Security warning over Intel chip design flaw

Design flaw identified in Intel Haswell CPUs last year might be more widespread than first thought

A fundamental chip design flaw could leave PCs wide open to malware - and may also be hard to patch, according to the team of Dutch researchers who uncovered it.

An attack on the Memory Management Unit (MMU) of a microprocessor can exploit the locations used to store virtual memory and cache, and then deliver a payload to them.

The Dutch researchers have found a way for an attacker to establish a marker showing where they are within virtual memory; from there, all they need to do is exploit their way in through a software flaw (which are not exactly uncommon) and drop the malware.

In theory, memory layout should be randomised to guard against exactly this, a defence known as Address Space Layout Randomisation (ASLR), but because this technique waves a big flag showing which part of the randomised layout you are in, that entire line of defence is rendered useless.

The technique was first demonstrated with Intel Haswell chips last year, but the problem is bigger than first thought. It has also reared its head in Apple iOS code, but this is the first time it has been shown to be this easy.

Worse still, because it's on the chip, it's not platform dependent, and it can't be fixed with a software update. Of course, preventing sloppy coding and paying attention to fixes as they arise should help, but when push comes to shove, unless every piece of software is bug-free, a potential problem still remains.

And, if that were not enough, the whole thing can be done in a web browser with JavaScript.

"Bugs are everywhere, but ASLR is a mitigation that makes bugs hard to exploit," Ben Gras, a researcher at the Free University of Amsterdam, told Wired. "This technique makes bugs that weren't exploitable, exploitable again. In some sense, it takes us back to the 1990s in terms of security."

The vulnerability comes from a program listening to the speed of the cache and thus deducing which part has just been overwritten, like a stethoscope held to a safe.

At present, the team that built the proof of concept has not made it public, but has shared it with major chip manufacturers and hardware companies with a warning to get it fixed. However, they warn that there is enough information in what they have said so far for it to be reverse engineered.

Prevention techniques suggested in the meantime are just a sticking plaster, but there are JavaScript-blocking extensions for browsers, and browser makers could hypothetically block their software from monitoring MMU speeds.