32 hardware and firmware vulnerabilities: A guide to the threats

In January 2018, the entire computer industry was put on alert by two new processor vulnerabilities dubbed Meltdown and Spectre that defeated the fundamental OS security boundaries separating kernel and user space memory. The flaws stemmed from a performance feature of modern CPUs known as speculative execution and mitigating them required one of the biggest patch coordination efforts in history, involving CPU makers, device manufacturers and operating system vendors.

Meltdown and Spectre were certainly not the first vulnerabilities to result from a hardware design decision, but their widespread impact sparked the interest of the security research community into such flaws. Since then, many researchers, both from academia and the private sector, have been studying the low-level operation of CPUs and other hardware components and have been uncovering more and more issues.

Some hardware vulnerabilities are impossible to mitigate completely without releasing a new generation of components, while others can be fixed in firmware, the low-level programming present in hardware chips. In either case, patching is not straightforward, so such flaws can continue to impact real world devices for a very long time.

Here is a list of hardware-related vulnerabilities, discovered both before and after Meltdown, that you should be aware of:

CPU side-channel attacks 

Spectre variant 1 - CVE-2017-5753

Also known as bounds check bypass, CVE-2017-5753 allows attackers to exploit the branch prediction feature of modern CPUs to extract information from the memory of other processes by using the CPU cache as a side channel. It allows one process to extract sensitive information from the memory of another process but could also bypass the user/kernel memory privilege boundary. The vulnerability affects Intel, IBM and a limited number of ARM CPUs.

Spectre variant 2 - CVE-2017-5715

Spectre variant 2 has the same impact as variant 1 but uses a different exploitation technique called branch target injection. Mitigating this variant of Spectre efficiently requires updates to the affected CPU microcode, which can be applied either through BIOS/UEFI updates or by the operating system at every reboot.

Meltdown variant 3 - CVE-2017-5754

Also known as Rogue Data Cache Load (RDCL) or variant 3 of the CPU speculative execution flaws, Meltdown is a vulnerability that leverages the out-of-order execution capabilities of modern Intel CPUs. It allows a user process to read protected kernel memory across security boundaries. The fix only requires operating system updates and involves enforcing stricter isolation of the kernel memory, which typically contains sensitive secrets, through mechanisms such as Linux's kernel page-table isolation (KPTI).

Meltdown-GP - CVE-2018-3640

A variant of Meltdown, or variant 3a, it uses speculative reads of system registers to achieve side-channel leaks of information. Because of this, it is also know Rogue System Register Read (RSRE). Mitigation requires microcode updates.

Meltdown-NM - CVE-2018-3665

A speculative execution flaw related to Meltdown that's also known as LazyFP and can be used to leak the state of the floating-point unit (FPU) -- a specialized math coprocessor present in Intel’s modern CPUs that's used to accelerate mathematical operations on floating point numbers. The FPU state can contain sensitive information from cryptographic operations. This vulnerability can be mitigated by enforcing "eager" instead of "lazy" FPU context switching at the operating system level.

Spectre-NG - CVE-2018-3639

Also known as Spectre variant 4, or Speculative Store Bypass (SSB), this is a Spectre variant that allows performing memory reads before prior memory write addresses are known and can be used to leak cross-process information. Mitigation requires both microcode and OS updates.

Spectre-PHT - CVE-2018-3693

Also known as Spectre 1.1, is a variant of Spectre that leverages speculative stores to create speculative buffer overflows. It allowed bypassing some of the previous software-based mitigations for Spectre and requires OS updates.

Meltdown-RW 

Also known as Spectre 1.2, is a variant that leverages speculative stores to overwrite read-only data and code pointers. This variant can be used to breach software sandboxes and is related Spectre 1.1. Mitigation required OS updates.

Foreshadow-OS - CVE-2018-3620

Also known as L1 Terminal Fault, Foreshadow is a speculative execution attack against Intel CPUs that allows extracting information from the processor's L1 data cache. This is particularly sensitive in the context of virtual machines which split the same physical CPU into multiple virtual CPUs, because those virtual CPUs use the same L1 cache. This variant allows attackers to extract information from the OS or SMM (system management mode), an alternate mode of CPU operation that is separate from the operating system and is designed to be used by BIOS/UEFI or low-level OEM code.

Foreshadow-VMM - CVE-2018-3646

A variant of Foreshadow that affects virtual machines and allows a guest operating system running inside a VM to potentially read sensitive memory from other guest VMs or the hypervisor itself.

