Microarchitectural Data Sampling: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:29, 10 June 2019 edit Artem S. Tashkinov (talk \| contribs) Extended confirmed users 4,188 edits →See also ← Previous edit		Latest revision as of 09:03, 13 June 2025 edit undo Maxeto0910 (talk \| contribs) Extended confirmed users 117,111 edits no sentence Tags: Mobile edit Mobile web edit Advanced mobile edit
(33 intermediate revisions by 26 users not shown)
Line 1: {{short description\|CPU vulnerabilities}} {{Use dmy dates\|date=May 2019}}▼ {{See also\|Transient execution CPU vulnerability}} ▲{{Use dmy dates\|date=May 2019\|cs1-dates=y}} {{Infobox bug \| name = Microarchitectural Data Sampling \| image = ZombieLoad Attack logo square.svg ~~\| image_size =~~ \| alt = \| caption = Logo designed for the vulnerabilities, featuring a wounded hand holding a broken microprocessor ~~\| caption =~~ \| screenshot = \| screenshot_size = \| screenshot_alt = \| screenshot_caption = \| CVE = ~~[https://cve.mitre.org/cgi-bin/cvename.cgi?name=~~{{CVE~~-2018-12126 CVE-~~\|2018-12126]}} (Fallout),<br />~~[https://cve.mitre.org/cgi-bin/cvename.cgi?name=~~{{CVE-\|2018-12127 ~~CVE-2018-12127]~~\|link=no}} (RIDL),<br />~~[https://cve.mitre.org/cgi-bin/cvename.cgi?name=~~{{CVE-\|2019-11091 ~~CVE-2019-11091]~~\|link=no}} (RIDL, ZombieLoad),<br />~~[https://cve.mitre.org/cgi-bin/cvename.cgi?name=~~{{CVE-\|2018-12130\|link=no}} (RIDL, ZombieLoad),<br />{{CVE\|2019-~~2018-12130]~~11135\|link=no}} (~~RIDL,~~ZombieLoad ~~ZombieLoad~~v2) \| discovered = 2018<ref name="Greenberg" /> \| patched = 14 May 2019 \| discoverer = {{flagicon\|Australia}} [[University of Adelaide]]<br />{{flagicon\|Austria}} [[Graz University of Technology]]<br />{{flagicon\|Belgium}} [[KU Leuven\|Catholic University of Leuven]]<br />{{flagicon\|China}} [[Qihoo 360]]<br />{{flagicon\|Germany}} Cyberus Technology<br />{{flagicon\|Germany}} [[Saarland University]]<br />{{flagicon\|Netherlands}} [[Vrije Universiteit Amsterdam]]<br />{{flagicon\|Romania}} [[Bitdefender]]<br />{{flagicon\|United States}} [[Oracle Corporation]]<br />{{flagicon\|United States}} [[University of Michigan]]<br />{{flagicon\|United States}} [[Worcester Polytechnic Institute]]<ref name="Greenberg" /> \| affected hardware = Pre-April 2019 [[Intel x86]] [[microprocessor]]s \| affected software = \| used by = \| website = {{URL\|https://mdsattacks.com\|mdsattacks.com}} {{URL\|https://zombieloadattack.com\|ZombieLoadAttack.com}} }} The '''Microarchitectural Data Sampling''' ('''MDS''') [[vulnerability (computing)\|vulnerabilities]] are a set of weaknesses in [[Intel CPUs\|Intel x86 microprocessors]] that use [[hyper-threading]], and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled '''Fallout''', '''RIDL''' (''Rogue In-Flight Data Load''), '''ZombieLoad'''.,<ref name="new"/><ref>[https://www.heise.de/security/meldung/Spectre-NG-Luecken-OpenBSD-schaltet-Hyper-Threading-ab-4087035.html Spectre-NG-Lücken: OpenBSD schaltet Hyper-Threading ab], heise.de, 2018-06, accessed 2019-09-29</ref><ref>[https://www.youtube.com/watch?v=sDrRvrh16ws&t=75 Let's Talk To Linux Kernel Developer Greg Kroah-Hartman \| Open Source Summit, 2019], TFIR, 2019-09-03</ref> and '''ZombieLoad 2'''.