
Hardware security bug

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by DIYeditor (talk | contribs) at 03:44, 2 June 2019 (Firmware: clarify). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In digital computing, hardware security bugs are hardware bugs or flaws that create vulnerabilities affecting computer central processing units (CPUs), or other devices which incorporate programmable processors or have direct memory access, and which allow data to be read by a rogue process when such reading is not authorized. Such vulnerabilities are considered "catastrophic" by security analysts.[1][2][3]

Speculative execution vulnerabilities

Starting in 2017, a series of security vulnerabilities was found in the implementations of speculative execution on common processor architectures, which effectively enabled an elevation of privileges.

These include:

Intel VISA

In 2019, researchers discovered that a manufacturer debugging mode, known as VISA, had an undocumented feature on Intel Platform Controller Hubs (chipsets) which made the mode accessible on a normal motherboard, possibly leading to a security vulnerability.[4]

Firmware

Several weaknesses have been found in the code for the Intel Management Engine (ME), which is a processor that operates independently and in the background on Intel motherboard chipsets. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug (SA-00075) in its Management Technology.[5] Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017, has a remotely exploitable security hole in the ME.[6][7] Several ways to disable the ME without authorization that could allow the ME's functions to be sabotaged have been found.[8][9][10] Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).[11] Unlike SA-00075, this bug is present even if AMT is absent or not provisioned, or if the ME was "disabled" by any of the known unofficial methods.[12] In July 2018, another set of vulnerabilities was disclosed (SA-00112).[13] In September 2018, yet another vulnerability was published (SA-00125).[14]

References

  1. Bruce Schneier (January 5, 2018). "Spectre and Meltdown Attacks Against Microprocessors – Schneier on Security". www.schneier.com. Retrieved February 4, 2019. Quote: "Spectre and Meltdown are pretty catastrophic vulnerabilities, ..."
  2. "This Week in Security: Internet Meltdown Over Spectre of CPU Bug". Cylance.com. January 5, 2018. Retrieved February 4, 2019. Quote: "The security implications of the Meltdown and Spectre vulnerabilities are indeed catastrophic for systems engineering."
  3. "Meltdown, Spectre: here's what you should know". Rudebaguette.com. January 8, 2018. Retrieved February 4, 2019. Quote [sic]: "The effects of these vulnerabilities are catastrophic: « at best, the vulnerability can be used by malwares and hackers to exploit other security linked bugs. At worse, the flaw can be used by softwares and authentified users to read the kernel's memory"
  4. Lucian Armasu. "Intel Chipsets' Undocumented Feature Can Help Hackers Steal Data". Tom's Hardware.
  5. "Intel® Product Security Center". Security-center.intel.com. Retrieved May 7, 2017.
  6. Charlie Demerjian (May 1, 2017). "Remote security exploit in all 2008+ Intel platforms". SemiAccurate. Retrieved May 7, 2017.
  7. "Red alert! Intel patches remote execution hole that's been hidden in chips since 2010". Theregister.co.uk. Retrieved May 7, 2017.
  8. Alaoui, Youness (October 19, 2017). "Deep dive into Intel Management Engine disablement".
  9. Alaoui, Youness (March 9, 2017). "Neutralizing the Intel Management Engine on Librem Laptops".
  10. "Positive Technologies Blog: Disabling Intel ME 11 via undocumented mode". Retrieved August 30, 2017.
  11. "Intel Patches Major Flaws in the Intel Management Engine". ExtremeTech.
  12. https://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/
  13. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html
  14. https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html