Foreshadow-SGX - CVE-2018-3615

A variant of Foreshadow that allows attackers to read the memory of Intel Software Guard Extensions (SGX) enclaves. SGX is a trusted execution environment provided by some Intel CPUs that allows developers to store data and execute code securely, even if the operating system itself has been compromised.

Meltdown-PK and Meltdown-BND

Meltdown-PK (Protection Key Bypass) and Meltdown-BND (Bounds Check Bypass) are two variants of Meltdown presented in November 2018 by a team of academic researchers as part of a larger evaluation of transient execution attacks. Meltdown-PK affects Intel CPUs while Meltdown-BND affects both Intel and AMD.

Spectre-PHT-CA-OP, Spectre-PHT-CA-IP and Spectre-PHT-SA-OP

These are variants of Spectre that leverage the CPU's Pattern History Table (PHT). They were disclosed at the same time as Meltdown-PK and Meltdown-BND by the same team.

Spectre-BTB-SA-IP and Spectre-BTB-SA-OP 

These are variants of the Spectre attack that leverage the Branch Target Buffer (BTB). They were disclosed in November 2018 by the same team who found Meltdown-PK and Meltdown-BND. The team concluded at the time that "most defenses, including deployed ones, cannot fully mitigate all attack variants."

Fallout - CVE-2018-12126

Fallout, also known as microarchitectural store buffer data sampling (MSBDS), is a vulnerability whose effects are similar to Meltdown in that it can be used to leak sensitive secrets from protected memory regions across security boundaries. It is part of a new class of side-channel attacks against CPUs that Intel calls Microarchitectural Data Sampling (MDS). The flaw affects both operating systems and hypervisors and mitigation requires CPU microcode updates.

RIDL - CVE-2018-12127 and CVE-2018-12130

Another two variants of MDS attacks known as microarchitectural load port data sampling (MLPDS) and microarchitectural fill buffer data sampling (MFBDS). Like Fallout, mitigation requires CPU microcode updates.

Zombieload - CVE-2019-11091

A fourth variant of MDS attacks known as microarchitectural data sampling uncacheable memory (MDSUM). Like Fallout and RIDL, it can be used to leak sensitive kernel or hypervisor memory.

Starbleed

Starbleed is a design flaw in the bitstream encryption process of field-programmable gate arrays (FPGAs) made by Xilinx. Unlike CPUs, which come with a predetermined set of general purpose instructions that are fit for most computing tasks, FPGAs are integrated circuits whose logic is completely programmable by the customer. They're usually configured to perform one specific task better and more efficiently than general purpose CPUs and are widely used for mission- or safety-critical applications in sectors such as aerospace, finance and the military.

The configuration files loaded by customers onto FPGAs are called bitstreams and FPGA manufacturers like Xilinx, which controls around 50% of the FPGA market, have added encryption and bitstream validation mechanisms to allow customers to protect their intellectual property and other secrets their deployed FPGAs might contain. A team of researchers from the Horst Goertz Institute for IT Security at Ruhr University Bochum in Germany have found a design flaw in the bitstream security mechanism of Xilinx 7-Series and Virtex-6 FPGAs that can allow an attacker to decrypt bitstreams and even modify them.

"By our attack, we can circumvent the bitstream encryption and decrypt an assumedly secure bitstream on all Xilinx 7-Series devices completely and on the Virtex-6 devices partially," the researchers wrote in their paper, which will be presented at the 29th USENIX Security Symposium. "Additionally, we are also able to manipulate the bitstream by adjusting the HMAC. Out attack setting in general is the same one as commonly encountered in mainstream practice: The adversary only needs access to the configuration interface of a fielded FPGA. In this setting, the secret decryption key has already been loaded into the FPGA -- e.g., after device manufacturing, the key is stored in internal battery-backed RAM (BBRAM) or eFUSEs. As will be shown later, the adversary uses the FPGA with the stored key as an oracle to decrypt the bitstream."

To pull off the Starbleed attack, hackers need access to a hardware configuration interface on the FPGA which normally means they would need physical access to the device. However, some FPGAs are programmed and reprogrammed through separate microcontrollers, which can be connected to a network, in which case such an attack could be executed remotely.

The design flaw cannot be patched because it exists in the silicon, so it will be corrected in future generations of Xilinx FPGAs. The company has been notified of the vulnerability before the paper was published and has sent an advisory to customers.

