New Intel Chip Vulnerability ‘Load Value Injection’ Found

Mar. 11, 2020



After Spectre and Meltdown, Intel chips are in the news again for a new vulnerability. The newest threat is called Load Value Injection, and it allows attackers to access Intel’s Software Guard eXtensions (SGX), the part responsible for storing sensitive information.

“LVI is a new class of transient-execution attacks exploiting microarchitectural flaws in modern processors to inject attacker data into a victim program and steal sensitive data and keys from Intel SGX, a secure vault in Intel processors for your personal data,” wrote the researchers on the website detailing the vulnerability.

The vulnerability was first discovered by the researchers from imec-DistriNet, KU Leuven, Worcester Polytechnic Institute, Graz University of Technology, the University of Michigan, the University of Adelaide, and Data61. It was then independently discovered by professionals at cybersecurity firm Bitdefender.

Just like Spectre, LVI exploits speculative execution. As detailed by the researchers, LVI is a hybrid of Spectre and Meltdown where the attackers gain the ability to alter or inject the data into the SGX system.

[Flow diagram demonstrating the process. Credits: Lviattack.eu]

You probably need not worry about LVI as the attack is highly complex in itself and general users are not the ideal target for this attack.

“Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory. Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times.”

Intel is aware of the situation and has given the vulnerability a “medium” severity. In fact, the chipmaker has started rolling out an update for the SGX Platform Software (PSW) and SDK to mitigate the issue.

Here is what Intel has to say regarding LVI: “Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real world environments where the OS and VMM are trusted.”

You can learn more about LVI in the detailed research paper published on this website. Also, do not forget to watch the dramatic teaser video and demonstration video published by the researchers.

Subin writes about consumer tech, software, and security. He secretly misses the headphone jack while pretending he’s better off with the wireless freedom.