New CPU vulnerabilities found: Intel's DOWNFALL and AMD's INCEPTION

igormp

Summary

In a similar fashion to the recent Zenbleed, researchers at Google also found an even worse vulnerability on the SIMD units of Intel CPUs. The new DOWNFALL vulnerability allows one to read leftover data from the GATHER instruction after a failed speculative execution (AMD's one was a similar case with the zeroupper instruction).

CPUs from Skylake (6th gen) all the way to Rocket Lake (11th gen) are affected, with newer ones being safe. The performance impact could be up to 50% on applications that make heavy use of that kind of SIMD instructions (so video transcoding is going to hurt).

AMD also has a new vulnerability on Zen 3 and Zen 4 CPUs, but this one should only have a minor impact overall and not be that worrisome.

Quotes

Quote

Downfall is characterized as a vulnerability due to a memory optimization feature that unintentionally reveals internal hardware registers to software. With Downfall, untrusted software can access data stored by other programs that typically should be off-limits: the AVX GATHER instruction can leak the contents of the internal vector register file during speculative execution. Downfall was discovered by security researcher Daniel Moghimi of Google. Moghimi has written demo code for Downfall to show 128-bit and 256-bit AES keys being stolen from other users on the local system as well as the ability to steal arbitrary data from the Linux kernel.

Skylake processors are confirmed to be affected through Tiger Lake on the client side or Xeon Scalable Ice Lake on the server side. At least the latest Intel Alder Lake / Raptor Lake and Intel Xeon Scalable Sapphire Rapids are not vulnerable to Downfall. But for all the affected generations, CPU microcode is being released today to address this issue

...

AMD has received an external report titled ‘INCEPTION’, describing a new speculative side channel attack. AMD believes ‘Inception’ is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools. AMD is not aware of any exploit of ‘Inception’ outside the research environment, at this time.

My thoughts

Wew, yet another one. Hopefully the mitigation for DOWNFALL shouldn't impact most users, but it'll surely hurt the few that deal with tons of AVX stuff, especially people that deal with media (en|trans)coding.

AMD's vuln seems to be minor, at least compared to Zenbleed, and shouldn't have any noticeable impact in performance nor security for most (if not all) users.

Sources

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00828.html

https://security.googleblog.com/2023/08/downfall-and-zenbleed-googlers-helping.html

https://www.phoronix.com/review/downfall

https://www.servethehome.com/intel-downfall-ultra-scary-avx2-and-avx-512-side-channel-attack-discovered/

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html

https://www.phoronix.com/news/AMD-INCEPTION

Edited by igormp
less clickbaity title

FX6300 @ 4.2GHz | Gigabyte GA-78LMT-USB3 R2 | Hyper 212x | 3x 8GB + 1x 4GB @ 1600MHz | Gigabyte 2060 Super | Corsair CX650M | LG 43UK6520PSA
ASUS X550LN | i5 4210u | 12GB
Lenovo N23 Yoga

Were there ever viruses that exploited the much vaunted spectre and meltdown?

Also, the people who name these vulnerabilities are smart. Naming it Intel DOWNFALL was sure to grab eyeballs like those of mine (I thought it was a forum post from a fanboy, and then you being the poster confused me more hehe)

8 minutes ago, WolframaticAlpha said:

Were there ever viruses that exploited the much vaunted spectre and meltdown?

Some hacking tools did add support for it, but no known wide-spread exploit seems to exist, likely due to the efficiency that all involved parties took to mitigate the issue.

9 minutes ago, WolframaticAlpha said:

Also, the people who name these vulnerabilities are smart. Naming it Intel DOWNFALL was sure to grab eyeballs like those of mine (I thought it was a forum post from a fanboy, and then you being the poster confused me more hehe)

Yeah, I found it funny and left the title this way for this exact reason lol

If people find it to be too much of a clickbait, just say here and I will gladly change the title (please offer suggestions too if possible!)

FX6300 @ 4.2GHz | Gigabyte GA-78LMT-USB3 R2 | Hyper 212x | 3x 8GB + 1x 4GB @ 1600MHz | Gigabyte 2060 Super | Corsair CX650M | LG 43UK6520PSA
ASUS X550LN | i5 4210u | 12GB
Lenovo N23 Yoga

Watching with interest. Will have to flag it on some other forums where AVX heavy software is often used, although I don't know if they make heavy use of GATHER instructions. They do use a ton of FMAs though, but how does the data get picked up?

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible

24 minutes ago, porina said:

Watching with interest. Will have to flag it on some other forums where AVX heavy software is often used, although I don't know if they make heavy use of GATHER instructions. They do use a ton of FMAs though, but how does the data get picked up?

You could do some profiling to see how many gather-like instructions are used, and what % of this represents for your workload.

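As an added example (not part of the thread), one way to get a first estimate of how much a binary relies on gather instructions is to count them in `objdump -d` output, per function. The sample disassembly and its function names are constructed for illustration; a static count says where gathers exist, not how often they run, so hot functions still need a profiler.

```python
import re

# objdump -d instruction line: "  addr:<TAB>hex bytes<TAB>mnemonic operands".
# Byte-only continuation lines of long instructions have no second tab.
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\t(?:[0-9a-f]{2} )+\s*\t(\S+)")
SYMBOL_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")
# AVX2 / AVX-512 gathers: vgather* (floating point) and vpgather* (integer).
GATHER_RE = re.compile(r"^vp?gather")

# Constructed sample in objdump -d layout (function names are made up).
SAMPLE = """\
0000000000401000 <sum_indexed>:
  401000:\tc5 f5 76 c9          \tvpcmpeqd %ymm1,%ymm1,%ymm1
  401004:\tc4 e2 75 92 14 87    \tvgatherdps %ymm1,(%rdi,%ymm0,4),%ymm2
  40100a:\tc5 ec 58 db          \tvaddps %ymm3,%ymm2,%ymm3
  40100e:\tc5 f8 77             \tvzeroupper
  401011:\tc3                   \tret

0000000000401020 <copy_plain>:
  401020:\tc5 fe 6f 06          \tvmovdqu (%rsi),%ymm0
  401024:\tc5 fe 7f 07          \tvmovdqu %ymm0,(%rdi)
  401028:\tc3                   \tret

0000000000401030 <lookup_table>:
  401030:\t48 b8 88 77 66 55 44 \tmovabs $0x1122334455667788,%rax
  401037:\t33 22 11 
  40103a:\tc5 f5 76 c9          \tvpcmpeqd %ymm1,%ymm1,%ymm1
  40103e:\tc4 e2 75 90 14 86    \tvpgatherdd %ymm1,(%rsi,%ymm0,4),%ymm2
  401044:\tc3                   \tret
"""


def gather_usage(disassembly):
    """Map each function to (gather instructions, total instructions)."""
    usage = {}
    current = "<unknown>"
    for line in disassembly.splitlines():
        sym = SYMBOL_RE.match(line)
        if sym:
            current = sym.group(1)
            usage.setdefault(current, [0, 0])
            continue
        insn = INSN_RE.match(line)
        if insn is None:
            continue  # blank line, header, or byte continuation line
        counts = usage.setdefault(current, [0, 0])
        counts[1] += 1
        counts[0] += bool(GATHER_RE.match(insn.group(1)))
    return {name: tuple(c) for name, c in usage.items()}


def gather_share(usage):
    """Fraction of all disassembled instructions that are gathers."""
    gathers = sum(g for g, _ in usage.values())
    total = sum(t for _, t in usage.values())
    return gathers / total if total else 0.0


def gather_functions(usage):
    """Functions containing gathers, most gathers first."""
    hits = [(name, g, t) for name, (g, t) in usage.items() if g]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    result = gather_usage(SAMPLE)
    for name, g, t in gather_functions(result):
        print(f"{name}: {g} gather / {t} instructions")
    print(f"overall share: {gather_share(result):.1%}")
```

To run it on a real binary, pass the text produced by `objdump -d <binary>` to `gather_usage` instead of `SAMPLE`.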

31 minutes ago, igormp said:

You could do some profiling to see how many gather-like instructions are used, and what % of this represents for your workload.

I'll let those who write the software do the heavy lifting. Best I can do is benchmark before/after the update. While the updated microcode seems to have just been released from Intel, it could take some time to get to Windows. I don't see the CVE listed on a quick search of today's Windows Update.


7 minutes ago, porina said:

I'll let those who write the software do the heavy lifting. Best I can do is benchmark before/after the update. While the updated microcode seems to have just been released from Intel, it could take some time to get to Windows. I don't see the CVE listed on a quick search of today's Windows Update.

Ah, right, yeah, I believe that Michael should come with benchmarks this week for linux, let's see how it goes.

FX6300 @ 4.2GHz | Gigabyte GA-78LMT-USB3 R2 | Hyper 212x | 3x 8GB + 1x 4GB @ 1600MHz | Gigabyte 2060 Super | Corsair CX650M | LG 43UK6520PSA
ASUS X550LN | i5 4210u | 12GB
Lenovo N23 Yoga

Bugger, both my systems appear to be affected.

Will probably pass on this fix for the desktop, as the CPU is pretty much at its limit in some games anyway. Can’t afford to lose any performance here.

As for the laptop (Tiger Lake), not sure. I do a fair bit of encoding on it, as it’s faster and more efficient than the desktop, so I’d loathe to lose performance, even for security. Will wait to see what impact mitigations would yield here.

My eyes see the past…

My camera lens sees the present…

These names are awfully clickbait

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition

42 minutes ago, williamcll said:

These names are awfully clickbait

I’d love to be paid to make names.

Intel SodaCation - A play on soda lakes, and suffocation, and Intel’s propensity to use names of lakes.

AMD Icarus - Icarus has “Risen” too close to the sun.

Apple SnowWhite - because you know very well why.


6 hours ago, igormp said:

AMD has received an external report titled ‘INCEPTION’

someone just binged Nolan films.

Press quote to get a response from someone! | Check people's edited posts! | Be specific! | Trans Rights

I am human. I'm scared of the dark, and I get toothaches. My name is Frill. Don't pretend not to see me. I was born from the two of you.

A comment from the writer of y-cruncher: "Intel is somewhat saved here by gather/scatter's overall crappiness. Very few applications actually use them since they're already so bad that everyone avoids them." https://www.mersenneforum.org/showpost.php?p=635919&postcount=3

Presumably that may apply if you're writing low level code, not just running through a compiler. Intel suggests using compiler options to avoid gather instructions if software is significantly impacted.


https://www.phoronix.com/review/intel-downfall-benchmarks

Some benchmark results have been posted with the mitigation in place, compared to without. Some take a small hit, some a bigger hit. I recognise none of the benchmarks used.


On 8/8/2023 at 3:58 PM, igormp said:

Some hacking tools did add support for it, but no known wide-spread exploit seems to exist, likely due to the efficiency that all involved parties took to mitigate the issue.

Yeah, I found it funny and left the title this way for this exact reason lol

If people find it to be too much of a clickbait, just say here and I will gladly change the title (please offer suggestions too if possible!)

My question is even if someone makes use of this vulnerability what is the type of damage you could expect? I mean how easy is it to exploit this remotely and what type of information can they realistically get from this that they couldn't possibly get from other means much less complicated than this. I mean would you need to get a virus for this to be exploited and at that point aren't you already screwed because there are plenty of viruses that could easily get your information without using this exploit? Sometimes I feel like these cpu level vulnerabilities don't seem practical to exploit vs your average Joe and I wouldn't expect your average person to realistically be concerned about this. I could be totally wrong though as my knowledge on this subject is limited. 

1 hour ago, Brooksie359 said:

My question is even if someone makes use of this vulnerability what is the type of damage you could expect?

Side channel attacks can slowly retrieve information from the CPU. So things like encryption keys would be the targets. The thing is, you need to know what you're trying to get.

If you just log into a shared amazon web server, and use the attacks, you can probably get into other instances and eventually take over the server, and then you wait for that customer to spin up more instances and login to those, wash-rinse-repeat. 

Like it needs to be stated that most of the exploits are not really going to be much of anything on consumer desktops unless you are explicitly doing stuff with virtual machines or running untrusted code (eg pirated software/games.) Like the worst possible scenario for an end user I can envision is trying to grab data to get into accounts that don't use 2FA, but you have to know what you're looking for still.

On the flip side of that, exploits like this can be used to undermine DRM on purpose. Like say there wasn't an easier way to rip netflix/disney+/youtube, you could probably use the side channel attack to grab the keys and capture the entire network activity of watching the video, and then just decrypt the entire thing again to get the data. Not terribly useful when it's usually just easier to go buy the BD and rip that instead.

47 minutes ago, Kisai said:

Side channel attacks can slowly retrieve information from the CPU. So things like encryption keys would be the targets. The thing is, you need to know what you're trying to get.

If you just log into a shared amazon web server, and use the attacks, you can probably get into other instances and eventually take over the server, and then you wait for that customer to spin up more instances and login to those, wash-rinse-repeat. 

Like it needs to be stated that most of the exploits are not really going to be much of anything on consumer desktops unless you are explicitly doing stuff with virtual machines or running untrusted code (eg pirated software/games.) Like the worst possible scenario for an end user I can envision is trying to grab data to get into accounts that don't use 2FA, but you have to know what you're looking for still.

On the flip side of that, exploits like this can be used to undermine DRM on purpose. Like say there wasn't an easier way to rip netflix/disney+/youtube, you could probably use the side channel attack to grab the keys and capture the entire network activity of watching the video, and then just decrypt the entire thing again to get the data. Not terribly useful when it's usually just easier to go buy the BD and rip that instead.

Yeah so unless you are running VMs it's really a problem especially because if you are running untrustworthy programs on your computer you can easily get all sorts of viruses that could probably get that information without that exploit. I mean for normal desktop users. Obviously if you are running servers then you are going to want much better security regardless. 

6 hours ago, Brooksie359 said:

Yeah so unless you are running VMs it's really a problem especially because if you are running untrustworthy programs on your computer you can easily get all sorts of viruses that could probably get that information without that exploit. I mean for normal desktop users. Obviously if you are running servers then you are going to want much better security regardless. 

It's because of these CPU vulnerabilities that VBS is now a thing to aid in mitigation. For example in Windows, VBS is known as Core Isolation. Under Core Isolation, you have LSA Protection. If you have an Intel 11th gen or AMD Zen 3 based CPU, then there's a replacement for LSA protection that supersedes it called "Kernel-mode Hardware-enforced Stack Protection". 

19 minutes ago, _StrikE_ said:

It's a known fact that especially Intel hasn't been happy with sales lately so this is just the "right" ploy to get some more people on upgrading, targeting especially the ones with CPUs from the latest 6 generations since they are more likely to upgrade than people that have stuck with older hardware (4th gen or earlier) all this time.

Would be the worst plan ever, 99.99% people in the world would have no idea about these and would also never hear about them. Would be like yelling "free cake" in the middle of a forest hoping to get rid of your extra cake, someone might hear, maybe haha

58 minutes ago, _StrikE_ said:

In all honesty, call me crazy, but i'm starting to suspect something foul and a pattern here, Spectre & Meltdown did the same attacking from...

Exploiting the function of speculative execution was really a flaw in the paradigm of computing science; the philosophy if you will. This exploit transcended all sorts of CPU make/models that it required a complete re-evaluation of how to better secure data on the CPU being processed in-flight. Yes, even ARM architecture was affected.

This was so bad that Theo de Raadt said to just out-right disable Hyper-Threading. He was spot-on. It was like taking a sledge-hammer to the CPU functionality, but it was a safe catch-all in mitigation at the time (in 2018, not sure now). Even VMware and other vendors recommended to disable HT for their hypervisors too.

1 hour ago, _StrikE_ said:

Also I keep hearing about switches to turn off this mitigation microcode update and what not, can this patch be in any way avoided? What exactly do they mean by switches? How can you exactly avoid it?

If you look back to what happened with Spectre and Meltdown, a combination of microcode and software updates were used in combination to mitigate it. Some of those mitigations were implemented at OS level. With the appropriate registry keys entered you can "turn off" the mitigations if so desired. If the question is, can malicious software turn it off to evade it? Maybe. The attacker would have to have the ability to alter the registry and reboot the system for it to take effect. If an attacker has that level of access already, the system owner has a bigger problem regardless of that vulnerability.

Gaming system: R7 7800X3D, Asus ROG Strix B650E-F Gaming Wifi, Thermalright Phantom Spirit 120 SE ARGB, Corsair Vengeance 2x 32GB 6000C30, RTX 4070, MSI MPG A850G, Fractal Design North, Samsung 990 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Productivity system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, 64GB ram (mixed), RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, random 1080p + 720p displays.
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible

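The post above describes the Windows registry switches; on Linux the same kind of switch is a kernel boot parameter, and the kernel reports the resulting state under sysfs. As an added example (not from the thread), this audit combines both to flag a machine whose Downfall or Inception mitigation was turned off at boot. The sample status strings and command line are constructed.

```python
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Linux reports Downfall as Gather Data Sampling (GDS) and Inception as
# Speculative Return Stack Overflow (SRSO).
ENTRIES = {"Downfall": "gather_data_sampling", "Inception": "spec_rstack_overflow"}
# Kernel boot parameters that switch the corresponding mitigation off.
OFF_SWITCHES = {
    "Downfall": {"mitigations=off", "gather_data_sampling=off"},
    "Inception": {"mitigations=off", "spec_rstack_overflow=off"},
}

# Constructed sample: an affected Intel system booted with the GDS switch.
SAMPLE_STATUSES = {
    "gather_data_sampling": "Vulnerable\n",
    "spec_rstack_overflow": "Not affected\n",
}
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet gather_data_sampling=off"


def classify(status):
    """Reduce a sysfs status line to one of five states."""
    if status is None:
        return "unreported"  # kernel too old to know the issue: not "safe"
    text = status.strip().lower()
    for prefix, state in (("not affected", "not_affected"),
                          ("mitigation", "mitigated"),
                          ("vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return state
    return "unknown"  # e.g. a guest that cannot see the host's microcode


def audit(statuses, cmdline):
    """Report state and any boot-time off switch for each vulnerability."""
    params = set(cmdline.split())
    report = {}
    for name, entry in ENTRIES.items():
        state = classify(statuses.get(entry))
        switches = sorted(OFF_SWITCHES[name] & params)
        report[name] = {
            "state": state,
            "off_switches": switches,
            # Affected CPU and the mitigation was deliberately disabled.
            "disabled_at_boot": state == "vulnerable" and bool(switches),
        }
    return report


def read_live():
    """Read the real values on a Linux host (missing files are skipped)."""
    statuses = {}
    for entry in ENTRIES.values():
        try:
            with open(os.path.join(SYSFS_DIR, entry)) as fh:
                statuses[entry] = fh.read()
        except OSError:
            pass
    with open("/proc/cmdline") as fh:
        return statuses, fh.read()


if __name__ == "__main__":
    for name, row in audit(SAMPLE_STATUSES, SAMPLE_CMDLINE).items():
        print(name, row)
```

On a live host, call `audit(*read_live())`; an "unreported" result means the running kernel has no entry for the issue and should be updated before the status is trusted.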

Smiles in Ivy Bridge

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 

38 minutes ago, Radium_Angel said:

Smiles in Ivy Bridge

11 minutes ago, _StrikE_ said:

In all honesty I'm starting to wish I went with a Haswell K Refresh CPU myself, rather than going for an i7 Skylake non K (it was the cheaper option at the time and TSX looked appealing for RPCS3, it didn't even take 3 months I think till spectre hit).


https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/

52 minutes ago, StDragon said:

Oh I'm aware I was "affected" by Spectre, just not by the latest batch of mess because I run an old CPU (or pair, to be accurate)
