FacebookTwitterLinkedIn

Zombieload: New Intel Side-Channel Attack

In January 2018, the InfoSec community was rocked by the news of the Meltdown and Spectre vulnerabilities affecting entire generations of Intel processors. As of May 14, 2019, academics announced that they had discovered a new side-channel attack affecting Intel processors. The attack utilizes a set of vulnerabilities that can allow attackers to retrieve data being processed inside a CPU. The flaw has been termed Zombieload and is fundamentally similar to the Meltdown, Spectre, and Foreshadow side-channel attacks that emerged.

As with the other three, the Zombieload flaw is exploited by abusing the speculative execution process. Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed. If it turns out the work was not needed, after all, most changes made by the work are reverted and the results are ignored. The academics who discovered the flaw published their findings in an academic paper titled, “ZombieLoad: Cross-Privilege-Boundary Data Sampling”, where prior to publishing the academics in question spent more than a year punching holes through the various components of the speculative execution process. What they discovered was an attack method which allowed for the leaking of data from the target CPU’s buffer zones and data processing operations.

The findings of the academic team have been confirmed by Bitdefender, who likewise published a whitepaper informing customers and the community at large of the flaw and how it is possible to exploit. The academics have called the attack method a Microarchitectural Data Sampling (MDS) attack, as it targets a CPU's microarchitectural data structures, such as the load, store, and line fill buffers, which the CPU uses for fast reads/writes of data being processed inside the CPU.

zombieload intel

These are smaller-sized caches that are used alongside the main CPU cache. When properly exploited an MDS attack can infer data that is being processed in the CPU by other apps, to which an attacker should not normally have access to. According to the published paper, the academics discovered four vulnerabilities which could be exploited by MDS attacks. In summary, these vulnerabilities are targeting store buffers (CVE-2018-12126), load buffers (CVE-2018-12127), line fill buffers (CVE-2018-12130), and uncacheable memory (CVE-2019-11091).

Zombieload: the Good and the Bad

Unlike with the Spectre and Meltdown vulnerabilities, Intel has not been caught by surprise. According to a press release issued by the processor manufacturer the newer 8th and 9th generation products are already protected against such an attack, this also includes the 2nd Generation Intel® Xeon® Scalable processor family and updates have already been released to mitigate affected products which are listed here. Further the hardware giant stated,

“First identified by Intel’s internal researchers and partners, and independently reported to Intel by external researchers, MDS is a sub-class of previously disclosed speculative execution side channel vulnerabilities and is comprised of four related techniques. Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see. MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”

Despite Intel’s readiness in combating the new threat, there are some important bad sides of Zombieload to consider. According to the academic paper, processors manufactured since 2011, other than the ones listed by Intel above, are vulnerable. Processors for desktops, laptops, and including cloud servers are all impacted, researchers said on a special website they've set up with information about the Zombieload flaws. In one proof of concept case, the academics published a video where the academics performed a Zombieload attack to monitor websites that a user was visiting using a privacy-protecting Tor Browser running inside a virtual machine. This effectively means that if malware is developed to exploit the Zombieload flaw it can effectively break all privacy protections that exist between apps, similar to how both Meltdown and Spectre broke those lines, but via other vulnerabilities in the speculative execution process.

There are significant hurdles to exploiting Zombieload in the wild, which forms part of the good news along with Intel’s readiness to combat the flaw if exploited by a malicious attacker. Intel pointed out that exploiting this vulnerability, like with other side-channel attacks, outside of a laboratory is extremely complex and when one considers the myriad of other tried and tested methods available to hackers this further reduces the likelihood of it been used in the wild to a major extent. There are other practical considerations regarding exploiting the flaw, the first been that the structures exploited are much smaller than the first level data cache (L1D), and therefore hold fewer data and are overwritten more frequently. Second, it is also more difficult to use MDS attacks to infer data that is associated with a specific memory address, which may require the malicious actor to collect significant amounts of data to analyze and locate any secret data. Third, only recently accessed data can be leaked when attempting an MDS attack and by simply turning off a processors hyperthreading function successfully prevents the flaw from being exploited.

Intel advises that all new updates are installed to mitigate the threat, they further advise,

“Once these updates are applied, it may be appropriate for some customers to consider additional steps. This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel® HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal