After Spectre and Meltdown, a vulnerability in processors is once again shaking users' data security. »ÆPIC« is one of the first CPU security vulnerabilities that reads sensitive data directly from a cache. Intel is providing important updates for affected devices starting today.
»At first, we couldn't believe what we discovered,« says Dr. Michael Schwarz. The faculty researcher at the CISPA Helmholtz Centre for Information Security, together with an international research team, has once again found a processor security vulnerability. It is forcing manufacturer Intel to act quickly. »If we previously suspected the biggest security problems in the internal, barely documented implementation (microarchitecture) of the processors, it now turns out that very similar sources of error can also be found at the well-documented architecture level of the processors.«
The new vulnerability has been named »ÆPIC« because hackers exploit it via a function of the so-called APIC (Advanced Programmable Interrupt Controller). APIC is a control element in processors that has been used for decades. Its main task in processors with multiple cores is to regulate which core must interrupt its computing processes if a new request – for example, from a user input – comes in. The processor can communicate with the APIC to configure it and request information. Here, communication between the processor and the APIC takes place via the so-called superqueue. It is a buffer that is also used for transferring data from the main memory (RAM) via certain data caches to the processor. In contrast to the transfer of data from the main memory, however, only a small part of the superqueue is used for communication with the APIC.
»We discovered that when APIC puts information into the superqueue, it does not delete all the older data in the superqueue as we thought. The information only overwrites a small part of the data. Older data remains and the CPU can access it without proper authorization,« Schwarz explains. Particularly problematic is that this also applies to highly sensitive data stored in specially protected memory areas. »We were also able to obtain Intel's cryptographic keys, which are needed to access these protected areas, along the way,« the researcher explains.
All current Sunny Cove-based Intel CPUs, such as Ice Lake and Alder Lake, launched between 2019 and 2021, are proven to be affected. »It is possible that this gap also exists in other processors, but we were not able to test all of them.« Processor manufacturer Intel has responded to the recent data leak by releasing important updates that users should install as soon as possible.
In the past, Dr. Michael Schwarz was involved in the discovery of the Meltdown, Spectre, LVI and Zombieload processor vulnerabilities, among others. While Meltdown could be fixed on the hardware side, Spectre vulnerabilities still keep researchers and manufacturers on their toes. »Exploiting these vulnerabilities, however, usually requires some know-how and is complex because data can only be stolen through so-called side channels. Side channels refer to information that the processor involuntarily reveals during processing, such as electromagnetic radiation, heat generation or processing times. This information then allows conclusions to be drawn about data. Exploiting ÆPIC is far less complex. We are very surprised that no one has noticed this before,« says Michael Schwarz. In addition to Pietro Borrello from Sapienza University of Rome, Andreas Kogler, Daniel Gruss and Martin Schwarzl from Graz University of Technology and Moritz Lipp from Amazon Web Services were involved in the discovery of ÆPIC.
The researchers cannot say whether and to what extent the vulnerability has been exploited so far. Together with his colleagues, Schwarz intends to continue systematically examining the architecture of processors in the future for vulnerabilities that show parallels to already known software-side gaps.