Over the last two years, security researchers have dug up one technique after another that lets a hacker trick Intel’s microprocessors into spilling a computer’s deepest secrets. As those flaws have been exposed, chipmakers have scrambled to patch them. But for one serious form of those attacks it turns out that Intel still hasn’t successfully patched the underlying problem despite 18 months of warnings—and not one but two failed attempts to do so.
On Monday, Intel announced that it will issue yet another update to its processors designed to solve a problem it calls “microarchitectural data sampling,” or MDS. Different teams of researchers who independently discovered the issue call it RIDL or Zombieload, and warned Intel about the problem as early as June of 2018. The new update, which Intel says will be made available “in the coming weeks,” is intended to fix two methods to exploit Intel chips via MDS, which have remained possible even after Intel released MDS patches in May of 2019 and then again last November. Some of the researchers first warned Intel about the more serious of the two flaws that it’s trying to fix now in a paper shared with Intel fully a year ago. Other researchers even shared proof-of-concept code with the company last May.
“Security engineering at Intel (or rather lack thereof) is still business as usual,” writes Cristiano Giuffrida, one of the researchers at Vrije Universiteit in Amsterdam who first discovered the MDS attacks, in an email to WIRED. “These issues aren’t trivial to fix. But after eighteen months, they’re still waiting for researchers to put together proofs-of-concept of every small variation of the attack for them? It’s amazing. We don’t know the inner workings of Intel’s team. But it’s not a good look from the outside.”
A supergroup of researchers from nearly a dozen universities and security firms brought the MDS attack to light last May after warning Intel nearly a year earlier and holding their findings in secret at Intel’s request. Like the notorious Spectre and Meltdown attacks that surfaced in early 2018, it takes advantage of a feature of Intel’s processors known as speculative execution.
As a time-saving measure, Intel processors sometimes execute a command or access a part of a computer’s memory “speculatively,” guessing at what a program will want before it even asks. When that speculative execution accesses an invalid location in memory, the process aborts. In that event, the processor is designed to access arbitrary data from buffers, parts of the chip that serve as the “pipes” between different components, such as its processor and cache. The researchers who discovered MDS showed last year that a hacker could use that trick to obtain information that should be protected—anything from sensitive user data and passwords to decryption keys.
Intel first attempted to patch the MDS flaw by adding a safeguard to the chips’ microcode that wipes all sensitive data from the chip’s buffers when it switches from one process to another that has different security privileges. But despite that May 2019 update—and then another one for a variant of the attack not covered in Intel’s initial patch, despite the researchers’ warning about it a year earlier—two other variations on MDS attacks remain possible even now. “When the processor goes from one security context to another, it wipes the buffer, overwriting it, so the buffer is ‘clean’ with nothing in it,” says University of Michigan researcher Stephan van Schaik, a member of the team that worked on the new MDS attack variants as well as the original discovery of the vulnerability. “The only challenge is to get something interesting in it. There are ways to put information back in the buffer despite the overwriting.”
The most practical still-viable trick targets a component called the L1 cache, using what the researchers call “L1 data eviction sampling,” or L1DES. (The Michigan researchers gave the technique a catchier name: CacheOut.) The researchers found—and the team at TU Graz in Austria first demonstrated in code sent to Intel last year—that with certain techniques, they could cause a processor to write information to that L1 cache, filling it up so certain data is “evicted” into a buffer called the line-fill buffer to make space, leaving it vulnerable. In a separate technique, they could cause the processor to read certain sensitive information that’s missing from the L1 cache, which also loads it into the leaky line-fill buffer. In either instance, the researchers can then use the same MDS techniques they previously exposed to steal the data.