"Downfall" Vulnerability in Intel Processors and AMD’s "Inception" Vulnerability

[P4-630]

Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques.



[Q] Which computing devices are affected?

[A] Computing devices based on Intel Core processors from the 6th Skylake to (including) the 11th Tiger Lake generation are affected. A more comprehensive list of affected processors will be available here.

Downfall

Downfall attacks targets a critical weakness found in billions of modern processors used in personal and cloud computers.

downfall.page

Affected Processors: Transient Execution Attacks & Related Security...

Review the impact of transient execution attacks and select security issues on currently supported Intel products.

www.intel.com

 

[Dr. Dro]

I can't be the only one sick of these trendy marketable names for hardware exploits that are meant to sound scaaaawwwwy and the end of the world, the sole purpose of these is generating clicks... like the one affecting Zen 2 that they're calling "Zenbleed", come on...

 

[TumbleGeorge]

Well, Intel still somehow has to force consumers to spend their money for new processors (after the 11th series). /conspiracy/

 

[P4-630]

Intel itself has released a microcode update that effectively disables the "Gather" instructions, but with a loss of system performance...

 

[freeagent]

Just Intel doing Intel things

When Spectre/Meltdown first arrived on scene I literally watched the GFlops melt away as they implemented their mitigations. Boooo.

 

[P4-630]

Doesn't affect my i7 12700K, I'm ok this time..

 

[Bill_Bright]

[Rant One]

Well, Intel still somehow has to force consumers to spend their money for new processors (after the 11th series). /conspiracy/

Opportunistic, tin foil hat wearing, nonsensical bashings help no one.

Current CPUs can easily have well over 100 million transistors per mm² and over 200 million with the latest state of the art!!!!

Do the math. There are 645.16 mm² in 1 in². At a measly 100 million per mm², that equates to ~645 billion transistors in 1 square inch!

Yet there are still some who expect perfection at that level, then ridicule when a flaw surfaces.

It is ignorant to expect the raw materials to be 100.00% pure at those near sub-atomic levels, let alone to expect the manufacturing processes to be 100% perfect 100% of the time - especially when mere mortal humans are involved.

When Man is capable of creating perfection 100% of the time, then such accusations might be justified.

And of course, Intel is not the only processor manufacturer out there. So before criticizing Intel with unwarranted attacks, one might want to look at Ryzenfall, Masterkey, Fallout, and Chimera or this for AMD processors.

Or this for Motorola processors. Or this for Qualcomm.

Do I need to go on?

[/Rant One]

****

[Rant Two]

What I don't like about these reports (and the fixes), is the vagueness of the information provided by the manufacturers (regardless which maker), including exactly which processors are affected.

I fully understand they cannot go into great detail about the vulnerabilities as that may provide a roadmap for the bad guys to follow, and learn how to exploit that vulnerability. I get that. But, for example, this machine has an i5-6600 Skylake processor. The official list includes several Skylakes, including 6th Gen. But they appear to be various Skylake servers, Skylake Xeons, Skylake D, Skylake W, Skylake X, Skylake H and Skylake S.

Huh? The Intel i5-6600 Ark for my processor does not specify D, W, X, H, or S. What do I have? Is it affected? IDK!

And if I don't know - someone who's been around computers professionally for nearly 50 years - how is anyone with less experience, who is not into computers supposed to know? AMD and the others (including GPU and other chip makers) are just as guilty here.

I would like to see a comprehensive list that either includes my specific CPU, or does not include it. And if not included, that positively indicates it is not affected.

I would also like to see each maker provide a simple "tool", a small app users can download and run that scans the CPU to (1) determine the exact model, (2) identify it as affected, or not affected, and (3) give the user the option to then apply any applicable patch. That is NOT too much to ask.

[/Rant Two]

 

[R0H1T]

Just Intel doing Intel things

When Spectre/Meltdown first arrived on scene I literally watched the GFlops melt away as they implemented their mitigations. Boooo.

Intel's doing this for the bears, the polar bears!

 

[A Computer Guy]

I would also like to see each maker provide a simple "tool", a small app users can download and run that scans the CPU to (1) determine the exact model, (2) identify it as affected, or not affected, and (3) give the user the option to then apply any applicable patch. That is NOT too much to ask.

Also it would be nice it if reported the performance losses (if any) from the patch as well.

 

[Bill_Bright]

Also it would be nice it if reported the performance losses (if any) from the patch as well.

Well, then it stops being a "simple" tool and becomes a much more complex tool as it would have to perform a series of benchmarks before the patch is applied, and again after it is applied.

