8 Big Processor Vulnerabilities in 2018
Security researchers have been working in overdrive examining processors for issues — and they haven't come up empty-handed.
July 13, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt143b388109721ca1/64f0d59fbafd243d240e4a37/01-cpu.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Since the Spectre and Meltdown vulnerabilities knocked the glow off of the new year, 2018 has been the year of the CPU bug. Security researchers have been working in overdrive examining processors for design flaws, firmware bugs, and other vulnerabilities that put an entire computing architecture at risk.
They haven't come up empty-handed.
Here's what we've had to contend with this year on the CPU vulnerability front — and what we can expect in a couple of weeks when new research hits the stage at Black Hat.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Before the haze from New Year's Eve fireworks even had a chance to dissipate, the security world was rocked by the disclosure of Spectre and Meltdown, two similar side-channel flaws in CPUs from Intel, AMD, and ARM. Affecting nearly all modern microprocessors, the vulnerabilities were found in how they carry out the functions of caching and speculative execution. The latter is particularly depended on to optimize CPU performance by predicting a command before it is even requested. These vulnerabilities can be exploited to force the operating system and applications to expose system memory data, which could include any nature of protected information, such as passwords and encryption keys.
The initial announcement of Spectre and Meltdown captured the imagination of security researchers and sparked a long line of related examinations. One of the first related discoveries to bear fruit was BranchScope, which was announced in March. Discovered by researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside, and Binghamton University, this one was also discovered in the speculative execution feature. In BranchScope's case, researchers found a flaw in what is called a Branch Target Buffer within Intel processors. They showed how this feature leaks information based on previous command-execution decisions made by the processor's branch predictor.
The next wrinkle in the Spectre disclosure chain came in May from the team with Google Project Zero, who led a lot of the initial Spectre discovery work, and an independent researcher from BiZone. The Spectre Variants 3a and 4 flaws are speculative store bypass bugs that can be used to force a processor to share memory and access information from one application to another. The worry here is that it can be used to essentially erase the application lines drawn between cloud instances run on the same CPU.
While not as flashy as the side-channel speculative execution flaws found this year, a flaw discovered in April within Intel chip firmware should still be on enterprise radars. The vulnerability makes it possible to change the way the chip's SPI Flash memory works, giving attackers the power to block BIOS/UEFI updates and corrupt the chip's firmware.
Intel has been absorbing a lot of the heat from CPU vulnerability discoveries this year, but AMD chips have been found to be just as vulnerable to many of them. In addition, a group of researchers from CTS-Labs announced this spring that AMD Ryzen chips have their own unique set of problems. These researchers rolled out four new vulnerability types found in these chips: Ryzenfall, Masterkey, Fallout, and Chimera. In total, they discovered 13 critical vulnerabilities and manufacturer backdoors in the AMD Secure Processor firmware, as well as the AMD Promontory chipsets.
Yet another speculative execution side-channel flaw, this one was found last month in Intel Core-based processors' use of the Lazy FP state restore feature, which governs how the system saves and restores floating point unit data. The flaw can be exploited by malicious software to leak data used by other processes running in the CPU. While similar to Spectre, it's a less severe vulnerability, with a moderate impact rating.
In a couple of weeks at Black Hat, researcher Ben Gras will go into details about a new side channel he just announced called TLBleed, which leaks information out Translation Lookaside Buffers (TLBs) in Intel CPUs with hyperthreading enabled. This attack can be carried out without relying on CPU data or instruction caches, which means it bypasses existing CPU cache side-channel protections.
The latest Spectre variant splash was made earlier this week by researchers Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting, who won a $100,000 bug bounty for the discovery of two new variants of the flaw. The first, Spectre 1.1, can be used to execute speculative buffer overflows against processors; the second, Spectre 1.2, bypasses Read/Write PTE flags so that attackers can get out of sandboxes established to create system security boundaries.
The latest Spectre variant splash was made earlier this week by researchers Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting, who won a $100,000 bug bounty for the discovery of two new variants of the flaw. The first, Spectre 1.1, can be used to execute speculative buffer overflows against processors; the second, Spectre 1.2, bypasses Read/Write PTE flags so that attackers can get out of sandboxes established to create system security boundaries.
Since the Spectre and Meltdown vulnerabilities knocked the glow off of the new year, 2018 has been the year of the CPU bug. Security researchers have been working in overdrive examining processors for design flaws, firmware bugs, and other vulnerabilities that put an entire computing architecture at risk.
They haven't come up empty-handed.
Here's what we've had to contend with this year on the CPU vulnerability front — and what we can expect in a couple of weeks when new research hits the stage at Black Hat.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Read more about:
Black Hat NewsAbout the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024