
Downfall of Billions of Intel CPUs Exposes Major Design Flaw

Billions of computers running on Intel processors are at risk of data leakage due to a class of security vulnerabilities that expose the lack of hardware isolation in chipmakers' offerings. The bug itself is Intel's, but related weaknesses have since turned up in CPUs from other vendors. At the Black Hat USA 2023 conference, Daniel Moghimi, a senior research scientist at Google, unveiled "Downfall," two related attack techniques that exploit a newly disclosed vulnerability tracked as CVE-2022-40982.

The bug originates in a memory optimization feature of Intel CPUs that unintentionally leaks the contents of internal hardware registers. Using the AVX "gather" instruction, which loads scattered memory locations into a single vector register, a malicious actor in a shared computing environment can recover data belonging to other users and applications running on the same physical core. That data can include sensitive information such as banking details, encryption keys, and kernel memory.

The scope of Downfall is extensive: it affects every device with an Intel Core processor from the 6th-generation Skylake through the 11th-generation Tiger Lake families, a span running from roughly 2015 to 2021. Intel's 12th-generation (Alder Lake) and later CPUs are not affected, but they have not yet been widely adopted in cloud fleets or consumer devices. The exact number of affected devices is hard to pin down. Intel holds a majority of the global CPU market, and Moghimi puts the figure at between 1.5 and 2 billion devices, while cautioning that this may not capture the full extent of the issue.

While Downfall itself affects only Intel CPUs, Moghimi suggests that other CPU vendors may have similar vulnerabilities. Another Google researcher, Tavis Ormandy, recently disclosed "Zenbleed," a comparable leak of vector-register contents in processors from Intel's competitor AMD. These vulnerabilities may not be unique to a specific chipmaker but a consequence of a common design choice: sharing microarchitectural state across security domains without hardware isolation.

Downfall targets a memory optimization feature called the SIMD (single instruction, multiple data) register buffer. This internal buffer holds vector data for whatever code is running on a physical core, including the sibling hyperthread, to speed up parallel processing. Using the "gather" instruction, Moghimi found that he could read stale data that another user's or application's code had left in that buffer. He developed two techniques that build on this: Gather Data Sampling (GDS), which leaks the buffer's contents to the attacker, and Gather Value Injection (GVI), which combines that leakage with the injection of attacker-chosen values into a victim's execution.

Moghimi emphasizes that GDS is highly practical: it took him about two weeks to build an end-to-end attack that steals encryption keys from OpenSSL, and the key extraction itself completes within seconds. The technique breaches fundamental security boundaries in most computers and opens up possibilities for a range of attacks. For instance, a tenant on a shared cloud host could use "gather" to steal data from other tenants sharing the same physical core, while a malicious application could steal sensitive information from other apps installed on the same machine.

Intel's microcode update changes how "gather" behaves so that it no longer forwards stale buffer contents, but Moghimi believes this is more a treatment than a cure for the underlying problem. The fundamental flaw lies in the lack of hardware isolation: internal registers and memory units are shared across different security domains. The fix also carries a performance cost for gather-heavy workloads, which is why Intel provides a way to switch it off on systems that never run untrusted code; doing so reopens the leak. Without better isolation within the hardware, additional vulnerabilities are likely to emerge in the future.

Moghimi predicts that similar issues will be found in ARM CPUs, and that it is only a matter of time before someone identifies another instruction that leaks data from Intel and AMD CPUs. The current microcode fixes change the behavior of the one leaking instruction, but the shared buffers inside the CPUs remain. More CPU vulnerabilities in the mold of Downfall and Zenbleed are to be expected unless hardware isolation improves substantially.
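As an added practical check, not code from the article, from Intel or from Google's researchers: on Linux the kernel reports the Downfall mitigation state under sysfs, and the script below classifies that report. The sysfs path and the status strings are the ones documented in the kernel's hardware-vulnerability admin guide (gather_data_sampling.rst); the verdict labels, return codes and the constructed inputs used to exercise it are this example's own.

```shell
#!/bin/sh
# Added example (not from the article, Intel or Google): classify the Linux
# kernel's Downfall / GDS (CVE-2022-40982) mitigation report.
# Kernel 6.5 and distribution backports expose it in sysfs; the status strings
# matched below are the ones listed in admin-guide/hw-vuln/gather_data_sampling.rst.

GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# classify_gds STATUS_STRING
# Maps the kernel's human-readable status onto one verdict (labels are ours):
#   not-affected      CPU is outside the affected Skylake..Tiger Lake range
#   mitigated         microcode mitigation loaded ("(locked)" = cannot be disabled)
#   mitigated-avx-off kernel's last-resort fallback: no microcode, so AVX was
#                     disabled entirely; gather cannot run, but neither can AVX code
#   unmitigated       affected CPU with no microcode, or mitigation disabled
#                     (e.g. booted with gather_data_sampling=off)
#   unknown           inside a guest only the hypervisor knows, or unrecognised text
classify_gds() {
    case "$1" in
        "Not affected"*)                     echo not-affected ;;
        "Mitigation: Microcode"*)            echo mitigated ;;
        "Mitigation: AVX disabled"*)         echo mitigated-avx-off ;;
        "Vulnerable"*)                       echo unmitigated ;;
        "Unknown: Dependent on hypervisor"*) echo unknown ;;
        *)                                   echo unknown ;;
    esac
}

# gds_report FILE
# Reads the sysfs entry (or any file standing in for it) and prints the verdict
# next to the raw kernel string. Exit status: 0 for mitigated / not affected,
# 1 for unmitigated, 2 when the answer is unknown or the entry is missing
# (kernel too old for the GDS report, or not Linux at all).
gds_report() {
    gds_file=$1
    if [ ! -r "$gds_file" ]; then
        echo "GDS status: unknown (no $gds_file; kernel predates the GDS report or not Linux)"
        return 2
    fi
    gds_status=$(cat "$gds_file")
    gds_verdict=$(classify_gds "$gds_status")
    echo "GDS status: $gds_verdict ($gds_status)"
    case "$gds_verdict" in
        mitigated|mitigated-avx-off|not-affected) return 0 ;;
        unmitigated)                              return 1 ;;
        *)                                        return 2 ;;
    esac
}

# Stand-alone use: report on the machine this runs on. The "|| true" keeps a
# non-zero verdict from aborting callers that run with "set -e".
gds_report "$GDS_SYSFS" || true
```

Run it on the host, not only inside a VM: a guest sees "Unknown: Dependent on hypervisor status" because the microcode is loaded by the hypervisor. A "Vulnerable" verdict on a patched machine usually means the kernel was booted with `gather_data_sampling=off`, the opt-out Intel provides for gather-heavy workloads that never share a core with untrusted code.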

In conclusion, the Downfall vulnerability exposes the lack of hardware isolation in Intel CPUs and potentially other CPU vendors’ products. The exploitation of the “gather” instruction allows unauthorized access to data belonging to other users and applications. Although Intel has released a patch, it only tackles the immediate issue and does not address the fundamental flaw in hardware design. Without significant improvements in hardware isolation, additional vulnerabilities are likely to emerge in the future.
