View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Arm Cortex CPUs Vulnerable to Newly Discovered Side-Channel Attack

A dedicated attacker could access sensitive data from privileged memory, e.g. DRAM or CPU cache

By CBR Staff Writer

Next up on the list of chip makers vulnerable to exotic side-channel attacks: Arm, which says its Cortex-A57, A72, A73 and A75 processors have a bug that would let a malicious actor “improperly gather small bits of sensitive data from privileged memory (DRAM or CPU cache).”

The issue has been allocated CVE-2020-13844.

Side-channel attacks involve exploiting the way CPUs process data before an explicit instruction (to boost speed) then discard the unneeded computations. A dedicated attacker can, in theory, glean a lot from accessing that offloaded data. Remote exploitation for this CVE has not been demonstrated; it would apparently need local user access, but does cast a fresh light on the ongoing challenge of baking effective security into CPU design.

As with the Spectre-style vulnerabilities, first exposed in early January 2018, Arm says that it deems the security risk to be low “as this would be difficult to exploit in practice, and a practical exploit has yet to be demonstrated. However, the possibility cannot be dismissed.”

New Intel CPU Vulnerability: Is “Load Value Injection” a Real Threat?

It has issued patches however, and unlike the Spectre mitigations, it says these do not hit processor performance: “In most cases we expect no direct impact on performance save for a reduction in code density.

“That said, secondary effects may include marginally increased pressures on the instruction caches and branch predictors due to the insertion of speculation barrier sequences and branch instructions.”

Raspberry Pi’s, millions of mobiles and IoT devices are likely to be affected by the issue, which was identified by Google’s Safeside team. (With over 55 percent of IoT devices reportedly using the password “12345”, IT teams may have more basic fish to fry, but the more security-conscious may like to take a closer look at Arm’s whitepaper and extensive Q&A).

Content from our partners
The growing cybersecurity threats facing retailers
Cloud-based solutions will be key to rebuilding supply chains after global stress and disruption
How to integrate security into IT operations

Arm added: “Where threat modelling shows that this vulnerability needs to be mitigated in a particular project, that project will need to be recompiled using tools that are aware of and can mitigate against the vulnerability.”

See also: Xilinx FPGAs are Vulnerable to “Unpatchable” Bug, Say Researchers

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy