Yet another side-channel attack, this time dubbed PortSmash, has been discovered in CPUs.
The attack allows attackers to manipulate a glitch in the simultaneous multithreading (SMT) architecture used in CPUs — and siphon processed data from chips.
Several attacks have popped up over the past year using a side-channel technique, which is an attack that uses reverse-engineering to glean the information used in different types of processes. That includes systems that use memory caches (which ultimately led to the infamous Spectre/Meltdown discoveries at the beginning of the year) or, in this case, systems using SMT.
The discoverers of the attack – five researchers from the Technical University of Havana, and the Tampere University of Technology in Finland – outlined the proof-of-concept exploit in a Github post, Friday.
PortSmash Breakdown
The attack exploits a vulnerability, CVE-2018-5407, existing in the SMT process in CPUs, which enables chips to run more than one program at the same time. It does this by allowing multiple threads to run simultaneously on one core.
Researchers said they could detect and measure delays in port contention, a process that allows multiple instructions in the same processor to be assigned to various ports before they are completed.
In tracking these delays in instructions that are awaiting completion on the processor core, researchers could work backwards to “exfiltrate information from processes running in parallel on the same physical core,” Billy Brumley, one of the researchers who discovered PortSmash, said in a notice about the attack.
All chips that have SMT (including Intel’s variation of it, called hyperthreading (HT) technology, used by its chip families like Skylake and Kaby Lake) are impacted.
In a real-world situation, “it has been feared the most likely exploit is going to happen on infrastructure as a service environments, in which cloud provider hosts all the capabilities of an on-premises data center, including the servers, storage and networking hardware, and the virtualization or hypervisor layer,” Sumanth Gangashanaiah, Director of Engineering at ShieldX, told Threatpost. “An attacker can rent instances in public cloud running malicious work load looking for extraction of the crypto keys to then steal data.”
The attack can be launched against PCs or servers; and in their proof of concept (PoC) on Github, the five researchers demonstrated how they could use the side-channel attack steal an OpenSSL private key from a TLS server.
Brumley said that to fix the issue, SMT/hyperthreading needs to be disabled in the BIOS.
The flaw “can result in leakage of secret data in applications such as OpenSSL, that has secret dependent control flow at any granularity level,” according to a Friday advisory by RedHat. “In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process.”
Intel, which was notified Oct. 1 of the attack, said in a statement to Threatpost that it has received notice of the research, but stressed that it is not unique to Intel platforms. AMD did not respond to a request for comment.
“Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics (e.g. timing) of shared hardware resources,” the Intel spokesperson told us. “Software or software libraries can be protected against such issues by employing side-channel-safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.”
CVE-2018-5407 has a score of 4.8 (a moderate severity rating) on the CVSS v3 scale, with a “high” attack complexity and “law” level of privileges required.
However, there are shortcomings to PortSmash; as the attack is local “in the sense that the malicious process must be running on the same physical core as the victim,” said Brumley.
Computer scientist Colin Percival, for his part, said via Twitter that the attack is not serious enough to worry about.
I've been getting a few questions about the recent "PortSmash" vulnerability announcement. Short answer: This is not something you need to worry about. If your code is vulnerable to it, you were already vulnerable to other (easier) attacks.
— Colin Percival (@cperciva) November 2, 2018
Different From Spectre/Meltdown
Side-channel attacks impacting Intel processors have continued to crop up over the past year. However, the other attacks have impacted other areas of the chips’ technology, including Intel’s Software Guard Extensions (SGX) technology, its OS and system management mode (SMM) and hypervisor software.
Futher, previous infamous side-channel attacks including the Spectre and Meltdownattacks disclosed in January, focus on glitches in the processors’ memory through a process called speculative execution (used in microprocessors so that memory can read before the addresses of all prior memory writes are known).
That’s different than the side-channel technique used for PortSmash, which does not rely on tricking the memory in chips and instead targets processes in their hyperthreading technology.
“This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault,” an Intel spokesperson told Threatpost.