Year of vulnerability hunting uncovers potential attacks on Intel Chips, RAM

All three of these attacks put users’ privacy at risk, exploiting new routes to sensitive data.
Image Enlarge

Over the past year, Profs. Daniel Genkin, Tom Wenisch, and their students have worked on a series of projects and research teams that have exposed multiple vulnerabilities on computer components, including two potential attacks on Intel-based processors and another on DRAM chips. All three of these attacks put users’ privacy at risk, exploiting new routes to sensitive data.

Foreshadow
This project centered around a finding in the growing field of speculative execution attacks. The exploit affected users who rely on a digital lockbox feature known as Intel Software Guard Extensions, or SGX, as well as those who utilize common cloud-based services. The research team including Genkin identified the SGX security hole, called Foreshadow, in January 2018 and informed Intel. That led Intel to discover its broader potential in the cloud. This second variant, Foreshadow-NG, targets Intel-based virtualization environments that cloud computing providers like Amazon and Microsoft use to create thousands of virtual PCs on a single large server.

Both variants of the vulnerability gain access to the victim machine using what’s known as a side channel attack. These attacks infer information about a system’s inner workings by observing patterns in seemingly innocuous information—how long it takes the processor to access the machine’s memory, for example. This can be used to gain access to the inner workings of the machine.

The attack then confuses the system’s processor by exploiting a feature called speculative execution. Used in all modern CPUs, speculative execution speeds processing by enabling the processor to essentially guess what it will be asked to do next and plan accordingly. The attack feeds in false information that leads speculative execution into a series of wrong guesses.

In addition to Genkin, this research was done by Prof. Tom Wenisch and researchers at the Belgian research group imec-DistriNet, Technion Israel Institute of Technology, the University of Adelaide, and Data61.

MDS
Named Microarchitectural Data Sampling by Intel, this speculative execution attack leaks values from various buffers within an Intel processor. The processor has a number of specialized buffers that it uses for moving data around internally. When the processor reads from main memory, it first checks a certain data cache to see if it already knows the value. If it doesn’t, it sends a request to main memory to retrieve the value. That value is placed into a buffer before being written to the cache. Similarly, when writing values to main memory, they’re placed temporarily in store buffers.

All three buffers can hold stale data: a line fill buffer will hold data from a previous fetch from main memory while waiting for the new fetch to finish. These attacks perform speculation based on a stale value from one of these buffers. That value can be sensitive and of value to the attacker.

In addition to Genkin, this research was done by CSE PhD student Marina Minkin and researchers from the Graz University of Technology, Worcester Polytechnic Institute, and KU Leuven.

RAMBleed
Led by CSE PhD student Andrew Kwong, researchers uncovered this new data-pilfering side-channel attack that exploits the ever-shrinking dimensions of DRAM chips that store data a computer needs to carry out various tasks. The attack lets unprivileged attackers corrupt or change data stored in vulnerable memory chips and can be used to extract cryptographic keys or other secrets. RAMBleed is similar to previously reported Rowhammer attacks, which work by rapidly accessing—or hammering—physical rows inside vulnerable chips in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. RAMBleed takes Rowhammer in a new direction. Rather than using bit flips to alter sensitive data, the new technique exploits the hardware bug to extract sensitive data stored in memory regions that are off-limits to attackers.

In addition to Kwong and Genkin, this research was done by researchers from the Graz University of Technology, the University of Adelaide, and Data61.