DRAM memory Rowhammer attacks

Rowhammer

Rowhammer is a physical effect with security implications that occurs inside SDRAM chips when the same physical row of memory cells is read for a large number of times in rapid succession -- an action dubbed hammering. This can cause electric charges from cells in the hammered row to leak into adjacent rows, modifying the value of the cells in those rows. This is known as bit flipping and possible because of the increased cell density of modern SDRAM chips, particularly DDR3 and DDR4.

While the Rowhammer effect has been known or documented for a long time, members of Google's Project Zero team were the first to prove it can have security implications in March 2015 when they revealed two privilege escalation exploits based on it.

Rowhammer.js

Rowhammer.js was an implementation of the Rowhammer attack via JavaScript, proving that this flaw can be exploited remotely through the browser, simply by visiting a malicious web page. Browser vendors have added mitigations against this exploit.

Drammer - CVE-2016-6728

Drammer is a Rowhammer-type exploit demonstrated in 2016 against Android devices. Until then the memory chips in mobile devices were thought to be unaffected.

Flip Feng Shui

An implementation of the Rowhammer attack against virtual machines, where a malicious guest VM can flip bits in the physical memory affecting a different virtual machine in a controlled manner. The researchers demonstrated this by breaking the OpenSSH public key authentication in the target VM.

ECCploit 

ECCploit is an attack that demonstrates that Rowhammer-type attacks can work even against SDRAM chips that have error-correcting code (ECC) capabilities. This type of memory, which is typically used in servers, was thought to be immune to Rowhammer.

Throwhammer

A Rowhammer attack that can be exploited over a network by leveraging the remote direct memory access (RDMA) feature present in fast network cards like those used in servers.

RAMBleed

RAMBleed is the first attack that has shown it is possible to use the Rowhammer effect to steal data from memory cells instead of simply modifying it. Previous Rowhammer attacks compromised memory integrity through bit flips, which could lead to privilege escalation and other conditions. Meanwhile, RAMBleed uses row hammering and a side-channel in order to infer information about and ultimately extract data from adjacent memory cells. In that respect it is similar to the effects of Meltdown and Spectre.

Wide-impact firmware vulnerabilities 

BlueBorne 

A set of vulnerabilities announced in 2017 in the Bluetooth stack implementations of Linux, Android, Windows and macOS. It was estimated these vulnerabilities affected over 5 billion devices and while on computers it was easier to fix through OS updates, Bluetooth-enabled smart watches, TVs, medical devices, car infotainment systems, wearables and other internet-of-things devices required firmware updates. Researchers estimated one year later, in 2018, that over 2 billion devices remained exposed.

KRACK

KRACK, or the Key Reinstallation Attack, is an attack revealed in 2016 that exploited a weakness in the WPA2 wireless security standard, which is used to protect most wireless networks in use today. Because the weakness was in the standard itself, WPA2 implementations in all types of devices, including home routers and other IoT devices, were affected. Fixing the vulnerability required firmware updates, so many out-of-support devices remained vulnerable to this day.

BadUSB

An attack demonstrated in 2014 that allows reprogramming the microcontrollers in USB thumb drives in order to make them spoof other types of devices such as keyboards and used them to take control of computers or to exfiltrate data. Many USB thumb drives remain affected.

Thunderstrike and Thunderstrike 2  

Two attacks that exploited vulnerabilities in the firmware of Apple's Macbook devices in order to install firmware rootkits when malicious devices were connected to the Thunderbolt ports. Thunderstrike 2 also allowed compromising newly inserted Thunderbolt devices, creating the possibility of a worm.

Thunderclap

Another attack revealed this year that can execute privileged code on computers equipped with Thunderbolt ports.

ROCA

The Return of Coppersmith’s Attack (ROCA) is an attack against the Trusted Platform Modules (TPMs) and Secure Elements (SEs) produced by Infineon Technologies. These TPMs and SEs are used in tens of millions of business computers, servers, hardware authentication tokens and various types of smart cards, including national identity cards. The vulnerability allows the RSA keys generated with these components to be significantly more vulnerable to factorization -- attacks designed to recover keys. Researchers estimated the cost of recovering individual 2048-bit RSA keys generated by such devices to be around $20,000 and for 1024-bit RSA keys around $40.

Intel Management Engine 

The Intel Management Engine (ME) is a dedicated coprocessor and subsystem present in many Intel CPUs and is used for out-of-band management tasks. Intel ME runs its own lightweight operating system which is completely separate from the user-installed operating system, which is why it has often been described as a backdoor in the security community. Over the years there have been serious vulnerabilities found in Intel ME and fixing them requires installing firmware updates from computer manufacturers. This means many older, out-of-support systems are unlikely to receive such updates.