Microarchitectural Data Sampling: Difference between revisions

Replace attack nicknames with Intel's vulnerability names, remove descriptions as they don't clarify anything
improved usage of CVE template, improved refs
{{Use dmy dates|date=May 2019|cs1-dates=y}}
{{Infobox bug
| name = Microarchitectural Data Sampling
| screenshot_alt =
| screenshot_caption =
| CVE = {{CVE|2018-12126}} (Fallout),<br>{{CVE|2018-12127|link=no}} (RIDL),<br>{{CVE|2019-11091|link=no}} (RIDL),<br>{{CVE|2018-12130|link=no}} (RIDL, ZombieLoad)
| discovered = 2018<ref name="Greenberg" />
| patched = 14 May 2019
| discoverer = {{flagicon|Australia}} [[University of Adelaide]]<br />{{flagicon|Austria}} [[Graz University of Technology]]<br />{{flagicon|Belgium}} [[KU Leuven|Catholic University of Leuven]]<br />{{flagicon|China}} [[Qihoo 360]]<br />{{flagicon|Germany}} Cyberus Technology<br />{{flagicon|Germany}} [[Saarland University]]<br />{{flagicon|Netherlands}} [[Vrije Universiteit Amsterdam]]<br />{{flagicon|Romania}} [[Bitdefender]]<br />{{flagicon|United States}} [[Oracle Corporation]]<br />{{flagicon|United States}} [[University of Michigan]]<br />{{flagicon|United States}} [[Worcester Polytechnic Institute]]<ref name="Greenberg" />
| affected hardware = Pre-April 2019 [[Intel x86]] [[microprocessor]]s
| affected software =
| website = {{URL|https://zombieloadattack.com|ZombieLoadAttack.com}}
}}
The '''Microarchitectural Data Sampling''' ('''MDS''') [[vulnerability (computing)|vulnerabilities]] are a set of weaknesses in [[Intel CPUs|Intel x86 microprocessors]] that leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled '''Fallout''', '''RIDL''' (''Rogue In-Flight Data Load'') and '''ZombieLoad'''.<ref name="new" />
 
==Description==
The vulnerabilities are in the implementation of [[speculative execution]], which is where the processor tries to guess what instructions may be needed next. They exploit the possibility of reading [[data buffer]]s found between different parts of the processor.<ref name="Greenberg" /><ref name="new">{{cite web |url=https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/ |title=New RIDL and Fallout Attacks Impact All Modern Intel CPUs |author-first=Ionut |author-last=Ilascu |publisher=Bleeping Computer |date=14 May 2019 |access-date=14 May 2019}}</ref><ref name="zombieloadattack.com" /><ref name="sa-00233" />
* Microarchitectural Store Buffer Data Sampling (MSBDS) ({{CVE|2018-12126}})
* Microarchitectural Load Port Data Sampling (MLPDS) ({{CVE|2018-12127|link=no}})
* Microarchitectural Fill Buffer Data Sampling (MFBDS) ({{CVE|2018-12130|link=no}})
* Microarchitectural Data Sampling Uncacheable Memory (MDSUM) ({{CVE|2019-11091|link=no}})
 
Not all processors are affected by all variants of MDS.<ref name="linux-mds">{{cite web|ref=harv |title=Microarchitectural Data Sampling |url=https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html |date=2019-05-14 |work=The Linux kernel user’s and administrator’s guide}}</ref>
 
==History==
According to Intel in a May 2019 interview with [[Wired.com|Wired]], Intel's researchers discovered the vulnerabilities in 2018 before anyone else.<ref name="Greenberg" /> Other researchers had also agreed, since 2018, to keep the exploit confidential.<ref name="mdsattacks.com">{{cite web |url=https://mdsattacks.com |title=MDS attacks |website=mdsattacks.com |access-date=20 May 2019}}</ref>
 
On 14 May 2019, various groups of security researchers, amongst others from Austria's [[Graz University of Technology]], Belgium's [[KU Leuven|Catholic University of Leuven]], and the Netherlands' [[Vrije Universiteit Amsterdam]], in a [[responsible disclosure|disclosure coordinated]] with Intel, published the discovery of the MDS vulnerabilities in Intel microprocessors, which they named Fallout, RIDL and ZombieLoad.<ref name="Greenberg" /><ref name="zombieloadattack.com">{{cite web |url=https://zombieloadattack.com/ |title=ZombieLoad Attack |website=zombieloadattack.com |access-date=14 May 2019}}</ref> Three of the TU Graz researchers were from the group who had discovered [[Meltdown (security vulnerability)|Meltdown]] and [[Spectre (security vulnerability)|Spectre]] the year before.<ref name="Greenberg" />
 
==Impact==
According to varying reports, Intel processors dating back to 2011<ref>{{cite web |url=http://social.techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/ |title=New secret-spilling flaw affects almost every Intel chip since 2011 |author-first=Zach |author-last=Whittaker |publisher=TechCrunch |date=14 May 2019 |access-date=14 May 2019}}</ref> or 2008<ref name="Greenberg" /> are affected, and the fixes may be associated with a [[computer performance|performance]] drop.<ref name="BBC-20190515">{{cite news |author=<!-- Staff --> |title=Intel Zombieload bug fix to slow data centre computers |url=https://www.bbc.com/news/technology-48278400 |date=15 May 2019 |work=[[BBC News]] |access-date=15 May 2019 }}</ref><ref name="PH-20190524">{{cite news |author-last=Larabel |author-first=Michael |title=Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload |url=https://www.phoronix.com/scan.php?page=article&item=sandy-fx-zombieload&num=1 |date=24 May 2019 |work=[[Phoronix]] |access-date=25 May 2019 }}</ref> Intel reported that processors manufactured in the month before the disclosure have mitigations against the attacks.<ref name="Greenberg">{{cite news |author-first1=Andy |author-last1=Greenberg |url=https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/ |title=Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs |newspaper=[[WIRED]] |date=14 May 2019 |access-date=14 May 2019}}</ref>
 
Intel characterized the vulnerabilities as "low-to-medium" impact, disagreeing with the security researchers who characterized them as major, and disagreeing with their recommendation that operating system software manufacturers should completely disable [[hyperthreading]].<ref name="Greenberg" /><ref name="PCW-20190515">{{cite news |author-last=Mah Ung |author-first=Gordon |title=Intel: You don't need to disable Hyper-Threading to protect against the ZombieLoad CPU exploit - "ZombieLoad" exploit seems to put Intel's Hyper-Threading at risk of being put down |url=https://www.pcworld.com/article/3395439/intel-hyper-threading-zombieload-cpu-exploit.html |date=15 May 2019 |work=[[PC World]] |access-date=15 May 2019 }}</ref> Nevertheless, the ZombieLoad vulnerability can be exploited by hackers to steal information recently accessed by the affected microprocessor.<ref name="steal data">{{cite web |url=https://www.theverge.com/2019/5/14/18623708/zombieload-attack-intel-processors-speculative-execution |title=ZombieLoad attack lets hackers steal data from Intel chips |author-first=Jacob |author-last=Kastrenakes |publisher=[[The Verge]] |date=14 May 2019 |access-date=15 May 2019}}</ref>
 
==Mitigation==
Fixes to [[operating systems]], [[virtualization]] mechanisms, [[web browsers]] and [[microcode]] are necessary.<ref name="Greenberg" /> Microcode is the implementation of processor instructions on the processor itself, and updating it requires a patch to the motherboard firmware,<ref name="Greenberg" /> also known as [[BIOS]] or [[UEFI]]. {{As of|2019|05|14}}, applying available updates on an affected PC system was the most that could be done to mitigate the issues.<ref name="GZM-20190514">{{cite news |author-last=O'Neill |author-first=Patrick Howell |title=What To Do About the Nasty New Intel Chip Flaw |url=https://gizmodo.com/what-to-do-about-the-new-intel-chip-flaw-1834759126 |date=14 May 2019 |work=[[Gizmodo]] |access-date=15 May 2019 }}</ref>
 
*Intel incorporated fixes in its processors starting shortly before the public announcement of the vulnerabilities.<ref name="Greenberg" />
*On 14 May 2019, a mitigation was released for the [[Linux kernel]],<ref>{{Cite web |url=https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.2 |title=ChangeLog-5.1.2 |author-last= |author-first= |date=14 May 2019 |website=The Linux Kernel Archives |archive-url=https://web.archive.org/web/20190515071751/https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.2 |archive-date=15 May 2019 |dead-url=no |access-date=15 May 2019}}</ref> and [[Apple Inc.|Apple]], [[Google]], [[Microsoft]], and [[Amazon (company)|Amazon]] released emergency patches for their products to mitigate ZombieLoad.<ref>{{cite web |url=http://social.techcrunch.com/2019/05/14/intel-chip-flaws-patches-released/ |title=Apple, Amazon, Google, Microsoft and Mozilla release patches for ZombieLoad chip flaws |author-first=Zach |author-last=Whittaker |publisher=TechCrunch |access-date=14 May 2019}}</ref>
*On 14 May 2019, [[Intel]] published a security advisory on its website detailing its plans to mitigate ZombieLoad.<ref name="sa-00233">{{cite web |url=https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html |title=INTEL-SA-00233 |website=Intel |access-date=14 May 2019}}</ref>
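
Added example, not part of the original article or of any vendor's tooling: a Python check that reads the MDS status line the Linux kernel exposes and turns it into follow-up actions, including the hyper-threading case discussed under Impact. The sysfs path, status strings and boot parameters are assumed to match the kernel admin guide cited in the Description section; the verdict labels and action texts are this example's own.

```python
from pathlib import Path

# sysfs file described in the kernel admin guide cited in the Description section
MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")


def classify_mds(line):
    """Map one status line to (verdict, follow-up actions)."""
    state, _, smt = (part.strip() for part in line.strip().partition(";"))
    if state == "Not affected":
        return "not affected", []
    actions = []
    if state == "Mitigation: Clear CPU buffers":
        verdict = "mitigated"
    elif state.startswith("Vulnerable: Clear CPU buffers attempted"):
        # Kernel clears buffers on a best-effort basis without new microcode.
        verdict = "best effort"
        actions.append("update CPU microcode (firmware update)")
    elif state == "Vulnerable":
        verdict = "vulnerable"
        actions.append("remove mds=off / mitigations=off from the kernel command line")
    else:
        return "unknown", ["unrecognised status: " + state]
    if smt == "SMT vulnerable":
        if verdict == "mitigated":
            verdict = "mitigated, SMT exposed"
        actions.append("sibling hyper-threads still share buffers: disable SMT "
                       "or boot with mds=full,nosmt if untrusted code runs here")
    elif smt == "SMT Host state unknown":
        actions.append("virtual machine: SMT policy is decided on the hypervisor host")
    return verdict, actions


def check_host(path=MDS_SYSFS):
    """Read the sysfs file; a missing file means the kernel predates the fix."""
    try:
        return classify_mds(Path(path).read_text())
    except FileNotFoundError:
        return "unreported", ["kernel has no MDS reporting: update the kernel"]


if __name__ == "__main__":
    verdict, actions = check_host()
    print("MDS:", verdict)
    for action in actions:
        print(" -", action)
```
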
 
== See also ==
 
== References ==
{{Reflist|colwidth=30em}}
 
== Further reading ==
=== Original papers by the researchers ===
* {{cite paper|ref=harv |title=ZombieLoad: Cross-Privilege-Boundary Data Sampling |author-first1=Michael |author-last1=Schwarz |author-first2=Moritz |author-last2=Lipp |author-first3=Daniel |author-last3=Moghimi |author-first4=Jo |author-last4=Van Bulck |author-first5=Julian |author-last5=Stecklina |author-first6=Thomas |author-last6=Prescher |author-first7=Daniel |author-last7=Gruss |format=[[PDF]] |url=https://zombieloadattack.com/zombieload.pdf |date=2019-05-14}}
* {{cite paper|ref=harv |title=RIDL: Rogue In-Flight Data Load |author-first1=Stephan |author-last1=van Schaik |author-first2=Alyssa |author-last2=Milburn |author-first3=Sebastian |author-last3=Österlund |author-first4=Pietro |author-last4=Frigo |author-first5=Giorgi |author-last5=Maisuradze |author-first6=Kaveh |author-last6=Razavi |author-first7=Herbert |author-last7=Bos |author-first8=Cristiano |author-last8=Giuffrida |format=[[PDF]] |url=https://mdsattacks.com/files/ridl.pdf |date=2019-05-14}}
* {{cite paper|ref=harv |title=Fallout: Reading Kernel Writes From User Space |author-first1=Marina |author-last1=Minkin |author-first2=Daniel |author-last2=Moghimi |author-first3=Moritz |author-last3=Lipp |author-first4=Michael |author-last4=Schwarz |author-first5=Jo |author-last5=Van Bulck |author-first6=Daniel |author-last6=Genkin |author-first7=Daniel |author-last7=Gruss |author-first8=Frank |author-last8=Piessens |author-first9=Berk |author-last9=Sunar |author-first10=Yuval |author-last10=Yarom |format=[[PDF]] |url=https://mdsattacks.com/files/fallout.pdf |date=2019-05-14}}
* {{cite paper|ref=harv |title=ZombieLoad: Cross Privilege-Boundary Data Leakage |author-first1=Jacek |author-last1=Galowicz |author-first2=Thomas |author-last2=Prescher |author-first3=Julian |author-last3=Stecklina |url=https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html |publisher=Cyberus Technology GmbH |date=2019-05-14}}
* {{cite web |url=https://cpu.fail/ |title=cpu.fail |date=2019-05-14 |publisher=[[Graz University of Technology]]}}
 
=== Information from processor manufacturers ===
* {{cite web|ref=harv |publisher=Intel |title=Side Channel Vulnerability Microarchitectural Data Sampling |url=https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html |date=2019-05-14}}
* {{cite web|ref=harv |publisher=Intel |title=Deep Dive: Intel Analysis of Microarchitectural Data Sampling |url=https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling |date=2019-05-14}}
 
== External links ==