Security is a topic that I take seriously and try to cover with an even hand. When people need to know if a given piece of software or hardware is safe, they need a clear-eyed view of the situation in neutral terms, not a ton of colorful language. For over two years, we’ve covered serious issues like Spectre and Meltdown, as well as a range of similar, Spectre-class attacks. While companies like Apple, ARM, and AMD have all been impacted to some extent, Intel has been the worst affected.
Unfortunately, it’s starting to look like the PR departments working with security researchers the world over have taken a very real problem with problematic leakage of data in side-channel attacks and are now spinning theoretical scenarios that aren’t backed up by the data in the documents themselves. The just-released data on LVI (Load Value Injection) is a perfect example of this trend. Here’s how the LVI website describes this new attack:
If you read the top paragraphs, you’ll come away thinking this is actually worse than Meltdown, given that it bypasses Meltdown defenses and can drive a 19x reduction in computing performance. On the basis of clock alone, that would leave a 5GHz CPU performing like a 263MHz chip. Not good. Really not good. And the researchers say upfront that LVI is harder to mitigate.
What they don’t say upfront is that LVI is a theoretical attack. There’s a distinct difference in tone between the messaging in the Bitdefender PDF and the messaging on the Bitdefender blog. The blog states:
This new attack may be particularly devastating in multi-tenant and multi-workload environments which run on hardware shared between groups of workloads within an organization, or between organizations, such as public- and private-clouds. This is because, as the PoC [Proof of Concept] shows, there is the potential for a lesser-privileged process under attacker control to speculatively hijack control flow in a higher-privileged process when specific requirements are met.
The most straightforward risk is the theft of secret data which should otherwise be kept private by security boundaries at the hardware, hypervisor, and operating system levels. This information can include anything from encryption keys, to passwords, or other information which an attacker could exfiltrate, or use to gain further control of a targeted system.
The “Real-life exploit” section of the Bitdefender whitepaper is rather different. “Creating a real-life exploit,” it says, “poses some significant challenges.” Those challenges are:
1. Identifying a suitable gadget for one of the scenarios; this depends a lot on the victim and what code it contains; certain gadgets may not be suitable at all.
2. Making sure the pivot instruction incurs a microcode assist so it loads attacker-controlled data from the LFBs.
3. Finding a way to speculatively transmit the secret from the victim to the process. While transmitting the secret from kernel to user can be done rather easily, doing so from one process to another is more complicated.
The Bitdefender whitepaper contains none of the inflammatory language in the company’s blog or used on the LVI disclosure website. It states that the attack only currently exists as a synthetic proof of concept and discusses multiple problems related to actually taking advantage of the flaw. In other words, the papers contain the actual data telling you that this isn’t a current threat, while the public-facing blog posts are amped to deliver maximum scare-city.
Two-Faced Messaging Is Becoming a Problem
A few years ago, a company named CTS-Labs attempted to capitalize on what it declared were an absolutely stunning set of vulnerabilities in AMD processors that… actually came to nothing whatsoever. The appearance of Spectre and Meltdown have clearly unleashed a wave of interest in these projects and exposed a number of security issues, particularly in Intel CPUs. All such significant issues need to be fixed, and I’m 100 percent in favor of holding vendors accountable. But a recent story on LVI by ZDNet exemplifies how the marketing arm of the security industry and the actual research arm don’t seem to have much to do with each other these days.
After detailing all of the risks and problems supposedly associated with LVI, the story includes the following:
Currently, many administrators are expected to skip these patches, primarily because of the severe performance impact.
For good reasons, Intel has downplayed the severity of the LVI attack, and, for once, researchers have agreed.
“Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real-world environments where the OS and VMM are trusted,” an Intel spokesperson told ZDNet in an email last week.
“Agree with Intel,” Bogdan Botezatu, Director of Threat Research and Reporting [at Bitdefender], told ZDNet yesterday. “This type of attack is much harder to pull off in practice, compared with other side-channel attacks such as MDS, L1TF, SWAPGS.”
In other words, security researchers (or security research firms’ PR divisions) are now putting out reports claiming Intel CPU’s are catastrophically at-risk from theoretical attacks that haven’t even been created yet, even though these attacks are incredibly difficult or downright theoretical. This is an absurdity.
Asking a company to design hardware intelligently to mitigate existing or well-known risks is one thing. Asking it to design hardware that secures against esoteric attacks that haven’t even been demonstrated in real-world testing yet is ridiculous. Even Bitdefender’s Director of Threat Research agrees that this attack isn’t one Intel should realistically bother securing against because it’s so hard to deploy.
Bad Messaging Cannot Be Tolerated
The PR-friendly tendency to maximize fear around security disclosures must stop, not because companies deserve to have their flaws overlooked, but because using maximalist language in these types of disclosures makes it impossible for anyone to estimate the actual degree of risk. Statements like “This type of attack is much harder to pull off in practice,” need to be made in both the body of the formal report and on the websites where these disclosures are made. We’re starting to hear about ‘theoretical’ risks to both Intel and AMD and threats that could emerge someday, but, you know, don’t actually exist right now. There’s nothing wrong with planning ahead, but given the long development cycles that CPUs go through, there’s no practical way for Intel to build a 2020 CPU to handle every possible security flaw that might be found in software, hardware, or both by 2025. The nature of security flaws is that after you patch one, people go out and find another.
I’m increasingly convinced that Intel isn’t being treated fairly by these reports, and it’s not just Intel. Earlier this week we covered another instance where the PR verbiage around an AMD flaw didn’t match what the actual security researchers said in public. I don’t want to impugn the good work that security researchers do, especially since I don’t know if the people writing the public-facing website copy are the same people actually performing the work, but the disconnect between PR blasts and whitepaper reports is becoming untenable.
You don’t see many journalists write stories downplaying security issues for a simple reason: Nobody wants to be the guy who swore that a security problem wasn’t an issue right before it explodes into a major problem. Frankly, I don’t either. At the same time, the way these reports are being sold to the public is making it actively harder to do my job. If Intel has an obvious interest in downplaying any security report and the company who found the flaw is doing everything it can to paint that flaw in the most apocalyptic language possible, it’s much harder for us journalists to know what to tell people.
I’m not going to say that LVI isn’t an issue or that Intel shouldn’t fix it. Intel has, in fact, already released some software updates intended to correct the problem. With that said, Meltdown and Spectre have now existed for over two years and no malware has yet been found to use them. What I will say is that when the head of a company’s threat-analysis division doesn’t believe an issue is worth patching, it also may not deserve to be front-page news declaring that yet another flaw has been found in Intel chips. There’s giving readers good information about pressing threats and there’s being used by PR teams to pump up a company in the news under the guise of security reporting. I’m always interested in the former and completely disinterested in the latter.
- Intel Has an Unfixable Chipset Security Flaw. Is it a Risk?
- Security Flaw Detected in AMD CPUs Going Back to 2011
- Intel Is Still Fighting the EU Over Its Anti-Competitive Actions Against AMD