Security researchers have uncovered a new flaw in Intel processors that could allow hackers to steal data from the CPU's cache memory.
Dubbed “Snoop”, the flaw was discovered by Pawel Wieczorkiewicz, a software engineer at Amazon Web Services (AWS). The flaw takes advantage of CPU mechanisms such as multiple cache levels, cache coherence, and bus snooping.
In an advisory, Intel said that malicious adversary may be able to infer the data values of some modified cache lines in the L1 data (L1D) cache using snoop-assisted L1 data sampling.
“On certain processors and under certain conditions, data in a modified cache line that is being returned in response to a snoop may also be forwarded to a faulting, microarchitectural assist, or Intel® Transactional Synchronisation Extensions (Intel TSX) asynchronous aborting load operation to a different address that occurs simultaneously,” Intel said.
“This may potentially allow a malicious adversary to construct a covert channel to infer modified data in the L1D cache that the victim intends to protect from the malicious adversary.”
Intel gave an example of how an attack could take place. A victim process executing on physical core A modifies a cache line containing secret data (for example, by storing secret data to the cache line). A hacker could then execute on physical core A containing the modified sensitive cache line. A victim process on physical core B reads the modified cache line containing secret data, causing a snoop to that modified cache line. During this clock cycle where the snoop reaches physical core A, the adversary on physical core A simultaneously causes a faulting, microarchitectural assist, or Intel TSX asynchronous aborting load.
“This load may transiently receive the victim’s data from the snoop response,” said the advisory. “The adversary executes transient dependent operations that use the results of the faulting load to create a covert channel that may enable the adversary to infer the secret data.”
Intel recommends using a patch to protect against attacks such as L1TF or, in extreme cases, disabling the Intel TSX (Transactional Synchronisation Extensions) function on the processor.
Marco Essomba, founder, iCyber-Security, told SC Media UK the Snoop attack is yet again another flaw from Intel that could allow a skilled attacker to steal sensitive information from the cache, including encryption keys, passwords and other secret data.
“Intel has released a number of guidelines and patches for operating system vendors and equipment manufacturers. Organisations can defend against this type of threats by adopting multi-layers of defence. Essentially, an attacker with unfettered access to a device can execute malware to exploit this flaw. Common practices such as ensuring that your antivirus definitions and patches on client devices and servers are fully up to date is imperative,” he said.
“For organisations to mitigate effectively against this flaw, it's crucial they ensure browsers are patched with the latest recommended patches to make it significantly more difficult for criminals to exploit this vulnerability. A defence-in-depth strategy involving a combination of technological controls, security awareness training and processes will strengthen the organisation's posture to make this vulnerability harder to exploit."
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that Snoop is an interesting attack because it is technically quite difficult to execute - however, it does open up the possibility of new attack vectors whereby CPU architecture hasn't been targeted much before in the past.
“The good news for customers is that the Foreshadow patch from August 2018 should fix this vulnerability, and so should be applied by any organisations concerned about this attack,” he added.