Side-Chanel Attacks Continue to Haunt Intel
Andrew Wheeler posted on July 01, 2019 |

(Image courtesy of Intel.)
(Image courtesy of Intel.)

Hardware specific attacks received a good deal of attention early last year thanks to the discovery of Meltdown and Spectre. The publicity surrounding Meltdown and Spectre underscored fundamental vulnerabilities of hardware in the CPU and alarming weaknesses in the relationship between hardware engineering, software and cybersecurity. Discovered by Google's Project Zero, the hardware vulnerabilities allowed malicious actors to inject code to access data that should inaccessible and inflict damage using what's known as a side-channel attack. And it wasn't just your local hardware that could be affected. For example, if you have an application that is running on a cloud server and accessed by one user, the malicious code allowed hackers to see, access and manipulate data that belongs to a different user on the server. The types of high-value data ranged from credit card information to passwords and other security credentials. 

Meltdown and Spectre are two kernel side-channel attacks that are affecting an unprecedented range of computing devices and systems running AMD, ARM and Intel processors. The vulnerabilities allow attackers to steal sensitive data from the system memory by taking advantage of the way processors are designed to work.  (Image courtesy of
Meltdown and Spectre are two kernel side-channel attacks that are affecting an unprecedented range of computing devices and systems running AMD, ARM and Intel processors. The vulnerabilities allow attackers to steal sensitive data from the system memory by taking advantage of the way processors are designed to work. (Image courtesy of Natascha Eibl.)

Meltdown and Spectre are two kernel side-channel attacks that are affecting an unprecedented range of computing devices and systems running AMD, ARM and Intel processors. The vulnerabilities allow attackers to steal sensitive data from the system memory by taking advantage of the way processors are designed to work. 

What is a side-channel attack?

A side channel is an accidental pathway that leaks information from one software program to another via a common component like memory or a hard drive. Common resources found in microprocessors can be leveraged as a side-channel, like the CPU’s cache. This tiny fast-access memory stores data most frequently needed by a program. The CPU checks the cache for data after a program accesses memory. If the processor doesn’t find the data in the cache, the processor waits for a few hundred clock cycles until the data is retrieved from main memory. The new data is added to the cache after the main memory, and sometimes this displaces other data because the cache is limited in size.

Why is this CPU hardware from Intel so vulnerable to these types of attacks?  

To improve efficiency, processors are designed to use speculative execution, which means that they queue up a few probable operations to execute given input from the user. Basically, the processors speculate and use probability to guess which decision the user will make next to save time and improve performance. 

Improving CPU performance relies on engineering wizardry to maximize the output of a specific number of transistors available at any given time, with the number doubling every 18 months or so vis-a-vis Moore's Law. Historically, CPU performance improved at over 50 percent annually until around 2005 and then dropped off to an average rate of about 20 percent per year. Most of the easier techniques to engineer increased CPU performance were used up first in the years following the decline in performance improvement circa 2005. The pressure to increase the rate of improvement continued, and engineers had to become even more inventive. Because of this continued exhaustion of micro-architecture, engineering designs and techniques became increasingly complicated.

Within a CPU, adding complexity to boost system performance increases the likelihood of accidentally creating exploitable vulnerabilities. Since CPU architects essentially stack multiple techniques on top of one another, new things like branch prediction and speculative execution (which acts like prefetch does on a search engine) were added. These performance-enhancing additions complicated the relationship between cache and processor, accidentally making room for the Spectre and Meltdown vulnerabilities to operate effectively.

Subsequent implementations of speculative execution continued increasing in complexity to better anticipate a user's next move and increase overall CPU performance. Personal data was pulled into cache and unanticipated indirect reading of the data as it moved between cache and branch prediction.
Subsequent implementations of speculative execution continued increasing in complexity to better anticipate a user's next move and increase overall CPU performance. Personal data was pulled into cache and unanticipated indirect reading of the data as it moved between cache and branch prediction. (Image courtesy of Trail of Bits.)

