Intel Processors Hit with LVI Security Vulnerabilities, Mitigation Hits Performance Hard

[btarunr]

A new class of security vulnerabilities affect Intel processors, which can cause them to leak out sensitive information if probed in a certain way, but that's not the worst news for Intel and its users. The software- or firmware-level mitigation for this vulnerability can inflict performance reductions "ranging from 2x to 19x," according to a report by The Register. A full mitigation for the new Load Value Injection (LVI) class of vulnerabilities requires Intel to redesign software compilers. The vulnerability is chronicled under CVE-2020-0551 and Intel-SA-00334. It is not a remote code execution threat, however, it puts multi-tenant machines, such as physical servers handling multiple tenants via virtual servers.

"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — "inject" — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim's fingerprints or passwords," the reasearchers write in the abstract of their paper describing the vulnerability. Anti-virus manufacturer BitDefender independently discovered LVI and shared its study with Intel. The company could publish its findings in February. Additional technical details are found in the group's website here.



Many Thanks to biffzinker for the tip.

View at TechPowerUp Main Site

 

[btarunr]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).

 

[Yukikaze]

Err, but the whole point of the bug bounty program is for people to actively research and report vulnerabilities. You can't fix what you don't know. The cottage industry is an important part of what drives security research, both in CPUs and in other areas.

Hiding the issues won't help the computing world, because determined attackers will find (a subset of) them.

 

[R0H1T]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

That's ridiculous ~ you want your creditability down in the gutter, much like what many of us forum dwellers complain about, that's the one point plan that'll instantly teleport you over there. Killing BBP will spook more potential buyers especially in the enterprise segment!

 

[lexluthermiester]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty.

I disagree. This is a difficult learning process for both Intel and AMD, but the fruits of the bounty programs are clear, software and hardware are getting more secure and less prone to being hacked by criminals, malintent entities and even governments.

The program has clearly sprung up a cottage industry of security researchers (uni professors and college grads) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties.

Nothing wrong with that. Been happening for decades, now they are just getting reward for their efforts, and rightly so.

 

[Ferrum Master]

This is sad.

Bta should indeed tame down. Jesus(the living one) might see it.

No progress and development should be ceased because of hiding things down.

Black market will live further, now it is just more profitable to report it officially, before those things were sold to whoever did the offer...

If one cannot comprehend it, it is sad. The can of worms is open.

 

[thesmokingman]

Poor Intel right?

 

[lexluthermiester]

This is sad.

Bta should indeed tame down. Jesus(the living one) might see it.

No progress and development should be ceased because of hiding things down.

Black market will live further, now it is just more profitable to report it officially, before those things were sold to whoever did the offer...

If one cannot comprehend it, it is sad. The can of worms is open.

I think you're over-reacting just a little bit.

 

[biffzinker]

Intel is unable to fix their current CPU's with a microcode update this time to flush the buffers.

microcode updates to flush affected buffers are no longer sufficient. Instead, complementary to existing Spectre software mitigations, LVI necessitates compiler patches to insert explicit lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction. Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction.

The SGX enclaves are affected by LVI. The expected performance impact 2x-19x is for accessing a SGX enclave. If I understood it correctly.

 

[Ferrum Master]

Intel is unable to fix their current CPU's with a microcode update this time to flush the buffers.



The SGX enclaves are affected by LVI. The expected performance impact 2x-19x is for accessing a SGX enclave. If I understood it correctly.

Hard to tell.

"In our current assessment, we believe that LVI is mainly only relevant to Intel SGX enclaves. However, in the academic paper we showed that none of the ingredients for LVI are unique to Intel SGX and LVI attacks can in principle apply to non-SGX traditional cross-process, cross-virtual-machine, or user-to-kernel environments."

 

[r.h.p]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).

If any , does this affect the regular Intel gamer or home user ?

 

[john_]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).

Putting the head in the sand doesn't make the CPUs more secure. And the latest example with those two AMD vulnerabilities prove that Intel is paying for ANY security bug, not just for those in Intel CPUs. And if we consider that we have a dozen or even dozens of vulnerabilities of Intel CPUs already exposed, I guess most of those researchers will turn to AMD CPUs hoping to prove your point, that AMD CPUs are not as secured as people think or say. That means that it's not in Intel's best interest to stop financing those researchers now, now that almost all Intel CPUs vulnerabilities are exposed and researchers might turn to AMD CPUs. Except if of course AMD CPUs ARE in fact much more secure and even now a researcher will have more chances with an Intel CPU than an AMD CPU.

 

[btarunr]

If any , does this affect the regular Intel gamer or home user ?

No, but if Intel decides to shove a mitigation down our throats via Windows 10 Cumulative Update or BIOS updates, it will cost performance all the same.

As I mentioned in many older threads, the problem is not the CVE discoveries, but the forced mitigations chipping away at performance. Even if by tiny bits.

 

[thevoiceofreason]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty.

Ah yes, security through obscurity, because that has ever worked before.

Everybody gangsta until a new wave of bitcoin ransomware.

