilities – however those appear to be limited to Intel hardware; and have not been replicated on Arm or AMD-designed processors.
The researchers who identified the flaws argue that hardware fixes for the Meltdown vulnerability implemented in Whiskey Lake and Coffee Lake CPUs are not enough and that software-based isolation of user and kernel space – which comes with a performance hit – need to be enabled even on current processors.

Intel acknowledges there may be a performance hit due to the microcode fixes in some circumstances for some workloads.

- Whiskey Lake and Coffee Lake CPUs have mitigations built in
- Earlier processors need to install microcode fixes.
- Operating systems and hypervisors need to be updated to work with the microcode updates to ensure those function properly.

Patches are rolling out today from Microsoft, Apple, Google, Linux distributions, and others.

The store buffer is a microarchitecture element that turns a stream of store operations into serialized data and masks the latency from writing the values to memory. It stores data asynchronously so the CPU can do out-of-order execution. The operations for reassembling everything in the right order make Meltdown-like unauthorized memory reads possible.A technique called Data Bounce can access supposedly inaccessible kernel addresses and break KASLR (Kernel address space layout randomization), reveal the address space of Intel SGX enclaves, and even break ASLR (address space layout randomization) from JavaScript.Data Bounce is also invisible to the operating system- it doesn’t involve a syscall and it doesn’t trigger an exception.

Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors.


Comments are closed.