A security researcher has discovered a new flaw in Intel processors that might require a lot of work by Intel to fix. Termed TLBleed by the researchers, the side-channel vulnerability may allow attackers to extract cryptographic keys from apps. However, Intel does not consider this TLBleed vulnerability important enough to be discussed.
TLBleed Vulnerability – Another Side-Channel Flaw In Intel Processors
Researchers from the Systems & Network Security Group, Vrije Universiteit Amsterdam, have discovered a hardware vulnerability in Intel processors. They managed to extract the encryption 256-bit signing keys with a 99.8% success rate through TLBleed vulnerability. They call it ‘TLBleed’ as it makes use of TLB (Translation Lookaside Buffer) of the CPUs.
Long story short, it is a cache-based attack through which the attacker can extract the secret cryptographic keys and other private details from applications. The extraction process, however, does not rely on speculative execution. Instead, it exploits Hyper-threading technology along with CPU caches. This makes it different from Meltdown and Spectre.
The Register, in a blog post, explained the technical aspects of this flaw. They also stated that no hackers presently exploit the flaw as they have easy alternates.
“We should stress that this isn’t the end of the world because, first, you need malware running on, or a malicious user logged into, your system to exploit it. Second, no one right now is leveraging the weaknesses in the wild. There are easier ways for hackers to extract data from a computer or other device, via security bugs in browsers, PDF readers, email clients, and so on. And, third, exploiting this TLB side channel is nontrivial.”
Intel Presently Pays No Heed To This Flaw
As stated by The Register, Intel has presently no plans to work out on this bug. In fact, Intel deems it unnecessary even to have a CVE for it. Moreover, it refuses to pay the HackerOne bug bounty to the researchers, as one of the researchers told The Register.
“The HackerOne bug bounty program run by Intel has side channels in scope. However, Intel has dismissed our report as it does not demonstrate a side-channel attack against its ‘constant time’ – its side-channel hardened – cryptographic primitives.”
This is because Intel trusts that data leaking through TLBleed flaw can easily be avoided by cache-snooping countermeasures. Moreover, their developers think creating TLBleed-resistant codes would also suffice.
Jake Williams, a former NSA hacker and the founder of Rendition InfoSec, seems upset about the situation as revealed from his trails of tweets.
First, it's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE. Second, it's hard to imagine that Intel won't make changes to their processors to fix this. TLB management has subtle nuances depending on the architecture 2/
— Jake Williams (@MalwareJake) June 24, 2018
This is likely going to be easier to exploit than Spectre variants. But from where I sit it's more evidence that we need to rethink our secure architecture design patterns. How we provision applications, VDI, and multi-tenant hypervisors needs to change. 6/n
— Jake Williams (@MalwareJake) June 24, 2018
He further comments about the recurrent side-channel vulnerabilities in Intel processors.
Watching the progression of Intel hardware side channel attacks, it seems that Intel achieved much of their benchmark speed by sacrificing security. I'm interested to know how many cache based side channel attacks Intel knew about already. My bet is "most of them." 1/n
— Jake Williams (@MalwareJake) June 24, 2018
Nonetheless, an Intel spokesperson made a somewhat neutral statement to the matter, as stated by The Register.
“Protecting our customers and their data continues to be a critical priority for us. We’re looking into this feedback and thank the community for their ongoing efforts.”
The researcher also believes the AMD processors are also at risk as they employ a similar hardware threading technology as that of Intel. So far, AMD has not commented about the matter yet.