The year 2018 has been unusually eventful for security researchers dealing with processor vulnerabilities. Just the discovery of one major processor vulnerability can be severe enough to have a lasting impact. However, this year we witnessed the revelations of multiple processor vulnerabilities besides new variants of previously known vulnerabilities.
Let us take a look at the top 10 processor vulnerabilities discovered in 2018.
Spectre and Meltdown - January 2018
It all began with a bang as the announcement of Spectre and Meltdown vulnerabilities rocked the security community while many were still reeling from the Christmas and New Year holiday season. Both these flaws resulted from improper handling of caching and speculative execution in modern processors. Almost all the modern processors from Intel, AMD, and ARM were affected by these flaws and were vulnerable to side-channel attacks.
Many of the recently discovered security flaws stem from an optimization technique called speculative execution. Modern processors use this technique to predict and execute commands before they are issued. This is done to save time when the command is actually needed. Attackers can exploit the flaws in the implementation of speculative execution to access the system memory data which could contain protected information like passwords and encryption keys.
BranchScope - March 2018
Since the Spectre and Meltdown exposé, many security researchers began scouring the processor architecture for more flaws which led to several related discoveries.
In March, researchers from Carnegie Mellon University, University of California Riverside, and Binghamton University, jointly announced another flaw in speculative execution in Intel processors. The researchers found that the Branch Target Buffer in Intel processors leaked information due to the branch predictor’s behavior. The flaw was aptly named BranchScope by the researchers.
AMD Ryzenfall - March 2018
Not just Intel, but AMD also came under fire for processor vulnerabilities discovered in 2018. In a somewhat haphazard revelation, an Israeli security company CTS Labs announced four new vulnerabilities affecting AMD Ryzen processors which came to be known as Ryzenfall, Masterkey, Fallout, and Chimera. The number of processor vulnerabilities eventually rose to 13 for the AMD Secure Processor firmware and the AMD Promontory chipsets.
SPI Flash - April 2018
In April, a not-so-flashy flaw (no pun intended) in several Intel processors was discovered which could alter the behavior of the chip’s SPI Flash Memory — a mandatory component used during the boot-up process. By exploiting this flaw, attackers could block BIOS/UEFI updates, or corrupt the chip’s firmware. Intel deployed fixes for this vulnerability on April 3.
Speculative Store Bypass - May 2018
The Spectre/Meltdown saga continued with the discovery of more and more related flaws. In May, researchers at Microsoft Security Response Center and Google Project Zero announced the discovery of new Spectre variants 3a and 4.
Both these variants were based on speculative store bypass flaws which can be exploited to share memory data and access information from one process to another. The isolation of application processes running on the same processor is essential for security. However, this security flaw negates the protections from process isolation and puts the security of legitimate processes in jeopardy.
Lazy FP - June 2018
Adding to Intel processors’ speculative execution side channel flaws, the Lazy FP state restore feature was found to be vulnerable to side channel attacks as well. The feature is responsible for saving and restoring floating point unit data. As compared to Spectre, it was a less severe vulnerability with a moderate impact rating. Attackers could exploit it to leak floating point data used by other processes to a malicious process.
TLBleed - June 2018
The list of side-channel flaws in Intel processors grew in June with the discovery and a demonstration of TLBleed by a team of researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands. The name comes from the Translation Lookaside Buffer (TLB) which is the source of this vulnerability in the case of chips with hyperthreading enabled. It differs from the Meltdown and Spectre attacks which rely on flaws in speculative execution.
Ben Gras, one of the researchers, opined that the cache side-channel protections cannot prevent this kind of attack as shown in their demonstration.
Spectre 1.1 & 1.2 - July 2018
In July, a couple of security researchers published a research paper detailing two new variants of Spectre. A Spectre 1.1 attack can successfully access protected memory locations by exploiting speculative execution to overflow CPU store cache buffers so as to run the malicious code. In the case of Spectre 1.2, attackers could write data to read-only CPU memory sectors, thus corrupting critical data and negating sandbox protections.
The researchers were awarded $100,000 for the discovery of this vulnerabilities under Intel’s bug bounty program.
L1TF aka Foreshadow - August 2018
Intel could not catch a breathe as every passing month brought forth new vulnerabilities. This time, it was a flaw affecting one of the most secure parts in Intel chips, the Secure Guard Extensions (SGX). Programs running on the chip use SGX to handle sensitive data within secure enclaves provided by SGX which remain unaffected from most malware, or virus attacks.
As it turned out, researchers from five different institutions discovered that while SGX could protect the data stored in it from Spectre and Meltdown attacks, Foreshadow could bypass the security measures. The security key used to sign the data in SGX could be leaked which would negate its security.
PortSmash - October 2018
Continuing the pattern, a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana in Cuba discovered a new side-channel vulnerability named PortSmash. This flaw impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. An attack based on this flaw, however, does not rely on speculative execution for an exploit.
A malicious program can run parallel to a legitimate one leveraging SMT’s parallel thread running features. Then, the malicious program could gradually leak encrypted data from the legitimate process, thus compromising its security. Intel’s processors which come with HyperThreading, a custom implementation of SMT are affected by this flaw and AMD Ryzen processors featuring SMT could also be vulnerable. The flaw was reported on October 1 but was patched a month later by Intel.
Despite the high shock value of the processor vulnerabilities discovered this year, the actual damage to users caused by attacks exploiting them is quite less. Intel, AMD, and ARM, the three large processor manufacturers all faced their share of the criticism and were also questioned by some regarding their response to these discoveries.
However, the chaos caused due to it might prove beneficial in the long run as hardware manufacturers, by and large, hopefully, learn a tough lesson on securing their products.