- ‘Downfall’ Attack Unveiled: Google researchers reveal a new side-channel attack called “Downfall” targeting Intel processors, exposing a memory optimization vulnerability (CVE-2022-40982).
- Cloud Impact: The attack extends into cloud environments, enabling attackers to extract data from shared cloud computers, intensifying data breach risks.
- Memory Optimization Flaw: The vulnerability originates from Intel processors’ memory optimization features, inadvertently revealing internal hardware registers to software.
- Attack Techniques: The attack employs Gather Data Sampling (GDS) and Gather Value Injection (GVI) to steal CPU data and manipulate microarchitectural data injections.
- Mitigations and Implications: Intel responds with firmware updates to address the vulnerability, but performance overhead concerns remain. ‘Downfall’ underlines the vulnerability of modern microprocessors, resonating with industry-wide concerns.
Google researchers have uncovered a new side-channel attack known as “Downfall” targeting Intel processors. This attack, discovered by Google senior research scientist Daniel Moghimi, exposes a vulnerability tracked as CVE-2022-40982, exploiting a memory optimization feature in Intel processors.
Downfall joins the league of attacks that can be exploited by local attackers or malware to access sensitive information, including passwords and encryption keys, of affected device users.
Moghimi’s findings unveil a disconcerting aspect of Intel processors, revealing that transient execution attacks like Downfall extend their reach even into cloud environments. This enables malicious actors to pilfer data from other users sharing the same cloud computer, significantly raising the stakes of data breaches.
The underlying flaw stems from memory optimization features inherent in Intel processors, inadvertently disclosing internal hardware registers to software. This exposure facilitates unauthorized software access to data that should remain shielded from such access.
The pivotal culprit in this scenario is the “Gather” instruction, intended to expedite the retrieval of scattered memory data. However, Moghimi ingeniously demonstrated how this instruction leaks the contents of the internal vector register file during speculative execution, thereby opening up avenues for cybercriminals.
Two specific attack techniques were developed as part of the Downfall exploit, detailed in the research paper (PDF): Gather Data Sampling (GDS) and Gather Value Injection (GVI). The former method facilitates the theft of data from CPU components, while the latter manipulates the data leaks for microarchitectural data injections. The practicality of GDS is underscored by Moghimi’s creation of a proof-of-concept (PoC) exploit, capable of pilfering encryption keys from OpenSSL.
The researchers’ demonstration clip shows the attack stealing 128-bit and 256-bit AES keys from another user.
Notably, the Downfall attack doesn’t discriminate between endpoint devices and cloud infrastructure. While cloud environments provide a broader landscape for potential attacks, Moghimi emphasized the significant threat Downfall poses to personal computers. Theoretically, the exploit could even be executed via a web browser, although this possibility necessitates further research and validation.
To counteract the impending threats posed by Downfall, Intel has swiftly responded by publishing a security advisory and releasing firmware updates. These mitigations come as microcode updates designed to address CVE-2022-40982, which Intel has classified as having “medium severity.”
The updates intend to thwart the data leakage intrinsic to the Gather instruction, although they come with a trade-off of potential performance overhead, which could be as high as 50% in some workloads. Despite this drawback, experts unanimously advocate for the implementation of these fixes to safeguard against potential breaches.
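To check whether a Linux host actually carries the microcode mitigation described above, the following script (an added example, not from the article, Intel or the Downfall researchers) reads the kernel’s gather_data_sampling sysfs entry, which is present on kernels that include the GDS reporting patches; the status strings it matches are the ones the Linux kernel documents, and the advice text is this script’s own wording.

```shell
#!/bin/sh
# Classify the kernel's reported GDS (Downfall, CVE-2022-40982) mitigation state.
# Input: the one-line contents of
#   /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
# Output (stdout): one of  not-affected | mitigated | vulnerable | unknown
gds_classify() {
    case "$1" in
        "Not affected")               echo "not-affected" ;;
        "Mitigation: Microcode"*)     echo "mitigated" ;;    # microcode fix, possibly "(locked)"
        "Mitigation: AVX disabled"*)  echo "mitigated" ;;    # fallback: gather instructions unusable
        "Vulnerable"*)                echo "vulnerable" ;;   # includes "Vulnerable: No microcode"
        "Unknown"*)                   echo "unknown" ;;      # guest cannot see host microcode state
        *)                            echo "unknown" ;;      # unrecognised string: do not assume safety
    esac
}

# Map a classification to a one-line action for the operator.
gds_advice() {
    case "$1" in
        not-affected) echo "CPU not affected by CVE-2022-40982; nothing to do." ;;
        mitigated)    echo "Mitigation active; benchmark gather-heavy workloads for the added overhead." ;;
        vulnerable)   echo "Apply the Intel microcode update (BIOS or OS microcode package); if none exists, boot with gather_data_sampling=force to disable AVX." ;;
        unknown)      echo "State depends on the hypervisor; confirm with the cloud provider that host microcode is updated." ;;
    esac
}

# Read the live status from sysfs when present (always returns 0 so it can be scripted).
gds_check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling
    if [ ! -r "$f" ]; then
        echo "No $f: kernel predates the GDS reporting patches or is not Linux; treat as unknown."
        return 0
    fi
    status=$(cat "$f")
    class=$(gds_classify "$status")
    echo "gather_data_sampling: $status -> $class"
    gds_advice "$class"
}

gds_check_host
```

On a fleet, run it over every host and alert on anything other than not-affected or mitigated; the hypervisor-dependent state is the one cloud tenants will see most often.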
Intel’s recent woes are not exclusive, as the Downfall attack highlights the vulnerability of modern microprocessors. Notably, Google researchers also unveiled “Zenbleed,” a vulnerability afflicting AMD Zen 2 processors, reiterating the broader implications of such vulnerabilities across the industry.
The disclosure of Downfall coincides with the revelation of another processor vulnerability named “Inception” by researchers at ETH Zurich. Inception targets devices powered by AMD Zen processors, allowing attackers to manipulate the CPU’s predictive algorithms to access sensitive data.