Behind the Naming of ZombieLoad and Other Intel Spectre-Like Flaws | Threatpost

There was a lot more to the name game behind choosing titles for ZombieLoad, Spectre and Meltdown than picking cool and edgy attack titles. If you have ever wondered why they were named what they were, Threatpost tracked down one of the researchers behind the naming convention (and discovery) and found out.

Much like the funky titles of advanced persistent threat groups, these speculative execution attacks, which impact Intel CPUs, are often named to reflect the impact behind the vulnerabilities, their attributes and how the attack processes work.

“We always try to come up with names that somehow resemble the nature of the attack,” Daniel Gruss, a security researcher from the Graz University of Technology and one of the founders of the ZombieLoad flaw, told Threatpost in a recent podcast interview.

ZombieLoad came to the forefront after a new class of side channel vulnerabilities impacting all modern Intel chips was disclosed last week, which can use speculative execution to potentially leak sensitive data from a system’s CPU. The flaws derive from a process called speculative execution in processors. This process –thrown into the spotlight after the 2018 Spectre and Meltdown flaws came to light – is used in microprocessors so that memory can read before the addresses of all prior memory writes are known.

When it comes to ZombieLoad, “the nature of the attack is also something which fits the name very well,” said Gruss. That’s because the attack relies on the processor sending multiple load requests out to load data (instead of loading data once), as a result of the chip carrying out processes that will work in the most optimistic, opportunistic way, said Gruss.

While sending out multiple load requests makes the CPU more efficient, the additional load opens the door for cause data leakage – and in addition, that extra load request doesn’t do anything very meaningful because it’s already clear that this doesn’t have the right data, he said.

“This is why we call it the Zombieload, because it runs a bit headless around and loads data that it shouldn’t load and provides it to us then,” said Gruss.

In addition to the technical details of the attack, Gruss also looked at the impact of ZombieLoad while thinking of names – particularly because, like a zombie, the attack is much more difficult to kill.

“With Zombieload, it’s a bit different,” he said. “It’s not a spectre, so it’s not something that will haunt us and it’s also not a meltdown, which is a very, very significant, imminent threat. But the Zombieload is rather something that you suddenly discover maybe in a cellar, maybe some loads rising from their graves. Also, it’s difficult to kill. It’s much more difficult to kill than the Meltdown attacks.”

(Find the full podcast interview with Daniel Gruss above, as well as a transcript of the interview here.)

It’s not just ZombieLoad – since the Spectre and Meltdown speculative execution attacks were disclosed in January 2018, an array of other flaws have been disclosed with their own unique names – including Foreshadow (so named because the attack is can be abused to “reconstruct secrets from future instructions”) and Fallout (researchers said they started working on Fallout imminently after Meltdown, and Fallouts are typically a direct consequence of Meltdowns).

Spectre and Meltdown, for their part, have their own history behind their names.

The idea for naming Spectre after a ghost – also known by its logo, of a malevolent-looking ghost with a stick in its hand – came from from Paul Kocher, one of the collaborating researchers who discovered the flaw.

“The reasoning behind the name was that Spectre is … it’s not a nice spectre,” Gruss told Threatpost. “It’s one that holds a branch in a hand ready to hit someone, so it’s really a nasty spectre. Spectre is also something that might haunt you, and we believe that the Spectre attack will haunt us for several years. And so, we won’t have this one solved in several years.”spectre meltdown zombieload name

Meltdown, meanwhile, was so named because the vulnerability “melts security boundaries which are normally enforced by the hardware.” But beyond that, unlike Spectre, the attack can be fixed and won’t haunt users for years to come, said Gruss.

“For Meltdown, this was something where we saw it is something really dangerous. It has a huge impact right now, but as soon as we have fixed it, it’s not a problem anymore,” said Gruss. “As soon as we have fixed it, we can forget about it, basically. This is exactly also what we thought is the Meltdown attack. We discovered this. We had a counter measure. As the counter measure was deployed, no one had to worry about the attack anymore.”

As some of these names suggest, looking forward, when it comes to side channel speculative execution flaws, “I think we are going to see more and more of these vulnerabilities,” Gruss said.

“I think as more flaws are discovered, more people realize that this is an area that you should look at, and more people will look at that in the future. I think this area will establish itself similar as other areas like software-based attacks, software flaws,” he said.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.