They detected a vulnerability in Intel processors that leads to data leakage


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt a system.

A group of researchers from universities in China and the United States has identified a new vulnerability in Intel processors that leaks the result of speculative operations through a side channel. The leak can be used, for example, to build a covert communication channel between processes or to extract data during Meltdown attacks.

The essence of the vulnerability is that a change to the EFLAGS processor register, produced by speculative execution of instructions, affects the subsequent execution time of JCC instructions (conditional jumps that are taken when the specified condition holds).

Speculative operations are never committed and their results are discarded, but the discarded EFLAGS change can still be determined by analyzing the execution time of JCC instructions. A speculatively executed comparison preceding a jump introduces, when the comparison succeeds, a small delay that can be measured and used as an indicator that the compared contents matched.

The transient execution attack is a type of attack that exploits the vulnerability of CPU optimization technologies. New attacks emerge quickly. The side channel is a key part of transient execution attacks for exfiltrating data.

In this work, we discovered a vulnerability that changed the EFLAGS register in transient execution that may have a side effect on the Jcc (Jump Condition Code) instruction on Intel CPUs. Based on our discovery, we propose a new side channel attack that exploits transient execution timing and Jcc instructions to deliver data.

This attack encodes secret data by changing the register, which makes the execution time slightly slower and can be measured by the attacker to decode the data. This attack does not depend on the cache system.

Unlike other, similar side-channel attacks, the new method does not analyze differences in access time between cached and uncached data, and it does not require a step that resets the EFLAGS register to its initial state, which makes the attack harder to detect and block.

For the demonstration, the researchers implemented a variant of the Meltdown attack that uses the new method to obtain information about the result of a speculative operation. Leaking information this way during a Meltdown attack was successfully demonstrated on systems with Intel Core i7-6700 and i7-7700 CPUs running Ubuntu 22.04 with Linux kernel 5.15. On a system with an Intel i9-10980XE CPU, the attack was only partially successful.

The Meltdown vulnerability is based on the fact that, during speculative execution of instructions, the processor can access a privileged data area and then discard the result, because the configured privileges prohibit such access from a user process.

In a program, the speculatively executed block is separated from the main code by a conditional jump which, under real conditions, is always taken; but because the condition depends on a computed value that the processor does not yet know during speculative execution, all branch options are executed speculatively.

In classic Meltdown, since speculatively executed operations use the same cache as normally executed instructions, it is possible during speculative execution to place markers in the cache that reflect the contents of individual bits of the protected memory area, and then, in normally executed code, to determine their values by analyzing the access time to cached and uncached data.

The new variant uses the change in the EFLAGS register as the leak marker. In the covert channel demo, one process modulated the data being sent into changes of the EFLAGS register, and another process analyzed the changes in JCC execution time to reconstruct the data sent by the first process.

Finally, if you are interested in learning more, you can consult the details at the following link.
