Downfall: Another Intel CPU Hardware Vulnerability

From https://www.usenix.org/system/files/usenixsecurity23-moghimi.pdf

Responsible disclosure We reported our findings to Intel
on August 24, 2022. They acknowledged our findings (CVE-
2022-40982) and confirmed that previous hardware fixes and
software mitigation do not mitigate Downfall attacks. Intel
asked for our findings to be under embargo until August 2023.
In ongoing discussions with Intel, they confirmed that they
will mitigate Downfall with a microcode update, which will
be deployed concurrently with the public release of our results.
Click to expand...

INTEL demanded a full year of silence. Did they really need that long time or did they want it for not disclosed reasons.

This vulnerability fits very well for use by some *.gov domains.
 
TBH, I agree with bgavin ... All people have to do is ask themselves why did Intel ask for such a long time.

Cyber security is basically an arms race. And Intel is basically trying to buy time for themselves to make sure that the patches they develop - they actually work. The less people know about a vulnerability, the lower are the chances that within a year, someone will actually try to exploit it. You can only exploit a vulnerability that you know about.

Now, how would one rewrite the underlined statement that considers the opposite scenario (MORE people knowing about a vulnerability), yet makes the exact same point?

The more people know about a vulnerability, the higher are the chances that within a year, someone will actually try to exploit it.

Focusing on technicalities like procedures for microcode update to patch a design flaw is easy. Expecting people to do risk assessment (and thus determine the urgency of the task) in an academically valid manner - that's hard. But needs to be done. That's what statistical analysis and different perspectives/expertise are for.
 
getopt said:
And 12 months are an eternity under race conditions. Vendors do have intelligence about their share in the Zeroday-Market. They know their customers parasits.

Also see:

Zero-day vulnerability - Wikipedia

en.wikipedia.org en.wikipedia.org
Click to expand...
Intel does have a pretty big market share. 12 months is probably a pretty long time. But wouldn't you rather ask for enough time to make sure that a fix actually works, rather than release something quick-and-dirty, and then be red-faced when it's defeated almost as quickly?

Which of the following would you rather gamble on:
  1. Less people knowing about the exploit (due to your gag order, which you actually have the economic clout to issue)
  2. Do nothing, and then try to react to damage that is blamed on your product, but nobody can positively and accurately trace it to a design flaw (due to having to connect some far-flung dots)
?‍♂️
 
astyle said:
But wouldn't you rather ask for enough time to make sure that a fix actually works
Click to expand...
This is the the narrative to the public. When scientists approach vendors with a notice, an exploited zeroday on this may already have existed for a long time. If that zeroday is an asset to the "good guys", there is an interest for an prolonged existence. I think it is reasonable that such a potent vendor like Intel is capable of fixing their products within some few weeks, while the "good guys" need time to fix their ass(et).
 
getopt said:
This is the the narrative to the public. When scientists approach vendors with a notice, an exploited zeroday on this may already have existed for a long time. If that zeroday is an asset to the "good guys", there is an interest for an prolonged existence. I think it is reasonable that such a potent vendor like Intel is capable of fixing their products within some few weeks, while the "good guys" need time to fix their ass(et).
Click to expand...
Notices from security researchers are valuable, indeed. But being aware of the vulnerability (and how to exploit it) is only the first step in the direction of fixing it properly. A quick-and-dirty patch is like bug hunting - If not done right, it can mess up things elsewhere. As an example, Spectre/Meltdown was notoriously difficult to fix without a huge performance hit.

As a tangent to this: (quote from that same Wikipedia page about Spectre that I linked to:
Colin Percival had a working attack on the OpenSSL RSA key using the Intel processor's cache.
Click to expand...

Yep, the same guy working on FreeBSD's dev team.
 
I suppose I am fortunate, living on the Trailing Edge of Technology™ as none of my processors are on the list.
I wonder if this 25% performance reduction will mean the new, expensive hot-rod processors won't be any faster than my old i7s and Xeons...
?
 
I have a herd of Xeons donated to me, which will keep me in hardware for the rest of my limited number of days.
I did spring for a new 4060-ti GPU so I can do AV1 transcoding... yikes that was expensive enough.
I just shake my head at the incredible depth the Bad Guys use to break into systems.
When I was an engineer at IBM all those years ago, we never dreamed of this at the microcode level.
 
You must log in or register to reply here.
Back
Top