A year after Meltdown and Spectre, security researchers are still announcing new serious risks from low-level chip operations
Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together.
Spectre and Meltdown represented a new class of never-seen-before attacks, and as news of their existence percolated through security circles, it sparked a scavenger hunt for more errors of their sort, with many more coming to light.
Intel calls these "Microarchitectural Data Sampling" (MDS) attacks, and now a team of industry and academic researchers (some of whom worked on the original Spectre/Meltdown papers) have gone public with a new set of MDS bugs that Intel was given advance notice of (some of these bugs were discovered more than a year ago). All but the most recent Intel chips are vulnerable to these attacks (you can check your system here).
The researchers have dubbed the new defects CPU Fail, and they have disclosed three CPU Fail attacks: Zombieload, RIDL, and Fallout, which they class as "less serious than Meltdown but worse than Spectre."
The specifics vary for each defect, but the most significant fact about them is that they can force CPUs to reveal data that's private to another process running on the same system. That means that an attacker can run code on a cloud computer that gives them access to other virtual machines running on the same hardware -- or they can run Javascript in your browser window and steel secrets from your password manager.
Intel and the researchers disagree about the seriousness of this defect. Intel says it's not a very big deal, while the researchers say it's pretty urgent.
There's likely a lot more of this to come, too: researchers are just getting to grips with the possibilities of MDS attacks.
"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them," says Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack. "We hear anything that these components exchange."
That means any attacker who can run a program on a target chip-whether in the form of a malicious application, a virtual machine hosted on the same server as the target in Amazon's cloud, or even a rogue website running Javascript in the target's browser-could trick the CPU into revealing data that should be protected from untrusted code running on that machine. That data can include information like what website the user is browsing, their passwords, or the secret keys to decrypt their encrypted hard drive.
"In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components," reads one line of a VUSec paper on the flaws, which will be presented next week at the IEEE Security and Privacy conference.
Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs [Andy Greenberg/Wired]