Another Intel Speculative Execution Vulnerability

Remember Spectre and Meltdown? Back in early 2018, I wrote:

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

That has turned out to be true. Here's a new vulnerability:

On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel's Software Guard eXtension, by far the most sensitive region of the company's processors.

[...]

The new SGX attacks are known as SGAxe and CrossTalk. Both break into the fortified CPU region using separate side-channel attacks, a class of hack that infers sensitive data by measuring timing differences, power consumption, electromagnetic radiation, sound, or other information from the systems that store it. The assumptions for both attacks are roughly the same. An attacker has already broken the security of the target machine through a software exploit or a malicious virtual machine that compromises the integrity of the system. While that's a tall bar, it's precisely the scenario that SGX is supposed to defend against.

Another news article.

Posted on June 11, 2020 at 6:40 AM • 29 Comments

Comments

metaschima • June 11, 2020 7:22 AM

I was thinking about this recently also and it totally makes sense. It's only a matter of time before even worse hardware vulnerabilities are discovered. Why? Well because this level of security was not a priority in the past. Performance is the main goal of processors and thus processor design. Only relatively recently in processor development has there been increased focus on security, but it's too late. They have ignored so much over the years that there are likely hundreds of critical vulnerabilities that haven't been discovered yet. I'm thinking a total design overhaul is needed. Design a secure processor from the ground up.

Jaime • June 11, 2020 7:57 AM

... or ...

Don't rely on a processor to defend one thread from another. Build your own cloud or buy dedicated cloud machines if your data matters to you. Don't run anyone else's workload on your systems. Don't mix sensitive and non-sensitive workloads on the same host.

Ulf Lorenz • June 11, 2020 8:05 AM

When reading what SGX actually is, one thing that comes to my mind: Given the difficulty of the underlying problem (running things securely on a potentially compromised machine) together with the difficulty of testing the whole thing, I cannot understand how anyone would seriously consider SGX to work as intended?

It might be fine as an additional loop to deter casual attacks, similar to doing code obfuscation, but I would never have trusted this thing to work in the first place.

myliit • June 11, 2020 9:04 AM

Apparently @Clive was correct. In 2021 or 2022, iirc, Apple Macintosh computers might start using Apple microprocessors, perhaps 3 mm ...

Dane • June 11, 2020 9:06 AM

According to Intel themselves: "In general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture. Preventing side channel attacks is a matter for the enclave developer."

In the slides they have that go into more detail about SGX, page 115 says: "SGX does not defend against this adversary." in reference to side channel attacks.

In essence: "Regardless of the side channel attack you find, it's not our fault. It's your fault for using SGX wrong."

I think this probably isn't going to be fixed any time soon.

Q • June 11, 2020 9:11 AM

Jaime says: "Don't run anyone else's workload on your systems."

That would include JavaScript also.

So, stop allowing random websites to run their evil JavaScript on your system. That is just plain wrong.

Clive Robinson • June 11, 2020 10:11 AM

@ Bruce, ALL,

Remember Spectre and Meltdown? Back in early 2018

I remember it well, as the information came out about Intel, protecting their Xmas sales figures...

As I said back then,

    "As I noted what feels like a long time ago, "It's the Xmas gift that will just keep giving"..."

And so it has and as Linus Torvalds noted[1],

    "I think somebody inside of Intel needs to really take a long hard look at their CPU's, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed."

But again Intel, or at least one of the seniors, was definitely up to no good. In what many would call "insider trading" he, knowing about the complete devastation of these hardware design faults, sold a big tranche of shares prior to the announcement, knowing full well about the very likely effect on share prices...

[1] https://lkml.org/lkml/2018/1/3/797

Sherman Jay • June 11, 2020 12:05 PM

I thank Bruce. These blunders are important to know. However, as a 'consumer' not knowledgeable on the 'substrate' level, I am curious:

Do the RaspPi Broadcom ARM Cortex-A53 processors have the same vulnerabilities?

Did the developers consider security a higher priority than Intel?

And are AMD processors any better than Intel?

I would suggest that Bruce could provide some comparative info that would help us 'consumers' make better choices.

I still think that all the 'speculative' work done by CPU's should be abandoned for pure task-at-hand processing efficiency (maybe run cooler, use less electricity, and be just as fast)

Jaime • June 11, 2020 12:25 PM

@Q, yes javascript.

If the type of people that collect 0-days are interested in you, consider any computer that has browsed the web compromised.

