39 hardware vulnerabilities: A guide to the threats
Hertzbleed, however, shows that frequency scaling generates timing differences in computations and these can be observed even remotely without any power measurement interface. The novelty is that Hertzbleed works even against so-called constant time cryptographic implementations that were intentionally designed to prevent leaking information through timing analysis.
The researchers used Hertzbleed to implement a novel chosen-ciphertext attack against SIKE (Supersingular Isogeny Key Encapsulation), a post-quantum key encapsulation mechanism that was also a NIST competition finalist and is implemented in constant time. The team was able to perform a full key extraction via remote timing.
Intel published guidance for developers of cryptographic libraries to mitigate Hertzbleed using software countermeasures. Another possible mitigation is to disable “Turbo Boost” at runtime on the system, but this has a significant system-wide performance impact.
SQUIP (CVE-2021-46778)
SQUIP is a side-channel attack and vulnerability impacting AMD CPUs that was disclosed in August 2022. The attack was devised by researchers from Lamarr Security Research, Graz University of Technology, and Georgia Institute of Technology, and it exploits the scheduler queues that CPUs use during simultaneous multithreading (SMT) to schedule instructions for execution. By measuring the contention level on scheduler queues, an attacker may potentially leak sensitive information, AMD said.
Zenbleed (CVE-2023-20593)
Zenbleed is a vulnerability patched in July 2013 in the Zen 2 family of AMD CPUs. The flaw was found by security researchers from Google and is described as a use-after-free memory vulnerability, but for CPUs. It’s caused by incorrectly implemented speculative execution of the SIMD Zeroupper instruction and can allow attackers to leak stale data from physical hardware registers. Such data can include sensitive information such as passwords or encryption keys.
Downfall (CVE-2022-40982)
Downfall, technically called Gather Data Sampling (GDS) by Intel, is a transient execution vulnerability disclosed in August 2023 that impacts multiple generations of Intel CPUs. Found by security researchers from Google, the flaw is similar to Zenbleed in that it allows attackers to leak sensitive data belonging to other processes and users sharing the same CPU core because stale data stored in physical hardware registers as a result of speculative execution is forwarded to subsequent instructions. The data can be extracted using techniques similar to those used by Meltdown. The flaw also impacts the security of Intel’s Software Guard Extensions (SGX) security subsystem.
Reptar (CVE-2023-23583)
Reptar is a third CPU vulnerability found by Google security researchers last year and was patched in November 2023. It impacts Intel CPUs that support a new feature called fast short repeat move (FSRM) and can result in privilege escalation. The flaw is caused by the CPU microcode not ignoring redundant instruction prefixes when FSRM is active and interpreting them in weird ways.
Inception (CVE-2023-20569)
Inception is a vulnerability in AMD CPUs found by researchers from ETH Zurich, disclosed in August 2023, that can lead to sensitive information disclosure. Inception is a new type of speculative execution attack that hijacks the transient control flow of return instructions and allows attackers to insert new predictions into the CPU branch predictor at an attacker-controlled address register.
SLAM
Spectre based on Linear Address Masking (SLAM) is a proof-of-concept attack technique devised by researchers from Vrije Universiteit Amsterdam that shows how previously unexplored Spectre gadgets could be exploited on upcoming AMD, Intel, and ARM CPUs that implement linear address masking, a new security feature planned by CPU vendors: Intel’s Linear Address Masking (LAM), AMD’s Upper Address Ignore (UAI), and ARM’s Top Byte Ignore (TBI). SLAM is notable for being the first speculative execution attack targeting CPU features that were announced but not yet released.
GhostRace (CVE-2024-2193)
GhostRace is a new type of CPU attack disclosed in March 2024 by researchers from Vrije Universiteit Amsterdam that takes advantage of race conditions on speculatively executed code paths. The research shows that synchronization primitives implemented using conditional branches at the OS level can be bypassed on speculative paths using a Spectre v1 attack, potentially allowing for information leaks from targeted software.
TikTag
TikTag is an attack that leverages speculative execution to bypass a new security feature in ARM CPUs called the Arm Memory Tagging Extension (MTE). This feature, when used by operating systems, makes it harder to exploit out-of-bounds memory violations such as buffer overflows that can lead to arbitrary code execution. The TikTag attack was developed by a team of researchers from Seoul National University, Samsung Research and Georgia Institute of Technology and was described in a research paper in June 2024. Separately, researchers from Vrije Universiteit Amsterdam had already shown that MTE is vulnerable to speculative execution probing with an attack they dubbed Spectre-MTE and proposed a mitigation called StickyTags.
Indirector
Indirector is a new speculative execution attack that is a variation of Spectre v2 and was disclosed in July 2024. The attack, developed by researchers from the University of California San Diego, exploits the indirect branch predictor (IBP) and the branch target buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake) to perform precise branch target injections and leak sensitive data across processes and privilege levels.
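For the transient-execution flaws above, the first thing a defender wants to know is whether a given Linux host reports them as mitigated. The kernel publishes a status line per flaw under /sys/devices/system/cpu/vulnerabilities; Downfall is exposed there as gather_data_sampling and Inception (AMD's SRSO) as spec_rstack_overflow. The script below is an added example, not code from the article or from any vendor; the sysfs file names are the kernel's, the mapping to the article's names and the sample status lines are constructed here.

```python
import os

# Kernel sysfs directory where Linux reports per-vulnerability status.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Article name -> kernel sysfs entry (mapping is ours). Spectre v1/v2 are
# listed because GhostRace and Indirector build on those primitives.
ENTRY_FOR = {
    "Downfall (GDS)": "gather_data_sampling",
    "Inception (SRSO)": "spec_rstack_overflow",
    "Spectre v1 (GhostRace primitive)": "spectre_v1",
    "Spectre v2 (Indirector primitive)": "spectre_v2",
}

def classify(status):
    """Reduce a kernel status line to not_affected / mitigated / vulnerable /
    unknown. Real lines look like 'Not affected', 'Mitigation: Microcode' or
    'Vulnerable: No microcode'; anything else (including a missing file on an
    older kernel that predates the flaw) is reported as unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_sysfs(vuln_dir=SYSFS_VULN_DIR):
    """Read every file in the sysfs directory into {entry: status line};
    returns an empty dict on non-Linux hosts or kernels without the directory."""
    out = {}
    if not os.path.isdir(vuln_dir):
        return out
    for name in os.listdir(vuln_dir):
        with open(os.path.join(vuln_dir, name)) as f:
            out[name] = f.read()
    return out

def report(statuses):
    """Map each article vulnerability to its classified status."""
    return {label: classify(statuses.get(entry, "")) for label, entry in ENTRY_FOR.items()}

# Constructed sample of what a host might report (not real output):
# Downfall unpatched, Inception mitigated, no spectre_v2 file at all.
SAMPLE = {
    "gather_data_sampling": "Vulnerable: No microcode\n",
    "spec_rstack_overflow": "Mitigation: Safe RET\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
}

if __name__ == "__main__":
    # Live sysfs when available, otherwise the constructed sample.
    for label, state in report(read_sysfs() or SAMPLE).items():
        print(f"{label:36} {state}")
```

Anything reported as vulnerable or unknown is worth cross-checking against the vendor's microcode advisory for that CPU model, since an older kernel may simply not know about the flaw.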
DRAM memory attacks
- Rowhammer
- Rowhammer.js
- Drammer
- Flip Feng Shui
- ECCploit
- Throwhammer
- RAMBleed
Rowhammer
Rowhammer is a physical effect with security implications that occurs inside SDRAM chips when the same physical row of memory cells is read a large number of times in rapid succession — an action dubbed hammering. This can cause electric charges from cells in the hammered row to leak into adjacent rows, modifying the value of the cells in those rows. This is known as bit flipping and is possible because of the increased cell density of modern SDRAM chips, particularly DDR3 and DDR4.
While the Rowhammer effect has been known or documented for a long time, members of Google’s Project Zero team were the first to prove it can have security implications in March 2015 when they revealed two privilege escalation exploits based on it.
Rowhammer.js
Rowhammer.js was an implementation of the Rowhammer attack via JavaScript, proving that this flaw can be exploited remotely through the browser, simply by visiting a malicious web page. Browser vendors have added mitigations against this exploit.
Drammer (CVE-2016-6728)
Drammer is a Rowhammer-type exploit demonstrated in 2016 against Android devices. Until then the memory chips in mobile devices were thought to be unaffected.
Flip Feng Shui
An implementation of the Rowhammer attack against virtual machines, where a malicious guest VM can flip bits in the physical memory affecting a different virtual machine in a controlled manner. The researchers demonstrated this by breaking the OpenSSH public key authentication in the target VM.
ECCploit
ECCploit is an attack that demonstrates that Rowhammer-type attacks can work even against SDRAM chips that have error-correcting code (ECC) capabilities. This type of memory, which is typically used in servers, was thought to be immune to Rowhammer.
Throwhammer
A Rowhammer attack that can be exploited over a network by leveraging the remote direct memory access (RDMA) feature present in fast network cards like those used in servers.
RAMBleed
RAMBleed is the first attack that has shown it is possible to use the Rowhammer effect to steal data from memory cells instead of simply modifying them. Previous Rowhammer attacks compromised memory integrity through bit flips, which could lead to privilege escalation and other conditions. RAMBleed, by contrast, uses row hammering together with a side channel to infer information about, and ultimately extract data from, adjacent memory cells. In that respect it is similar to the effects of Meltdown and Spectre.
Editor’s note: This article, originally published in July 2019 and amended in August 2022, has been updated to include new vulnerabilities as they come to light.