Everything you need to know about CPU vulnerabilities like Zenbleed, Downfall, Inception, and more

CPU vulnerabilities have been in and out of the news in recent years, and their disclosures often come with a pretty scary message. In the case of Zenbleed and Downfall, it was that, under the right circumstances, any application on your computer could access the memory of any other program running on it. Sounds intense, right?



However, it’s not quite as bad as it seems. It’s obviously significant enough to warrant a disclosure and a software update to fix the errors, even at the cost of performance, but what exactly is going on to cause these security issues? Should you be worried?


Should you be worried about CPU vulnerabilities like Zenbleed, Downfall, and Inception?

An Intel 11th Gen Rocket Lake CPU.

To be honest, none of these exploits affects the vast majority of people. While they can leak data from one program to another, any piece of malware on a consumer's machine already has a great level of access that it can abuse. Where these attacks are particularly worrisome is in cloud computing contexts.

To understand the problem, you need to understand that many cloud servers are simply computers with a lot of horsepower, a large amount of network bandwidth, and some other specialized hardware if required. Many companies rent out what's called a VPS, or virtual private server: a virtual machine with limited resources that shares its physical host with dozens of other virtual machines.

Where this becomes a problem is that one person on one virtual machine could exploit one of these vulnerabilities to gain insight into the data flowing through the processor, including data belonging to other virtual machines on the same host. This should not be possible and is a major breach of security. That's why, when Zenbleed was disclosed, there were already patches for AMD's Epyc processors, which are aimed at server usage.

Most severe CPU vulnerabilities currently

The industry standard for "ranking" vulnerabilities by severity is the Common Vulnerability Scoring System (CVSS). It provides a quantitative measure of severity, with each aspect of the vulnerability contributing to the score. The score is derived from the following metrics:

  • Attack vector: Network/Adjacent/Local/Physical
  • Attack complexity: Low/High
  • Privileges required: None/Low/High
  • User interaction: None/Required
  • Scope: Unchanged/Changed
  • Confidentiality: None/Low/High
  • Integrity: None/Low/High
  • Availability: None/Low/High

All of these classify the severity of a bug. For example, a vulnerability that can be executed over a network with a low complexity, no privileges required, no user interaction, with a changed scope, high data confidentiality leakage, high data integrity violation, and high impact on availability will score a perfect 10 in CVSS 3.1, the highest score possible.

By that metric, we can assess the damage that Zenbleed and Downfall are capable of. Spoiler: they score the same, though they affect different CPUs. A score only describes the vulnerability itself; two flaws with the same score can affect very different numbers of products, and that does not change the score. CVSS scores are essentially a triage tool and don't tell the full story.

Zenbleed: 6.5 (Medium)

  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Explanation: The attack vector requires local access to the machine (as in, it runs on the machine), and the attack has no impact on the integrity of the data on the machine or on its availability. However, it changes scope (meaning it impacts resources beyond its privileges), while the attack complexity and the privileges required to execute it are both low. It also totally violates the confidentiality of information on the machine.

Downfall: 6.5 (Medium)

  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Explanation: The attack vector requires local access to the machine (as in, it runs on the machine), and the attack has no impact on the integrity of the data on the machine or on its availability. However, it changes scope (meaning it impacts resources beyond its privileges), while the attack complexity and the privileges required to execute it are both low. It also totally violates the confidentiality of information on the machine.

Inception: 5.6 (Medium)

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Explanation: The attack vector requires local access to the machine (as in, it runs on the machine), and the attack has no impact on the integrity of the data on the machine or on its availability. However, it changes scope (meaning it impacts resources beyond its privileges); the attack complexity is high, and the privileges required to execute it are low. It also totally violates the confidentiality of information on the machine.

Spectre: 5.6 (Medium) (Patched)

Spectre, despite being a more widespread phenomenon, actually scores lower than Zenbleed and Downfall. That's because its attack complexity was rated "High," which dropped the score.

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Explanation: The attack vector requires local access to the machine (as in, it runs on the machine), and the attack has no impact on the integrity of the data on the machine or on its availability. However, it changes scope (meaning it impacts resources beyond its privileges); the attack complexity is high, and the privileges required to execute it are low. It also totally violates the confidentiality of information on the machine.

Meltdown: 5.6 (Medium) (Patched)

Like Spectre, Meltdown scores lower than Zenbleed and Downfall, owing to the greater attack complexity required.

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Explanation: The attack vector requires local access to the machine (as in, it runs on the machine), and the attack has no impact on the integrity of the data on the machine or on its availability. However, it changes scope (meaning it impacts resources beyond its privileges); the attack complexity is high, and the privileges required to execute it are low. It also totally violates the confidentiality of information on the machine.

The biggest cause: Branch prediction

An AMD Ryzen 3000 CPU.

Source: AMD

Branch prediction and speculative execution broadly refer to the processor performing operations that are not needed at the moment but are expected to be needed in subsequent cycles. It does this when it has free resources, because working ahead speeds up overall processing in cases where the next instructions or data would otherwise not yet be ready. If the speculative work turns out not to be needed, it is discarded, and the processor jumps back to the point where it must execute the next correct instruction. A guess that turns out to be wrong is called a branch misprediction.

For a more in-depth understanding of branch predictors, imagine a program that consistently adds the same two numbers during its execution. At some stage, the processor may recognize this pattern and prepare the next steps in advance, ready for the next time the method that adds those two numbers is called. If the outcome changes at some point, even though the processor planned for the numbers to be the same again, the guess is thrown out and replaced by the actual execution flow. But for as long as those numbers stay the same, the processor can move through those instructions quickly.

There are many problems when it comes to speculative execution, though, and vulnerabilities like Spectre, Zenbleed, Downfall, and more are the result. It's a powerful feature to which we owe much of modern-day CPU performance, but it's a major target when researchers look for vulnerabilities in CPUs.

Mitigation: A performance inhibitor

Mitigating these vulnerabilities is of utmost importance, but the problem is that these mitigations are often taxing on performance. In the case of AMD’s most recent Zenbleed, the mitigation could see massive performance overheads.

AMD Inception mitigations.

The reason for this is that the only real way around these flaws is to disable or change the behavior of the branch predictor in the affected processor. The same kind of performance hit can be found in the mitigations for Intel's Downfall, with early reports suggesting performance impacts of up to 39%. Epic Games famously shared CPU utilization graphs after the Meltdown vulnerability was disclosed, showing how much of an impact those mitigations had on the company's CPU usage. There was a major uptick in CPU usage, as one would expect. Where things get scary is the fix for AMD's Inception, where performance was found to drop by up to 54%.

Because vulnerabilities like this affect features fundamental to the processor, it’s hard to really fix them aside from disabling or severely maiming core features. Speculative execution is incredibly important, and these mitigations will be felt by many people. Gaming performance is less predictable, so if your PC’s primary usage is gaming, you might be alright as your computer can’t make as many predictions, but these problems scale up in much bigger systems.
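Since the mitigations are applied by the operating system, microcode, or both, the practical question for an administrator is which ones are actually active on a given machine. The following is an added example (not from the original article) that reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (for instance gather_data_sampling for Downfall, spec_rstack_overflow for Inception, spectre_v2 and meltdown), classifies each as mitigated, still vulnerable, not affected or unknown, and flags a kernel command line that switches mitigations off. The sample status strings embedded in the block are constructed for the demo; they copy the kernel's "Mitigation: ...", "Vulnerable: ..." and "Not affected" wording but were not captured from a real machine.

```python
"""Summarise Linux CPU-vulnerability mitigation status (added example, not from the article).

When run on a Linux host it reads the live sysfs files; elsewhere it falls back
to a constructed sample so the logic can be exercised offline.
"""
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of sysfs contents (not captured from a real system).
SAMPLE_STATUS = {
    "gather_data_sampling": "Vulnerable: No microcode",
    "spec_rstack_overflow": "Mitigation: Safe RET",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling",
    "meltdown": "Not affected",
    "mds": "Unknown: Dependent on hypervisor status",
}


def classify(status: str) -> str:
    """Map one sysfs status line to: mitigated, vulnerable, not_affected or unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(entries: dict) -> dict:
    """{issue name: classification} for a mapping of file name -> file contents."""
    return {name: classify(status) for name, status in entries.items()}


def unmitigated(entries: dict) -> list:
    """Names of issues the kernel reports as still vulnerable, sorted for stable output."""
    return sorted(name for name, cls in summarize(entries).items() if cls == "vulnerable")


def read_sysfs(directory: Path = VULN_DIR) -> dict:
    """Read the live status files; returns {} where the directory is absent (non-Linux, some containers)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}


def mitigations_disabled(cmdline: str) -> bool:
    """True when the kernel command line (/proc/cmdline) carries mitigations=off."""
    return any(token == "mitigations=off" for token in cmdline.split())


def read_cmdline(path: Path = Path("/proc/cmdline")) -> str:
    """Live kernel command line, or '' when unavailable."""
    return path.read_text() if path.is_file() else ""


if __name__ == "__main__":
    live = read_sysfs()
    entries = live or SAMPLE_STATUS
    print("source:", "live sysfs" if live else "constructed sample")
    for name, cls in sorted(summarize(entries).items()):
        print(f"{name:24s} {cls:13s} {entries[name]}")
    print("still vulnerable:", unmitigated(entries) or "none")
    if mitigations_disabled(read_cmdline()):
        print("WARNING: kernel booted with mitigations=off")
```

On the constructed sample the script reports gather_data_sampling as the one issue still vulnerable; on a real host the same function tells you whether a Downfall or Inception mitigation has actually taken effect after a microcode or kernel update, which is the check worth making before deciding whether the performance cost discussed above applies to you.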

Are future processors affected?

Thankfully, in the case of both Intel's Downfall and AMD's Zenbleed, the exploits affect older processors. Newer processors from both companies are safe, and there's nothing to worry about for now. A significant redesign is usually what ends up fixing these problems. For example, Spectre affected Intel's eighth- and ninth-generation CPUs, but the ninth generation incorporated a hardware version of the software fixes that had been implemented, complete with the performance hit. Intel's 10th generation was still safe but no longer carried a performance impact from those mitigation measures.

As a result, given that both Downfall and Zenbleed were already fixed in the most recent versions of their respective processors, users don’t have much to worry about. Of course, there can always be more vulnerabilities discovered, but at this point in time, you’re safe.