Hacks: ZenBleed Breaks AMD CPUs Massive Hosted Data Leaks Coming

grarpamp grarpamp at gmail.com
Wed Aug 9 01:58:04 PDT 2023


On 7/27/23, grarpamp <grarpamp at gmail.com> wrote:
> Another huge exploit against shared computing platforms.
> Expect another wave of massively embarrassing database
> leaks to be dropping all over the news and file sites soon.

Yet more fun, this time with ... DOWNFALL !

https://downfall.page/

Intel sat on this one for at least an entire YEAR...

> ... which was well after to its official TOP-SECRET inclusion
> in the chip masks years ago. As usual, Spooks, Corps, Govts and
> others have been mole'ing, masking, discovering, buying, or running
> black ops to get them, and are freely running exploits with
> them since well before any public release.
> Zerodium and other dark budgets still paying top dollar.
>
> There's plenty of fun ways to fuzz them fuzzy fuzzers...
>
> #OpenFabs , #OpenHW , #OpenAudit , #FormalVerification ,
> #CryptoCrowdFunding , #OpenTrust , #GuerrillaNets ,
> #P2PFiber , #GNURadioRF , #PrivacyCoins , #DropGangs , ...


Downfall Attacks

https://downfall.page/


Downfall attacks target a critical weakness found in billions of
modern processors used in personal and cloud computers. This
vulnerability, identified as CVE-2022-40982, enables a user to access
and steal data from other users who share the same computer. For
instance, a malicious app obtained from an app store could use the
Downfall attack to steal sensitive information like passwords,
encryption keys, and private data such as banking details, personal
emails, and messages. Similarly, in cloud computing environments, a
malicious customer could exploit the Downfall vulnerability to steal
data and credentials from other customers who share the same cloud
computer.

The vulnerability is caused by memory optimization features in Intel
processors that unintentionally reveal internal hardware registers to
software. This allows untrusted software to access data stored by
other programs, which should not normally be accessible. I
discovered that the Gather instruction, meant to speed up accessing
scattered data in memory, leaks the content of the internal vector
register file during speculative execution. To exploit this
vulnerability, I introduced Gather Data Sampling (GDS) and Gather
Value Injection (GVI) techniques. You can read the paper I wrote about
this for more detail. Please cite as follows:

@inproceedings{moghimi2023downfall,
  title={{Downfall}: Exploiting Speculative Data Gathering},
  author={Moghimi, Daniel},
  booktitle={32nd USENIX Security Symposium (USENIX Security 2023)},
  year={2023}
}

By Daniel Moghimi
Demo
Stealing 128-bit and 256-bit AES keys from another user
Stealing arbitrary data from the Linux Kernel
Spying on printable characters

FAQ

[Q] Am I affected by this vulnerability?

[A] Most likely, yes. This depends on whether your computing devices
(laptop, tablet, desktop, cloud, etc.) use the affected Intel
processors. Even if you do not own any physical Intel-based devices,
Intel’s server market share is more than 70%, so most likely, everyone
on the internet is affected.

[Q] Which computing devices are affected?

[A] Computing devices based on Intel Core processors from the 6th
generation (Skylake) up to and including the 11th generation (Tiger
Lake) are affected. A more comprehensive list of affected processors
will be available here.

[Q] What can a hacker do with this?

[A] A hacker can target high-value credentials such as passwords and
encryption keys. Recovering such credentials can lead to other attacks
that violate the availability and integrity of computers in addition
to confidentiality.

[Q] How practical are these attacks?

[A] GDS is highly practical. It took me 2 weeks to develop an
end-to-end attack stealing encryption keys from OpenSSL. It only
requires the attacker and victim to share the same physical processor
core, which frequently happens on modern-day computers, implementing
preemptive multitasking and simultaneous multithreading.

[Q] Is Intel SGX also affected?

[A] In addition to normal isolation boundaries (e.g., virtual machines,
processes, user-kernel isolation), Intel SGX is also affected. Intel
SGX is a hardware security feature available on Intel CPUs to protect
users’ data against all forms of malicious software.

[Q] What about web browsers?

[A] In theory, remotely exploiting this vulnerability from the web
browser is possible. In practice, demonstrating successful attacks via
web browsers requires additional research and engineering efforts.

[Q] How long have users been exposed to this vulnerability?

[A] At least nine years. The affected processors have been around since 2014.

[Q] Is there a way to detect Downfall attacks?

[A] It is not easy. Downfall execution looks mostly like benign
applications. Theoretically, one could develop a detection system that
uses hardware performance counters to detect abnormal behaviors like
excessive cache misses. However, off-the-shelf Antivirus software
cannot detect this attack.

[Q] Is there any mitigation for Downfall?

[A] Intel is releasing a microcode update which blocks transient
results of gather instructions and prevents attacker code from
observing speculative data from Gather.

[Q] What is the overhead for the mitigation?

[A] This depends on whether Gather is in the critical execution path
of a program. According to Intel, some workloads may experience up to
50% overhead.

[Q] Can I disable the mitigation if my workload does not use Gather?

[A] This is a bad idea. Even if your workload does not use vector
instructions, modern CPUs rely on vector registers to optimize common
operations, such as copying memory and switching register content,
which leaks data to untrusted code exploiting Gather.

[Q] How long was this vulnerability under embargo?

[A] Almost one year. I reported this vulnerability to Intel on August 24, 2022.

[Q] Should other processor vendors and designers be concerned?

[A] Other processors have shared SRAM memory inside the core, such as
hardware register files and fill buffers. Manufacturers must design
shared memory units with extra care to prevent data from leaking
across different security domains and invest more in security
validation and testing.

[Q] How can I learn more about Downfall?

[A] In addition to the technical paper, I am presenting Downfall at
Black Hat USA on August 9, 2023 and at the USENIX Security Symposium on
August 11, 2023.

[Q] Can I play with Downfall?

[A] Here is the code: https://github.com/flowyroll/downfall/tree/main/POC

[Q] Why is this called Downfall?

[A] Downfall defeats fundamental security boundaries in most computers
and is a successor to previous data leaking vulnerabilities in CPUs
including Meltdown and Fallout (AKA MDS). In this trilogy, Downfall
defeats all previous mitigations once again.

[Q] How did you create the logo?

[A] I used the DALL·E 2 AI system to create the logo.

Advisories

Vendor    Link
MITRE     CVE-2022-40982
Intel     INTEL-SA-00828
Debian    CVE-2022-40982

Links

    Meet the Finalists for the 2023 Pwnie Awards (Dark Reading)
    New Downfall attacks on Intel CPUs steal encryption keys, data (Bleeping Computer)
    Episode 56: Interview with Daniel Moghimi about Downfall (Chips & Salsa)
    Downfall and Zenbleed: Googlers helping secure the ecosystem (Google Security Blog)
    Gather Data Sampling (Intel)
    Google unveils Downfall attacks, vulnerability in Intel chips (TechTarget)
    New ‘Downfall’ Flaw Exposes Valuable Data in Generations of Intel Chips (Wired)
    Gather Data Sampling Technical Paper (Intel)
    Threat Analysis Assessment for GDS Paper (Intel)
    ‘Downfall’ vulnerability leaves billions of Intel CPUs at risk (Cyberscoop)
    Intel DOWNFALL: New Vulnerability Affecting AVX2/AVX-512 With Big Performance Implications (Phoronix)
    Another round of speculative-execution vulnerabilities

Copyright @ Daniel Moghimi 2023
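
An added example, not code from the Downfall page or from this mailing-list post: a POSIX shell check a Linux administrator can run to see whether the kernel reports the GDS microcode mitigation described in the FAQ as active, and whether it has been switched off on the kernel command line, which the FAQ advises against. The sysfs path, the status wording and the gather_data_sampling=off / mitigations=off boot parameters are taken from the Linux kernel's hardware-vulnerability documentation (6.5 and later), not from the page.

```shell
#!/bin/sh
# Added example, not code from the Downfall page. Path, status wording and
# the boot parameters follow the Linux kernel's GDS documentation (6.5+).
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# Map one sysfs status line to a coarse verdict:
# not_affected | mitigated | vulnerable | unknown
gds_status_class() {
    case "$1" in
        "Not affected"*)             echo not_affected ;;
        "Mitigation: Microcode"*)    echo mitigated ;;   # incl. "(locked)"
        "Mitigation: AVX disabled"*) echo mitigated ;;   # no microcode, AVX off
        "Vulnerable"*)               echo vulnerable ;;  # incl. "No microcode"
        *)                           echo unknown ;;     # e.g. hypervisor-dependent
    esac
}

# Succeeds when the kernel command line turns the GDS mitigation off,
# either explicitly or through the global mitigations=off switch.
gds_mitigation_forced_off() {
    case " $1 " in
        *" gather_data_sampling=off "*|*" mitigations=off "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect the running system and print a verdict; always returns 0 so it
# can be called from scripts that run under set -e.
gds_report() {
    if [ -r "$GDS_SYSFS" ]; then
        status=$(cat "$GDS_SYSFS")
    else
        status="no sysfs entry (kernel predates GDS reporting?)"
    fi
    verdict=$(gds_status_class "$status")
    printf 'gather_data_sampling: %s -> %s\n' "$status" "$verdict"
    if [ -r /proc/cmdline ] && gds_mitigation_forced_off "$(cat /proc/cmdline)"; then
        echo "warning: GDS mitigation disabled on the kernel command line"
    fi
    return 0
}

gds_report
```

On a kernel older than 6.5 the sysfs entry is absent and the verdict is `unknown`, which is itself a finding: such a kernel cannot tell you whether the microcode fix is in place.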


More information about the cypherpunks mailing list