The vulnerabilities present in Intel, AMD processors and even ARM have become commonplace, so much so that it is no longer surprising to see when researchers discover and publish new security flaws that are often impossible to solve, so all that remains is to pile up patches in microcodes, kernels, drivers and applications to minimize the attack surface.
If this entry has been published, it is because, once again, new vulnerabilities have been found that affect processors, Intel and AMD this time. However, the security flaws are different, so the vulnerability affecting Intel only affects Intel and the security flaw affecting AMD only affects AMD.
ÆPIC, the new vulnerability capable of revealing confidential data that affects Intel
We start with the security flaw discovered in Intel processors, which has received the name of ÆPIC. According to the researchers, it is the first CPU-level bug capable of architecturally revealing sensitive data. It resides in the Advanced Configuration and Power Interface (ACPI) and is exploited through memory mapped input/output (MMIO). In case it wasn’t clear, this is not a Specter variant exploited via a side channel type attack.
In the event that a malicious actor manages to successfully exploit ÆPIC, which requires administrator privileges, they will have the possibility of obtaining encryption keys and other sensitive data that are supposedly protected with Software Guard Extensions (SGX)the technology that Intel has introduced in its modern processors in order to limit the possible paths of success of cyberattacks.
Researchers have managed to break SGX security on most Intel 10th, 11th and 12th generation processors. In the document that one has published, a table can be found in which it can be seen that processors based on Sunny Cove are especially affected.
Although it is a novelty what it is capable of doing seeing its origin, the reality is that ÆPIC it is not a new type of vulnerability, rather it is an error known as uninitialized memory read, which occurs when memory space is not cleared after the CPU has finished processing it. This opens the door to leakage of old data whose processing is no longer necessary.
On paper, both desktops and servers are affected, but researchers seem to be more concerned about the server situation, seeing that services like Signal rely on SGX to ensure that the process it runs is anonymous. ÆPIC compromises SGX to the point of being able to leak AES secret keys, RSA private keys, and extract the sealing key from SGX itself for remote attestation.
As we are facing a vulnerability that affects the processor, the operating system used does not matter here, and apparently virtual machines are not a lifesaver either. ÆPIC, which is identified as CVE-2022-21233, has a severity rating of 6 out of 10 and Intel expects to start distributing patches to mitigate it from Tuesday next week, while otherwise hoping to root it out. in the design of its future generations of processors.
SQUIP, a vulnerability that requires disabling SMT in AMD processors
SQUIP It is a vulnerability affects AMD’s SMT implementation, the technology that allows you to have multiple threads running on a physical core (sometimes crudely called logical cores). For x86 processors, the use of SMT (HyperThreading on Intel) is currently limited to two threads per core, but other architectures are capable of supporting more.
SQUIP consists in a side-channel type attack that opens the door to quickly revealing a 4,096-bit RSA key. The reason why it affects AMD and not Intel is because processors based on the Zen architecture have separate scheduling queues for each execution unit, while Intel CPUs use a single scheduler for the entire architecture. Separate planning queues for each execution unit are also present in the Apple M1 SoCs, but for now there is no evidence that the Cupertino giant’s chips have been affected by the security flaw.
AMD’s scheduler with SMT enabled introduces interference into workloads, allowing it to be observed scheduler queue contention via performance counters and non-serialized timer reads in sibling threads on the same core. A person with the necessary skills and knowledge can probe the interference to carry out a side channel attack on the scheduler’s own queue and then access sensitive data.
SQUIP, which is tracked as CVE-2021-46778, has affected a lot of AMD processors: Desktop Ryzen 2000 and newer, Threadripper 2nd and 3rd generation, Threadripper PRO processors, Ryzen 2000 and later mobile models, Epyc first 3 generations, and Athlon 3000 models with Radeon graphics and Athlon Mobile with Radeon graphics. In short, most processors that are based on one of the first three generations of the Zen architecture.
AMD has rated the vulnerability as medium in severity and “recommends software developers to employ existing best practices, including constant-time algorithms, and to avoid secret-dependent control flows where appropriate to help mitigate this potential vulnerability.” ”.
A drastic solution to avoid the dangers of SQUIP is to disable SMT via motherboard settings. Although it may not seem like it, in reality many processes do not see their performance especially affected and there are even applications that can improve their performance, including specific video games.
Are processors the new big challenge in cybersecurity?
Processor vulnerabilities have become something we’ve normalized because of how prevalent they’re starting to be. The interesting thing is that many of these problems can be solved by disabling SMT, but that is a measure that cannot be taken in all contexts.
What is the origin of so many problems? Linus Torvalds, creator of the Linux kernel, mentioned a few years ago the “shortcuts” that were taken at the time when implementing features such as speculative execution, which suggests that processor manufacturers did not take into account the consequences of some of their decisions in terms of security.