Security Exploits Move To Microprocessor Bugs

At the upcoming HackInTheBox conference in Malaysia, security researcher Kris Kaspersky will demonstrate how bugs in microprocessors can be exploited to take control of local machines and servers. Security holes have commonly involved flaws in software applications, such as developer errors in bounds checking (buffer overflows), input filtering or user access control. But each new chipset released by Intel, AMD and others ships with large numbers of bugs (referred to as errata, because they are documented in that section of the chipset developer documentation), and these bugs can now be exploited remotely to gain access to systems.

Errors in microprocessors have been a long-known issue, though it was never considered possible to exploit transistor-level bugs remotely. A number of local security vulnerabilities have taken advantage of these bugs, but until this most recent research there was no well-established method for a more convenient remote attack. Systems can be exploited by forcing the computer to run a series of instructions that causes or triggers an error. Systems are commonly forced into running these instructions via a JIT compiler (Java in the browser) or through another remotely accessible program whose executed instructions are well known or can be manipulated.

The demonstration by Kaspersky will include showing how Vista security can be bypassed remotely using JavaScript, and another demo showing a remote DoS attack against the TCP/IP stack implementation. With microprocessor bugs, exploits work across all operating systems regardless of patch level or version. Fixing the physical bugs is impossible without a CPU replacement, but Intel has issued patches to BIOS vendors to be included in their updates. The bugs themselves are not solved; rather, the patches simply block any exploit attempt (or any poorly written code from triggering a bug). Since the common computer user is very unlikely to update their BIOS at all, let alone frequently, most of these security holes are likely to remain open forever, and it will be up to the processor manufacturers to release bug-free chips rather than just documenting known bugs.

It is unknown just how many microprocessor bugs remain undiscovered, as it is the vendors themselves who document them for the benefit of developers. It would also be theoretically possible to exploit bugs in other chipsets, such as graphics controllers or bus controllers. As with everything security related, it would probably take a large-scale attack before awareness of these issues rises, at which point chip manufacturers will need to invest in improved processes for checking for bugs (as software developers do now) prior to releasing circuit designs for manufacturing.