NSA Offers Guide on Speculative Execution Side-Channel Attacks
The U.S. National Security Agency (NSA) issued updated guidance (PDF) late last month on the various speculative execution side-channel flaws that open up all systems using modern processors to potential attacks.
The guide essentially directs U.S. government agencies to keep everything patched. They should apply UEFI and BIOS firmware updates from system vendors, apply microcode updates, and also patch operating systems, drivers and applications, including Web browsers.
The patching, though, is just a "mitigation" or stop-gap measure; it doesn't address the underlying technical problems. Those problems actually seem to be growing as researchers continue to probe the depths of the attack methods available. To speed up operations, modern processors are designed to predict the next steps that could be taken, a process called speculative execution. However, that design can be exploited to reveal information. Typically, though, some sort of application is needed on a system to carry out these kinds of attacks.
The NSA keeps updated information on the latest research findings on speculative execution side-channel attacks in this GitHub document. The document gets updated as new information about the attacks becomes known. The page could serve as a useful resource for organizations as it contains information that hasn't been well publicized since chip vendors first publicly revealed the Meltdown and Spectre attack methods about a year ago.
The NSA document does include a discouraging note for organizations that perhaps were hoping that recent processor upgrades would avoid the potential information disclosure flaws associated with speculative execution side-channel attacks. The attack methods affect processors built by AMD, ARM, Dell, HP, HPE, IBM, Intel and Nvidia to varying degrees.
In essence, though, no processors were available on the market as of last year that avoided the associated security issues. Here's how that idea was expressed in the document:
As of January 23, 2018, no hardware vendor has confirmed general availability of in-silicon fixes to side-channel attacks their respective products are vulnerable to. Replacing older hardware with newer hardware does not guarantee mitigation of all vulnerabilities. However, newer hardware features updated instructions that lessen the performance impact of patches.
Another detail described in the NSA's document is a possibly "new" vulnerability called "NetSpectre." It's the only speculative execution side-channel attack method that doesn't require "local code execution on a target system" for an attack to be carried out. However, it does require tapping an "exploitable network driver, network service, or network application, such as a web browser" on the target system.
The NSA document also described a few other possibly new attack methods that perhaps aren't so well known as Meltdown, Spectre and Foreshadow. These new vulnerabilities include BranchScope, TLBleed and PortSmash, which, like NetSpectre, are all based on the Spectre attack method.
In addition to speculative execution side-channel flaws, there are firmware and microcode vulnerabilities, according to the NSA's document. For instance, there's a LoJax "malicious modification" to the "antitheft solution known as Computrace or LoJack" in the UEFI modules of system firmware. The UEFI Secure Boot process will work as a preventative measure against LoJax, but it isn't effective when systems are in "fast boot or minimal boot check mode," so organizations should check with system vendors on the proper settings.
The NSA document also described apparently new "AMD flaws" that can be used to compromise administrator credentials. The problem is found in some computers optimized for computer games, which the document recommended avoiding:
To mitigate AMD Flaws, purchase business-class machines that lack "gamer" features such as overclocking, fan control, custom thermal management, RGB lighting, and firmware modding support. Also ensure that all firmware, microcode, and software updates are applied. Carefully analyze software before using it in conjunction with the AMD Secure Processor (SP) or Platform Security Processor (PSP) protected enclaves.
There are four attacks based on these AMD flaws, namely "Ryzenfall," "Chimera," "Fallout" and "Masterkey," according to the document.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.