And too that, even if the benchmark tests revealed a change in performance, what really matters is if the user perceives one. There's a good chance any changes will go unnoticed - unless and until the user it told one exists.

It needs to be "simple". Those more advanced users can do their own benchmarking.

 

[A Computer Guy]

Well, then it stops being a "simple" tool and becomes a much more complex tool as it would have to perform a series of benchmarks before the patch is applied, and again after it is applied.

You failed to scope simple. Simple for the Vendor to create or simple for the end user to click a button or two or both.

And too that, even if the benchmark tests revealed a change in performance, what really matters is if the user perceives one. There's a good chance any changes will go unnoticed - unless and until the user it told one exists.

I do wonder how these things effect benchmarks. Rarely if ever do reviewer mention if specific security patches are in place during the tests. Perhaps in some cases they might not even know.

It needs to be "simple". Those more advanced users can do their own benchmarking.

 

[Bill_Bright]

Gee whiz. Nit pick much? I defined exactly what it needs to do.

I said,

a small app users can download and run that scans the CPU to (1) determine the exact model, (2) identify it as affected, or not affected, and (3) give the user the option to then apply any applicable patch. That is NOT too much to ask.

Then I went further to say how advanced users can determine if any performance chances occurred.

As far as whether or not it is simple for the manufacturer, I don't really care. This is about making it simple for us consumers. But surely the manufacturer knows which processors it affects and therefore can easily use Boolean logic to install, or not install the patch.

I do wonder how these things effect benchmarks.

And that's fine. I am not suggesting no one needs, or might be curious to know that. I am just saying saying there needs to be a "simple" tool for the user that will install the necessary patches, if needed.

Rarely if ever do reviewer mention if specific security patches are in place during the tests.

Umm, most (at least the better reviewers) will say Windows and drivers are current.

 

[A Computer Guy]

Gee whiz. Nit pick much? I defined exactly what it needs to do.

Perhaps. Sometimes it happens. No worries.

 

[Solaris17]

I do wonder how these things effect benchmarks.

not a ton and mostly scientific. From a user perception perspective it likely doesnt exist.

Initial Benchmarks Of The Intel Downfall Mitigation Performance Impact - Phoronix

www.phoronix.com

AMD got hit at the same time

AMD "INCEPTION" CPU Vulnerability Disclosed - Phoronix

www.phoronix.com

They also released a patch.

Given how late it is 14th gen will probably be affected (I think it will have AVX512?) but I imagine in the case of both AMD and Intel it will be mitigated in silicon by next gen.

Its also worth mentioning that these performance hit percentages on both camps are generally not so "permanent". While the performance will suffer historically patches after the initial mitigation slowly improve performance over time as work arounds are made to bypass the silicon limitations. Application specific performance always being a metric of its own since these mitigations arent always "X% across the board system performance is down".

 

[P4-630]

AMD’s Inception​

If Downfall is a descendant of Meltdown, then Inception, also known as CVE-2023-20569, is a side-channel vulnerability descended from the Spectre bug. It's actually a combination of attacks, one that makes the CPU think that it performed a misprediction, and a second that uses the "phantom speculation" trigger to "manipulate future mispredictions." More detail is available in the white paper (PDF).

The end result, according to security researchers in ETH Zürich's COMSEC group, is a vulnerability that "leaks arbitrary data" on affected Ryzen, Threadripper, and EPYC CPUs. The group published a proof-of-concept video in which they cause a CPU using AMD's latest Zen 4 architecture to leak a system's root password.

Mitigating the risk somewhat, AMD "believes this vulnerability is only potentially exploitable locally, such as via downloaded malware."

COMSEC says that the bug affects "all AMD Zen CPUs," but AMD itself says that Inception fixes are only necessary for processors using Zen 3 or Zen 4-based CPU cores. This includes Ryzen 5000- and 7000-series desktop CPUs, some Ryzen 5000 and 7000-series laptop CPUs, all Ryzen 6000-series laptop GPUs, Threadripper Pro 5000WX workstation CPUs, and 3rd- and 4th-gen EPYC server CPUs. Some AGESA firmware updates for these chips are available now, and others should be available sometime between now and December of 2023, and OS-level microcode updates are available in the meantime.

“Downfall” bug affects years of Intel CPUs, can leak encryption keys and more

Researchers also disclosed a separate bug called “Inception” for newer AMD CPUs.

arstechnica.com

 

[mb194dc]

So run dedicated machines and problem solved. In fact except for shared servers not even an issue.

 

[chrcoluk]

Looks like downfall mitigation will be disabled for anyone who is already disabling spectre and meltdown. Remains to be seen what the windows default will be as Microsoft have chosen to not enable all mitigations by default.

