'Crosstalk' info leak flaw bridges Intel processor cores

Security researchers have expanded on existing unfixed Intel processor design flaws and discovered a novel way to leak sensitive information across cores.

Researchers at security vendor VUsec inspected the behaviour of complex x86 instructions and found an undocumented staging buffer or memory area in Intel processors that is shared between all cores, and which contained sensitive data.

By using microarchitectural "Fallout" data sampling attacks, the researchers were able to glean data from applications runniing in Intel's Software Guard Extension secure enclaves such as private digital signature keys.

This is the first time cross-core speculative execution attacks have been made possible, and they do not rely on symmetrical multithreading (SMT), also known as HyperThreading, being enabled.

Apart from high-end servers and the very latest CPUs, most other processors from Intel are likely to be vulnerable to the CrossTalk vulnerability.

Intel refers to the vulnerability as Special Register Buffer Data Sampling (SRBDS) and has released a microcode update to software vendors that mitigates against it.

This is done by locking the memory buffer before updating the staging buffer, and only releasing after the content of the memory has been cleared, VUsec said.

Locking the system memory bus like this carries considerable performance overhead, however.

Due to this, Intel decided to only apply the mitigation to specific, security-criticial instructions, leaving others that issue off-core requests vulnerable to leaking.

VUsec has worked on the vulnerability for almost two years.

It was first reported to Intel as a same-core leak flaw in September 2018, but as VUsec developed the attack further, the security vendor told Intel that it was possible to do the same across all processor cores in July 2019.

The root cause of the flaw is Intel not properly fixing the existing microarchitecture data sampling vulnerability in its processor design, and instead playing "whack-a-mole" with its symptoms, VUsec said.