 

[btarunr]

Everybody gangsta until a new wave of bitcoin ransomware.

Name a ransomware that leverages a CPU-level vulnerability. Bonus points for one that leverages a side-channel attack vector.

 

[thevoiceofreason]

It is now in the toolkit of malware writers so why wouldn't they use it.

And trying to shift the blame on researchers is ridiculous, all of these attacks stem from a single decision Intel made about deferring access checks in speculation to chase cheap performance gains and now they are getting punished for it.

 

[Dredi]

As I mentioned in many older threads, the problem is not the CVE discoveries, but the forced mitigations chipping away at performance. Even if by tiny bits.

How insane can you get? If no bug bounties are present, the findings could be sold on the black market instead. Now the work is effectively incentivized making the black marked angle a lot more difficult to pursue.

The mitigations are important in this scheme, as otherwise we will end up with machines that have publicly known vunerlabilities. You don’t find malware using these exploits, as the vunerlabilities are typically fixed at the time the research papers are released.

Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.

 

[Vayra86]

I figured it out. CVE actually stands for Corona Virus for Electronics.

It gets the elderly architectures first.

 

[lexluthermiester]

Name a ransomware that leverages a CPU-level vulnerability. Bonus points for one that leverages a side-channel attack vector.

None. And there aren't likely to be any.

 

[Ferrum Master]

Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.

No the cannot be disabled already for a year+. Those are baked permanently in the kernel.

Your provided solution doesn't make sense much either.

 

[Octopuss]

At this point I think the only way Intel can fight these vulnerability discoveries is by killing the bug bounty program, or significantly reducing the bounty. The program has clearly sprung up a cottage industry of security researchers (uni professors and their college grad minions) bruteforcing Intel processors for vulnerabilities that they can write papers on (earn citations), report back to Intel, and claim the cash bounties. The BBP has become a fountainhead of headache for CTOs and CIOs.

AMD is safer only because its market footprint is too small in the datacenter space, most of these side-channel attacks affect datacenters, and you can't hack AMD processors for rich bounties (it's similar to the "Macs don't get viruses" fallacy of the 1990s and 2000s).

You forgot to take the brain pill today or what?

 

[btarunr]

How insane can you get? If no bug bounties are present, the findings could be sold on the black market instead. Now the work is effectively incentivized making the black marked angle a lot more difficult to pursue.

Bug Bounty Program provides a legitimate way of making money and paying taxes. Selling exploits on the dark web isn't something you can write in your income-tax filing, resume, or PhD application (not sure about its legality). I doubt there would be half as many cybersec researchers without the program (legit means of making money and earning academic citations).

A different kind of cyber-sec researchers are funded by Wall Street (hedge fund managers or those holding shorting positions against tech companies, remember CTSFlaws?).

The mitigations are important in this scheme, as otherwise we will end up with machines that have publicly known vunerlabilities. You don’t find malware using these exploits, as the vunerlabilities are typically fixed at the time the research papers are released.

All that BBPs without permanent non-disclosure clauses end up achieving is giving malware writers ideas so they can go after the vast majority of computers that stay unpatched or rarely patched.

Also, no-one is forcing you to use the mitigations, so stop complaining! Just install linux and disable them, problem solved. Most of the windows mitigations can also be disabled if you like living on the edge.

These mitigations are made part of cumulative updates that include other fixes or feature updates, and eventually become part of Windows codebase with each version. The manner in which they're distributed makes them a ramthroat.

 

[Dredi]

No the cannot be disabled already for a year+. Those are baked permanently in the kernel.

Your provided solution doesn't make sense much either.

Well then use the old kernel until the new one is faster with mitigations than the old one without mitigations. Gentoo works as well, if you wish to have better control over what security patches you wish to have in your computer. As for windows you can use inSpectre tool to make your computer less safe. Easy.

Bug Bounty Program provides a legitimate way of making money and paying taxes. Selling exploits on the dark web isn't something you can write in your income-tax filing, resume, or PhD application. I doubt there would be half as many cybersec researchers without the program (legit means of making money).

You are absolutely correct! Without this the same easy exploits could be achievable to black hats, who now have much harder time than before due to having to beat a bunch a researchers to the party.

also, please refrain from the ”security through obscurity” -fallacy.

Exposing the Fallacies of Security by Obscurity: Full Disclosure

It is unlikely that anyone is ignorant of the concept of full disclosure. While today we often see it applied to cyber security and the like.

www.isaca.org

 

[Ferrum Master]

Well then use the old kernel until the new one is faster with mitigations than the old one without mitigations. Gentoo works as well, if you wish to have better control over what security patches you wish to have in your computer. As for windows you can use inSpectre tool to make your computer less safe. Easy.

Refrain from commenting if you do not have a clue about windows ecosystem.

Linux is not a magic bullet either way regarding to CPU flaw exposure.

 

[Dredi]

Refrain from commenting if you do not have a clue about windows ecosystem.

Linux is not a magic bullet either way regarding to CPU flaw exposure.

Do you imply that the inspectre tool does not work? You can also make hardware changes to limit the number of mitigations that are loaded when the OS starts.