Intel's CPUs are vulnerable to the new 'Snoop' attack

Intel processors are vulnerable to a new attack that may leak data from the CPU's internal memory - also known as cache.

The attack, described as "Snoop-Assisted L1 Data Sampling", or simply Snoop (CVE-2020-0550), was discovered by Pawel Wieczorkiewicz, software engineer at Amazon Web Services (AWS).

Wieczorkiewicz reported the issue to Intel, and after further investigation, company concluded that the patches released in August 2018 for the Foreshadow vulnerability (L1TF) apply to this new attack as well.

A list of Intel processors vulnerable to Snoop attacks is available here. The list includes Intel series, such as Core and Xeon processors.

On a technical level, the new Snoop attack exploits CPU mechanisms such as multiple levels of cache, cache consistency and bus snooping. Below is a simple, non-technical explanation of why the attack exists and how it works.

Processors, cache levels, cache consistency and bus snooping

Today, most modern processors have multiple levels of cache available to store data while processing within the CPU.

Depending on the CPU specifications, there could be a Level 1 (L1), Level 2 (L2) or even Level 3 (L3) cache.

The most commonly used cache level is L1, which is split into two, with one available for user data processing (L1D) and the second for handling of the CPU instruction code (L1I).

Because of the multi-core architectures and multiple cache levels, data is often stored in multiple CPU caches at the same time, even within RAM.

Cache consistency is the process of keeping all cache levels in sync so that L2, L3 and RAM have the same data that are in the L1D cache, the place where they usually change first.

The term "bus snooping" (or "snooping") is the function by which the CPU updates all cache levels when a change occurs in the L1D.

Wieczorkiewicz found that under certain conditions malicious code could exploit the bus snooping feature and cause errors leaking data from the cache coherence process - namely the cache data currently being modified in L1D cache and the efficient leakage of data from the CPU internal memory.

Snoop attacks do not work if you apply L1TF patches

The main disadvantage of this attack is that the malicious code running on one CPU kernel can leak data from other kernels, a problem in cloud computing and in virtual environments.

The good news is that this attack is incredibly difficult and does not return large amounts of data (unlike the original Meltdown and Specter vulnerabilities).

In addition, Intel says the attack also requires conditions that are difficult to satisfy in the real world.

"Given the many complex requirements that must be met in order to be successful, Intel does not believe that Snoop Assisted L1 Data Sampling is a practical method in real-world environments where the operating system is reliable," Intel said.

For users using systems High Risk, the chip maker recommends that the Foreshadow (L1TF) patches released in August 2018 be implemented.

In addition, disabling Intel TSX (Transactional Synchronization Extensions) also significantly reduces all vulnerabilities and makes Snoop attacks even tougher.

Snoop attack can be difficult to accomplish, but it's still notable because it exposes a new vector of attack within functions bus snooping, an area of ​​modern CPU architecture that had not been tested as a possible attack before.