What the MDS security gaps in Intel CPUs are

MDS attacks: an overview of the new CPU vulnerabilities, Page 1/2

Under the cryptic abbreviations MFBDS, MSBDS, MLPDS and MDSUM (Microarchitectural Fill Buffer, Store Buffer, Load Port and Uncacheable Memory Data Sampling), Intel has documented four new security gaps in its processor architecture. Closing them requires revised microcode updates and adaptations to the operating systems, and in some scenarios Intel advises against using Hyper-Threading altogether. At the same time, names such as ZombieLoad, RIDL, Fallout and YAM (Yet Another Meltdown) are circulating on the net and suggest yet more weaknesses. We explain what is behind them and what to do now.

In brief: as far as is currently known, the four new MDS attacks resemble the original Meltdown. They can give the guest system of a virtual machine access to the host's data, and they bypass Intel's Software Guard Extensions (SGX) as well as address space layout randomization (ASLR). In some cases the attacks work better on new CPUs, to which Intel has already added initial countermeasures, than on older processors. The good news: AMD, ARM and IBM are not affected this time.

Side Channel Attacks: Known for 23 years

We have known since January 2018 that the CPU manufacturers, above all Intel, had neglected security for a long time. The US cryptographer Paul C. Kocher had already documented the possibility of side-channel attacks in 1996 at the International Cryptology Conference (CRYPTO). Kocher showed that cryptosystems such as Diffie-Hellman, RSA and DSS do not have to be broken mathematically. Instead, one attacks the specific implementation by observing its behaviour over a longer period and inferring the processed data from the processing time; later work extended the same idea to power consumption and electromagnetic emissions. For an attacker who usually acts remotely, processing time is the most attractive measurement, especially since, before Meltdown and Spectre became public, it could be determined very precisely via JavaScript and thus from within a web browser.

Speculated at the expense of security

For a long time, processors and operating systems limited themselves to placing sensitive data in specially protected memory areas and keeping the addresses used secret. At the same time, CPU performance was raised through ever more sophisticated cache hierarchies and speculative execution. Modern processors try to predict the next steps and execute whole instruction sequences purely speculatively. If the CPU guessed correctly, the result is already available and costs no further computing time. If it was on the wrong track, the speculative computation is discarded. The problem: even specially protected data is processed speculatively and leaves traces in the cache, where it becomes a target for side-channel attacks. If the attacker additionally manages to provoke the speculative processing of the protected data, such a side-channel attack is greatly accelerated and becomes practical.
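What "provoking the speculative processing of protected data" looks like in code, as an added example that is not part of the article: the bounds-check-bypass gadget of the Spectre-PHT class (variant 1, listed further down) next to a branch-free hardening modelled on the Linux kernel's array_index_nospec(). The array names follow the original Spectre paper's example; their sizes and contents are constructed here, and the hardened index clamp assumes the array size is below SIZE_MAX / 2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the article or from any vendor:
 * the Spectre-PHT (bounds check bypass) gadget and a branch-free hardening.
 * Array names follow the original Spectre paper; sizes and contents are
 * constructed for this illustration. */

#define CACHE_LINE 64
static const uint8_t array1[16] = {1, 2, 3, 4, 5, 6, 7, 8,
                                   9, 10, 11, 12, 13, 14, 15, 16};
static const size_t array1_size = sizeof array1;
static uint8_t array2[256 * CACHE_LINE]; /* one cache line per possible byte value */

/* Vulnerable form. The bounds check is a conditional branch. Once the branch
 * predictor has been trained with in-bounds indices, a call with an
 * out-of-bounds x is speculatively executed past the check while the CPU is
 * still waiting for array1_size to arrive from memory. The speculative load
 * from array2 is indexed by whatever byte sits at array1 + x, so exactly one
 * line of array2 is pulled into the cache. The architectural result is
 * discarded, but a cache-timing probe (Flush+Reload) over array2 afterwards
 * reveals which line was touched and therefore the byte value. */
uint8_t victim_vulnerable(size_t x) {
    if (x < array1_size)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Branch-free clamp in the style of the kernel's array_index_nospec():
 * returns idx when idx < size and 0 otherwise. Because no branch is
 * involved, the clamped value is what the CPU uses even while it is
 * speculating past a mispredicted bounds check.
 * Assumption: size <= SIZE_MAX / 2. */
size_t index_nospec(size_t idx, size_t size) {
    /* The top bit of (idx | (size - 1 - idx)) is set exactly when idx >= size:
     * either idx itself is huge, or size - 1 - idx wraps around. */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    size_t mask = oob - 1; /* 0 when out of bounds, all ones when in bounds */
    return idx & mask;
}

/* Hardened form: same check, but the index actually used for the memory
 * access is clamped arithmetically, so a mispredicted branch can only ever
 * read array1[0]. Placing an LFENCE right after the check is the other
 * common fix; it stops speculation instead of bounding it. */
uint8_t victim_hardened(size_t x) {
    if (x < array1_size) {
        x = index_nospec(x, array1_size);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {0, 5, 15, 16, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index_nospec(%zu, %zu) = %zu\n",
               probes[i], array1_size, index_nospec(probes[i], array1_size));
    return 0;
}
```

Two caveats for anyone reusing the clamp: the compiler must not be allowed to turn the mask back into a branch (the kernel hides the index from the optimizer with an asm barrier for exactly this reason), and the leak itself is only observable with the cache-timing probe that this example deliberately leaves out; without it, both victim functions behave identically at the architectural level.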

Meltdown and Spectre create chaos

The CPU manufacturers, first and foremost the market leader Intel, knew of the danger but ignored it for years in the interest of the highest possible computing power. That worked well as long as side-channel attacks on processors remained a purely theoretical problem. In mid-2017, reality caught up with the chip makers, who were informed about the attack variants Meltdown and Spectre. Hardware flaws cannot be repaired, but they can at least be partially mitigated with so-called microcode updates. The new microcode arrives on the computer with new BIOS or UEFI versions, or is loaded by the operating system at boot. In addition, the software, above all the operating systems, has to be adapted. Even so, six months of lead time was not enough to prevent the chaos when the security gaps were announced.

Always new variants

While the CPU manufacturers and the operating system developers were still busy eliminating the original weaknesses, new variants of Meltdown and Spectre kept appearing. They were sometimes hard to classify, especially since new code names such as Foreshadow or Lazy FP kept turning up. In November 2018, Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin and Daniel Gruss then presented a systematically derived naming scheme that brought order for the first time. The new names consist of the original attack (Spectre or Meltdown) followed by a hyphen and the element of the CPU architecture that is being misused:

  • Spectre-PHT (Bounds Check Bypass) - formerly variant 1 and 1.1 (CVE-2017-5753, CVE-2018-3693)
  • Spectre-BTB (Branch Target Injection) - formerly variant 2 (CVE-2017-5715)
  • Spectre-RSB (Return Stack Buffer) - formerly ret2spec and SpectreRSB (CVE-2018-15572)
  • Spectre-STL (Speculative Store Bypass) - formerly variant 4 (CVE-2018-3639)
  • Meltdown-US (Supervisor-only Bypass) - formerly variant 3 (CVE-2017-5754)
  • Meltdown-P (Virtual Translation Bypass) - formerly L1TF, Foreshadow, Foreshadow-NG, Foreshadow-VMM (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646)
  • Meltdown-GP (System Register Bypass) - formerly variant 3a (CVE-2018-3640)
  • Meltdown-NM (FPU Register Bypass) - formerly Lazy FP (CVE-2018-3665)
  • Meltdown-RW (Read-only Bypass) - formerly variant 1.2
  • Meltdown-PK (Protection Key Bypass) - new variant, affects Intel Skylake-SP
  • Meltdown-BR (Bounds Check Bypass) - new variant, affects Intel and AMD