Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > Blogs

Cable Haunt vulnerability can give hackers remote access to approximately 200 million cable modems

by Leave a Comment

Danish cybersecurity experts Alexander Krog, Jens Stærmose and Kasper Terndrup of cybersecurity firm Lyrebirds ApS, and independent Danish researcher Simon Sillesen, announced a new vulnerability dubbed Cable Haunt. In the announcement, they disclosed a critical remote code execution vulnerability in hundreds of millions of cable modems.

According to the website the researchers set up, “The vulnerability enables remote attackers to execute arbitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participation in botnets.”

The researchers further state that the affected modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality. Use of default credentials and a programming error in the spectrum analyzer also contribute to the vulnerability.

While a buffer overflow exploit would normally be written directly to the memory stack, the memory structure of the MIPS assembly language that runs the spectrum analyzer requires the attack code to know the precise memory address of the vulnerable code. To get around this, Cable Haunt uses return-oriented programming to move between pre-existing pieces of code and then create a patchwork of existing code.

This approach indicates that through the use of a hardware root of trust model, this vulnerability could have been eliminated.

Bart Stevens, senior director of product marketing for Rambus elaborates. “The recent Cable Haunt exploit demonstrates the need for a security by design approach, led by a hardware root of trust to silo away secure processes from the main CPU. This siloed approach to security ensures that a potential compromise of the main processor does not expose critical keys and credentials — or impair the execution of security applications that monitor system operation and detect tampering. A hardware root of trust would not necessarily prevent the host CPU from being attacked by a similar attack like Cable Haunt. But at a minimum, a hardware root of trust could prohibit alternate firmware from replacing the original firmware. In addition, many future vulnerabilities could be prevented if sensitive configuration and network parameter handling is moved from the normal host CPU onto a separate and dedicated, secure CPU residing inside the root of trust section.”

It is important to note that this is a proof-of-concept exploit and has not been seen in the wild. The exploit is complicated by the fact that the vulnerable spectrum analyzer component is available on the cable modem’s internal network, and not directly exposed to the internet. While it would require a lot of skill, and maybe a bit of luck, if successful it would give a hacker intimate access to all the data coming in and going out. In a high-value target, the value of that access could inspire some to try.

Additional Resources:
“Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear,” The Register, 1/10/2020

“Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability,” ZDNet, 1/10/2020

“Cable Haunt Vulnerability Exposes Modems to Remote Attacks,” Tom’s Hardware, 1/13/2020

“Cable Haunt vulnerability affects millions of Broadcom cable modems,” Security Boulevard, 1/13/2020

PCI Express 5 vs. 4: What’s New? [Everything You Need to Know]

by Leave a Comment

Introduction

What’s new about PCI Express 5 (PCIe 5)? The latest PCI Express standard, PCIe 5, represents a doubling of speed over the PCIe 4.0 specifications.

We’re talking about 32 Gigatransfers per second (GT/s) vs. 16GT/s, with an aggregate x16 link bandwidth of almost 128 Gigabytes per second (GBps).

This speed boost is needed to support a new generation of artificial intelligence (AI) and machine learning (ML) applications as well as cloud-based workloads.

Want to know a little more about AI/ML applications and cloud-based workloads?

Both are significantly increasing network traffic. In turn, this is accelerating the implementation of higher speed networking protocols which are seeing a doubling in speed approximately every two years.

You can find much more about PCIe 5 in the article below.

Table of contents

1. PCI Express: Frequently Asked Questions (FAQ)
2. PCIe 5 – A New Era
3. PCIe 5 vs. PCIe 4 (+Comparison table included)
4. PCIe 5: Applications and Market Adoption
5. Complete PCIe 5 Interface Solutions from Rambus
6. Conclusion

 

PCI Express: Frequently Asked Questions (FAQ)

Let’s answer five frequently asked questions about PCI Express and PCIe 5.

a. What is PCI Express 5?

With the preliminary specification announced in 2017, PCIe 5 is a high-speed serial computer expansion bus standard that moves data at high bandwidth between multiple components. The PCIe 5.0 specification was formally released in May of 2019.

You might be wondering why a new PCI Express standard like PCIe 5 is needed. Well, PCIe 5 offers twice the data transfer rate of its PCIe 4 predecessor, delivering 32GT/s vs. 16GT/s. This speed increase is critical to support new AI/ML applications and cloud-centric computing.

b. Why both GT/s and GBps?

