Intel accused of hiding Downfall vulnerability

Since the first examples of vulnerabilities that exploit side-channel attacks in processors (think of the historic Spectre and Meltdown), security researchers have literally competed to identify similar problems. These have proved a real thorn in the side, not only for Intel but also for its direct competitors.

Among the security flaws that have caused the most discussion recently, there is certainly the one known as Downfall. This is a microarchitectural flaw involving the AVX SIMD Gather instruction, and it can be exploited to read data from memory during speculative execution. Speculative execution is a mode in which the CPU cores anticipate the operations that an application is most likely to carry out after a branch in the program code (think of constructs such as if or while…). This approach aims to improve performance, but it can present risks when an attacker tries to observe the behavior of the CPU at a low level.

During the speculative execution phase, in fact, the CPU could access personal and confidential data, such as security information or cryptographic keys, to anticipate the outcome of an operation. Changes in CPU state can affect things like the cache or registers, creating a “side channel” through which an attacker can infer useful information. In another article we clarified the meaning of CPU and what happens when you run any program.

Intel called into question for Downfall: the accusation is of not having taken action in time to resolve the vulnerability

A group of users has started a legal dispute against Intel, claiming that the company led by Pat Gelsinger did not properly take action to correct the problems underlying the Downfall attack. The complaint alleges that Intel had been aware of vulnerabilities in its AVX (Advanced Vector Extensions) instruction set since 2018 but did not correct the reported flaw until 2023, when the Downfall flaw actually surfaced.

Again according to the complaint presented by the promoters of the dispute, which aspires to become a class action, Intel would then have delivered to partner companies and end users a patch that slows down system performance by up to 50%. In the meantime, “Between 2018 and 2023, Intel reportedly sold billions of insecure chips”, we read in the formal complaint.

In 2018, when Intel was addressing the Spectre and Meltdown vulnerabilities, the same company reportedly received two separate vulnerability reports highlighting how the AVX instruction set was vulnerable to a very similar side-channel attack.

For three generations of processors, Intel allegedly did not patch the vulnerabilities underlying Downfall

The plaintiffs believe that Intel should have protected AVX as early as 2018, after the reports received from researchers. Of course, this would have been a major undertaking, as the Santa Clara company would have had to “redesign” its chips at the hardware level to mitigate speculative execution vulnerabilities. Intel, however, for three consecutive generations did not review the design of its processors to ensure the security of AVX instructions during speculative execution.

Bugs can certainly exist at both the hardware and software levels, but they must be taken into consideration by the respective vendors and corrected, where actually necessary, as quickly as possible. The lawsuit filed against Gelsinger’s company is somewhat historic because it aims to demonstrate potentially passive behavior on the part of Intel.