<ref>{{Cite web\|url=https://www.forbes.com/sites/daveywinder/2019/11/13/zombie-inside-intel-confirms-zombieload-2-security-threat/\|title=Intel Confirms 'ZombieLoad 2' Security Threat\|last=Winder\|first=Davey\|date=2019-11-13\|website=[[Forbes]]\|language=en\|url-status=live\|archive-url=https://archive.today/20200114182955/https://www.forbes.com/sites/kateoflahertyuk/2020/01/14/new-citrix-security-alert-us-government-issues-test-tool-for-serious-flaw/%2352628b892865\|archive-date=14 January 2020\|access-date=2020-01-14}}</ref> ==Description== The vulnerabilities are in the implementation of [[speculative execution]], which is where the processor tries to guess what instructions may be needed next. They exploit the possibility of reading [[data buffer]]s found between different parts of the processor.<ref name="Greenberg"/><ref name="new">{{cite web \|url=https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/ \|title=New RIDL and Fallout Attacks Impact All Modern Intel CPUs \|author-first=Ionut \|author-last=Ilascu \|publisher=Bleeping Computer \|date=14 May 2019 \|access-date=14 May 2019}}</ref><ref name="zombieloadattack.com" /><ref name="sa-00233"/> * Microarchitectural Store Buffer Data Sampling (MSBDS), {{CVE\|2018-12126}} Fallout ({{CVE\|2018-12126}}) — a leak of data being stored from store buffers<ref name="new" /> Microarchitectural Load Port Data Sampling (MLPDS), {{CVE\|2018-12127\|link=no}} RIDL ({{CVE\|2018-12127}}, {{CVE\|2018-12130}} and {{CVE\|2019-11091}}) — a leak from various internal processor buffers of data being loaded and stored<ref name="new" /> Microarchitectural Fill Buffer Data Sampling (MFBDS), {{CVE\|2018-12130\|link=no}} ZombieLoad ({{CVE\|2018-12130}}) — a leak of already-loaded data from a processor's fill buffer<ref name="new">{{cite web\|url=https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/\|title=New RIDL and Fallout Attacks Impact All Modern Intel CPUs\|author=Ionut Ilascu\|publisher=Bleeping Computer\|date=14 May 2019\|accessdate=14 May 2019}}</ref><ref name="zombieloadattack.com" /> Microarchitectural Data Sampling Uncacheable Memory (MDSUM), {{CVE\|2019-11091\|link=no}} Transactional Asynchronous Abort (TAA), [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135 CVE-2019-11135] Not all processors are affected by all variants of MDS.<ref name="linux-mds">{{cite web~~\|ref=harv~~ \|title=Microarchitectural Data Sampling \|url=https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html \|date=2019-05-14 \|work=The Linux kernel ~~user’s~~user's and ~~administrator’s~~administrator's guide}}</ref>▼ ==History== According to Intel in a May 2019 interview with [[Wired.com\|Wired]], Intel's researchers discovered the vulnerabilities in 2018 before anyone else.<ref name="Greenberg" /> Other researchers had agreed to keep the exploit confidential as well since 2018.<ref name="mdsattacks.com">{{cite web \|url=https://mdsattacks.com \|title=MDS attacks \|website=mdsattacks.com \|~~accessdate~~access-date=20 May 2019}}</ref> On 14 May 2019, various groups of security researchers, amongst others from Austria's [[Graz University of Technology]], Belgium's [[KU Leuven\|Catholic University of Leuven]], and ~~Netherland~~Netherlands's [[Vrije Universiteit Amsterdam]], in a [[responsible disclosure\|disclosure coordinated]] with Intel, published the discovery of the MDS vulnerabilities in Intel microprocessors, which they named Fallout, RIDL and ZombieLoad.<ref name="Greenberg" /><ref name="zombieloadattack.com">{{cite web \|url=https://zombieloadattack.com/ \|title=ZombieLoad Attack \|website=zombieloadattack.com \|~~accessdate~~access-date=14 May 2019}}</ref> Three of the TU Graz researchers were from the group who had discovered [[Meltdown (security vulnerability)\|Meltdown]] and [[Spectre (security vulnerability)\|Spectre]] the year before.