GT/s is a measure of raw speed – how many bits can we transfer in a second. The data rate, on the other hand, has to take into consideration the overhead for encoding the signal. Bandwidth is data rate times link width, so encoding overhead’s impact on the data rate translates directly to an impact on bandwidth.

Back in the days of PCIe 2, the encoding scheme was 8b/10b, so there was a hefty overhead penalty for encoding. With such a high overhead, it was particularly useful to have measures of transfer rate (x GT/s) and data rate (y Gbps), where “y” was only 80% of “x.”
With Gen 3 and continuing through to the present Gen 5, the PCI Express standard moved to a very efficient 128b/130b encoding scheme, so the overhead penalty is now less than 2%. As such, the link speed and the data rate are roughly the same.

For a PCI 5 x8 link, 32GT/s raw speed translates to 31.5GBps bandwidth (we chose a x8 link so we could go straight from bits to bytes). And since PCIe is a duplex link, total aggregate bandwidth rounds to 63GBps (32GT/s x 8 lanes / 8 bits-per-byte x 128/130 encoding x 2 for duplex).

c. What is a PCI Express lane?

So what’s a PCI Express lane? Well, a PCIe lane consists of four wires to support two differential signaling pairs. One pair transmits data (from A to B), while the other receives data (from B to A). Want to know the best part? Each PCIe lane is designed to function as a full-duplex transceiver which can simultaneously transfer 128-bit data packets in both directions.

d. What does PCIe x16 mean?

We’ve discussed lanes, but what do they have to do with x16? Well, the term “PCIe x16” is used to refer to a 16-lane link instantiated on a board or a card. Physical PCIe links may include 1, 2, 4, 8, 12, 16 or 32 lanes. The 32-lane link is a pretty rare beast, so in practical terms the x16 represents the top end of the PCI Express link options.

e. What is PCI Express used for?

We’ve talked a lot about PCIe 5, but what is PCI Express actually used for?

You can think of the PCIe interface as the system “backbone” that transfers data at high bandwidth between various compute nodes.What’s the bottom line? Put simply, PCIe 5 rapidly moves data between CPUs, GPUs, FPGAs and ASIC accelerators using links with various lane widths configured to meet the bandwidth requirements for the linked devices.

PCIe 5: A New Era

Now that we’ve explored some PCI Express basics, we can take a closer look at PCIe 5 which was formally released in May of 2019.

PCIe 5 offers long-awaited capabilities for system designers building new cloud-based and AI/ML applications.

You might be wondering how and why.

Well, it starts with PCIe 5 offering twice the bit transfer rate of its PCIe 4 predecessor at 32GT/s vs. 16GT/s. With a x16 link, that scales to ~128GBps aggregate bandwidth.

Here’s another important point: The higher transfer rates of PCIe 5 enables system designers to balance bandwidth requirements with simplicity by working with fewer lanes for certain applications such as 40GigE and SSDs. More demanding, high-bandwidth applications such as AI and ML can take full advantage of a x16 lane.

Want to know what else PCIe 5 technology offers system designers? PCIe 5 is expected to be the technological cornerstone of additional interconnects. For example, Intel recently announced that its upcoming Compute eXpress Link (CXL) cache coherent interconnect will use the PCIe 5 standard’s physical layer (PHY) specification.

Since going faster entails more signal integrity (SI) issues, PCIe 5 adds more capabilities under the hood for handling signal loss and noise than were built into PCIe 4.

PCIe 5 vs. PCIe 4

Here’s a handy by-the-numbers comparison of PCIe 5 vs. PCIe 4 with the actual aggregate bandwidth adjusted for the encoding overhead.

Comparison table: PCI express 5 vs PCIe 4
Comparison table: PCIe 5 vs PCIe 4

 

PCIe 5: Applications & Market Adoption

AI/ML and Cloud Computing

No surprise, PCIe 5 is the fastest PCI Express ever. While the speed upgrade makes the applications of today run faster, what’s particularly exciting is that PCIe 5 is enabling new applications in markets such as AI/ML and cloud computing.

AI applications generate, move and process massive amounts of data at real-time speeds. An example is a smart car which can generate as much as 4TB of data per day!

But that’s not all, the size of AI/ML training models are doubling every 3-4 months. The torrent of data, and the rapid growth in training models is putting tremendous stress on every aspect of the compute architecture, with interconnections between devices and systems being of critical importance. Also critical is fast access to memory as AI/ML workloads are extremely compute intensive.

