New ‘Downfall’ Flaw Exposes Valuable Data in Generations of Intel Chips

Intel is releasing fixes for a processor vulnerability that affects many models of its chips going back to 2015, including some that are currently sold, the company revealed today. The flaw does not impact Intel’s latest processor generations. The vulnerability could be exploited to circumvent barriers meant to keep data isolated, and therefore private, on a system. This could allow attackers to grab valuable and sensitive data from victims, including financial details, emails, and messages, but also passwords and encryption keys.

It’s been more than five years since the Spectre and Meltdown processor vulnerabilities sparked a wave of revisions to computer chip designs across the industry. The flaws represented specific bugs but also conceptual data protection vulnerabilities in the schemes chips were using to make data available for processing more quickly and speed that processing. Intel has invested heavily in the years since these so-called speculative execution issues surfaced to identify similar types of design issues that could be leaking data. But the need for speed remains a business imperative, and both researchers and chip companies still find flaws in efficiency measures.

This latest vulnerability, dubbed Downfall by Daniel Moghimi, the Google researcher who discovered it, occurs in chip code that can use an instruction known as Gather to access scattered data more quickly in memory. Intel refers to the flaw as Gather Data Sampling after one of the techniques Moghimi developed to exploit the vulnerability. Moghimi will present his findings at the Black Hat security conference in Las Vegas on Wednesday.

“Memory operations to access data that is scattered in memory are very useful and make things faster, but whenever things are faster there’s some type of optimization—something the designers do to make it faster,” Moghimi says. “Based on my past experience working on these types of vulnerabilities, I had an intuition that there could be some kind of information leak with this instruction.”

The vulnerability affects the Skylake chip family, which Intel produced from 2015 to 2019; the Tiger Lake family, which debuted in 2020 and is due to be discontinued early next year; and the Ice Lake family, which debuted in 2019 and was largely discontinued in 2021. Intel’s current generation chips—including those in the Alder Lake, Raptor Lake, and Sapphire Rapids families—are not affected, because attempts to exploit the vulnerability would be blocked by defenses Intel has added recently.

The fixes are being released with an option to disable them because of the potential that they could have an intolerable impact on performance for certain enterprise users. “For most workloads, Intel has not observed reduced performance due to this mitigation. However, certain vectorization-heavy workloads may see some impact,” Intel said in a statement.
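Because the mitigation ships with an opt-out, the state of each host has to be checked rather than assumed. As an added example, not code from the article or from Intel, the following POSIX shell script reads the status that the Linux kernel exposes for Gather Data Sampling and classifies it; the sysfs path and status strings are those documented in the kernel's hardware-vulnerability admin guide, while the one-word category names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or Intel): classify the Linux kernel's
# report for Gather Data Sampling (GDS, "Downfall"). The sysfs file and its
# status strings are taken from the kernel's admin-guide/hw-vuln documentation.
# A host booted with gather_data_sampling=off (the opt-out the article refers
# to) reports "Vulnerable" here even though the microcode is installed.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# Map one kernel status line to a single word: ok | mitigated | vulnerable | unknown.
gds_classify() {
    case "$1" in
        "Not affected")            echo ok ;;
        "Mitigation: Microcode"*)  echo mitigated ;;   # also "(locked)": opt-out disabled
        "Vulnerable"*)             echo vulnerable ;;  # also "Vulnerable: No microcode"
        *)                         echo unknown ;;     # e.g. "Unknown: Dependent on hypervisor status"
    esac
}

# Read the live status (or a file passed as $1 for testing). A missing sysfs
# entry means the kernel predates GDS reporting, which is unknown, not safe.
gds_check() {
    path="${1:-$GDS_SYSFS}"
    if [ -r "$path" ]; then
        status=$(cat "$path")
    else
        status="(no sysfs entry: kernel without GDS reporting)"
    fi
    printf '%s\t%s\n' "$(gds_classify "$status")" "$status"
}

gds_check
```

Run it under a configuration-management check and alert on anything but `ok` or `mitigated`; a fleet-wide inventory of `vulnerable` hosts is the list of machines where the opt-out or missing microcode needs a decision.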

Releasing fixes for vulnerabilities like Downfall is always complicated, because in most cases they must funnel through each manufacturer that makes devices incorporating the affected chips before actually reaching computers. These device-makers take code provided by Intel and create tailored patches that can then be downloaded by users. After years of releasing fixes in this complex ecosystem, Intel is practiced at coordinating the process, but it still takes time. Moghimi first disclosed Downfall to Intel a year ago.

“Over the past few years, the process with Intel has improved, but broadly in the hardware industry we need agility in how we address and respond to these kinds of issues,” Moghimi says. “Companies need to be able to respond faster and speed up the process of issuing firmware fixes, microcode fixes, because waiting one year is a big window when anyone else could find and exploit this.”

Moghimi also notes that it is difficult to detect Downfall attacks, because they mostly manifest as benign software activity. He adds, though, that it might be possible to develop a detection system that monitors hardware behavior for signs of abuse like unusual cache activity.

Intel says that it would be “complex” and difficult to carry out Downfall attacks in real-world conditions, but Moghimi emphasizes that it took him only a few weeks to develop proofs of concept for the attack. And he says that relative to other speculative execution vulnerabilities and related bugs, Downfall would be one of the more doable flaws for a motivated and well-resourced attacker to exploit.

“This vulnerability enables an attacker to essentially spy on other processes and steal data by analyzing the data leak over time for a combination of patterns that indicates the information the attacker is looking for, like login credentials or encryption keys,” Moghimi says. He adds that it would likely take time, on the scale of hours or even weeks, for an attacker to develop the pattern or fingerprint of the data they’re looking for, but the payoff would be significant.

“I probably could have sold my findings to one of these exploit brokers—you could develop it into an exploit—but I’m not in that business. I’m a researcher,” Moghimi says.

He adds that Downfall seems to only impact Intel chips, but that it’s possible similar types of flaws are lurking on processors made by other manufacturers. “Even though this particular release is not affecting other manufacturers directly,” Moghimi says, “they need to learn from it and invest a lot more in verification.”

Author: showrunner