A team of researchers have discovered a security vulnerability in multiple Intel CPUs which could result in data leaks.
Cybersecurity researchers from the University of Maryland and Tsinghua University, together with a lab within the Chinese Ministry of Education (BUPT), uncovered a side-channel attack, somewhat similar to Meltdown which, if exploited, could allow threat actors to leak sensitive data from endpoints (opens in new tab) through the EFLAGS register.
The team published their findings in a paper released on Arxiv.org, explaining the attack abuses a flaw in transient execution “that makes it possible to extract secret data from user memory space through timing analysis”. A change in the EFLAGS register in transient execution affects the timing of Jump on Condition Code (JCC) instructions.
Different chips, different results
The FLAGS register is described as “the status register that contains the current state of a x86 CPU”, while the JCC is a “CPU instruction allowing conditional branching” based on the contents of the EFLAGS register.
In absolute layman’s terms, to pull off the attack, one should first trigger transient execution of encoded secret data through the EFLAGS register, and then measure the execution time JCC instruction to read the contents of that encoded data.
The researchers tested the flaw on multiple chips, and found that it was 100% successful on i7-6700 and i7-7700, as well as “somewhat successful” on i9-10980XE. All tests were done on Ubuntu 22.04 jammy/Linux kernel version 515.0.
To get more consistency on newer chips, the researchers found, the attack would need to be run thousands of times.
“In our experiment, we found that the influence of the EFLAGS register on the execution time of Jcc instruction is not as persistent as the cache state,” the researchers said in the paper. “For about 6-9 cycles after the transient execute, the Jcc execute time will not be about to construct a side-channel. Empirically, the attack needs to repeat thousands of times for higher accuracy.”
They still don’t know what is causing the bug.
Via: BleepingComputer (opens in new tab)
