Mitigating the latest processor attacks will be a chore on many levels
The names Downfall, Inception, Meltdown and Spectre might evoke the names of Bond villains, but they describe something almost as insidious: They are all central processing unit-based security vulnerabilities that have been uncovered in the past several years.
Each of them — the first two most recently and the last two harking back to 2018 — involves very specific attacks on hardware-level commands of various chips made or designed by Intel Corp., Arm Ltd. and Advanced Micro Devices Inc. All have required or will require patching with operating system updates and chip firmware updates.
Let’s take the two new ones first. Both Intel and AMD have already issued operating system-level updates and neither is aware of any active exploits happening in the wild, which is good news. The firmware updates will take time to be developed by the chip manufacturers and then make their way to motherboard providers.
Downfall was discovered by Daniel Moghimi, a senior researcher at Google. He presented how the attack works last week at the annual Black Hat Vegas conference, showing how the bug can be used to steal encryption keys from other users running on a specific server, or steal random data from the Linux kernel. Both of these exploits are documented on his attack website.
He disclosed the problem about a year ago, and Intel claims it affects a wide collection of Core-based CPUs, covering PCs sold for the past nine years. That link also has comprehensive summaries of previous CPU attack scenarios.
Moghimi stated that “Intel’s server market share is more than 70%, so most likely, everyone on the internet is affected.” He also said that it is possible a remote attack could be launched from a web browser.
Inception is a combination of attacks that were discovered by a group of Zurich-based researchers. “As in the movie of the same name, Inception plants an idea in the CPU while it is in a sense dreaming,” the researchers said in their report, and that forces the processor to take wrong actions, allowing an attacker to hijack the machine.
It affects AMD Zen v.3 and v.4 chipsets, including Ryzens and Threadripper Pros. Some of the firmware updates are now available, with others expected before the end of the year. Earlier Zen v.2 chipsets had their own vulnerability called Zenbleed that was discovered by Google researcher Tavis Ormandy and fixed last month.
The 2018 attacks were discovered independently by various security researchers, including Google’s Project Zero. Both of these take advantage of a special series of CPU instructions called speculative execution and can be used either to steal kernel-level data, in the case of Meltdown, or to steal from other apps running on the same system, in the case of Spectre.
“Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers,” the researchers wrote on their exploit website. That contains all sorts of useful information, along with a collection of security advisories from more than a dozen different vendors, including phone and cloud server platforms.
Implications for business
Both of the earlier attacks can take advantage of Intel, AMD and Arm chipsets going back to 1995. Enoch Root of Kaspersky posted an update last year that recaps where things stand with both of these earlier exploits, saying that it’s unlikely that either has been seen in the wild despite the passage of time.
These flaws are quite pervasive across almost everything that has a CPU in it, including phones, cars and numerous embedded devices. On a public cloud server, it’s possible for software in a guest virtual machine to drill down into the host machine’s physical memory and steal data from other customers’ virtual machines.
Though it’s great to have fixes, the bad news is that these fixes will extract a processing tax, because some of the processors’ power will have to be diverted to the shields, as they say in “Star Trek” lingo. “For most organizations whose business model depends on the performance of a large fleet of servers a performance drop will be the most noticeable impact of anti-Spectre measures,” Root said in his blog post. He cited another report that predicted a 25% hit in performance when all the Linux-related measures are implemented.
Most security experts recommend the usual advice, to patch where appropriate and develop update plans as newer exploits develop. They also suggest that information technology managers spend some time on the exploit description websites and read the relevant papers.
Root also urged caution. Despite the research on all of these exploits, he said, they “may not have a practical value, because researchers create ideal conditions for the attacks.” He believes the possibility of an actual attack to be unlikely. “At this moment, there is no immediate threat of exploitation of Spectre vulnerabilities in real conditions,” he said. “All known attacks are extremely complex and require the highest skill of the attacker.”
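To see where a Linux host stands on the split between operating system updates and firmware updates described above, the kernel's own status files can be read directly. The script below is an added example, not part of the original article; the sysfs file names (gather_data_sampling for Downfall, spec_rstack_overflow for Inception) are the Linux kernel's, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not from the article: read the Linux kernel's own status
# report for the four issues named above and flag what still needs an update.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Turn one sysfs status line into a verdict.
classify_status() {
    case "$1" in
        "Not affected"*)              echo NOT_AFFECTED ;;
        Vulnerable*[Nn]o\ microcode*) echo NEEDS_MICROCODE ;;  # firmware pending
        Mitigation:*)                 echo MITIGATED ;;
        Vulnerable*)                  echo VULNERABLE ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Print one line per issue; return 1 if any issue still needs action.
audit_cpu_vulns() {
    dir=${1:-$VULN_DIR}; rc=0
    for pair in Downfall:gather_data_sampling Inception:spec_rstack_overflow \
                Meltdown:meltdown Spectre-v1:spectre_v1 Spectre-v2:spectre_v2; do
        name=${pair%%:*}; file=${pair#*:}
        if [ -r "$dir/$file" ]; then
            status=$(cat "$dir/$file")
            verdict=$(classify_status "$status")
        else
            # No file: the running kernel predates the update for this issue.
            status="-"; verdict=KERNEL_TOO_OLD
        fi
        printf '%-11s %-16s %s\n' "$name" "$verdict" "$status"
        case $verdict in NOT_AFFECTED|MITIGATED) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: OS update applied, Downfall microcode not yet installed.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Vulnerable: No microcode" > "$d/gather_data_sampling"
    echo "Not affected" > "$d/spec_rstack_overflow"
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: usercopy/swapgs barriers" > "$d/spectre_v1"
    echo "Mitigation: Retpolines, IBPB: conditional" > "$d/spectre_v2"
    echo "$d"
}

sample=$(make_sample_dir)
audit_cpu_vulns "$sample" || echo "action needed on at least one issue"
rm -rf "$sample"
```

Calling audit_cpu_vulns with no argument reads the live host; the non-zero return makes it usable as a fleet compliance check.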