
    Processor Flaws Force Chip Producers to Make Security Top Priority

    By Robert Lemos - June 5, 2018

      Late last year, chip makers and operating-system vendors scrambled to create critical fixes for three vulnerabilities. 

      However, unlike most typical software flaws that are regularly patched, these vulnerabilities were in the processors created by Intel, AMD and other chip makers and not in the applications and operating systems that run on top of those processors. 

      Known as Spectre and Meltdown, the security issues led to a massive effort to update and patch processors’ microcode—the base-level software that interprets commands to the chips. 

      Yet, security researchers were not done. In May, continued research into potential vulnerabilities created by design efficiencies delivered another serious flaw that exposed information. 

      “CPU manufacturers are in a crunch, trying to squeeze as much performance out of the chips,” Alex Ionescu, chief architect at security-services firm Crowdstrike, told eWEEK. “They are clearly making good technical decisions for performance, but those decisions have side effects for security that they have not always thought about.” 

      In the past year, a number of serious flaws have been found in the central processing units (CPUs)—nowadays just referred to as processors—that power the computing potential of everything from internet-of-things devices to desktops, and from mobile phones to cloud-enabled servers. While the flaws discovered in some of these devices may not match the seriousness of the Meltdown and Spectre flaws, their very existence attracts security researchers much as blood in the water attracts sharks. 

      “You need special skills and equipment to conduct these hacks, but as these devices become more and more popular, and part of our life, I have no doubt people will increase the focus on the hardware,” Itzik Kotler, chief technology officer and co-founder of SafeBreach, told eWEEK. 

      Already, chip makers are reacting to the discoveries. As a direct result of the vulnerability reports, Intel launched its “Security First” effort, pledging to issue patches quickly, be transparent in its efforts and create initiatives to spur the discovery of vulnerabilities. 

      Within three months of being notified of the issues in its processors, for example, Intel released microcode updates for every affected processor model manufactured in the past five years, the company stated. The first issue—one of two issues known as Spectre—will only be addressed by software updates. However, Intel is redesigning parts of its CPUs to address the other Spectre flaw as well as the Meltdown flaw, known as variants 2 and 3, the company said. 

      “We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Brian Krzanich, Intel’s CEO, stated in a March 15 blog post on the issues. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.” 

      Yet, researchers’ efforts continue, and there will undoubtedly be more vulnerabilities disclosed. Here are five of the most serious that were reported in the past year. 

      1. Spectre, Meltdown variants pose triple threat 

      In January, researchers from Google’s Project Zero, Cyberus Technology and four universities announced a trio of flaws that abuse a widely-used technique known as speculative execution to read private data, such as passwords. Speculative execution speeds processing by pre-computing possible execution paths of a program, but differences in the running times of different branches can reveal the contents of memory, the researchers found. 

      The fix is not easy. Already, patches for both microcode and specific applications, such as browsers, have prevented—or at least, hardened—processors against the attacks, but the final fix will have to be in future designs of the processors to isolate the multiple cores and registers. 

      Intel is not alone in its efforts. AMD has also had to scramble to secure devices and computers based on its platforms, although only the Spectre flaws affected the platform. Apple released updates for all three issues as well. However, not every chip platform was equally affected by the vulnerabilities. 

      “Analysis of these techniques revealed that, while they are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser,” Apple stated in an advisory. 

      2. Researchers find flaws related to Speculative Store Bypass 

      Researchers were not done, however. In May, Microsoft and Google’s Project Zero both released details of another class of flaws related to processors’ speculative execution. Called Speculative Store Bypass, the variant of the Spectre and Meltdown flaws also affects AMD, ARM and Intel CPUs. 

      “AMD customers will be able to install the microcode by downloading BIOS updates provided by PC and server manufacturers and motherboard providers,” AMD said in a May 21 advisory. “We will provide further updates as appropriate on this site as AMD and the industry continue our collaborative work to develop solutions to protect users from security threats.” 

      Intel expects that more variants will likely be discovered. 

      “We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit,” Leslie Culbertson, executive vice president and general manager of the company’s newly minted Product Assurance and Security group, said in a statement. 

      “Expecting that this category of side-channel exploits would be no different, one of the steps we took earlier this year was expanding our bug bounty program to support and accelerate the identification of new methods.” 
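
      A defender's check for the four speculative-execution issues in sections 1 and 2, as an added example that is not part of the original article: it assumes a Linux host, where the kernel reports mitigation status under /sys/devices/system/cpu/vulnerabilities, and the status strings in demo() are constructed samples.

```python
import tempfile
from pathlib import Path

# Assumption: Linux host. The kernel exposes one status file per issue here.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = {
    "spectre_v1": "Spectre variant 1",
    "spectre_v2": "Spectre variant 2",
    "meltdown": "Meltdown (variant 3)",
    "spec_store_bypass": "Speculative Store Bypass",
}

def classify(status):
    """Map one sysfs status line to a coarse state."""
    text = status.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def audit(directory=SYSFS_DIR):
    """Return {issue: (state, raw status)}; a missing file is 'unreported'."""
    report = {}
    for name in ISSUES:
        try:
            raw = (Path(directory) / name).read_text()
        except OSError:
            # Kernel predates the reporting file for this issue.
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw.strip())
    return report

def needs_action(report):
    """Issues that still need a kernel, microcode or firmware update."""
    bad = ("vulnerable", "unreported", "unknown")
    return sorted(n for n, (state, _) in report.items() if state in bad)

def demo():
    """Run the audit against constructed sample files, not a real host."""
    samples = {
        "meltdown": "Mitigation: PTI\n",
        "spectre_v1": "Mitigation: __user pointer sanitization\n",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
    }  # spec_store_bypass deliberately absent, as on an older kernel
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            (Path(d) / name).write_text(text)
        return audit(d)

if __name__ == "__main__":
    for name, (state, raw) in audit().items():
        print(f"{ISSUES[name]:28} {state:12} {raw}")
```

      Run directly, it audits the local host; demo() shows a host where variant 2 is only partly mitigated and the kernel does not yet report Speculative Store Bypass.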

      3. Intel acknowledges flaws in ME, AMT subsystems 

      While Intel is not alone in being affected by the Spectre and Meltdown vulnerabilities, the company did have to support a major platform update in 2017 to repair flaws in its ubiquitous Intel Management Engine, a subsystem of the motherboard that manages and maintains the overall health of the system while it’s running, but also when a system is asleep or booting up. 

      In November 2017, the company acknowledged that its systems had several security vulnerabilities that affected all eight generations of the Intel Core processor family, as well as a variety of its server and embedded processors. The vulnerabilities could allow an attacker to gain unauthorized access to the system. 

      It was not the first time subsystem firmware exposed vulnerabilities. The company had to fix vulnerabilities in a related subsystem, known as the Active Management Technology (AMT) module, that could also allow attackers to take control of systems. 

      The Electronic Frontier Foundation, a pro-digital rights group, likened the computer-control software to a “tiny homunculus” inside every system. The EFF called on Intel to provide a way to disable the Management Engine. “What would be best for users and for the public’s ability to control machines that they have purchased would be for Intel to provide official support for reducing the attack surface to limit the potential harm of the ME,” the group stated. 

      4. When 140 years is not long enough: the ROCA flaw 

      The trusted platform module (TPM) is a cryptographic chip used by an increasing number of computers to provide secure storage for the digital keys needed to secure content and enable trusted transactions. In January 2017, security researchers at the Centre for Research on Cryptography and Security discovered that TPM chips made by Infineon used firmware that included a known vulnerable library for generating private keys. 

      The vulnerability could allow the recovery of 512-bit keys in 2 processor-hours—costing about 6 pennies—and enable recovery in up to 142 processor-years for 2,048-bit keys. While the cost of recovering 2,048-bit keys is high, it remains less than $40,000 per key, which could put critical encrypted data at risk from a determined attacker. 

      “The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures—such as for software releases—and other related attacks,” the researchers stated in their public analysis, which disclosed the vulnerability in October 2017. 

      The analysis found that at least 760,000 keys, and perhaps as many as three times that number, were affected by the issue. Microsoft’s hard-disk encryption technology, BitLocker, relies on the TPM, so the vulnerability weakened its security as well. To fix the issue, an administrator must update Windows, stop BitLocker protection, clear the trusted computing module, and then restart BitLocker to re-encrypt the data with a non-vulnerable key. 

      5. Insensitive disclosure of sensitive issues: AMD PSP flaws 

      In March, a relatively unknown company, CTS Labs, controversially publicized a set of security issues in AMD Platform Security Processors, which act like a TPM, after giving the chip maker only a day to respond to its report. The software flaws allowed an attacker that had administrator access to bypass a number of hardware security measures, such as Secure Boot, infect the motherboard firmware, and bypass other defensive features. 

      While the company may have fueled hyperbole surrounding the security issues—and disclosed them without adequate notification—the vulnerabilities are real, said Dan Guido, co-founder and CEO of security firm Trail of Bits. 

      “Regardless of the hype around the release, the bugs are real, accurately described in their technical report (which is not public [as far as I know]), and their exploit code works,” Guido stated on Twitter, adding, “Yes, all the flaws require admin [privileges] but all are _flaws_ not expected functionality.”

      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