 

[R-T-B]

I can't be the only one sick of these trendy marketable names for hardware exploits that are meant to sound scaaaawwwwy and the end of the world, the sole purpose of these is generating clicks... like the one affecting Zen 2 that they're calling "Zenbleed", come on...

I mean yeah, the whole point is attention to an otherwise boring techncial issue, you hit the nail on the head there.

So run dedicated machines and problem solved. In fact except for shared servers not even an issue.

And trust all your javascript.

 

[Wirko]

Huh? The Intel i5-6600 Ark for my processor does not specify D, W, X, H, or S. What do I have? Is it affected? IDK!

I'm sure you're very much able to find that information but I agree that many users aren't, and Intel is not at all helpful.

"S" means desktop processors at least since Skylake. Here's a solid source: Wikichip. Shall I point you (or some confused user) to Intel? Rather not. And the same Intel used "S" as a suffix to the model number until Haswell.

After some checking, I found some logic (undocumented) in that list on Intel's page:

Spoiler

It's a list of CPUs and chipsets that haven't yet been discontinued.

 

[caroline!]

Remember the 15% single-core perf cripple "patch" for 7th and 8th gen chips when spectre was found lol, same again

mobos with unpatched BIOS were sold at scalper prices back then, lovely

 

[R-T-B]

same again

Not really no. This is not in the same class performance wise. We seem to be talking a fraction of a percent.

mobos with unpatched BIOS were sold at scalper prices back then, lovely

Ironic considering modern windows will just patch your microcode at boot anyways.

 

[Bill_Bright]

I'm sure you're very much able to find that information but I agree that many users aren't, and Intel is not at all helpful.

Thanks for that WikiChip link and you are right, I was able to find that same page and information with the help of my friend, Bing Google. But it wasn't exactly straight forward. If I wasn't fairly practiced at figuring out what to enter in search engines, and then how to weed through search results, I might have ended up more confused than when I started.

For example, I came upon this Intel link, Intel Processor Names and Numbers, but it says "S" stands for "Special edition". So does this. My processor is nothing special - unless they mean it is similar to how some kids ride the "special" bus! How about How to Identify My Intel Processor - no luck there. So even the processor itself is not reporting to the OS that it is a "S".

If you look at your WikiChip source which you call a "solid source", and follow the link for this processor, the Core i5-6600, the information provided is indeed, very extensive. And it does show on the right side, "Skylake S" for its "Core Name".

However, where did WikiChip get its information? Every link on that page takes you right back to another WikiChip page. They keep citing themselves. I am not criticizing WikiChip, I just think it sad there apparently is no Intel source to cite.

So I believe my point is still valid. Why do we users/consumers have to rely on 3rd party sources instead of Intel itself, whether or not our specific CPU is affected by some bug or vulnerability? We shouldn't have too. That's why I would like to see a "simple" little tool users can run that fully identifies their processors, and whether or not there are any firmware updates/patches for it.

 

[Frag_Maniac]

CVE-2022-40982, enables a user to access and steal data from other users who share the same computer.

I'm a bit confused by this sentence. Does it mean only someone whom has physical access to your PC can access this data?

 

[Ware]

For example, I came upon this Intel link, Intel Processor Names and Numbers, but it says "S" stands for "Special edition"....So even the processor itself is not reporting to the OS that it is a "S".

You're mixing "model" names and "line" names.
Processor lines are the first thing explained in every intel cpu's datasheet.
i5-6600S would be special chip. i5-6600 is a not so special chip from the Skylake - S line.

I'm a bit confused by this sentence. Does it mean only someone whom has physical access to your PC can access this data?

Check the link to the downfall page from the OP.
"In theory, remotely exploiting this vulnerability from the web browser is possible. In practice, demonstrating successful attacks via web browsers requires additional research and engineering efforts."

 

[Bill_Bright]

You're mixing "model" names and "line" names.

Yep. I know I did. That's why I said I my CPU was not "special". I was illustrating the point about how confusing the "lack" of information is.

As you correctly noted, the "i5-6600 is a not so special chip from the Skylake - S line."

Or as Intel says in your screen shot, "S-Processor Line". But note they also refer to it as "processor family S-Processors". Which is it? Model? Line? Processor Line? Processor family?

Yet in the link above to Affected Processors, it just says "Skylake S". ???

It is as bad as Outlook, Outlook Express, Office Outlook, and Outlook.com. Or Windows Defender, the anti-spyware program for W7, or Windows Defender, the antimalware program for W8/10/11. Or don't get me started on all the Explorer iterations.

Oh, well. My apologies for this clearly off-topic rant.