Academic Researcher Believes Chip Vulnerabilities Could Have Been Resolved Sooner
Daniel Gruss, a researcher at Graz University of Technology, has expressed his frustration with chip makers for not taking reports from academic researchers more seriously, which may have led to the delayed resolution of the Spectre and Meltdown chip vulnerabilities. Gruss, who played a key role in uncovering the hardware bug, believes that if the chip makers had paid closer attention to reports from researchers like himself, these vulnerabilities could have been addressed much earlier.
In a recent interview, Gruss highlighted the ongoing challenges in dealing with chip vulnerabilities, especially with the increasing complexity of chip designs and the introduction of new technologies such as GPUs and confidential computing. He emphasized that the number of bugs in our systems is not likely to decrease over time and that there is a continuous need for collaboration between researchers and chip makers to address these security issues.
Gruss, along with Intel fellow Anders Fogh, will be discussing past chip vulnerabilities and exploring emerging threats at the upcoming Black Hat USA 2024 conference. Their presentation, titled “Microarchitecture Vulnerabilities: Past, Present, and Future,” will delve into recent side-channel attack techniques, such as Hertzbleed, Platypus, and Zenbleed. They will also explore how academic researchers and chip makers are working together to mitigate vulnerabilities and implement patching strategies.
Reflecting on his experience, Gruss recalled reporting the prefetch side-channel at the core of Spectre to Intel in 2016, only to have the chip maker delay its response. He believes that Intel could have identified Spectre two years earlier if they had taken a closer look at their report and conducted thorough testing on different machines. However, Gruss acknowledged that Intel has since become more responsive to security flaws and now takes all reported vulnerabilities seriously.
Intel’s vice president for Product Assurance and Security Group, Suzy Greenberg, emphasized the importance of communication between chip makers and researchers. She noted that Intel maintains open lines of communication not only with researchers but also with competitors like AMD and Nvidia, as hardware bugs could impact multiple vendors. Greenberg also highlighted the use of side-channel attacks in leaking sensitive data, such as usernames and passwords, and the need for continued vigilance in addressing these vulnerabilities.
Researchers, including Gruss, are also shifting their focus to exploring security issues in GPUs, which are increasingly used in AI applications. A recent study by a team of researchers highlighted a side-channel attack on Nvidia’s GPUs, prompting Nvidia to issue security alerts related to its GPU drivers and virtualization software. Gruss emphasized the need to understand the microarchitecture of GPUs better as they become more complex and susceptible to sophisticated attacks.
Looking ahead, Gruss warned that side-channel attacks may also pose a greater threat in the realm of confidential computing, where secure enclaves are created within hardware for running protected applications. The growing use of confidential computing chips by top manufacturers like Intel and AMD for AI applications has expanded the attack surface, making it vital for researchers to explore potential exploits and vulnerabilities in this area.
In conclusion, Gruss and other researchers are advocating for increased collaboration between academia and industry to address chip vulnerabilities and enhance security measures in the face of evolving threats. As the technology landscape continues to evolve, it is essential for chip makers to heed the warnings of researchers like Gruss to prevent future security breaches.