Researchers have devised a new attack against Intel CPUs that can leak sensitive secrets stored in SGX secure enclaves and, at least in theory, from privileged processes across security boundaries such as kernel space, virtual machines and hypervisors. Dubbed Load Value Injection (LVI), the new attack is based on techniques used in other CPU vulnerabilities such as Spectre, Meltdown and Microarchitectural Data Sampling (MDS), but is different, more importantly, in that it bypasses the mitigations put in place for those flaws.

“Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory,” a team of researchers from KU Leuven, Worcester Polytechnic Institute, Graz University of Technology and the University of Michigan, said on a website dedicated to the new exploit. “Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations up to 19 times.”

The team of academic researchers reported the attack to Intel in April 2019, almost a year ago. The issue has been under embargo at Intel’s request since then, so the company could develop mitigations. In February, researchers from security firm Bitdefender also independently discovered and reported to Intel one of the LVI variants known as Load Value Injection in the Line Fill Buffers (LVI-LFB).

How does the LVI vulnerability work?

Like Meltdown and Spectre, LVI exploits transient or speculative execution in modern CPUs. This is a performance-enhancing feature where the CPU computes instructions in advance of finishing the current one by predicting its possible results. The goal is to save time and, if the prediction is wrong, the results of the instructions executed in advance are discarded.

However, these speculative executions might leave traces in the CPU’s internal caches or buffers, which can then be used as side channels by attackers to reconstruct sensitive data. Having remnants of speculative execution in caches and buffers wouldn’t be too bad if attackers had no control over what’s being executed, but vulnerabilities like Spectre and Meltdown can be used to influence the branch prediction in a way that would generate data of interest to the attackers. LVI turns that attack on its head.

“Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: We smuggle — ‘inject’ — the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords,” the researchers said.

Copyright © 2020 IDG Communications, Inc.

Source link

You must be logged in to post a comment.