Monday, 25 June 2018 06:23

Ex-NSA hacker says new Intel bug will need 'ton of work' to fix

Jake Williams: "It's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE."

A security researcher says a fix for a new vulnerability in Intel processors is likely to require changes to operating system kernels, and would probably need "a ton of work to mitigate (mostly app recompile)".

Former NSA hacker Jake Williams said on Twitter: "Hyperthreading is THE main reason Intel won the processor war over AMD. Pretending that OS developers are the problem is ridiculous. I remember people talking about theoretical attacks on hyperthreading from its introduction."

The flaw, which has been dubbed TLBleed by the researchers who discovered it, has been played down by Intel, with the company unwilling even to assign it a Common Vulnerabilities and Exposures number. The CVE system, a catalogue of publicly disclosed vulnerabilities sponsored by the US Department of Homeland Security, provides a common identifier for each known vulnerability or exposure so that vendors, researchers and tools can refer to it unambiguously.

Details of TLBleed were leaked to the British tech website, The Register, on Friday; the side-channel vulnerability can in theory be exploited to extract encryption keys and other secrets from a program running on the other hyperthread of the same core. The name TLBleed comes from the fact that the flaw targets the translation lookaside buffer, the CPU's cache of virtual-to-physical address translations, which is shared between the two hyperthreads of a core.

Intel also refused to pay a bug bounty to the team that found the flaw, with researcher Ben Gras commenting: "The HackerOne bug bounty program run by Intel has side channels in scope. However, Intel has dismissed our report as it does not demonstrate a side-channel attack against its ‘constant time’ — its side-channel hardened — cryptographic primitives."

The researchers, from the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, had earlier shared the paper on their findings with the OpenBSD project, which produces a highly secure UNIX-like operating system; the project took the step of disabling hyperthreading, the feature through which TLBleed can be exploited.

With the paper due to be presented at the Black Hat USA 2018 conference in August, OpenBSD leader Theo de Raadt told iTWire that he could not be more specific about the nature of the vulnerability that had led to the disabling of hyper-threading.

Williams, a former member of the NSA's elite Tailored Access Operations unit who now runs his own security company, Rendition Infosec, said: "First, it's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE.

"Second, it's hard to imagine that Intel won't make changes to their processors to fix this. TLB management has subtle nuances depending on the architecture. Even if Intel's answer to TLBleed is 'recompile' it's not clear how quickly compiler authors can work out the nuances to make the code safe across different processor models."

He said Intel has assured OS developers that hyper-threading was safe, "so they programmed to that spec. Nothing in the Intel programming docs says 'don't hyperthread different processes on the same core'. Wholesale changes will need to be made to scheduler subsystems."
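The mitigation OpenBSD chose, and the scheduler problem Williams describes, both come down to one question: which logical CPUs are hyperthread siblings, and could a victim and an untrusted process end up running side by side on one core? The following is an added example, not code from iTWire, Jake Williams or the VU Amsterdam researchers. It parses the kernel's CPU-list syntax as exposed in Linux's /sys/devices/system/cpu/cpuN/topology/thread_siblings_list, groups logical CPUs into physical cores, reports whether SMT is active, and flags any pinning that would place two different processes on sibling threads. The two topology tables are constructed samples that mimic a 4-core/8-thread part with hyperthreading on and the same part with it off; the live-host reader is only consulted when that sysfs tree exists.

```python
"""Added example for this article (not code from iTWire, Jake Williams or the
VU Amsterdam researchers): decide from CPU topology data which logical CPUs
are hyperthread siblings, whether SMT is active, and which processes would
share a physical core under a given CPU pinning.  SMT_ON and SMT_OFF are
constructed samples mimicking Linux's thread_siblings_list files."""
import os
import re
from collections import defaultdict

# Constructed sample: four cores, logical CPU n and n+4 are siblings (SMT on).
SMT_ON = {0: "0,4", 1: "1,5", 2: "2,6", 3: "3,7",
          4: "0,4", 5: "1,5", 6: "2,6", 7: "3,7"}
# Constructed sample: the same part with SMT disabled, one thread per core.
SMT_OFF = {0: "0", 1: "1", 2: "2", 3: "3"}


def parse_cpu_list(text):
    """Parse the kernel's CPU-list syntax ('0,4' or '0-3,8-11') into a sorted list."""
    cpus = set()
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.update(range(int(lo), int(hi) + 1))
        else:
            cpus.add(int(part))
    return sorted(cpus)


def sibling_groups(siblings_by_cpu):
    """Return each physical core as a tuple of the logical CPUs it hosts,
    given {cpu_id: thread_siblings_list text}."""
    cores = {tuple(parse_cpu_list(text)) for text in siblings_by_cpu.values()}
    return sorted(cores)


def smt_active(siblings_by_cpu):
    """True if any core hosts more than one logical CPU."""
    return any(len(core) > 1 for core in sibling_groups(siblings_by_cpu))


def shared_cores(pinning, siblings_by_cpu):
    """Given {process_name: logical_cpu}, list the cores on which two or more
    distinct processes would run as SMT siblings, the co-residency a TLB
    side channel between hyperthreads needs."""
    core_of = {cpu: core for core in sibling_groups(siblings_by_cpu) for cpu in core}
    on_core = defaultdict(set)
    for name, cpu in pinning.items():
        on_core[core_of[cpu]].add(name)
    return [(core, sorted(names))
            for core, names in sorted(on_core.items()) if len(names) > 1]


def read_live_topology(sysfs="/sys/devices/system/cpu"):
    """Read the real topology from a Linux host; returns {} where sysfs is absent.
    Offline CPUs have no topology directory and are skipped."""
    topology = {}
    try:
        entries = os.listdir(sysfs)
    except OSError:
        return {}
    for entry in entries:
        m = re.fullmatch(r"cpu(\d+)", entry)
        if not m:
            continue
        path = os.path.join(sysfs, entry, "topology", "thread_siblings_list")
        try:
            with open(path) as fh:
                topology[int(m.group(1))] = fh.read()
        except OSError:
            continue
    return topology


if __name__ == "__main__":
    for label, topo in (("constructed SMT on", SMT_ON),
                        ("constructed SMT off", SMT_OFF),
                        ("this host", read_live_topology())):
        if not topo:
            print(f"{label}: topology not available")
            continue
        print(f"{label}: SMT active={smt_active(topo)} cores={sibling_groups(topo)}")
    # Pin a victim and an attacker to sibling threads: the layout TLBleed relies on.
    print(shared_cores({"victim": 0, "attacker": 4, "other": 1}, SMT_ON))
```

On a Linux host with kernel 4.19 or later the same switch OpenBSD flipped is exposed as /sys/devices/system/cpu/smt/control (write "off" to disable sibling threads); on OpenBSD 6.4 and later it is the hw.smt sysctl. The shared_cores() check is the policy Williams says schedulers lack: with SMT left on, any placement that lets two mutually distrusting processes share a core is a TLBleed exposure, whichever of them is pinned by hand and whichever the scheduler placed.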

Williams said the TLBleed vulnerability was likely to be easier to exploit than the Spectre variants. He was referring to one of the two speculative-execution vulnerabilities disclosed in January, the other being known as Meltdown.

"But from where I sit it's more evidence that we need to rethink our secure architecture design patterns. How we provision applications, VDI, and multi-tenant hypervisors needs to change," he added.

"I'm not jumping on a bandwagon either. I said the same thing in January when Meltdown and Spectre were released. The advice is just as sound now as it was then. Sure, apply patches when available, but this is about so much more than patching."

An Intel spokesperson told iTWire in an unsolicited comment: "Protecting our customers and their data continues to be a critical priority for us. We are looking into this feedback and thank the community for their ongoing efforts." (Intel has since published an update.)




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
