A new silicon-level side-channel vulnerability, dubbed Spoiler, has been found in Intel CPUs as far back as the first generation Intel Core processors. The bug was discovered by the Worcester Polytechnic Institute, Massachusetts in partnership with the University of Lübeck in Northern Germany and reported to Intel on the 1st of December, 2018 in a research paper titled “SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks.”
This vulnerability comes on the metaphorical heels of the near catastrophic discovery last year of Specter and Meltdown, two other side-channel vulnerabilities determined to affect nearly every CPU manufactured in the last 20 years. And while the NSA reports that all processor manufacturers have been affected by at least one side-channel vulnerability, to have such a large scale flaw identified in only Intel’s CPUs across all Operating Systems, has some users predicting a mass migration to AMD, whose CPUs have so far been determined unaffected by this new bug.
What to do about it
Unfortunately, at this time there’s still not a lot that is known about how this bug will be mitigated. Speculation from the research group’s findings suggest that since the vulnerability occurs below the OS level, a software solution may not be possible. Intel’s response however is that they believe otherwise, and that this issue may not be as critical as the original report indicates.
"Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research."
Therefore the best recommendation we at Cozaq can make is to be on the lookout for OS and firmware updates, keep your antivirus and anti-malware applications up-to-date, run both application types regularly, and always keep external (preferably off-site) backups of your important data. The later suggestion may not prevent your data from being accessed by a vulnerability like this one, but it can help prevent data loss due to one.
Dissecting the bug
To understand this vulnerability, you’ll need to understand two key phrases:
- Speculative execution
Normally when people think of processors, or even computers in general, they think of them as complex machines that operate based off of clear and exact instructions. In order to perform the function XYZ, you’d expect to have to issue that command to the processor. With Speculative execution however, the processor may have already executed XYZ in expectation of your request for it to do so by working under a predictable set of assumptions. In this way, a processor can perform more work simultaneously, including work that wasn’t explicitly requested but instead might be requested, in order to make the result of that work more readily available if the request does indeed occur. This makes better use of the time available to the processor, and will generally allow faster task completion since the processor already has a head start.
To make this concept easier to understand, assume you’re typing a document, and you decide to close the application. If you haven’t saved your document, most users would expect to be presented with a pop up notice asking if you wanted to save your work before closing the application. From your perspective as the user, you are given two options: to Save the document or to Discard it, thus deleting the temporary document from wherever it logically resides. In a speculative execution example scenario, the processor would begin to perform the work necessary in the background necessary to do both tasks (effectively creating a “Schrodinger's file” situation), knowing at least one of the two requests is expected to occur.
A side-channel is an observed characteristic of a computer system, or one of its components, such as timing, power consumption, generated sounds, or reaction to specific commands. The analysis of such characteristics can be used to improve performance or reduce power requirements through software manipulation, or to improve designs for future models of those components. Malicious users, however, may identify ways to use these characteristics to create unintended side-effects in what is known as a side-channel attack, usually for the purpose of gaining access to privileged information.
A side-channel vulnerability therefore is a method of abusing a physical characteristic of a component or set of components in order to bypass user/account permissions, virtualization boundaries, or protected memory regions to ultimately expose protected information.
Putting it all back together
So the research group identifying this bug explained that Intel's speculative execution of certain workloads requires that the full physical address for the information in memory to be known. That means that this address would also have to reside in a location in memory. This allows a side-channel attack to potentially gain access to this physical address, ultimately making that address available in user space. Having access to that address then allows for privilege escalation and further attack, as that addressable space can then be freely read or modified.
As always, Cozaq wants to remind you to keep all of your devices up-to-date whenever possible, run virus and malware scans regularly, and always keep critical data backed up to an external off-site location. While this vulnerability isn’t a direct threat to on-site backups, it could allow for a malicious user to access, compromise, or even delete data from your otherwise secure system.
If you need a backup solution, contact a member of our support team through your dedicated support channel (for existing customers), or by creating a support ticket through the Submit a request link.