But while AI/ML is one major megatrend, there are others. Data centers are changing, with enterprise workloads moving to the cloud at a rapid pace. Those applications mean moving more data, often with real-time speed and latency.

This shift to the cloud, along with ever-more sophisticated AI/ML applications, is accelerating the adoption of higher speed networking protocols that are experiencing a doubling in speed about every two years: 100GbE ->200GbE-> 400GbE->800GbE.

Now this is where PCI express 5 comes in. PCIe 5 delivers an aggregate link bandwidth of almost 128GBps in a x16 configuration. Put simply, PCI express 5 effectively addresses the demands of AI/ML and cloud computing by supporting higher speed networking protocols as well as higher speed interconnections between system devices..

Complete PCI Express 5 Interface Solutions from Rambus

Now that we’ve explained the important benefits of PCI express 5, where can you get a reliable PCIe 5 interface?

Rambus offers a comprehensive interface solution for PCI Express 5 (PCIe 5.0) that consists of a PCIe 5.0 PHY and a co-verified PCIe 5.0 digital controller (from recently acquired Northwest Logic).

Want to know the best part? Having a comprehensive solution with a co-verified PHY and controller means that integration complexity is significantly reduced for chip designers.

What if you already have a PCIe 5 PHY or controller from another vendor or have developed one in house?

Both the Rambus PCIe 5 PHY and controller can be paired with PIPE 5.2 – compliant 3rd-party solutions if so desired. In addition, both PHY and controller are backward compatible to PCIe 4, 3 and 2.

But that’s not all. The Rambus PCIe 5 PHY supports the Compute Express Link (CXL) connectivity standard, a new high-speed interconnect between CPUs and workload accelerators or other attached devices. This helps support accelerators used to complement CPUs in AI/ML applications.

Conclusion

In “PCI Express 5 vs. 4: What’s New?” we explain how PCI Express is the system backbone that transfers data at high bandwidth between CPUs, GPUs, FPGAs and ASIC accelerators using links of variable lane widths depending on the bandwidth needs of the linked devices.

We also detail how the latest PCI Express standard, PCIe 5, represents a doubling over PCIe 4 with a raw speed of 32GT/s vs. 16GT/s translating to aggregate bandwidth for a x16 link of ~128GB/s vs. ~64GB/s.

We then explored how the higher data rates of PCIe 5 are enabling system designers to support a new generation of cloud computing and AI/ML applications.

Lastly, we highlighted Rambus’ comprehensive interface solution for PCI Express 5 (PCIe 5.0) which comprises a PCIe 5.0 PHY and a co-verified digital controller. This comprehensive solution significantly reduces integration complexity for chip designers while providing state-of-the-art performance.

 

California’s IoT law is a good start, but more needs to be done

by Leave a Comment

Written by Paul Karazuba, head of product, Rambus Security

Passed by former California governor Jerry Brown, cybersecurity law SB-327 is slated to go into effect on January 1, 2020. This proactive legislation requires manufacturers to equip IoT devices with “reasonable” security features to prevent unauthorized access, modification and data leaks. Specifically, SB-327 requires manufacturers to implement a unique preprogrammed (default) password for each device. Additionally, manufacturers must ensure that users create a new password the first time a device is activated. Together, these steps are expected to help protect California consumers, as hackers are known to routinely target vulnerable devices shipped with generic or default login credentials.

From our perspective, SB-327 is clearly long overdue. Indeed, unprotected IoT devices continue to pose a threat to both consumer privacy and security across the country. For example, a Ring camera installed in the Memphis bedroom of a young girl was recently hijacked by a hacker who seized control of the device to spy on the 8-year-old, taunt her with music and encourage destructive behavior. Another instance of a Ring camera falling victim to a hacker was reported in December by a Houston family who heard an eerily disembodied voice ask if “anyone [was] home” and promised it was “gonna find out.”

According to various reports, the recent spate of Ring hacks likely involved basic attack techniques such as credential stuffing. This simple process involves accessing accounts with stolen account credentials and large-scale automated login requests. Consequently, Ring users who don’t enable the optional two-step authentication skip setting a unique password or recycle credentials across multiple online services, and are at a greater risk of being hacked. To be sure, malicious hackers have coded dedicated software for breaking into Ring security cameras. Beyond Ring cameras, a wide range of vulnerable consumer IoT devices are frequently targeted by hackers who actively search for devices with default or weak login credentials such as “admin” usernames and “1234” passwords.

