Monday, March 23, 2009

Intel chip flaw--but what of it?


Intel chip bug? Or simply much more than you need to know? Researchers claim Intel has a serious chip bug. But that all depends.

Security experts who are into the arcana of chip security may find "CPU cache poisoning" riveting and serious stuff. Others, however, may simply scratch their heads and move on.

But let's not move on too quickly. First, a quote from an abstract of the paper that has all, uh, let me rephrase that, some of the chip world abuzz. "In this paper we have described practical exploitation of the CPU cache poisoning...This is the third attack on SMM (system management mode) memory our team has found within the last 10 months, affecting Intel-based systems. It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying."

Joanna Rutkowska, who exposed the potential of the so-called Blue Pill flaw back in August of 2006 and founded Invisible Things Lab, wrote that excerpt (along with colleague Rafal Wojtczuk) and obviously takes this very seriously. As do others. Not worried yet? "This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill!," writes Jamey Heary, a Consulting Systems Engineer for Cisco Systems in a Network World blog.

So, now that we know it's scary, what can happen in a worst case scenario? This post will not presume to dive into details. Suffice to say, if a hacker can get access to "privileged" SMM memory, this would essentially allow the hacker to do anything to the target system they want, which is described in more detail here.

In response to an email query, Heary went on to say: "If a hacker can use this new exploit to embed a SMM rootkit (malware) they would have ultimate control over the box (computer). Additionally, it would be virtually undetectable," he said. But added: "In a nutshell. This exploit is very serious and needs to fixed. But...I don't see a mass virus or worm using this. The attacks will be targeted. A rootkit must be perfectly matched to the of hardware. This makes mass infection more difficult."

Rutkowska and Wojtczuk, in the abstract, say that the paper discusses "how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits," she writes.

Who can do this? "We assume that the attacker has (what is in practice)...equivalent to administrator privileges on the target system, and on some systems, e.g. Windows, also the ability to load and execute arbitrary kernel code," writes Rutkowska and Wojtczuk in the abstract cited above.

And what systems are potentially vulnerable? Though both Intel and Rutkowska say the "attack" presented in the paper has been fixed on some systems, Rutkowska goes on to say: "We have however found out that even the relatively new boards, e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board--the offsets would have to be changed to work on other boards (please do not ask how to do this)," she writes. (Here is a list of Intel motherboards she refers to.)

These motherboards are used with Core 2 Quad, Core 2 Duo, Pentium, and Celeron processors, according to Intel's Web site.

What does Intel have to say? "We are working with these researchers. We take this research and all reports seriously. Currently as far as we know, there are no known exploits in the wild," said Intel spokesman George Alfs said in a written statement.

One point worth noting is that this is not an Intel errata per se, which Intel typically details in processor specification updates. This is a theoretical attack from a malicious hacker. Nevertheless, users can minimize the risk by keeping up to date on patches and operating system and security suite updates. In particular, BIOS (Basic Input-Output System) and firmware updates for the processors and motherboards referenced above are important.

So, what is the average user to make of all of this? Security attacks and security vulnerabilities have been around since (computer) time immemorial (in the relatively brief history of mass-market computing). A report from U.K.-based technology Web site The Register in 2006, for example, suggested that people should not purchase Core 2 Duo systems (now virtually ubiquitous worldwide) because of security vulnerabilities and cited an open source expert, who prophesied doom and gloom for the Core 2 Duo architecture.

Then there's the whopper of them all. The show-stopping 1994--very different in nature from the SMM vulnerability discussed above-- Intel FDIV bug, discovered by Professor Thomas Nicely, then at Lynchburg College in Virginia. Also referred to as the floating point bug, it wasn't a flaw exploitable by malicious hackers, rather, it was a bug in Intel's original Pentium floating point unit. Certain arcane floating point division operations done on these processors would generate incorrect results.

This bug, covered prominently by The New York Times and CNN at the time, actually had virtually no affect on users, except causing them to panic and, as a consequence, some insisted that Intel provide them with new processors. The recall cost Intel close to half a billion dollars.

0 comments:

Post a Comment