Monday, 25 June 2018 06:23

Ex-NSA hacker says new Intel bug will need 'ton of work' to fix

By Sam Varghese
Jake Williams: "...it's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE." Supplied

A security researcher says a fix for a new vulnerability in Intel processors is likely to require changes to the core operating system and would probably need "a ton of work to mitigate (mostly app recompile)".

Former NSA hacker Jake Williams said on Twitter: "Hyperthreading is THE main reason Intel won the processor war over AMD. Pretending that OS developers are the problem is ridiculous. I remember people talking about theoretical attacks on hyperthreading from its introduction."

The flaw, which has been dubbed TLBleed by the researchers who discovered it, has been played down by Intel with the company unwilling to even obtain a Common Vulnerabilities and Exposures number. The CVE system, a catalogue of known security threats sponsored by the US Department of Homeland Security, provides a reference method for publicly known vulnerabilities and exposures.

Details of TLBleed were leaked to the British tech website, The Register, on Friday; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs. The name TLBleed comes from the fact that the flaw targets the translation lookaside buffer, a CPU cache.

Intel also refused to pay a bug bounty to the team that found the flaw, with one researcher, Ben Gras, commenting: "The HackerOne bug bounty program run by Intel has side channels in scope. However, Intel has dismissed our report as it does not demonstrate a side-channel attack against its ‘constant time’ — its side-channel hardened — cryptographic primitives."

The researchers, from the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, had earlier shared the paper on their findings with the OpenBSD project, which produces a highly secure UNIX-like operating system; the project took the step of disabling hyperthreading, through which TLBleed can be exploited.

With the paper due to be presented at the Black Hat USA 2018 conference in August, OpenBSD leader Theo de Raadt told iTWire that he could not be more specific about the nature of the vulnerability that had led to the disabling of hyper-threading.

Williams, a former member of the NSA's elite Tailored Access Operations unit who now runs his own security company, Rendition Infosec, said: "First, it's ridiculous that this isn't eligible for a bug bounty. It's insane that Intel thinks it doesn't deserve a CVE.

"Second, it's hard to imagine that Intel won't make changes to their processors to fix this. TLB management has subtle nuances depending on the architecture. Even if Intel's answer to TLBleed is 'recompile' it's not clear how quickly compiler authors can work out the nuances to make the code safe across different processor models."

He said Intel had assured OS developers that hyper-threading was safe, "so they programmed to that spec. Nothing in the Intel programming docs says 'don't hyperthread different processes on the same core'. Wholesale changes will need to be made to scheduler subsystems."

Williams said the TLBleed vulnerability was likely to be easier to exploit than Spectre variants. He was referring to one of two vulnerabilities disclosed by Intel in January, the other being known as Meltdown.

"But from where I sit it's more evidence that we need to rethink our secure architecture design patterns. How we provision applications, VDI, and multi-tenant hypervisors needs to change," he added.

"I'm not jumping on a bandwagon either. I said the same thing in January when Meltdown and Spectre were released. The advice is just as sound now as it was then. Sure, apply patches when available, but this is about so much more than patching."

An Intel spokesperson told iTWire in an unsolicited comment: "Protecting our customers and their data continues to be a critical priority for us. We are looking into this feedback and thank the community for their ongoing efforts." (Intel update is here.)


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