Although SB-327 sets an important precedent by requiring a unique preprogrammed (default) password for each IoT device, we believe much more needs to be done to secure connected devices. Security starts at the hardware level, and it should begin on day one of product design. Device designers need to prioritize security as a primary design goal of a connected device; not an afterthought, and certainly not lip service. A solid start to security is basing the foundation of your security in silicon; specifically, a siloed security co-processor capable of executing all security-centric processes completely independently of the main CPU.

Our CryptoManager Root of Trust is an ideal implementation. While located on the same chip as the main CPU, its physical separation and 7 layers of hardware security ensure that secure processes remain exactly that – secure. The root of trust can better help protect consumers by enabling robust remote access authentication and monitoring of anomalous system activity. This siloed approach to security ensures that a potential compromise of the main processor does not expose critical keys and credentials – or impair the execution of security applications that monitor system operation and detect tampering.

Cybersecurity law SB-327 is a good start for California consumers, although far more needs to be done to comprehensively protect IoT devices. Implementing a unique preprogrammed (default) password for each device and requiring users to create a new password can help prevent basic attacks, although a siloed security co-processor is necessary to thwart determined adversaries and complex hacking techniques.

 

Additional Resource:
California’s IoT Law Is A Good Start, But More Needs To Be Done

Plundervolt steals keys from cryptographic algorithms

by Leave a Comment

An international team of white hat researchers has successfully corrupted the integrity of Intel Software Guard Extensions (SGX) on Intel Core processors with a software-based fault injection attack aptly dubbed “Plundervolt.” Using Plundervolt, attackers can recover keys from cryptographic algorithms (including the AES-NI instruction set extension) and induce memory safety vulnerabilities into bug-free enclave code.

As the researchers explain, Intel SGX is a set of security-related instruction codes that are integrated into modern Intel CPUs. Essentially, SGX shields sensitive operations inside so-called enclaves. In theory, the contents of these enclaves are protected and cannot be accessed or modified from outside the enclave. This includes an attacker who has root privileges in the normal (untrusted) operating system.

“[However], modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption,” the researchers state on the Plundervolt website. “To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed. But more than that, they offer the user the opportunity to modify the frequency and voltage through privileged software interfaces.”

Plundervolt, says the researchers, demonstrates how these vulnerable software interfaces can be maliciously exploited to undermine system security.

“Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt,” the researchers write in an in-depth paper detailing the exploit. “In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code.”

It should be noted that a malicious attacker does not require physical access to execute Plundervolt.

“The undervolting interface is accessible from software, so if a remote attacker can become root in the untrusted OS, [the attacker] can also mount the Plundervolt attack,” the researchers add. “In any case, attackers with physical access would also be in the threat model of SGX (e.g. to protect against malicious cloud providers).”

Protecting against Plundervolt-like techniques

Plundervolt is a technique that enables an attacker to manipulate the voltage of Intel chips and extract information by exploiting Intel’s Secure Guard Extensions (SGX) feature. Plundervolt highlights the real-world challenges of designing processors that satisfy both performance and security demands. This is because the complexity of modern CPUs creates an incalculable number of potential vulnerabilities that can be taken advantage of by an attacker.

To protect CPUs against techniques like Plundervolt, we recommend implementing a secure co-processor that is siloed away from the primary, general performance processor. A purpose-built security co-processor can be hardened against a wide range of attack vectors, including side-channel attacks and voltage manipulation. This paradigm allows the primary processor to be designed uncompromisingly for performance — with sensitive operations safeguarded in a dedicated security co-processor.

Shattering the neural network memory wall with Checkmate

by Leave a Comment

A recent paper published on arXiv by a team of UC Berkeley researchers observes that neural networks are increasingly bottlenecked and constrained by the limited capacity of on-device GPU memory. Indeed, deep learning is constantly testing the limits of memory capacity on neural network accelerators as neural networks train with high-resolution images, 3D point-clouds and long Natural Language Processing (NLP) sequence data.

“In these applications, GPU memory usage is dominated by the intermediate activation tensors needed for backpropagation. The limited availability of high bandwidth on-device memory creates a memory wall that stifles exploration of novel architectures,” the researchers explain. “One of the main challenges when training large neural networks is the limited capacity of high-bandwidth memory on accelerators such as GPUs and TPUs. Critically, the bottleneck for state-of-the-art model development is now memory rather than data and compute availability and we expect this trend to worsen in the near future.”

