Further progress in the fight against Meltdown, Spectre, and Co.
CPU attacks have been a hotly debated topic in IT security research for about three years. In 2018, it became known that vulnerabilities in widely used Intel and AMD processors allow attackers to read data, some of it sensitive, from memory. "Most of the attack variants, which have resounding names like Spectre, Meltdown, or Zombieload, are complicated to execute and require some know-how," explains CISPA faculty member Dr. Michael Schwarz. Fortunately, such attacks have hardly been suitable for mass use to date; however, the complexity of the attacks also makes it difficult for cybersecurity researchers and IT security experts in companies to find possible attack variants and develop effective countermeasures. Until now, this has often required lengthy research and analysis efforts.
This work will be made much easier in the future by libtea and SCFirefox. Michael Schwarz, who was also involved in the discovery of Spectre and Meltdown, co-developed the frameworks. "The frameworks make it easier for us to test which attacks are feasible. They allow us to quickly prototype attacks that help us understand how attacks work. This allows us to better assess risks and take appropriate countermeasures more quickly."
So much for the good news. The bad news is that, while testing the SCFirefox framework, the researchers were able to carry out the first so-called Zombieload attack from within the browser. Zombieload attacks exploit a vulnerability in the permission checks performed on data accesses, and they can still be exploited via what is known as hyperthreading. Hyperthreading is a feature that allows computers to process multiple processes in parallel, for example tasks of different programs open on the computer. The programs share resources on the individual CPU cores, which allows the cores to be better utilized and the computer to work faster. Zombieload attacks break the barriers that are supposed to exist between processes, so that programs can gain access to the secrets of other programs. This data can be read by attackers using malware.
Browser-based attacks are particularly dangerous because they do not require malware to be installed on the computer. In addition, browser-based attacks spare the attackers the need to rely on infected websites that smuggle malicious code onto the victim computers through bugs in the browsers.
Browser-based attacks of a similar nature have been described in the past, but until now they required certain security mechanisms to be disabled and the browser to be modified. "This was time-consuming and represented an additional hurdle for attackers. We were now able to exploit a completely unmodified browser and steal data via a Zombieload attack," says Schwarz. "So far, the only solution to this problem is to run secrets of different applications on different cores. But that leads to performance degradation."
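The countermeasure Schwarz describes, keeping secret-holding code on physical cores that no other program's threads share, can be implemented on Linux from the CPU topology that the kernel exposes in sysfs. The following script is an added example, not code from the article or from the libtea/SCFirefox projects; it assumes the standard sysfs layout (`/sys/devices/system/cpu/cpuN/topology/thread_siblings_list`) and uses a constructed 4-core/8-thread topology for the offline demonstration.

```python
"""Pin a process to whole physical cores so no hyperthreading sibling is shared.
Added example (not from the CISPA article or libtea/SCFirefox); assumes Linux sysfs."""
import glob
import os
import re


def parse_cpu_list(text):
    """Parse a Linux cpulist string such as "0-3,8,10-11" into a set of CPU ids."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus


def physical_cores(sibling_lists):
    """Group logical CPUs into physical cores. `sibling_lists` maps a CPU id to
    the text of its topology/thread_siblings_list (constructed or read from sysfs)."""
    cores, seen = [], set()
    for cpu in sorted(sibling_lists):
        if cpu not in seen:
            core = parse_cpu_list(sibling_lists[cpu]) | {cpu}
            seen |= core
            cores.append(frozenset(core))
    return cores


def whole_cores(cores, allowed):
    """CPUs of every physical core lying entirely inside `allowed`: a process
    pinned to these never shares a core with a CPU outside `allowed`."""
    return set().union(*(core for core in cores if core <= allowed))


def read_sysfs_topology():
    """Read the real sibling lists from sysfs (Linux only)."""
    lists = {}
    for path in glob.glob("/sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list"):
        cpu = int(re.search(r"cpu(\d+)", path).group(1))
        with open(path) as fh:
            lists[cpu] = fh.read()
    return lists


def pin_secret_process(reserved):
    """Pin the calling process to the whole cores inside `reserved`. Keeping other
    programs off those cores (e.g. by pinning them elsewhere) must be done separately."""
    cpus = whole_cores(physical_cores(read_sysfs_topology()), set(reserved))
    if not cpus:
        raise RuntimeError("no whole physical core inside the reserved set")
    os.sched_setaffinity(0, cpus)
    return cpus


if __name__ == "__main__":
    # Constructed topology: logical CPU n shares a core with CPU n+4.
    demo = {n: f"{n % 4},{n % 4 + 4}" for n in range(8)}
    print(whole_cores(physical_cores(demo), {0, 1, 4}))  # {0, 4}: core 1/5 is incomplete
```

Note that pinning only the secret-holding process is not sufficient on its own; the reserved cores must also be excluded from every other program's affinity mask, otherwise a sibling thread can still be shared.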
The search for countermeasures that balance security and performance continues for the researchers. Michael Schwarz is convinced that the two frameworks will be of great help in the future.
translated by Oliver Schedler