Cyber security researchers from Bitdefenders and academic universities found a new security vulnerability in Intel Microprocessors as named LVI attack.
Load value injection (LVI) is an attack on Intel microprocessors that can be used to attack Intel’s SGX technology. It is a development of the previously known Meltdown security vulnerability. Unlike Meltdown, which can only read hidden data, LVI can inject data values, and is resistant to the countermeasures so far used to mitigate the Meltdown vulnerability.
What is Intel SGX?
Intel Software Guard eXtensions (SGX) is an innovative processor technology released in 2015 to create isolated environments in the computer’s memory, so-called enclaves. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).
In theory, any processor affected by Meltdown may be vulnerable to LVI, but as of March 2020, LVI is only known to affect Intel microprocessors. Intel has published a guide to mitigating the vulnerability by using compiler technology, requiring existing software to be recompiled to add LFENCE instructions at every potentially vulnerable point in the code. However, this mitigation appears likely to result in substantial performance reductions in the recompiled code.
Load Value Injection (LVI) in 4 simple steps
- Poison a hidden processor buffer with attacker values.
- Induce a faulting or assisted load in the victim program.
- The attacker’s value is transiently injected into code gadgets following the faulting load in the victim program.
- Side channels may leave secret-dependent traces, before the processor detects the mistake and rolls back all operations.
“LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations. Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — “inject” — the attacker’s data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords.”
Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory. Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times.
Responsible Disclosure and Impact
Security researchers responsibly disclosed Load Value Injection (LVI) to Intel on April 4, 2019. They also described the non-Intel-specific parts to ARM and IBM. To develop and deploy appropriate countermeasures, Intel insisted on a long embargo period for LVI, namely, until March 10, 2020 (CVE-2020-0551, Intel-SA-00334).