New Side-Channel Attacks Impacting Modern CPUs: Collide+Power, Downfall, and Inception
August 9, 2023
Cybersecurity researchers have unveiled three new side-channel attacks that could potentially compromise modern Central Processing Units (CPUs) and leak sensitive information. The attacks, named Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), follow the discovery of a fresh security vulnerability affecting AMD's Zen 2 architecture-based processors, known as Zenbleed (CVE-2023-20593).
Daniel Moghimi, a senior research scientist at Google, explained that Downfall attacks exploit a critical weakness present in billions of modern processors used in personal and cloud computers. This vulnerability allows a user to access and steal data from other users sharing the same computer. In a potential attack scenario, a malicious app installed on a device could employ this method to steal sensitive data such as passwords and encryption keys, effectively bypassing Intel's Software Guard eXtensions (SGX) protections.
The issue originates in memory optimization features that Intel implemented in its processors, particularly those supporting the AVX2 and AVX-512 instruction sets, which allow untrusted software to circumvent isolation boundaries and read data belonging to other programs. The leak is achieved through two transient execution attack techniques, Gather Data Sampling (GDS) and Gather Value Injection (GVI); the latter combines GDS with Load Value Injection (LVI).
Intel has categorized Downfall (also known as GDS) as a medium severity flaw that could lead to information disclosure. The company is releasing a microcode update to address the issue, although it may result in a 50% performance reduction.
In related news, the chipmaker is also working to fix a number of flaws, including a privilege escalation bug in the BIOS firmware for some Intel(R) Processors (CVE-2022-44611) that arises from improper input validation. A remote attacker within Bluetooth proximity to the victim device can corrupt BIOS memory by sending malformed Human Interface Device Report structures, according to Jeremy Boone, a security researcher at NCC Group.
Alongside this is Inception, a transient execution attack that leaks arbitrary kernel memory on all AMD Zen CPUs, including the latest Zen 4 processors. Inception manipulates the transient control flow of return instructions, combining Phantom speculation (CVE-2022-23825) with Training in Transient Execution (TTE) to achieve information disclosure comparable to branch-prediction-based attacks such as Spectre-V2 and Retbleed. AMD has provided microcode patches and other mitigations; it states that the vulnerability is only potentially exploitable locally, for example via downloaded malware, and recommends that customers follow security best practices, including running up-to-date software and malware detection tools.
The final side-channel attack, Collide+Power, is an unusual software-based method that could leak arbitrary data across programs and from any security domain. The problem arises because shared CPU components, such as the internal memory system, combine attacker-controlled data with data from any other application, producing a combined leakage signal in the CPU's power consumption. Mitigations must be deployed at the hardware level to prevent the exploited data collisions, or at the software or hardware level to prevent an attacker from observing the power-related signal.
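For defenders, the practical question behind the Intel and AMD microcode updates above is whether a given Linux host actually reports them as applied. The script below is an added example, not code from the article or from either vendor: it summarises the kernel's sysfs status files for Downfall (gather_data_sampling) and Inception (spec_rstack_overflow). The file names and value strings are assumed from the kernel's admin documentation, and the sample directory is constructed so the script runs anywhere; point check_all at /sys/devices/system/cpu/vulnerabilities to audit a real host.

```shell
#!/bin/sh
# Added example (not from the article): classify the kernel's reported
# mitigation status for Downfall (GDS) and Inception (SRSO).

# classify_status STRING -> prints: unaffected | ok | vulnerable | unknown
# The prefixes are assumed from the kernel's vulnerability sysfs strings.
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_file DIR NAME LABEL -> prints "LABEL: class (raw text)"
report_file() {
    file="$1/$2"
    if [ -r "$file" ]; then
        raw=$(cat "$file")
    else
        raw="file not present (older kernel, or not an x86 host)"
    fi
    printf '%s: %s (%s)\n' "$3" "$(classify_status "$raw")" "$raw"
}

# check_all DIR -> one line per issue; returns 1 if anything is vulnerable
check_all() {
    rc=0
    for pair in "gather_data_sampling|Downfall (CVE-2022-40982)" \
                "spec_rstack_overflow|Inception (CVE-2023-20569)"; do
        name=${pair%%|*}; label=${pair#*|}
        line=$(report_file "$1" "$name" "$label")
        echo "$line"
        case "$line" in *": vulnerable ("*) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample host: Downfall microcode applied, SRSO microcode missing.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: Microcode" > "$d/gather_data_sampling"
    echo "Vulnerable: Safe RET, no microcode" > "$d/spec_rstack_overflow"
    echo "$d"
}

# Demo run on the constructed sample; use the real sysfs path on a live host.
check_all "$(make_sample_dir)" || echo "at least one issue is unmitigated"
```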