"We couldn't believe what we discovered at first," says Dr. Michael Schwarz. The CISPA faculty member and an international research team have once again found a processor security vulnerability that forces the manufacturer Intel to act quickly. "If we previously suspected the biggest security problems in the internal, barely documented implementation (microarchitecture) of the processors, it now turns out that very similar sources of error can also be found at the well-documented architecture level of the processors."
The new vulnerability has been christened ÆPIC because it can be exploited via a function of the so-called APIC (Advanced Programmable Interrupt Controller). APIC is a control element in processors that has been in use for decades. APIC's main task in processors with several cores is to regulate which core must interrupt its computing processes if a new request - for example, by user input - comes in. The processor can communicate with the APIC to configure it and request information. The communication between the processor and the APIC takes place via the so-called superqueue. The superqueue is a buffer also used for transferring data from the main memory (RAM) via certain data caches to the processor. However, unlike transferring data from RAM, only a small portion of the superqueue is used when communicating with APIC.
"We discovered that when APIC puts information into the superqueue, it doesn't delete all the older data in the superqueue as we thought. However, the information only overwrites a small portion of the data. Older data remains, and the CPU can access it even without the appropriate authorization," explains Schwarz. Particularly problematic is that this also applies to highly sensitive data stored in specially protected memory areas. "We were also able to obtain Intel's cryptographic keys, which are needed to access these protected areas, in this way," explains the researcher.
All current Sunny Cove-based Intel CPUs, such as Ice Lake and Alder Lake, launched from 2019 to 2021, are proven to be affected. "But this gap may exist in other processors as well, but we have not been able to test all of them." Processor manufacturer Intel has responded to the recent data leak by releasing important updates, which users should install as soon as possible.
Dr. Michael Schwarz has been involved in the discovery of the Meltdown, Spectre, LVI, and Zombieload processor vulnerabilities in the past, among others. While Meltdown could be fixed on the hardware side, Spectre vulnerabilities still keep researchers and manufacturers on their toes. "Exploiting these vulnerabilities, however, usually requires some know-how and is complex because data can only be stolen via so-called side channels. Side channels refer to information the processor involuntarily reveals during processing, such as electromagnetic radiation, heat generation, or processing times. This information then allows conclusions to be drawn about data. Exploiting ÆPIC is far less complex. We are very surprised that no one has noticed this before," Michael Schwarz says. In addition to Pietro Borrello from the Sapienza University of Rome, Andreas Kogler, Daniel Gruss and Martin Schwarzl from the Graz University of Technology, and Moritz Lipp from Amazon Web Services were involved in the discovery of ÆPIC.
The researchers cannot say whether and to what extent the vulnerability has been exploited so far. Together with his colleagues, Schwarz wants to continue systematically examining the architecture of processors in the future for vulnerabilities that show parallels to already known software-side gaps.
translated by Oliver Schedler
