Tech giants including Intel, Apple and Microsoft have banded together to offer a fix for a processor security vulnerability identified by researchers that could enable hackers to steal data from computers, smartphones and other devices.
Early leaks on the so-called security bug focused on Intel, but it’s now clear that the security vulnerabilities announced Wednesday have a much broader impact on many contemporary, high-performance processors and, not just Intel.
There are actually three different side-channel attacks that security researchers at Google Project Zero and other firms have identified. These attacks use a combination of knowledge of the internal operation of modern CPU and some level of brute force testing.
It’s important to note that, to date, these vulnerabilities have not been seen exploited in the wild. But with this disclosure, attacks can be crafted by knowledgeable hackers — which is why there has been a race to patch these vulnerabilities throughout the software ecosystem.
Part of the team that was needed to fix the vulnerabilities were CPU designers AMD, ARM and Intel. Key system software vendors included Apple, Citrix, Linux, Microsoft and VMWare.
These vendors were contacted back in June about these vulnerabilities and given time to prepare fixes. Because the vulnerabilities were set in chip designs already shipping, the only solution was to patch system software (operating systems and virtualization software/hypervisors) to work around the issues.
I’m using the word “vulnerability” and not “bug” because the circuits are doing exactly what they were designed to do. The side channel attack uses knowledge of those correct operations to infer data that should be protected.
The impact on performance varies with each processor design and with each piece of software. The impact seems to be felt most by software that requires a lot of system calls, like databases. Average user software like games and browsers should see minimal impact.
Specifically designed malware (malicious software) can force CPUs to perform speculative execution and then can discern information from protected regions with higher privileges. The fix requires changes in system software and firmware changes. The malware does not corrupt memory, but locally run software could expose sensitive data such as passwords and encryption keys.
Intel has confirmed these attacks can work on its processors, while AMD has a more limited exposure.
There were three vulnerabilities revealed Wednesday (Common Vulnerabilities and Exposures number):
- Bounds Check Bypass (CVE-2017-5753)
- Branch Target Injection (CVE-2017-5715)
- Rogue Data Load (CVE-2017-5754)
The bounds check bypass (threat No. 1) has a software fix because its difficult to change the CPU design to eliminate the speculative execution. During a rare briefing with AMD, ARM and Intel, all three companies said this was a shared threat and was being address through system software changes. It appears the performance impact is negligible.
The impact of threats No. 2 and No. 3 do vary depending on CPU vendor. Intel has confirmed both threats, but AMD has said that it cannot observe No. 2 and that, by design, it is not vulnerable to No. 3. This may be because Intel has used more aggressive techniques in its speculative operations. Each vendor has a different branch target design and this can impact the vulnerability. These are also the threats with the most performance impacts.
Intel said threat No. 2 may slow performance on benchmarks by 0-5 percent. Threat No. 3 may see an impact on typical workloads of between 3-5 percent, software that accesses kernel services a lot will bear the brunt of the slow down.
The case for ARM is more complicated. Many ARM cores have limited or no speculative execution, even mainstream Cortex-A cores. But higher performing cores do offer speculative operations for performance. In addition, ARM architectural licensees such as Apple, Cavium, and Qualcomm, design their own cores which vary in the amount of speculative execution and branch target designs. As the information unfolds, each vendor will have to list susceptible CPUs. ARM will implement changes to its core in development and may patch existing cores as needed.
While the early reports put a lot of the focus on Intel, this was a really unique industry collaboration between competitors and both software and chip companies. There are more companies that will be affected by this vulnerability. My hope is that this is the start of a broader industry collaboration on security, as this revelation shows there’s a changing threat landscape for security flaws. Working together, all these companies can do a better job securing our PCs, phones and data centers.
— Kevin Krewell is a principal analyst at Tirias Research