Tema: Rasprava i komentari o "Spectre" i "Meltdown" pošastima
View Single Post
Staro 10.03.2020., 20:11   #359
The Exiled
McG
Moj komp
 
The Exiled's Avatar
 
Datum registracije: Feb 2014
Lokacija: Varaždin
Postovi: 6,775
New LVI Intel CPU data theft vulnerability requires hardware fix
Citiraj:
The vulnerability dubbed LVI (short for Load Value Injection) and tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019, by researchers at the Worcester Polytechnic Institute, imec-DistriNet/KU Leuven, Graz University of Technology, University of Michigan, University of Adelaide and Data61, in no particular order. Bitdefender researchers also independently discovered one variant of attack in the LVI class (LVI-LFB) and reported it to Intel in February 2020. LVI attacks let attackers change the normal execution of programs to steal data that is normally meant to be kept private within SGX enclaves. Sensitive information that can be stolen this way includes passwords, private keys of certificates, and more. Even though the Intel Software Guard eXtensions (SGX) feature in modern Intel processors that enables apps to run within secure and isolated enclaves is not necessary to launch an LVI attack, its presence makes the attack a lot easier.

In short, LVI attacks allow injecting arbitrary data (much like Spectre attacks) within the memory loaded by a targeted application under certain conditions, making it possible for an attacker to hijack the control and data flow until the app rolls back all operations after detecting the mistake. The new vulnerability bypasses all transient-execution attack mitigations developed for Intel's processors so far, like Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout. Also, LVI is a lot harder to mitigate than previous Meltdown-type attacks because it needs expensive software patches that could potentially make Intel SGX enclave computations between two and 19 times slower. LVI affects Intel Core-family processors from Skylake onwards with SGX support and a list with all affected CPUs is provided by Intel here. Icelake Core-family processors aren't affected by LVI, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

Even though software workarounds can be implemented, the root cause behind LVI cannot be fixed with software changes which means that new CPUs from affected processor families will need to come with hardware fixes.
Izvor: BleepingComputer
The Exiled je online   Reply With Quote