For the rest of us, that means to stay diligent on patching and have several layers of security protecting your data.

wiredog • June 11, 2020 1:03 PM

@Sherman Jay
My understanding is that any processor that does branch prediction/out of order processing, and/or has multiple cores has issues like this. It may be an unfixable (in practice, if not in theory) side-effect of the complexity of those processors. So pretty much any modern processor is at risk.

Sherman Jay • June 11, 2020 1:21 PM

@wiredog and @jaime,
Thanks for the info. That is what I suspected. Not comforting, but being informed, we can be more careful.

Sherman Jay • June 11, 2020 1:27 PM

@wiredog, @Q and @jaime, et al.,
I get the problems with javascript. Most in my group run EFF's privacy badger that reports and blocks a lot of tracking. However, browsing with javascript turned off and privacy badger running 'breaks' a lot of news sites (they either put up an obscuring gripe screen or just won't load). Lynx type browsers are clean, but not usable on most of the complex sites. Does anyone have ways around these problems?

John Cochran • June 11, 2020 3:31 PM

@Sherman Jay

Getting rid of speculative execution can improve cooling and reduce power consumption, but the main reason for doing it is to improve speed. Consider:

if A then B else C

If a computer performs A, B, and C at the same time and when A is finally complete, discards the speculative execution of either B or C that wasn't needed and retains the result that is needed, it's most likely to be faster than any non-speculative execution of A, B, and C. And if A, B, and C each take about the same time to perform, the overall execution time can be as little as half the execution time of sequential execution.

Right now, speculative execution is a major technique to decrease the time a computer takes to process a desired task. But it does so by requiring more hardware, hence consuming more power. And by creating side channels, which open security holes to exploit.

Untitled • June 11, 2020 3:34 PM

@Sherman Jay

    I get the problems with javascript. Most in my group run EFF's privacy badger that reports and blocks a lot of tracking. However, browsing with javascript turned off and privacy badger running 'breaks' a lot of news sites (they either put up an obscuring gripe screen or just won't load). Lynx type browsers are clean, but not usable on most of the complex sites. Does anyone have ways around these problems?

Yes. Don't use those news sites. You have a choice: if you really need to use that type of site, then live with the security risks that come with them. Maybe use a separate computer for browsing insecure news sites and for nothing else.

Other news sites are available. Try www.bbc.com/news which on most browsers (except Edge) works tolerably with no javascript at all (and, by the way, is relatively honest, if that's a consideration).

Jaime • June 11, 2020 4:15 PM

@Sherman Jay

I think you are looking at the wrong "additional layers". Malware and tracking protection tools do their jobs just fine, but this is a new threat that's hard to fingerprint.

These types of vulnerabilities allow code to run where it shouldn't run and essentially perform tasks either as you, or as your operating system. An example of another layer would be setting up two-factor authentication on your bank account, full disk encryption, or making sure you need to enter another password to get to your sensitive stuff (e.g. password protect a document).

This category of vulnerability presents different risks for clients and servers. Servers have to worry about what else is sharing the same processor, clients have to worry about what "guest code" is being allowed to execute.

myliit • June 11, 2020 5:11 PM

News Sites

W/javascript off perhaps try (as applicable):

Httpseverywhere

No cookies

And the Washington Post, New York Times, New Yorker, Guardian, ... . Sometimes less may be more ...

Sherman Jay • June 11, 2020 5:40 PM

@John Cochran,
Thanks, you described in detail what I alluded to. Straightforward CPU function without a lot of 'guesswork' wasting processing cycles that are just discarded. I wish a CPU manufacturer would recognize that there are people who want a clean efficient machine.

@untitled,
While I know BBC is good and quite accurate and go there, too. I need to get different factual perspectives from different sites so I can come to a more accurate conclusion about issues. This includes Techdirt, Krebs, Counterpunch, Naked Capitalism, some comics like 'shoe' 'non-sequitur' and more. Also, the computer I use for general browsing (and for Bruce's site which I know is clean) is not used for any sensitive banking or similar use. I don't like browsing 'naked' without privacy badger and bleachbit. They at least let me know what's being thrown at the computer. Having to disable and re-enable a couple of tools many times at different sites is not an efficient, or pleasant, way to browse. My use of linux reduces risk some. While I haven't had to, and don't want to do it frequently, it is easier and quicker (5 min) for me to just reinstall Linux on a USB drive than one of my friends who takes 1.5-2 hours to reinstall Win10 when it gets loaded up with crap.

@Jaime,
You are right about layers. But, two-factor authentic. is next to impossible since I don't have a smart phone. So, I don't bank on line at all. And, I do encrypt sensitive data that I send to others.