<ref name="Greenberg" /> On 12 November 2019, a new variant of the ZombieLoad attack, called Transactional Asynchronous Abort, was disclosed.<ref>{{Cite web\|url=https://www.theregister.co.uk/2019/11/12/zombieload_cpu_attack/\|title=True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variant\|first=Shaun\|last=Nichols\|date=12 November 2019\|website=www.theregister.co.uk\|language=en\|access-date=2019-11-12}}</ref><ref>{{Cite web\|url=https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/\|title=Intel's Cascade Lake CPUs impacted by new Zombieload v2 attack\|last=Cimpanu\|first=Catalin\|website=ZDNet\|language=en\|access-date=2019-11-12}}</ref> ==Impact== According to varying reports, Intel processors dating back to 2011<ref>{{cite ~~web~~news \|url=~~http~~https://~~social.~~techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/ \|title=New secret-spilling flaw affects almost every Intel chip since 2011 \|author-first=Zach \|author-last=Whittaker \|~~publisher~~work=TechCrunch \|date=14 May 2019 \|~~accessdate~~access-date=14 May 2019}}</ref> or 2008<ref name="Greenberg" /> are affected, and the fixes may be associated with a [[computer performance\|performance]] drop.<ref name="BBC-20190515">{{cite news \|author=<!-- Staff --> \|title=Intel Zombieload bug fix to slow data centre computers \|url=https://www.bbc.com/news/technology-48278400 \|date=15 May 2019 \|work=[[BBC News]] \|~~accessdate~~access-date=15 May 2019 }}</ref><ref name="PH-20190524">{{cite news \|author-last=Larabel \|author-first=Michael \|title=Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload \|url=https://www.phoronix.com/scan.php?page=article&item=sandy-fx-zombieload&num=1 \|date=24 May 2019 \|work=[[Phoronix]] \|~~accessdate~~access-date=25 May 2019 }}</ref> Intel reported that processors manufactured in the month before the disclosure have mitigations against the attacks.<ref name="Greenberg">{{cite news \|~~author1~~author-~~first~~first1=Andy \|~~author1~~author-~~last~~last1=Greenberg \|url=https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/ \|title=Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs \|newspaper=[[WIRED]] \|date=14 May 2019 \|~~accessdate~~access-date=14 May 2019}}</ref> Intel characterized the vulnerabilities as "low-to-medium" impact, disagreeing with the security researchers who characterized them as major, and disagreeing with their recommendation that operating system software manufacturers should completely disable [[hyperthreading]].<ref name="Greenberg" /><ref name="PCW-20190515">{{cite news \|author-last=Mah Ung \|author-first=Gordan \|title=Intel: You don't need to disable Hyper-Threading to protect against the ZombieLoad CPU exploit - "ZombieLoad" exploit seems to put Intel's Hyper-Threading at risk of being put down \|url=https://www.pcworld.com/article/3395439/intel-hyper-threading-zombieload-cpu-exploit.html \|date=15 May 2019 \|work=[[PC World]] \|~~accessdate~~access-date=15 May 2019 }}</ref> Nevertheless, the ZombieLoad vulnerability can be used by hackers exploiting the vulnerability to steal information recently accessed by the affected microprocessor.