Intel Processors Vulnerable to New Data Theft Method

Security researchers from Tsinghua University and the University of Maryland have discovered a new side-channel attack that affects several generations of Intel processors. The attack exploits transient execution, allowing an attacker to extract confidential data from user memory space by timing analysis. Unlike many other side-channel attacks, this new attack vector does not rely on the cache.

The attack exploits the EFLAGS register, a CPU register that holds various flags reflecting the state of the processor. The JCC instruction, a CPU instruction that performs a conditional branch based on the contents of the EFLAGS register, is also involved. The attack works by triggering transient execution, encoding confidential data through the EFLAGS register, and then measuring the execution time of the JCC instruction to decode that data.

Experimental results show that the attack achieved 100% data extraction on Intel i7-6700 and i7-7700 processors, and in some cases on the newer Intel i9-10980XE. However, the researchers note that the attack is not as reliable as cache-based side-channel attacks. To achieve the best results on newer processors, the attack would have to be repeated thousands of times.

The researchers suggest non-trivial countermeasures, such as changing the implementation of the JCC instruction or rewriting EFLAGS after transient execution to reduce its influence on JCC instructions. These measures can prevent malicious exploitation and mitigate the effects of the new attack vector on vulnerable Intel processors.
