Intel chips contain serious flaws that can be exploited over the internet to cause crashes of or gain complete control over systems, according to an independent security researcher who plans to release proof-of-concept code for such attacks later this year.
Kris Kaspersky said this week he will present the findings of CPU malware-detection research, funded by Endeavor Security, at the Hack In The Box conference in Kuala Lumpur, Malaysia, in October.
Kaspersky — who is not affiliated with the security firm Kaspersky Lab — said the presentation will include proof-of-concept exploits for which he will publicly release the code.
Because the flaws are in the processors themselves, the attacks can be carried out regardless of the operating system, and the demonstration is planned to include various versions of Windows, Linux and BSD, and possibly Mac OS X, Kaspersky said.
"Intel CPUs have exploitable bugs which are vulnerable to both local and remote attacks which work against any OS, regardless of the patches applied or the applications which are running," Kaspersky said in an abstract of the talk.
Among the exploits Kaspersky plans to demonstrate are techniques using JavaScript code, TCP/IP packet storms, and the manipulation of just-in-time (JIT) Java compilers using common instruction sequences such as short nested loops, Kaspersky said.
He said that, aside from active attacks, he has found that the CPU bugs in question have contributed to hard-drive damage. Kaspersky said that, while CPU bugs are not a new problem, not enough is being done to address the growing danger of remote attacks.
"It is just a matter of time before we start seeing these sort of attacks used in more devastating ways over the internet," he wrote in the abstract.
His comments echo those of other programmers and security researchers, who have warned of the growing danger caused by CPU bugs, known as 'errata'. Last June, following the release of workarounds for Intel Core 2 bugs by Microsoft and others, OpenBSD founder Theo de Raadt said the processors were "buggy as hell". "Some of these bugs don't just cause development/debugging problems, but will assuredly be exploitable from userland code," he wrote to an OpenBSD mailing list at the time.
Like Kaspersky, de Raadt argued that the workarounds provided by Intel are typically implemented by Bios vendors only after a delay, if at all. He also argued that some of the bugs were not fixable and could not be worked around.
However, Linux creator Linus Torvalds responded in a mailing list post that the bugs were "totally insignificant". Intel has also argued that the problems are unlikely to ever have an impact on the public.
"All processors from all companies have errata, and Intel has a well-known errata communication process to inform our customers and the public," said an Intel spokesman in a statement provided to the press during the Core 2 errata controversy.
On the other hand, modern processors are complicated enough that some bugs are likely to go undetected, according to research published last November by Israeli security researcher Adi Shamir. "With the increasing word size and sophisticated optimisations of multiplication units in modern microprocessors, it becomes increasingly likely that they contain some undetected bugs," he wrote.
In the report, Microprocessor Bugs Can Be Security Disasters, Shamir detailed a technique for exploiting processor errata to steal private encryption keys.