<ref name="steal data">{{cite web \|url=https://www.theverge.com/2019/5/14/18623708/zombieload-attack-intel-processors-speculative-execution \|title=ZombieLoad attack lets hackers steal data from Intel chips \|author-first=Jacob \|author-last=Kastrenakes \|~~publisher~~website=[[The Verge]] \|date=14 May 2019 \|~~accessdate~~access-date=15 May 2019}}</ref> ==Mitigation== Fixes to [[operating systems]], [[virtualization]] mechanisms, [[web browsers]] and [[microcode]] are necessary.<ref name="Greenberg" /> ~~Microcode is the implementation of processor instructions on the processor itself, and updates require a firmware patch,<ref name="Greenberg" /> also known as [[BIOS]] or [[UEFI]], to the motherboard.~~ {{As of\|2019\|05\|14}}, applying available updates on an affected PC system was the most that could be done to mitigate the issues.<ref name="GZM-20190514">{{cite news \|author-last=O'Neill \|author-first=Patrick Howell \|title=What To Do About the Nasty New Intel Chip Flaw \|url=https://gizmodo.com/what-to-do-about-the-new-intel-chip-flaw-1834759126 \|date=14 May 2019 \|work=[[Gizmodo]] \|~~accessdate~~access-date=15 May 2019 }}</ref> Intel incorporated fixes in its processors starting shortly before the public announcement of the vulnerabilities.<ref name="Greenberg" /> On 14 May 2019, a mitigation was released for the [[Linux kernel]],<ref>{{Cite web \|url=https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.2 \|title=ChangeLog-5.1.2~~\|last=\|first=~~ \|date=14 May 2019 \|website=The Linux Kernel Archives \|archive-url=https://web.archive.org/web/20190515071751/https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.2 \|archive-date=15 May 2019 \|~~dead-~~url-status=nolive \|access-date=15 May 2019}}</ref> and [[Apple Inc.\|Apple]], [[Google]], [[Microsoft]], and [[Amazon (company)\|Amazon]] released emergency patches for their products to mitigate ZombieLoad.<ref>{{cite ~~web~~news \|url=~~http~~https://~~social.~~techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/ \|title=Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws \|author-first=Zach \|author-last=Whittaker \|~~publisher~~work=TechCrunch \|~~\|accessdate~~access-date=14 May 2019}}</ref> On 14 May 2019, [[Intel]] published a security advisory on its website detailing its plans to mitigate ZombieLoad.<ref name="sa-00233">{{cite web \|url=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html \|title=INTEL-SA-00233 \|website=Intel \|~~accessdate~~access-date=14 May 2019}}</ref> == See also == [[Hardware security bug]]▼ * [[Transient execution CPU vulnerabilities]] ▲* [[Hardware security bug]] == References == {{Reflist~~\|colwidth=30em~~}} == Further reading == === Original papers by the researchers === * {{cite ~~paper\|ref=harv~~web \|title=ZombieLoad: Cross-Privilege-Boundary Data Sampling \|~~author1~~author-~~first~~first1=Michael \|~~author1~~author-~~last~~last1=Schwarz \|~~author2~~author-~~first~~first2=Moritz \|~~author2~~author-~~last~~last2=Lipp \|~~author3~~author-~~first~~first3=Daniel \|~~author3~~author-~~last~~last3=Moghimi \|~~author4~~author-~~first~~first4=Jo \|~~author4~~author-~~last~~last4=Van Bulck \|~~author5~~author-~~first~~first5=Julian \|~~author5~~author-~~last~~last5=Stecklina \|~~author6~~author-~~first~~first6=Thomas \|~~author6~~author-~~last~~last6=Prescher \|~~author7~~author-~~first~~first7=Daniel \|~~author7~~author-~~last~~last7=Gruss~~\|format=[[PDF]]~~ \|url=https://zombieloadattack.com/zombieload.pdf \|date=2019-05-14}} * {{cite ~~paper\|ref=harv~~web \|title=RIDL: Rogue In-Flight Data Load \|~~author1~~author-~~first~~first1=Stephan \|~~author1~~author-~~last~~last1=van Schaik \|~~author2~~author-~~first~~first2=Alyssa \|~~author2~~author-~~last~~last2=Milburn \|~~author3~~author-~~first~~first3=Sebastian \|~~author3~~author-~~last~~last3=Österlund \|~~author4~~author-~~first~~first4=Pietro \|~~author4~~author-~~last~~last4=Frigo \|~~author5~~author-~~first~~first5=Giorgi \|~~author5~~author-~~last~~last5=Maisuradze \|~~author6~~author-~~first~~first6=Kaveh \|~~author6~~author-~~last~~last6=Razavi \|~~author7~~author-~~first~~first7=Herbert \|~~author7~~author-~~last~~last7=Bos \|~~author8~~author-~~first~~first8=Cristiano \|~~author8~~author-~~last~~last8=Giuffrida~~\|format=[[PDF]]~~ \|url=https://mdsattacks.com/files/ridl.pdf \|date=2019-05-14}} * {{cite ~~paper\|ref=harv~~web \|title=Fallout: Reading Kernel Writes From User Space \|~~author1~~author-~~first~~first1=Marina \|~~author1~~author-~~last~~last1=Minkin \|~~author2~~author-~~first~~first2=Daniel \|~~author2~~author-~~last~~last2=Moghimi \|~~author3~~author-~~first~~first3=Moritz \|~~author3~~author-~~last~~last3=Lipp \|~~author4~~author-~~first~~first4=Michael \|~~author4~~author-~~last~~last4=Schwarz \|~~author5~~author-~~first~~first5=Jo \|~~author5~~author-~~last~~last5=Van Bulck \|~~author6~~author-~~first~~first6=Daniel \|~~author6~~author-~~last~~last6=Genkin \|~~author7~~author-~~first~~first7=Daniel \|~~author7~~author-~~last~~last7=Gruss \|~~author8~~author-~~first~~first8=Frank \|~~author8~~author-~~last~~last8=Piessens \|~~author9~~author-~~first~~first9=Berk \|~~author9~~author-~~last~~last9=Sunar \|~~author10~~author-~~first~~first10=Yuval \|~~author10~~author-~~last~~last10=Yarom~~\|\|format=[[PDF]]~~ \|url=https://mdsattacks.com/files/fallout.pdf \|date=2019-05-14}} * {{cite ~~paper\|ref=harv~~web \|title=ZombieLoad: Cross Privilege-Boundary Data Leakage \|~~author1~~author-~~first~~first1=Jacek \|~~author1~~author-~~last~~last1=Galowicz \|~~author2~~author-~~first~~first2=Thomas \|~~author2~~author-~~last~~last2=Prescher \|~~author3~~author-~~first~~first3=Julian \|~~author3~~author-~~last~~last3=Stecklina \|url=https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html \|publisher=Cyberus Technology GmbH \|date=2019-05-14}} * {{cite web \|url=https://cpu.fail/ \|title=cpu.fail \|date=2019-05-14 \|publisher=[[Graz University of Technology]]}} === Information from processor manufacturers === * {{cite web~~\|ref=harv~~ \|publisher=Intel \|title=Side Channel Vulnerability Microarchitectural Data Sampling \|url=https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html \|date=2019-05-14}} * {{cite web~~\|ref=harv~~ \|publisher=Intel \|title=Deep Dive: Intel Analysis of Microarchitectural Data Sampling \|url=https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling \|date=2019-05-14}} ~~=== Others ===~~ ▲* {{cite web\|ref=harv\|title=Microarchitectural Data Sampling\|url=https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html\|date=2019-05-14\|work=The Linux kernel user’s and administrator’s guide}} == External links == Line 72 ⟶ 78: {{Speculative execution exploits}} {{Hacking in the 2010s}} {{Portal bar\|Business and economics~~\|Computer science\|Microsoft\|Software~~}} ~~[[Category:Speculative execution security vulnerabilities]]~~ [[Category:~~Computer~~Transient ~~security~~execution ~~exploits~~CPU vulnerabilities]] ~~[[Category:Hardware bugs]]~~ [[Category:Intel x86 microprocessors]] [[Category:~~Side-channel~~2019 ~~attacks~~in computing]] ~~[[Category:2019 in computer science]]~~ ~~[[Category:X86 architecture]]~~ [[Category:X86 memory management]]