CrossTalk/SRBDS Shows Possibility Of Leaking Information Across Physical CPU Cores
This morning I noted CrossTalk / SRBDS as the newest side-channel vulnerability after Intel's monthly security advisories were sent out. It turns out Intel broke their own embargo on the disclosure and I happened to spot it quickly before they retracted it. In the hours since, the university researchers behind this CrossTalk vulnerability reached out and provided an embargoed copy of the whitepaper. Now that the formal disclosure time has passed, information on this new side-channel Intel CPU vulnerability is public. It shows for the first time that speculative execution can enable attackers to leak sensitive information across physical cores on Intel CPUs.
The university researchers discovered that this newest vulnerability bypasses the existing intra-core mitigations for the likes of Spectre and Meltdown, since it does not depend on the attacker and victim running on the same CPU core. So even with Hyper-Threading disabled and prior mitigations applied, Intel CPUs remain exposed to CrossTalk until new CPU microcode is installed. SRBDS is similar in nature to MDS (Microarchitectural Data Sampling) but with this important difference. The discovery was made by researchers at Vrije Universiteit Amsterdam (The Netherlands) and ETH Zurich (Switzerland).
This new transient execution vulnerability is referred to as Special Register Buffer Data Sampling (SRBDS). It concerns instructions that perform off-core accesses to shared buffers. Among the instructions vulnerable to SRBDS are RDRAND and RDSEED, which is particularly problematic because their output is relied upon for secure random number generation. The university researchers have a proof-of-concept implementation showing that the output of RDRAND/RDSEED can even be leaked from within Intel SGX enclaves on separate CPUs.
The affected CPUs found by researchers span from Intel Skylake through at least Coffee Lake. Intel Cascade Lake appears to be the first generation not vulnerable to cross-core attacks.
Mitigating CrossTalk involves locking the entire memory bus before updating the staging buffer and unlocking it only after the contents have been cleared. Because that carries a huge performance penalty, the current Intel CPU microcode mitigation only imposes this behavior around "security critical" instructions like RDRAND / RDSEED / EGETKEY, while other instructions that issue off-core requests may still have their data leaked across CPU cores. While there is proof-of-concept code, Intel for its part believes SRBDS is difficult to exploit in the real world.
An initial proof-of-concept implementation of this staging buffer leakage was made in September 2018, and RDRAND/RDSEED leakage was demonstrated in July 2019. Only now is Intel making this disclosure public, while rewarding the researchers via its bug bounty program. According to the researchers, this very long disclosure period was due to "the difficulty of implementing a fix for the cross-core vulnerabilities".
The paper and more details will be published on the CrossTalk vulnerability site now that the embargo has lifted. I am already running benchmarks internally on the mitigated microcode and will have those up soon, but given that Intel is only mitigating select instructions, the overall impact is likely to be small except for areas like RdRand performance. Stay tuned for benchmarks on Phoronix shortly.
UPDATE: Intel has now released updated CPU microcode for Linux spanning from Haswell to Coffee Lake for today's disclosure.