According to researchers, Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Meltdown, together with the Spectre vulnerability, was disclosed in January 2018 and showed the world that today's CPU hardware was inherently flawed, as CPU makers chased performance with little regard for data security.
According to researchers, Spectre breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. Per researchers, the very same safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
While the Meltdown attack impacted only Intel CPUs, Spectre was an industry-wide problem that also affected AMD and ARM processors.
Just like Meltdown, Spectre is the result of performance-driven design. The vulnerability leaks data from a CPU's "speculative execution," a series of operations that CPUs calculate in advance to guess a possible outcome and cut down future computing time.
The ZombieLoad attack allows stealing sensitive data while the computer is processing it. While programs normally only see their own data, a malicious program can exploit internal CPU buffers to get hold of secrets currently being processed by other running programs.
ZombieLoad is part of a class of vulnerabilities known as Microarchitectural Data Sampling attacks, or MDS attacks, that target a CPU's microarchitectural data structures, such as the load, store, and line fill buffer caches. More specifically, ZombieLoad exploits the line fill buffer to extract data from a CPU's internal cache. Other MDS attacks are RIDL and Fallout.
RIDL is part of a class of vulnerabilities impacting modern processors that are named Microarchitectural Data Sampling attacks, or MDS attacks. These attacks target a CPU's microarchitectural data structures, such as the load, store, and line fill buffer caches.
More specifically, RIDL exploits a hardware design flaw in the line fill buffer to extract secret data from a CPU's sensitive areas. It is similar to, but distinct from, ZombieLoad, and was discovered by a different group of academics.
Fallout is in the same class of MDS attacks as ZombieLoad and RIDL, but unlike the first two, Fallout uses bugs in the store buffer cache to leak data from within a vulnerable CPU.
According to researchers:
"Fallout demonstrates that attackers can leak data from Store Buffers, which are used every time a CPU pipeline needs to store any data. Making things worse, an unprivileged attacker can then later pick which data they leak from the CPU's Store Buffer."
In practice, it has been shown that Fallout can break Kernel Address Space Layout Randomization (KASLR), as well as leak sensitive data written to memory by the operating system kernel.
Discovered by Bitdefender researchers, the SWAPGS attack is also a vulnerability in the speculative execution feature of modern CPUs.
Per researchers, this attack takes advantage of a combination of Intel's speculative execution of the SWAPGS instruction and how the Windows operating system handles SWAPGS within what is known as a gadget. The combination of SWAPGS and Windows can lead to situations where data can be extracted from an Intel CPU.
LVI (or Load Value Injection) is a reverse of the Meltdown attack. Instead of leaking data from an Intel CPU, LVI lets an attacker inject and modify data that is already inside the CPU's speculative execution processes.
In practice, the attack has been used to leak data from Intel SGX enclaves.
While Meltdown could be mitigated through software mitigations, LVI requires a redesign of the CPU hardware.
Foreshadow, or L1TF, is a speculative execution attack on Intel processors which allows an attacker to steal sensitive information stored inside personal computers or third-party clouds.
Foreshadow has two versions, the original attack designed to extract data from SGX enclaves and a Next-Generation version which affects Virtual Machines (VMs), hypervisors (VMM), operating system (OS) kernel memory, and System Management Mode (SMM) memory.
The Snoop attack can leak data by abusing the internal mechanism (bus snooping) that Intel CPUs employ to keep their multiple cache levels in sync (an operation known as cache coherence).
The attack can be mitigated by applying the patches for the Foreshadow (L1TF) attack.
PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.
Attackers can run a PortSmash attack that then leaks data from nearby processes running on the same CPU. Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT.
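Several of the entries above (Meltdown, Spectre, the MDS family, Foreshadow/L1TF) are addressed by operating system and microcode patches, and PortSmash depends on SMT being active. On Linux, the kernel reports its own view of both under sysfs. The following Python script is an added example, not code from the article or from any of the research teams it cites: it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ and the SMT control file, classifies each line, and flags issues that are still vulnerable or only partially mitigated because SMT remains on. The sample status lines are constructed for the test and modelled on the kernel's wording; the directory layout and status strings are assumptions about the Linux sysfs interface, not something the article states.

```python
"""Summarise Linux CPU-vulnerability mitigation status from sysfs (added example).

Assumptions (not from the article): the Linux kernel exposes one file per
issue under /sys/devices/system/cpu/vulnerabilities/, each holding a single
status line ("Not affected", "Vulnerable", "Mitigation: ..."), and reports
SMT state in /sys/devices/system/cpu/smt/control ("on", "off", "forceoff",
"notsupported", "notimplemented").
"""
from pathlib import Path

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
SYSFS_SMT_CONTROL = "/sys/devices/system/cpu/smt/control"

# Constructed sample, shaped like real kernel output, used for the offline demo.
SAMPLE_ENTRIES = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional; RSB filling",
    "mds": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional cache flushes",
    "tsx_async_abort": "Not affected",
    "srbds": "Vulnerable: No microcode",
}


def classify_status(line: str) -> str:
    """Map one kernel status line to a coarse category.

    "mitigated_smt_caveat" covers mitigations the kernel itself marks as
    incomplete while the sibling hyperthread stays enabled.
    """
    low = line.strip().lower()
    if low.startswith("not affected"):
        return "not_affected"
    if low.startswith("vulnerable"):
        return "vulnerable"
    if low.startswith("mitigation:"):
        return "mitigated_smt_caveat" if "smt vulnerable" in low else "mitigated"
    return "unknown"


def summarize(entries: dict) -> dict:
    """Classify every issue in a {name: status_line} mapping."""
    return {name: classify_status(status) for name, status in entries.items()}


def needs_attention(entries: dict) -> list:
    """Names of issues an administrator should look at, sorted for stable output."""
    flagged = ("vulnerable", "mitigated_smt_caveat", "unknown")
    return sorted(name for name, cat in summarize(entries).items() if cat in flagged)


def smt_enabled(control_text: str) -> bool:
    """True only when the kernel reports SMT as currently on."""
    return control_text.strip() == "on"


def read_sysfs_entries(vuln_dir=SYSFS_VULN_DIR) -> dict:
    """Read the live status files; returns {} on kernels/containers without them."""
    base = Path(vuln_dir)
    entries = {}
    if not base.is_dir():
        return entries
    for f in sorted(base.iterdir()):
        try:
            entries[f.name] = f.read_text()
        except OSError:
            entries[f.name] = "unknown"  # unreadable file is treated as unknown
    return entries


def read_smt_control(path=SYSFS_SMT_CONTROL) -> str:
    try:
        return Path(path).read_text()
    except OSError:
        return "notimplemented"


if __name__ == "__main__":
    live = read_sysfs_entries()
    entries = live if live else SAMPLE_ENTRIES
    source = "live sysfs" if live else "constructed sample"
    print(f"Status source: {source}")
    for name, cat in sorted(summarize(entries).items()):
        print(f"{name:18} {cat:22} {entries[name].strip()}")
    print("SMT enabled:", smt_enabled(read_smt_control()))
    print("Needs attention:", needs_attention(entries))
```

Run as a normal user; the files are world-readable. On a host without the sysfs directory (for example inside a minimal container) the script falls back to the constructed sample so the output format can still be inspected. Treating "Mitigation: ...; SMT vulnerable" as a separate category matters because such a line looks patched at a glance, yet the kernel is saying the fix is incomplete until SMT is disabled or the workload is trusted.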
BranchScope is a side-channel leak that occurs during speculative execution. More precisely, it's a leak that happens when an attacker manipulates the shared directional branch predictor.
The attack has been used in tests to leak data from Intel SGX enclaves. See more in this PDF paper.
NetCAT is a vulnerability that impacts Intel's line of server-grade CPUs. Namely, it is a vulnerability in all Intel chips that support the Data-Direct I/O Technology (Intel DDIO) and Remote Direct Memory Access (RDMA) features.
The NetCAT attack can be carried out remotely, via a network connection, to leak data processed by these features, such as SSH session keys, and others.
SgxPectre is a variation of the original Spectre attack, adapted specifically for leaking data from CPU secure enclaves by exploiting bugs in the software development kits used to build the enclave's software.
Vulnerable SGX development kits include the Intel SGX SDK, Rust-SGX, and Graphene-SGX.
As the name implies, SpectreRSB is also a variation of the Spectre attack. It exploits hardware design flaws in the return stack buffer (RSB) of modern CPUs, including Intel's.
Proof of concept attacks have shown SpectreRSB can be used to leak data from the CPU cache's RSB, but also from Intel SGX enclaves.
TPM-Fail is a vulnerability that impacts Intel's firmware-based trusted platform module (fTPM), which runs on a separate microprocessor inside the main Intel CPU.
The attack takes from minutes to hours to run, and can result in the leak of sensitive encryption keys.
The Plundervolt attack exploits the interface through which an operating system can control an Intel processor's voltage and frequency, namely the Dynamic Voltage and Frequency Scaling (DVFS) system.
It is based on the CLKSCREW attack that abused frequency adjustments to leak data from ARM chipsets. Plundervolt is different because it uses rogue voltage adjustments to leak data from Intel chipsets.
The Platypus attack can steal data from Intel CPUs by using the Intel RAPL interface to monitor power consumption values inside the CPU and infer what kind of data is being processed inside.
The difference between Plundervolt and Platypus is that Plundervolt is an active attack that infers data by modifying power values, while Platypus is a passive attack that infers data just by looking at the power consumption data.