Current LVI attack demos rely on running malicious code on a computer, suggesting that local access is needed -- such as delivering malicious code to the target via malware.Intel released mitigation code but security researchers believe the flaw can only be fully solved via hardware-level fixes, making it basically unfixable in current processors. The mitigation also comes with a very high performance cost.
However, according to preliminary tests, these mitigations come with a severe performance impacted that may slow down computations from 2 to 19 times, depending on the number of mitigations system administrators decide to apply to their CPUs.Intel downplays the severity of the LVI attack and security researchers point out that the attack is indeed difficult to pull off:
"Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real-world environments where the OS and VMM are trusted," an Intel spokesperson told ZDNet in an email last week.
"Agree with Intel," Bogdan Botezatu, Director of Threat Research and Reporting, told ZDNet yesterday. "This type of attack is much harder to pull off in practice, compared with other side-channel attacks such as MDS, L1TF, SWAPGS."