TU Graz releases “Pick Leak” and “Squid”
International computer security research teams, led by Daniel Grass, a researcher at the University of Graz, have published two new options for hardware attacks on computer systems.
Secure software depends on reliable, bug-free hardware. Hardware vulnerabilities are attracting more and more attention from attackers and developers. The discovery of the Meltdown and Specter side-channel attacks in 2018 by researchers at TU Graz also contributed to this. Since then, researchers – including at TU Graz – have explored new attack methods, Take advantage of computer hardware vulnerabilities. The team, led by Daniel Grus of the Institute for Applied Information Processing and Communication Technologies, is currently releasing two more vulnerabilities: Epic Leak and Squid.
Pickup Leak: No side channel required
Roman researcher Pietro Borello came across a new attack variant in the fall of 2021 during a research stay in the team of IT security specialist Daniel Grass at the Graz University of Technology. “As all possible attacks were explored, we first reported the issue to the manufacturer, in this case to Intel, and gave them time to provide a fix,” says Daniel Grus. That time has now expired in coordination with Intel, and researchers are now releasing details of the attack in what’s called a “selection leak.”
Epic Leak (Architectural Leaking Uninitialized Data from Microarchitecture) is the first attack that does not use any side channel information Can read data directly from the main processor microarchitecture (CPU, central processing unit). The attack uses a hardware vulnerability to directly read data that has not yet been overwritten in the CPU’s internal memory. This includes sensitive data in the SGX enclave (Intel Software Guard eXtensions, a specially protected area on the processor that treats sensitive data securely and separately from the rest of the system), which actually protects the system against attacks such as malware. makes.
Processors based on the “Sunny Cove” microarchitecture and others from the manufacturer Intel are affected by the vulnerability. Intel has already worked out the necessary improvements and released them today for servers – for client applications, SGX is now completely phased out. New processors should have built-in solutions – but, according to the researchers: “We know that a common solution to such architecture-based vulnerabilities is an open research topic that needs to be resolved first.” As the researchers show later in their publication, Hardware vulnerabilities follow the same pattern as software vulnerabilities. However, unlike the software side, troubleshooting and preventing hardware errors is still in its infancy.
However, since image leaks can only be done at a very high security level – admin or root – most systems are protected. Epic Leaks will be presented this week at the prestigious USENIX Security Symposium in Boston and BlackHat in Las Vegas.
Architectural leak of uninitialized microarchitecture data. Pietro Borello (Sapiens University of Rome), Andreas Kogler (TU Graz), Martin Schwarzl (TU Graz), Moritz Lipp (Amazon Web Services), Daniel Grass (TU Graz) and Michael Schwarz (CISPA Helmholtz Center for Information Security). USENIX Security Symposium 2022.
SQUIP: another side channel attack
In the same breath, another research team led by Daniel Grus also published a recently discovered attack: SQUIP (Scheduler Queue Convention Side Channel Exploitation). This is again a side-channel attack that does not directly attack data, but draws inferences about information from observations of temporal relationships. For the first time, SQUIP uses scheduling queues, that is to say a chronological order and an organization of the calculation steps. These parts of the system are not yet attacked because they offer no advantage over other attacks with more widespread chips from manufacturer Intel – but they do offer the same with similar large manufacturers AMD, and partly Apple. Eh. “Our attack exploits the limited capacity of the scheduler queue for multiplication. If it is full, the processor still has to wait until the space becomes free. We measure these wait times and draw conclusions about the program schedule. Let’s use them to extract,” says Stephen Gast.
Exploitation of the channel on the contention side of the scheduler queue. Stefan Gast (Lamar Security Research, TU Graz), Jonas Zafinger (Lamar Security Research, TU Graz), Martin Schwarz (TU Graz), Gururaj Saileshwar (Georgia Institute of Technology), Andreas Kogler (TU Graz), Simone Franza (TU Graz ) ) ), Marcus Kostel (TU Graz) and Daniele Gras (TU Graz).