An international team of security researchers has discovered a novel new way to make Intel CPUs leak data to a remote attacker across supposedly secure protection boundaries – with existing mitigations for side channel vulnerabilities failing to protect against exploitation.
The vulnerability could be used by a sophisticated attacker to steal data from systems running in multi-tenant environments, leaving barely a trace, one security firm told Computer Business Review, although Intel claimed today that such an approach was “not a practical method”.
The so-called Load Value Injection (LVI) attack is the latest to break protections baked into Intel’s SGX (Software Guard Extensions): sets of new CPU instructions designed to protect code and data. It was first reported to Intel in April 2019 by Jo Van Bulck, from Belgium’s KU Leuven university.
LVI involves turning Meltdown-type data leakage at the CPU level on its head, through direct injection of attacker code that forces the targeted processor to compute on “poisoned” data and spill its secrets.
The attack technique was separately reported by Romanian security firm Bitdefender on February 10, 2020. Bitdefender has demonstrated a proof of concept and told Computer Business Review that the attack, although complex to execute, was credible – and nigh impossible to spot if exploited.
In a sign of how seriously the chip firm is taking the vulnerability (which has the CVE-2020-0551, with a medium CVSS rating of 5.6), it is releasing a swathe of updates to the SGX software platform and its SDK, starting today.
What’s the Attack?
The researchers who initially identified the flaw (a multinational team of 11)* say that under certain conditions, “unintended microarchitectural leakage can be inverted to inject incorrect data into the victim’s transient execution” in what they describe as a “reverse Meltdown”-type attack.
An Intel paper on the issue describes the vulnerability as follows: “On some processors, faulting or assisting load operations may transiently receive data from a microarchitectural buffer. If an adversary can cause a specified victim load to fault, assist, or abort, the adversary may be able to select the data to have forwarded to dependent operations by the faulting/assisting/aborting load.
“… those dependent operations may create a covert channel with data of interest to the adversary. The adversary may then be able to infer the data’s value through analyzing the covert channel. This transient execution attack is called load value injection and is an example of a cross-domain transient execution attack.
The company added: “Because LVI methods requires several complex steps to be chained together when the victim is executing, it is primarily applicable to synthetic victim code developed by researchers or attacks against SGX by a malicious operating systems (OSes) or virtual machine managers (VMMs).”
Bitdefender’s director of threat research, Bogdan Botezatu, told Computer Business Review that this type of attack could be particularly damaging in multi-tenant environments such as enterprise workstations or servers in the data centre, where one less-privileged tenant would be able to leak sensitive information from a more privileged user or from a different virtualised environment on top of the hypervisor.
He said: “Imagine that you have a worker virtual machine in a multi-tenant environment. One belongs to you, one to me, the attacker. And I’m trying to spray some portions of the line field buffer with a value I control. Eventually your application will encounter a decision branch in your software and fetch an instruction from the line-field buffer… that is mine and from there I can hijack the code.
“In the consumer space, this is literally no threat; in a business environment, in these public, multi-tenant clouds, it’s an issue.
“The most important safeguard in separating user data sits at the processor level; they are burned into the silicon and mitigate eavesdropping. But there’s no guarantee that these security measures baked into the processors work. Every time one is patched, the security research community finds another.
“It is a VERY sophisticated attack. It’s not a go-to malware toolkit.
“It requires a lot of patience and expertise. But if you are up against a sophisticated adversary, this is your best option. This doesn’t leak info through keylogging. It does it in transit through the processor. If I was a nation state, this is exactly the kind of tool I would use: it doesn’t leave any trace, there’s plausible deniability…”
To completely remove the new vulnerability, the millions likely affected would need to either disable functionalities that provide rich performance gains, like Hyper-threading, or replace their hardware, the Bitdefender said.
Intel said: “Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted.
The company added: “New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on coordinated disclosure of this issue.”
Intel added: “Intel has… worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery. Refer to the Intel SGX Attestation Technical Details for more information.”
AMD and Arm processors are not affected, Bitdefender confirmed.
*The security team who worked on the LVI, includes: