Late last year, chip makers and operating-system vendors scrambled to create critical fixes for three vulnerabilities.
However, unlike most typical software flaws that are regularly patched, these vulnerabilities were in the processors created by Intel, AMD and other chip makers and not in the applications and operating systems that run on top of those processors.
Known as Spectre and Meltdown, the security issues led to a massive effort to update and patch processors’ microcode—the base-level software that interprets commands to the chips.
Yet, security researchers were not done. In May, continued research into potential vulnerabilities created by design efficiencies delivered another serious flaw that exposed information.
“CPU manufacturers are in a crunch, trying to squeeze as much performance out of the chips,” Alex Ionescu, chief architect at security-services firm Crowdstrike, told eWEEK. “They are clearly making good technical decisions for performance, but those decisions have side effects for security that they have not always thought about.”
In the past year, a number of serious flaws have been found in the central processing units (CPUs)—nowadays, just referred to as processors—that power the computing potential of everything from internet-of-things devices to desktops, and from mobile phones to cloud-enabled servers. While the flaws discovered in some of these devices may not match the seriousness of the Meltdown and Spectre flaws, but their very existence attracts security researchers much as blood in the water attracts sharks.
“You need special skills and equipment to conduct these hacks, but as these devices become more and more popular, and part of our life, I have no doubt people will increase the focus on the hardware,” Itzik Kotler, chief technology officer and co-founder of SafeBreach, told eWEEK.
Already, chip makers are reacting to the discoveries. As a direct result of the vulnerability reports, Intel launched its “Security First” effort, pledging to issue patches quickly, be transparent in its efforts and create initiatives to spur the discovery of vulnerabilities.
Within three months of being notified of the issues in its processors, for example, Intel released microcode updates for every affected processor model manufactured in the past five years, the company stated. The first issue—one of two issues known as Spectre—will only be addressed by software updates. However, Intel is redesigning parts of its CPUs to address the other Spectre flaw as well as the Meltdown flaw, known as variants 2 and 3, the company said.
“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, Intel’s CEO, stated in a March 15 blog post on the issues. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”
Yet, researchers’ efforts continue, and there will undoubtedly be more vulnerabilities disclosed. Here are five of the most serious that were reported in the past year.
1. Spectre, Meltdown variants post triple threat
In January, researchers from Google’s Project Zero, Cyberus Technology and four universities announced a trio of flaws that abuse a widely-used technique known as speculative execution to read private data, such as passwords. Speculative execution speeds processing by pre-computing possible execution paths of a program, but differences in the running times of different branches can reveal the contents of memory, the researchers found.
The fix is not easy. Already, patches for both microcode and specific applications, such as browsers, have prevented—or at least, hardened—processors against the attacks, but the final fix will have to be in future designs of the processors to isolate the multiple cores and registers.
Intel is not alone in its efforts. AMD has also had to scramble to secure devices and computers based on their platforms, although only the Spectre flaws affected the platform. Apple released updates for all three issues as well, however, not every chip platform was equally affected by the vulnerabilities.
2. Researchers find flaws related to Speculative Store Bypass
Researchers were not done, however. In May, Microsoft and Google’s Project Zero both released details of another class of flaws related to processor’s speculative execution. Called Speculative Store Bypass, the variant of the Spectre and Meltdown flaws also affect AMD, ARM and Intel CPUs.
“AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers,” AMD said in a May 21 advisory. “We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats.”
Intel expects that more variants will likely be discovered.
“We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit,” Leslie Culbertson, executive vice president and general manager of the company’s newly minted Product Assurance and Security group, said in a statement.
“Expecting that this category of side-channel exploits would be no different, one of the steps we took earlier this year was expanding our bug bounty program to support and accelerate the identification of new methods.”
3. Intel acknowledges flaws in ME, AMT subsystems
While Intel is not alone in being affected by the Spectre and Meltdown vulnerabilities, the company did have to support a major platform update in 2017 to repair flaws in its ubiquitous Intel Management Engine, a subsystem of the motherboard that manages and maintains the overall health of the system while it’s running, but also when a system is asleep or booting up.
In November 2017, the company acknowledged that its systems had several security vulnerabilities that affected all eight generations of the Intel Core processor family, as well as a variety of its server and embedded processors. The vulnerabilities could allow an attacker to gain unauthorized access to the system.
It was not the first time subsystem firmware exposed vulnerabilities. The company had to fix vulnerabilities in a related subsystem, known as the Active Management Technology (AMT) module, that could also allow attackers to take control of systems.
The Electronic Frontier Foundation, a pro-digital rights group, likened the computer-control software to a “tiny homunculus” inside every system. The EFF called on Intel to provide a way to disable the Management Engine. “What would be best for users and for the public’s ability to control machines that they have purchased would be for Intel to provide official support for reducing the attack surface to limit the potential harm of the ME,” the group stated.
4. When 140 years is not long enough: the ROCA flaw
The trusted platform module (TPM) is a cryptographic chip used by an increasing number of computers to provide a secure storage for the digital keys needed to secure content and enable trusted transactions. In January 2017, security researchers at the Centre for Research on Cryptography and Security discovered that TPM chips made by Infineon used firmware that included a known vulnerable library for generating private keys.
The vulnerability could allow the recovery of 512-bit keys in 2 processor-hours—costing about 6 pennies—and enable recovery in up to 142 processor-years for 2,048-bit keys. While the cost of recovering 2,048-bit keys is high, it remains less than $40,000 per key, which could put critical encrypted data at risk from a determined attacker.
“The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures—such as for software releases—and other related attacks,” the researchers stated in their public analysis, which disclosed the vulnerability in October 2017.
The analysis found that at least 760,000 keys—and perhaps as many as three times that number–were affected by the issue. Microsoft’s hard-disk encryption technology, BitLocker, relies on the TPM, so the vulnerability weakened its security as well. To fix the issue, an administrator must update Windows, stop BitLocker protection, clear the trusted computing module, and then restart BitLocker to re-encrypt the data with a non-vulnerable key.
5. Insensitive disclosure of sensitive issues: AMD PSP flaws
In March, a relatively unknown company CTS Labs controversially publicized a set of security issues in AMD Platform Security Processors , which acts like a TPM, after only giving the chip maker a day to respond to their report. The software flaws allowed an attacker that had administrator access to bypass a number of hardware security measures, such as Secure Boot, infect the motherboard firmware, and bypass other defensive features.
While the company may have fueled hyperbole surrounding the security issues—and disclosed them without adequate notification—the vulnerabilities are real, said Dan Guido, co-founder and CEO of security firm Trail of Bits.
“Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public [as far as I know]), and their exploit code works,” Guido stated on Twitter, adding, “Yes, all the flaws require admin [privileges] but all are _flaws_ not expected functionality.”