Intel processors: More holes than Swiss cheese?

Things had only just begun to quieten down at Intel after Spectre and Meltdown when the next dramatically named processor security vulnerabilities were announced. The ZombieLoad and Store-to-Leak Forwarding vulnerabilities already have their own website and logos, as has become fashionable recently. The vulnerabilities affect both older and current Core i and Xeon CPUs. Once again, the vulnerabilities were found by researchers from the universities of Graz and Leuven, who were the first to discover Spectre. Intel has classified the vulnerabilities as Low to Medium (CVE 3.8 to 6.5).

Spectre and Meltdown drew a great deal of publicity, but in the end little happened afterwards. Intel released microcode updates for some processors and otherwise pointed out that the vulnerability is difficult to exploit. The fact that similar vulnerabilities are now emerging is not good news for the manufacturer or for users. At least the researchers disclosed their research responsibly, enabling Intel to publish microcode fixes at the same time the research results were published. Details of these fixes were distributed, along with patches, to operating system and hypervisor vendors such as Microsoft and VMware. Current processors (Whiskey Lake and Coffee Lake) should no longer be affected by the vulnerabilities. An Intel website contains details of the affected and already immune CPUs.

The latest vulnerabilities are side-channel attacks, just like Spectre and Meltdown. Intel calls this form of attack "Microarchitectural Data Sampling" (MDS). With malware written for ZombieLoad, an attacker can read data from other processes, even if they are running in another virtual machine. Malicious code and target applications must be running on the same processor core for the attack to succeed. This works particularly well when Hyper-Threading is enabled because the target application and malware share more resources. As with the older vulnerabilities, the problems are caused by speculative execution of instructions. The attack relies on a process reading data and then discarding it because an event requires a different execution path. As long as the data still exists in the fill buffers, malicious code can access it under certain circumstances, including from another process running on the same CPU core.

The attack is not deterministic: attackers cannot search for specific data; they can only randomly tap whatever is stored in the CPU fill buffers. However, given enough time this could have catastrophic implications. Possible spoils include passwords and browser histories as well as the keys of crypto applications. Security experts have produced a video to show how ZombieLoad can eavesdrop on a Tor browser running on the Tails Linux distribution, which is considered very secure. According to the researchers, only Intel processors are affected; the attack could not be reproduced on AMD hardware.

Although Intel has officially stated that the affected processors are either already being manufactured without the vulnerability or have been immunized via a microcode fix, doubts remain about the effectiveness of these fixes. The security researchers believe that the fixes are not sufficient and that kernel and user space must be isolated by software. This is possible, but, as with Spectre and Meltdown, it leads to performance losses that will only become more apparent over the coming weeks.
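On Linux kernels that carry the MDS patches, the kernel reports its own view of the mitigation state in sysfs. The following check is an added example, not part of the original article or of any vendor tooling: it classifies that status line, including whether Hyper-Threading (SMT) still leaves sibling threads exposed. The verdict labels are this example's own naming, and the status strings are taken as an assumption from the kernel's MDS documentation.

```shell
#!/bin/sh
# Added example: interpret the Linux kernel's MDS status line.
# Assumption: status strings follow the kernel's hw-vuln/mds documentation;
# the verdict labels (mitigated, smt-exposed, ...) are invented for this example.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds "<status line>" -> prints "<mitigation>/<smt>" or a single word
classify_mds() {
    status=$1
    case $status in
        "Not affected"*) echo "not-affected"; return 0 ;;
    esac
    # Mitigation state: buffer clearing only works with updated microcode.
    case $status in
        "Mitigation: Clear CPU buffers"*) base=mitigated ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*) base=needs-microcode ;;
        "Vulnerable"*) base=vulnerable ;;
        *) echo "unknown"; return 0 ;;
    esac
    # SMT state: buffer clearing does not protect against a sibling thread.
    case $status in
        *"SMT vulnerable"*) smt=smt-exposed ;;
        *"SMT mitigated"*|*"SMT disabled"*) smt=smt-ok ;;
        *) smt=smt-unknown ;;
    esac
    echo "$base/$smt"
}

# report_mds <path> -> classify the file's content, or flag a kernel
# that predates the MDS patches (no sysfs entry at all).
report_mds() {
    if [ -r "$1" ]; then
        classify_mds "$(cat "$1")"
    else
        echo "no-sysfs-entry"
    fi
}

report_mds "$MDS_SYSFS"
```

A result of `mitigated/smt-exposed` means the microcode and kernel fix are active but code on a sibling hyper-thread can still sample the shared buffers, which is the same-core condition described above.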

The current research results can be interpreted in two ways. On the positive side, they show that vulnerabilities can be resolved quickly through responsible cooperation between security researchers and manufacturers. However, the latest incident shows the dangerous consequences of Intel's near-monopoly position. In the server market, Intel's current market share is 93 percent. Pretty much anyone operating a server is using a processor with vulnerabilities. Monocultures are vulnerable, and this is as true of data centers as it is of natural environments. If other processor architectures could win a larger share of the market as a result of the increasing shift to edge computing and IoT, this would be bearable for Intel and a boost in security for users.
