Intel moves to fix chip security holes in TSX

Intel has addressed dozens of security vulnerabilities in some of its computer chips found and reported by researchers 14 months ago. However, Intel also admits its fixes don’t go all the way.

In an email to FierceElectronics on Wednesday, Intel said it is “committed to addressing security vulnerabilities affecting our customers…We take seriously all potential security vulnerabilities whether they are found internally or externally and actively collaborate with all parties to ensure mitigations are in place before public disclosure.”

Some security researchers worry that Intel hasn’t been proactive enough in its response, however.

The continuing vulnerabilities in question only affect systems that rely on Transactional Synchronization Extensions or TSX, Intel said in its email. A new microcode update “substantively reduces the attack surface” by giving customers a means to disable TSX.

In a newly launched monthly security blog, Intel said on Tuesday that it will be addressing the continuing vulnerabilities “in future microcode updates. We continuously improve the techniques available to address such issues and appreciate the academic researchers who have partnered with Intel.”

The blog notes that it has addressed 77 vulnerabilities, of which 67 were found internally by Intel.

The vulnerabilities discovered in 2018 potentially allow hackers to trick Intel processors into revealing sensitive data stored elsewhere in a chip’s buffer. That data could contain cryptographic keys or passwords. 

In response, Intel said in the email to FierceElectronics that the reported vulnerabilities only provide a “potential means to read certain data. It does not provide the attacker with a reliable way to choose the data that is leaked.” The attacks are based “only on a sampling of data,” the email added.

The vulnerabilities have been reported over recent months by at least 11 security research organizations, universities and companies, including Oracle, BitDefender, Qihoo and Cyberus going back to May of 2018. The others are Austrian university TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven in Belgium, Worcester Polytechnic Institute and Saarland University in Germany.

Intel refers to one group of the vulnerabilities as MDS, for microarchitectural data sampling. The researchers joined Intel in describing the chip vulnerabilities in May, as reported by Wired and others. The researchers called the exploits by various names, including ZombieLoad, Fallout and RIDL, for Rogue In-flight Data Load. At that time, Intel said its newest models of chips included a fix for the problem. The researchers didn’t find similar vulnerabilities in AMD and ARM-based chips.

Despite some improvements, researchers at VUSec (the security research group at Vrije Universiteit Amsterdam) on Tuesday disclosed that an earlier vulnerability in Intel CPUs had only been partially addressed by Intel. That vulnerability is called TSX Asynchronous Abort (TAA).

Experts explained the vulnerability this way: Some Intel chips ordinarily access memory speculatively, guessing what a program will want as a time-saving measure. However, that speculation sometimes results in accessing an invalid location in memory, which causes the processor to grab arbitrary data from buffers in the chip instead. Researchers found that those buffers can hold sensitive data.

Intel, in its Tuesday blog, said its mitigations for TAA and MDS “substantively reduce the potential attack surface” but also admitted “that some amount of data could still be inferred through a side-channel” to be addressed in future Intel code updates.

The upshot is that researchers don’t think Intel has acted quickly enough in fixing its chips. “We’re extremely disappointed with Intel,” VUSec’s Cristiano Giuffrida told Wired. “Our complaint with the entire process is the lack of security engineering that we see. Our impression is that they look at one variant at a time, but they’re not able to address the root cause.”
