
After Spectre and Meltdown…. ZombieLoad

09/07/2019

In 2018 we had Spectre and Meltdown, the CPU vulnerabilities about which I have also written an article. Security researchers have now found a new class of vulnerabilities in Intel chips that, like Spectre and Meltdown, can be exploited to steal sensitive information.

Speculative execution is a central part of how a modern processor works: the CPU guesses what the program will need next and starts working on it before it knows for certain, which makes it faster and more efficient. Spectre and Meltdown exploited weaknesses in this speculative machinery, and ZombieLoad belongs to the same family: it leaks data that the CPU handled transiently and was supposed to discard.

Why ZombieLoad?

The name comes from the researchers' own term, a "zombie load": a load that should never have completed because it faults or needs a microcode assist (the CPU's fallback path for cases it cannot handle in hardware). Before the fault is acted on, the CPU transiently forwards stale data from its internal fill buffers to the faulting load, and that leftover data, which may belong to another process, to the kernel or to a virtual machine, can then be extracted through a cache side channel. Because of this bug, data bleeds across the boundary walls between applications: the researchers say it can leak any data recently loaded or stored on the same physical core, including by the sibling hyperthread. The microcode updates give the operating system a way to overwrite these buffers (the repurposed VERW instruction) when switching between privilege levels, so that stale data is cleared before untrusted code runs.

Intel

Unlike Spectre, which also hit AMD and ARM, ZombieLoad affects only Intel chips. AMD processors do use speculative execution, but their microarchitecture does not forward stale buffer contents in the same way, so they are not affected by this bug. Intel lists almost every processor it has shipped since 2011 as vulnerable, which means that if you own a computer with an Intel processor, you are very likely to be affected.

However, it is not only PCs and laptops that are vulnerable. Since ZombieLoad can be triggered from inside a virtual machine, the cloud is also exposed. Virtual machines are meant to be logically isolated from each other and from their host server, but with ZombieLoad this may not hold: data can bleed from one virtual machine to another, and a guest running on one hyperthread can sample data from the sibling thread on the same core. In cloud environments, virtual machines belonging to different customers routinely share a host, and often a core, with obvious confidentiality implications.

Is there need to panic?

Although these exploits are serious, using them in a real attack requires a specific set of skills and considerable effort, and there are far easier ways to break into a computer and steal data. But as more findings on speculative execution and side-channel attacks come to light, these attacks may well become easier to exploit.

Intel has released microcode updates for the affected processors, and operating system vendors such as Apple and Microsoft, as well as the Linux distributions, have shipped the software half of the fix, which uses the new microcode to clear the CPU's buffers at privilege boundaries. Because that flush does not protect against a sibling hyperthread, some vendors also recommend disabling hyperthreading where untrusted code can share a core.

There is a performance cost to these patches, as there was for the Spectre and Meltdown mitigations. The buffer flush runs on every transition into and out of the kernel, so the cost is small for ordinary desktop use but grows for workloads that make many system calls or do heavy I/O, and it is considerably larger if hyperthreading has to be switched off.

Conclusion

More and more critical vulnerabilities are being discovered in modern processors. Although exploiting them still requires an extensive skill set, further research may make it far easier than currently thought.

In fact, ZombieLoad is one of three variants of an attack technique identified by Intel and a large group of microarchitecture security researchers from universities and security firms around the world. The group says that Fallout, RIDL (Rogue In-Flight Data Load) and ZombieLoad form a new class of speculative execution attack that use a similar technique and are capable of siphoning a stream of potentially sensitive data from a computer's CPU to an attacker. Intel itself has more tamely labelled the set Microarchitectural Data Sampling, or MDS, with one variant for each leaky structure: the store buffers (Fallout, CVE-2018-12126), the load ports (RIDL, CVE-2018-12127) and the fill buffers (ZombieLoad, CVE-2018-12130).

AMD and ARM chips do not appear to be vulnerable to the attacks, and Intel says that some of its most recently released models already contain a hardware fix. Otherwise, every Intel chip the researchers tested, going back as far as 2008, was affected. You can check whether your system is affected with a tool the researchers published at https://mdsattacks.com/.
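For the "am I patched?" question raised above, and for the microcode-plus-OS-update picture described under "Is there need to panic?", a Linux host's own kernel is the quickest check: it reports the MDS status in sysfs, and the microcode update advertises itself as the md_clear CPU flag. The script below is an added example, not code from the article or from the MDS researchers; it assumes a kernel that carries the MDS mitigation (5.1.2 or a distribution backport) and falls back to constructed sample lines, marked as such, when those files are absent.

```shell
#!/bin/sh
# Added example (not from the original article or the MDS researchers):
# summarise a Linux host's MDS/ZombieLoad exposure from the kernel's reporting.
# Assumes a kernel with the MDS mitigation (5.1.2+ or a distro backport), which
# exposes the two sysfs files below; otherwise constructed samples are used.

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds   # kernel's verdict
SMT_SYSFS=/sys/devices/system/cpu/smt/active            # 1 if hyperthreading is on

# classify_mds "<status line>": map the kernel's MDS status line to one word.
#   "Not affected"                        -> not-affected (AMD, ARM, fixed Intel)
#   "Mitigation: Clear CPU buffers; ..."  -> mitigated    (microcode + kernel flush)
#   "Vulnerable..."                       -> vulnerable   (no microcode, or mitigations off)
classify_mds() {
    case "$1" in
        "Not affected"*)                   echo not-affected ;;
        "Mitigation: Clear CPU buffers"*)  echo mitigated ;;
        "Vulnerable"*)                     echo vulnerable ;;
        *)                                 echo unknown ;;
    esac
}

# smt_exposed "<status line>": the buffer flush only protects across privilege
# transitions; a sibling hyperthread on the same core can still sample the
# fill buffers, which the kernel flags with the suffix "SMT vulnerable".
smt_exposed() {
    case "$1" in
        *"SMT vulnerable"*) echo yes ;;
        *)                  echo no ;;
    esac
}

# has_md_clear "<cpuinfo text>": the MDS microcode update sets the MD_CLEAR
# CPUID bit, which /proc/cpuinfo lists as the "md_clear" flag.
has_md_clear() {
    flags=" $(printf '%s' "$1" | tr '\n' ' ') "
    case "$flags" in
        *" md_clear "*) echo yes ;;
        *)              echo no ;;
    esac
}

# advise "<status line>" "<cpuinfo text>": one-line recommendation.
advise() {
    status=$(classify_mds "$1")
    case "$status" in
        not-affected) echo "not affected: nothing to do" ;;
        mitigated)
            if [ "$(smt_exposed "$1")" = yes ]; then
                echo "mitigated for cross-privilege leaks; disable SMT or keep untrusted tenants off shared cores"
            else
                echo "mitigated"
            fi ;;
        vulnerable)
            if [ "$(has_md_clear "$2")" = yes ]; then
                echo "vulnerable: microcode present but kernel mitigation off (check mds=/mitigations= boot options)"
            else
                echo "vulnerable: install the microcode update (CPU lacks md_clear), then reboot"
            fi ;;
        *) echo "unknown status: $1" ;;
    esac
}

# Constructed sample lines (not captured from a real host), for offline use.
SAMPLE_MITIGATED_SMT="Mitigation: Clear CPU buffers; SMT vulnerable"
SAMPLE_NO_UCODE="Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
SAMPLE_NOT_AFFECTED="Not affected"
SAMPLE_CPUINFO_OLD="flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov"
SAMPLE_CPUINFO_NEW="flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr md_clear flush_l1d"

main() {
    if [ -r "$MDS_SYSFS" ]; then
        status=$(cat "$MDS_SYSFS")
        cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
        smt=$(cat "$SMT_SYSFS" 2>/dev/null || echo unknown)
        echo "kernel MDS status : $status"
        echo "SMT active        : $smt"
        echo "md_clear in CPUID : $(has_md_clear "$cpuinfo")"
        echo "advice            : $(advise "$status" "$cpuinfo")"
    else
        echo "no $MDS_SYSFS on this kernel; showing constructed samples"
        for s in "$SAMPLE_MITIGATED_SMT" "$SAMPLE_NO_UCODE" "$SAMPLE_NOT_AFFECTED"; do
            echo "$s -> $(advise "$s" "$SAMPLE_CPUINFO_OLD")"
        done
    fi
}

main
```

The three cases the script distinguishes are the ones that matter operationally: "Not affected" needs nothing; "Mitigation: Clear CPU buffers" means both halves of the fix are in place, but the "SMT vulnerable" suffix still tells you a co-scheduled hyperthread is unprotected; and "Vulnerable ... no microcode" means the OS update landed but the firmware or OS-loaded microcode did not, so the flush the kernel attempts is ineffective.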

As noted above, operating systems can be expected to roll the fixes out through their normal automatic updates as they become available; keep in mind that the microcode half of the fix arrives either through a BIOS update or through the operating system loading it at boot, and both halves are needed for the mitigation to work.

Vincent Farrugia is a network and systems manager at Deloitte Malta. For more information, please visit www.deloitte.com/mt