If the onslaught of Coronavirus news wasn't enough, there are now some new machine bugs to worry about too. Being termed as the "Load Value Injection," this new class of transient-execution attacks exploit microarchitectural flaws in processors enabling attackers to inject their own data into a victim program. This eventually leads to attackers stealing sensitive data and keys from Intel SGX - the Software Guard eXtensions, which is a secure digital vault used for securing most sensitive data, that stores encryption keys, passwords, digital rights management technology, and other sensitive data.
This new transient-execution attack is similar to exploits like Spectre and Meltdown, however, goes a step further. Researchers explained that LVI "turns previous data extraction attacks around," and "defeats all existing mitigations."
Calling it a “reverse Meltdown”-type attack, researchers explained that while Meltdown allowed attackers to read an app's data from inside a CPU's memory while in a transient state, LVI enables attackers to inject their own code to get access to sensitive data.
Unlike Spectre, Meltdown, Foreshadow, and other similar exploits, LVI doesn't leak data from the victim to the attacker. Instead, it "smuggles" the data by injecting attacker's data into a victim program and hijacking transient execution to acquire sensitive information. This essentially means that attacker would get the target machine to run a malicious code (JavaScript through a malicious site or an app) to exploit a side channel to get access to content that should technically be inaccessible.
Intel itself explains:
If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load. For certain code sequences, those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data's value through analyzing the covert channel. This transient execution attack3 is called load value injection (LVI) and is an example of a cross-domain transient execution attack.
Impacted Intel chips
Load Value Injection or LVI impacts all families where SGX is supported. Intel has published the following list of processors that are "potentially" affected by the Load Value Injection:
- Intel® Xeon® processor E5 Family based on Intel microarchitecture code name Sandy Bridge, Intel® Core
i7-39xx Processor Extreme Edition
- Intel® Xeon® processor E3-1200 product family; 2nd Generation Intel® Core
- Intel® Xeon® processor E7-8800/4800/2800 v2 product families based on Ivy Bridge-E microarchitecture
- Intel® Xeon® processor E5-2600/1600 v2 product families and Intel® Xeon® processor E5-2400 v2 product family and Intel® Core
- 3rd Generation Intel® Core
- Intel® Xeon® processor E5-4600/2600/1600 v3 product families, and Intel® Xeon® processor E7 v3 product families Intel® Core
- 4th Generation Intel® Core
- Intel® Xeon® processor D-1500 product family based on Broadwell microarchitecture
- Intel® Xeon® processor E5 v4 Family based on Broadwell microarchitecture, Intel® Xeon® processor E7 v4 Family, Intel® Core
- 5th generation Intel® Core
- Intel® Core
- First generation Intel® Xeon® Scalable Processor Family based on Skylake microarchitecture
- Second generation Intel® Xeon® Scalable Processor Family based on Cascade Lake microarchitecture
- Second generation Intel® Xeon® Scalable Processor Family based on Cascade Lake microarchitecture
- 6th generation Intel® Core
- 7th/8th generation Intel® Core
- 7th/8th generation Intel® Core
- 8th/9th generation Intel® Core
- 8th Generation Intel® Core
- 8th Generation Intel® Core
- Intel Xeon E-2200 Processor product family based on Coffee Lake-R microarchitecture†
- 8th/10th Generation Intel® Core
- 10th Generation Intel® Core
- 10th Generation Intel® Core
More details about the affected chips available over here.
Are there any fixes / mitigations?
Similar to other transient-execution flaws, we can only look forward to mitigations and not fixes as these require silicon changes. According to researchers, experimental mitigations resulted in performance reduction varying from 2x to 19x depending upon workload. While this could eventually be avoided through hardware changes, but the current systems are potentially at risk of performance degradation.
"Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory," researchers wrote."Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times."
Intel has said that the attack is theoretical, but it has still released updates to the SGX Platform Software and SDK to mitigate the issue. Fixes will be deployed in the future silicon design to completely address the exploit.
Intel is saying attack is too impractical in real world
In a statement released today, Intel has said that there are several requirements that have to be met for this exploit to work. The company said it doesn't believe if LVI is practical in real world environments. Here is the complete statement:
Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue.
To mitigate the potential exploits of Load Value Injection (LVI) on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery.
Researchers at Bitdefender believe that these type of attacks are "particularly devastating in multi-tenant environments such as enterprise workstations or servers in the data center, where one less-privileged tenant would be able to leak sensitive information from a more privileged user or from a different virtualised environment on top of the hypervisor."
While Intel processors are confirmed impacted, researchers have warned not to rule out AMD and ARM chips. "In principle, any processor that is vulnerable to Meltdown-type data leakage would also be vulnerable to LVI-style data injection," researchers wrote. "Some non-Intel processors have been shown to be affected by some variants of Meltdown and Foreshadow."
Intel along with some security experts strongly suggest the impracticality of the LVI attacks, which is why the microcode updates will probably be avoided by many considering the performance hits. However, these researches would eventually push chipmakers to redesign their chips.
- Tracked as CVE-2020-0551, you can read the complete report on Intel LVI exploits here.
The post Intel Chips Vulnerable to “Reverse-Meltdown” Attacks – Mitigations Carry Significant Performance Hit by Rafia Shaikh appeared first on Wccftech.
Refference- https://wccftech.com
0 Comments