Downfall, Inception Highlight the Challenges of Securing Hardware

The security vulnerabilities in Intel and AMD processors that could lead to hackers stealing passwords, encryption keys, and other sensitive information put a spotlight on the difficulty of securing CPUs.

The news of the Downfall flaw in several generations of Intel’s Core processors and the Inception and Zenbleed bugs in AMD’s Ryzen and Epyc processors reverberated through the IT industry in recent weeks. They potentially affect billions of processors and echo back to the Meltdown and Spectre vulnerabilities disclosed in x86 and other chip architectures five years ago.

Both the security holes outlined in 2018 and the newer ones come after years of work by Intel, AMD, and other chip makers to integrate a range of security capabilities into their products to push back against increasingly aggressive and sophisticated threat groups.

A good idea, but never an easy task at a time when the pressure is on vendors to make chips that are ever faster and higher performing, according to the experts at Google who discovered the Downfall and Zenbleed vulnerabilities.

“The more complex a system becomes, the harder it is to secure – and that is also the case with computing hardware and processors, which have developed highly advanced capabilities over the years,” software engineer Tavis Ormandy and Daniel Moghimi, senior research scientist, wrote in a blog post about Downfall and Zenbleed. “These long existing vulnerabilities, their discovery and the mitigations that followed have provided several lessons learned that will help the industry move forward in vulnerability research.”

There are Bugs

Ormandy in late July disclosed Zenbleed – tracked as CVE-2023-20593 – a flaw in Ryzen PC and Epyc server chips based on the Zen 2 architecture that can be used to steal sensitive data such as passwords and encryption keys. According to Ormandy, the bug – which was reported to AMD in May – stems from an incorrect implementation of the vzeroupper instruction during speculative execution, one of the techniques chips use to improve performance.

If mishandled, stale data from the physical hardware registers can “expose the data from other users who share the same CPU core and its internal physical registers,” the Google researchers wrote.

AMD released a microcode update, and Cloudflare said it has applied the new microcode to its servers.

Downfall (CVE-2022-40982) exposes stale data in a similar way: the vulnerability exploits the speculative forwarding of data from the SIMD Gather instruction, which lets software quickly collect data scattered across memory and is important for HPC workloads that do data encoding and processing.

Google notified Intel of the flaw in August 2022 and worked with the chip maker to mitigate the threat before Intel disclosed Downfall this month. The vulnerability affects most Intel Core chips from the “Skylake” 6th-gen processors through the “Tiger Lake” 11th-gen products.

Intel also released microcode to fix the issue, but it comes with a catch: a Phoronix researcher found that applying the patch could cut the performance of some chips by as much as 40%. Intel acknowledged this, writing that “most server and client applications are expected to show minimal performance impact from the Gather Data Sampling mitigation, but some high performance computing applications may see significant performance impact.”

Disclosure of the AMD Inception flaw (CVE-2023-20569) followed close on the heels of Downfall. Discovered by ETH Zurich researchers, it is a transient execution attack that can leak privileged data on all Zen chips, including those based on the latest Zen architecture.

The bug exploits speculative execution, a performance technique in which the chip predicts the next step and begins executing it before the previous operation has completed. Whether the prediction turns out right or wrong, the pipeline keeps rolling along; the results of a wrong prediction are discarded architecturally, but they can leave traces in the CPU’s internal state.

The ETH Zurich researchers combined an older flaw called Phantom (CVE-2022-23825) with a new transient execution technique called Training in Transient Execution (TTE). TTE injects new predictions into the process, creating speculative executions that can be exploited, but that is not easy to pull off on its own; bringing Phantom into the equation makes it easier to create the transient window needed for training.

“With Phantom, we can thus enable TTE by turning the CPU into a confused deputy that trains itself while running the victim,” they wrote. “The result of this insight is Inception, an attack that leaks arbitrary data from an unprivileged process on all AMD Zen CPUs. … As in the movie of the same name, Inception plants an ‘idea’ in the CPU while it is in a sense ‘dreaming’ to make it take wrong actions based on supposedly self conceived experiences.”

AMD said in a bulletin that it was not aware of Inception being abused in the wild, adding that the vulnerability can only be exploited locally, such as through downloaded malware.

Hardware Security is a Challenge

The Google researchers wrote that more vulnerability research needs to be done on CPUs, adding that there are gaps in the automated testing and verification of flaws in hardware. In addition, they wrote that with processors, “optimization features that are supposed to make computation faster are closely related to security and can introduce new vulnerabilities, if not implemented properly.”

Others agreed.

“In software engineering, you can either do things fast or do things secure,” John Bambenek, principal threat hunter at Netenrich, told Security Boulevard. “In modern processors, the clear incentive is doing things fast. The gather instruction and speculative execution are shortcuts to help processors move faster. However, implementing the isolation thoroughly to protect data would require more steps that slow things down.”

In addition, Bambenek said that “as the harm is more abstract than, say, remote code execution or privilege escalation, it’ll be hard to convince organizations, at least those outside the national security space, why fixing the problem is even important.”

Duncan Miller, endpoint security director at Tanium, noted that hardware vulnerabilities are difficult to find and often difficult to exploit. However, “the impact of such vulnerabilities is very large.”

“When fixable, it generally necessitates a microcode patch which requires a BIOS/EFI update to apply,” Miller told Security Boulevard. “These updates are often not applied as they are outside the operating system, often not scanned for due to difficulty in determining versions from outside the operating system, and come from vendors where the patches do not have a method of being automatically applied.”

Flaws like Downfall and Zenbleed reinforce the need to understand what firmware and hardware versions are deployed in an IT environment and to apply a patching policy to the firmware, he said.
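Miller’s point about versions being hard to determine from inside the operating system is partly addressable on Linux, which publishes the kernel’s per-flaw mitigation status as one file per flaw under /sys/devices/system/cpu/vulnerabilities and the loaded microcode revision in /proc/cpuinfo. The script below is an added example, not code from the article or from Intel, AMD, Tanium or Google: it classifies each status string the kernel writes, counts flaws still reported as vulnerable, and prints the microcode revision so both can feed an inventory. The file names gather_data_sampling and spec_rstack_overflow are the ones the kernel uses for Downfall and Inception; Zenbleed has no file of its own and shows up only through the microcode revision. The sample status strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article or any vendor): inventory the Linux
# kernel's CPU-flaw mitigation status and the loaded microcode revision, so
# that "which firmware/microcode is deployed" can be answered from inside the OS.

# Kernel directory holding one status file per known flaw, e.g.
# gather_data_sampling (Downfall) and spec_rstack_overflow (Inception).
VULN_DIR=${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}

# classify_status STATUS
# Map one status string, as the kernel writes it, to a single verdict word.
# Constructed sample inputs and the verdict they produce:
#   "Vulnerable: No microcode"                 -> vulnerable
#   "Not affected" / "Mitigation: Microcode"   -> ok
#   "Unknown: Dependent on hypervisor status"  -> unknown
classify_status() {
    case "$1" in
        Vulnerable*)                    echo vulnerable ;;
        "Not affected" | *Mitigation:*) echo ok ;;
        *)                              echo unknown ;;
    esac
}

# microcode_revision [CPUINFO]
# Print the microcode revision of the first CPU listed in /proc/cpuinfo (or in
# the file given), or "unknown" when the field is absent, as on some VMs.
microcode_revision() {
    rev=$(awk -F': *' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}" 2>/dev/null || :)
    echo "${rev:-unknown}"
}

# count_vulnerable DIR
# Print how many status files in DIR the kernel still classes as vulnerable.
# A missing or empty directory yields 0 (old kernel, or not Linux).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# report_dir DIR
# Print a "flaw  verdict  raw status" table followed by the unmitigated count.
report_dir() {
    if [ ! -d "$1" ]; then
        echo "no vulnerability status directory at $1 (old kernel or non-Linux)"
        return 0
    fi
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%-28s %-10s %s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
    echo "unmitigated: $(count_vulnerable "$1")"
}

# Stand-alone run: show the revision the inventory should record, then the table.
echo "microcode revision: $(microcode_revision)"
report_dir "$VULN_DIR"
```

A revision of `unknown` together with every flaw reading `Unknown: Dependent on hypervisor status` is the normal picture inside a guest, where the fix has to be applied by the host rather than the VM; the script treats that as a separate verdict rather than as either mitigated or vulnerable. The microcode revision printed here is what the kernel loaded at boot, which may be newer than what the BIOS/EFI image carries, so recording both is what a firmware patching policy needs.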

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