Intel is Rethinking Hardware Design

Hackers using Spectre and Meltdown can read and take information like encryption keys and passwords to breach a system, then follow up the assault with other attacks on the compromised system. Meltdown and Spectre may not even require the user to run a malicious executable file. JavaScript-based proof-of-concept demonstrations have shown that the vulnerabilities can be exploited through a web browser using a browser’s high-resolution timer. In the realm of cloud computing, Spectre and Meltdown can be used by hackers to outmaneuver software containers and virtual machines. 

If you look at the data, Spectre and Meltdown are not efficient enough to exfiltrate huge swaths of data. Spectre accesses data at 1.5 to 2 KB per second and needs about 10-30 minutes to initialize. Meltdown accesses information at a faster rate (120 KB/s) relative to Spectre, but this is still way too slow for attackers to make off with a huge trove of sensitive data. Attackers exploiting Spectre and Meltdown leave no trace in system logs. Though malware signatures can still be determined by traditional means when Spectre and Meltdown are used in targeted malware attacks, but detection is more difficult.

Part of the reason hardware engineers struggle to secure increasingly complex systems is to keep up with computing workloads becoming more processor intensive. The iron-clad predictability of Moore's Law is increasingly in jeopardy, which causes external pressure from shareholders. Meltdown, Spectre and other hardware exploits are a symptom of this engineering trade-off. Hardware security needs to be rethought not just from the micro-architectural level of building the CPU, but at the architectural level of the system itself.

How is Intel handling the security-first approach to prevent side-channel attacks and other hardware exploits?

According to Intel, they've taken several key steps towards preventing attacks like Meltdown and Spectre from taking place again. They've established the Intel Product Assurance and Security (IPAS) Group, which is a "holistic product assurance and security effort that spans all of Intel, developing policy and best practices, and driving critical decisions" across all of their businesses. Intel has also completed microcode updates for more than nine years of products. advance security at the silicon level to help protect against side channel exploits. On the client side at the silicon level, Intel has introduced hardware-based protections with Intel Xeon Scalable processors (Cascade Lake), the 8th Generation Intel Core U-series processor (Whiskey Lake), and the 9th Gen Intel Core desktop processor (Coffee Lake). Intel's next-generation Intel Xeon Scalable processor (Cascade Lake) is the first x86 processor on the market that has hardware-based protections against Spectre V2.

Intel's not out of the woods yet: “ZombieLoad” is the name of a side-channel attack targeting Intel chips. It consists of four bugs. Every computer with Intel chips made from 2011 to the present is vulnerable to this attack. The name comes from the method of attack: A zombie load is a large amount of data that the computer can’t process correctly. This forces the CPU’s hand, where it queries microcode from the processor to prevent a crash from trying to process the “zombie load.” This action allows the attacker to stretch the boundaries that quarantine an application and from data accessed by the processor. In response, Intel built patches to their microcode to help clear processor buffers to prevent data from being exposed and read. (Image courtesy of zombieloadattack.com.)
Intel's not out of the woods yet: “ZombieLoad” is the name of a new side-channel attack targeting Intel chips. It consists of four bugs. Every computer with Intel chips made from 2011 to the present is vulnerable to this attack. The name comes from the method of attack: A zombie load is a large amount of data that the computer can’t process correctly. This forces the CPU’s hand, where it queries microcode from the processor to prevent a crash from trying to process the “zombie load.” This action allows the attacker to stretch the boundaries that quarantine an application and from data accessed by the processor. In response, Intel built patches to their microcode to help clear processor buffers to prevent data from being exposed and read. (Image courtesy of zombieloadattack.com.) 

Bottom Line

Security vulnerabilities are ongoing challenges in the world of computing and its growing reach. What makes Meltdown and Spectre so difficult is that they attacks based on the hardware design, not the software. Software attacks are far more common exploits for hackers to deploy. Vulnerabilities in software can easily be patched up once they are detected and stopped cold with a hot-fix. With Meltdown and Spectre, software patches provided a degree of protection but at the cost of performance, frustrating many users. No major CPU vendor can just patch the hardware of millions of machines. This is why hardware-based side channel attacks are a far more brutal prospect for OEMs versus software-based attacks. But Intel's taken all the right steps to try to prevent further damage. Whether or not they'll be successful in warding off more side-channel attacks with their new approaches is anyone's guess.

Recommended For You