Researchers at both the University of Maryland in the U.S. and Tsinghua University in China have published a scientific paper documenting a new side-channel attack method that exploits a previously unknown hardware vulnerability in Intel processors. Although the vulnerability seems to affect the chipmaker’s latest processors, it’s most effective in attacking older models that are also exposed to the Meltdown vulnerability. The paper would likely be purely of scientific interest were it not for one aspect: attackers steal sensitive information by changing flag register data.
In English, please
Hardware processor vulnerabilities linked to speculative execution of instructions have been the subject of much research for more than five years. To simplify as much as possible, all the proposed attacks can be summed up as follows: the CPU is somehow forced to read data that user should not have access to. Imagine this theoretical scenario: the attackers’ program doesn’t have access to the encryption key used to protect sensitive data. If we instruct the CPU to “read the encryption key at a certain address”, the instruction simply won’t be followed. Help arrives (to the attacker) in the form of speculative execution of instructions – an important feature of modern CPUs, which has been around for almost three decades: to speed things up, instead of waiting for one instruction to finish, the processor executes the next in parallel.
If the first instruction checks access rights to sensitive information, it should in theory not allow execution of the following instruction to read this information. But it’s too late: the following instruction is being executed speculatively. Note that we don’t yet have access to this data – but the CPU does. In the case of known vulnerabilities such as Spectre, data is temporarily loaded into the CPU’s cache, but it can’t be read just like that. However, it can be read through side channels; for example, by repeatedly executing an instruction – the processing time of which varies depending on the data in the cache. Repeating such an operation many (thousands of!) times allows attackers to recover data just by watching how quickly or slowly some seemingly harmless command is executed.
We realize that this “simple” description still sounds complicated. The new paper is even more perplexing, especially since the authors decided not to spend time on a detailed description of the attack. The diagram below outlines it in full:
Let’s try to figure it out. EFLAGS is a flag register in the Intel processor that keeps track of the CPU’s operating status. It can store the result of calculations, in particular if this is equal to zero (the so-called zero flag or ZF). Next comes the magic: imagine a colleague of yours thinks of a number from 1 to 10 and is told to keep it to themselves. You keep calling out the numbers 1 through 10 (looking for whatever signs could give your colleague away), but they don’t want to share the correct answer with you, and respond each time with the word “chrysanthemum”. However, when you utter the correct number, they take a little longer to say “chrysanthemum” compared with other times.
Something similar happens in this new attack: we perform numerous calculations with sensitive data. All these calculations are done speculatively. The result is written to the ZF flag (equal or not equal to zero). We can’t directly know the status of this flag. But then we execute a rather useless JCC instruction (specifically the JZ instruction – “jump if zero”), which runs a little slower if we guessed right! And it’s this measurable delay in the response that constitutes the vulnerability.
Not yet a problem
The most interesting aspect of this attack is that it doesn’t work by itself. To ensure that speculative execution of the required instructions is possible, the bad guys need to exploit one more vulnerability. The paper we’re discussing uses the Meltdown vulnerability, discovered in 2018, which happily provides access to information that’s off-limits to outsiders. As a result, sensitive data was read with 100% reliability on all old CPUs affected by this vulnerability (the study used sixth and seventh-generation Intel Core i7). Although the experiment failed on tenth-generation CPUs, they too experience some delay when executing a certain instruction from the JCC set.
In reality, even more versatile types of attacks like Spectre, which steal information from the CPU’s cache, have a rather narrow application. But at least in their case it was obvious that something had to be done with them: the likelihood of an advanced attack targeting critical data was non-zero. As for the new paper, we’re dealing more with an idea that, if it works at all, it applies to older Intel processors.
But the news itself is significant: there’s now a new side-channel mechanism for extracting data using the flag status register. It can’t be ruled out that in the future this approach, combined with some other vulnerability, will impact new CPUs as well. Or maybe it will all be resolved before we see a new attack: after all, dependence of the instruction execution time on the data is quite a serious issue. There’s an entire subdiscipline of cryptography that deals with protection of encryption algorithms from timing attacks.
In any case, research into the specifics of modern CPUs is ongoing. Fortunately, executing attacks on hardware vulnerabilities is just as difficult as understanding them. And although we’ve yet to see anything that could be applied on a massive scale, infosec officers in companies that handle highly sensitive data would be wise to factor in such threats and, at a minimum, monitor their evolution.