As the researchers point out, some initiatives to address this bottleneck focus on dropping activations as a strategy to scale to larger neural networks under memory constraints. However, these heuristics assume uniform per-layer costs and are limited to simple architectures with linear graphs. As such, the UC Berkeley team uses off-the-shelf numerical solvers to formulate optimal rematerialization strategies for arbitrary deep neural networks in TensorFlow with non-uniform computation and memory costs. In addition, the UC Berkeley team demonstrates how optimal rematerialization enables larger batch sizes and substantially reduced memory usage – with minimal computational overhead across a range of image classification and semantic segmentation architectures.

“Our approach allows researchers to easily explore larger models, at larger batch sizes, on more complex signals with minimal computation overhead,” says the UC Berkeley team.

Specifically, the paper published by the UC Berkeley team on arXiv describes a formalization of the rematerialization problem as a mixed integer linear program with significantly more flexible search space than prior work. As well, it details an algorithm to translate a feasible solution into a concrete execution plan and a static training graph – and describes an implementation of optimal tensor rematerialization in Tensorflow at runtime. Finally, it introduces Checkmate, a system that enables training models with up to 5.1× larger input sizes and up to 2.6× larger batch sizes (than prior art) at minimal overhead.

Checkmate: Breaking the Memory Wall with Optimal Tensor Rematerialization
Image Credit: Department of EECS, UC Berkeley

“Checkmate enables practitioners to train a high-resolution U-Net on a single V100 GPU with an unprecedented batch size of 57, as well as batch size of 1105 for MobileNet,” the UC Berkeley team states. “The former is 2.6× larger than the maximum batch size with prior art. Checkmate … solves for optimal schedules in reasonable times (under an hour) using off-the-shelf MILP solvers, then uses these schedules to accelerate millions of training iterations.”

The UC Berkeley research team also notes that its method scales to complex, realistic architectures and is hardware-aware via the use of accelerator-specific, profile-based cost models.

“In addition to reducing training cost, Checkmate enables real-world networks to be trained with up to 5.1× larger input sizes,” they conclude.

Commenting on the above, Steven Woo, Rambus fellow and distinguished inventor, states: “The work of the team at UC Berkeley is focused on one of the key problems facing neural networks today – how to keep up with the trend of using larger models and training sets that are growing faster than the memory capacity of individual hardware accelerators can scale. Distributing the training among multiple accelerators is one method, but communication between the accelerators reduces performance and increases the energy used. There is a clear need to do more on each accelerator if possible.”

Complete Interface Solution for PCIe 5.0 Launched

by Leave a Comment

Rambus has announced a comprehensive interface solution for PCI Express 5 (PCIe 5.0) consisting of a new PCIe 5.0 PHY and a co-verified Northwest Logic Expresso 5.0 controller.

Have you read our primer? PCI Express 5 vs. 4: What’s New? [Everything You Need to Know]

“Our high-speed SerDes and memory interface solutions make possible amazing advancements in performance-intensive applications in AI, data center, HPC, storage and networking,” said Hemant Dhulla, VP and GM of IP Cores. “Now we’ve added PCIe 5 to our industry-leading portfolio of high-speed interface solutions giving chip makers another tool to unleash the power of their designs.”

PCIe 5.0 Interface Subsystem Example
PCI Express 5 Interface Subsystem Example

With co-verified PHY and controller, Rambus greatly reduces integration complexity for chip designers. Both PHY and controller support PCI Express 5 and are backward compatible to PCIe 4.0, 3.0 and 2.0. While together they are an ideal complete solution, both PHY and controller can be paired with PIPE 5.2 – compliant 3rd-party solutions if so desired.

In addition to PCI Express 5, the Rambus PHY supports the Compute Express Link (CXL) connectivity standard. CXL is a new high-speed interconnect between CPUs and workload accelerators or other attached devices, as well as CPUs and memory. It maintains memory coherency between the CPU and attached devices. This greatly benefits accelerators used to complement CPUs in applications such as artificial intelligence and machine learning.

This latest portfolio addition highlights Rambus leadership in high-speed SerDes PHY and controller IP, leveraging the company’s long tradition of signal and power integrity expertise coupled with the design talent and products from newly acquired Northwest Logic.

Keep on reading: all the details on the PCI Express 5 interface solution

FREE Webinar: Understanding Fault Injection Attacks and Their Mitigation

Register Today