Bottom line seems that there is not a lot we can do to mitigate the vulnerability built into CPU's.


Sherman Jay • June 11, 2020 5:47 PM

@myliit
You are right that I should look in to httpseverywhere. I'll have to see how much adding that slows down the old single core junk yard lenovo I use. As to The news sites you mentioned, I do check them. Many of them gripe at me and won't load correctly when I turn cookies and/or javascript off. And, often their info shows some bias or is incomplete so I try to get all the puzzle pieces by visiting a number of sites (no Fux Snews or Breitbartt, though!)

lurker • June 11, 2020 6:14 PM

@Sherman Jay

    I still think that all the 'speculative' work done by CPU's should be abandoned for pure task-at-hand processing efficiency (maybe run cooler, use less electricity, and be just as fast)

IOW you want it without the go-fast stripes. Good luck with that, remember Sales always trumps Engineering at the Board table.

@myliit

    Apple Macintosh computers might start using Apple microprocessors,

Back in the days of the speed wars, when Apple was using Motorola PPC, we (Mac users) delighted in the curves of MIPS per watt, and the TDP numbers versus Pentium. Then came the infamous poster: 'Wanted, Dead or Alive, Motorola Semiconductor, for Violating Moore's Law'

John Cochran • June 11, 2020 6:18 PM

@Sherman Jay
People aren't looking for "clean efficient" machines. They're looking for "fast cheap" machines. And since clock frequencies have hit the wall, and more transistors are easy and cheap, speculative execution and multiple cores are pretty much the only available paths for increased speed.

RealFakeNews • June 11, 2020 6:56 PM

I have not considered any computer "secure".

I browse the web expecting Bad Things(TM) to happen.

I have known since the mid-1990s that the current CPU architecture can not be protected from itself.

Anyone remember the very earliest attempts at read-only memory on x86? Right there and then did the rot set in.

We need a whole new architecture for SECURE computing.

SECURE. FAST. Pick ONE.

RealFakeNews • June 11, 2020 6:57 PM

I have NOT considered any computer "secure".

@Moderator can you edit my post please? Thank you.

Sherman Jay • June 12, 2020 1:39 PM

@all,
In case anyone is interested:
Using firefox I disabled cookies and javascript.

I visited BBC news and found only a slight change in page display (but trackers dropped from 7 with cookies and javascript to 1 without either)

I visited NBC news and the screen presented some bold headlines, no menu at the top and no images at all (amazingly trackers dropped from 27 with cookies and javascript to none without either cookies or javascript!)

A number of other pages, including nation of change wouldn't load with cookies and javascript disabled.

I agree that disabling cookies and javascript is a safer way to browse, but it is not practical with the version of firefox I use.

And EFF's privacy badger (tracker blocker) which works beautifully most times, is detected by many websites and they put up a blocking 'gripe' screen and I can't proceed to the site unless I let them load all their cookies, ads, and tracking 'schmutz'.

SpaceLifeForm • June 12, 2020 3:41 PM

PrivacyBadger, no cookies, no JS, does *NOT* result in all attack angles being blocked.

One can visit a site one day, and it works. Later, it fails.

You changed none of your settings.

You do not control upstream routers.

You cannot trust TLS.

Nix • June 13, 2020 4:49 AM

@Sherman Jay, you don't need a smartphone to do two-factor security. There are a huge number of USB security dongles that can do much the same (my SSH keys are kept on a £50 hardware token and no general-purpose computing device ever sees them: if the right software features had been available when I bought it I could have got away with a £10 one that only did U2F instead).

In fact a good hardware token is probably more secure than a smartphone for second-factor stuff simply because it's so simple and the communication channels to/from it are so narrow that there's no way an attacker can get at its contents without literally mugging you and stealing it. And some of them are *tough*: put them through the wash, drop them out of a third-storey window, run them over with a car, they're only scuffed.

myliit • June 13, 2020 6:07 AM

@SpaceLifeForm

Thank you for that. [1]

A straightforward way to browse with Apple’s Safari is with javascript off and no cookies. I also use Firefox Focus and the Brave Browser, too.

I assume, IP address, known or perceived, whatever, might be relevant, too, regarding internet browsing and women in the middle.

[1] “PrivacyBadger, no cookies, no JS, does *NOT* result in all attack angles being blocked.

One can visit a site one day, and it works. Later, it fails.

You changed none of your settings.

You do not control upstream routers.

You cannot trust TLS.”

RealFakeNews • June 14, 2020 2:34 AM

In FireFox hit F11 to bring up the inspector tool. Delete the offending pop-up element. Continue browsing.
