Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU’s internal processes.
The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.
Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer’s memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recovering the CPU’s processed data.
Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.
In lay terms, the attack works by running a malicious process next to legitimate ones using SMT’s parallel thread running capabilities. The malicious PortSmash process than leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process.
Researchers say they’ve already confirmed that PortSmash impacts Intel CPUs which support the company’s Hyper-Threading (HT) technology, Intel’s proprietary implementation of SMT.
“Our attack has nothing to do with the memory subsystem or caching,” said Billy Brumley, one of the five researchers, referring to previous side-channel attacks that have impacted SMT architectures and Intel’s HT implementation.
“The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side-channel to exfiltrate information from processes running in parallel on the same physical core,” Brumley added.
A research paper detailing the PortSmash vulnerability in more depth for astute technical readers will be published on the Cryptology ePrint Archive portal in the coming days, Brumley told ZDNet earlier today via email when we reached out for more details.
His team also published proof-of-concept (PoC) code on GitHub that demonstrates a PortSmash attack on Intel Skylake and Kaby Lake CPUs.
The PoC steals an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server by successfully exploiting PortSmash, but the attack can be modified to target any type of data.
The PortSmash PoC also requires malicious code to be running on the same physical core as the victim, but this isn’t such a big hurdle for attackers.
“IaaS [Infrastructure-as-a-Service] is one scenario to make it more ‘remote’,” Brumley told ZDNet. “There, attackers would try to co-locate VMs with victims to end up running the exploit on the same physical core as the victim, but different logical core.”
“[PortSmash] definitely does not need root privileges,” he said “Just user space.”
Researchers say they notified Intel’s security team last month, on October 1, but the company has not provided a patch until yesterday, the date on which researchers went public with their findings. An Intel spokesperson was not available for comment regarding the state of the PortSmash patching process before this article’s publication.
AMD CPUs likely impacted
“We leave as future work exploring the capabilities of PortSmash on other architectures featuring SMT, especially on AMD Ryzen systems,” the research team said in a version of their paper shared with ZDNet, but Brumley told us via email that he strongly suspects that AMD CPUs are also impacted.
The work behind discovering PortSmash is also the first result of “SCARE: Side-Channel Aware Engineering,” a five-year security research project funded by the European Research Council.
“The goal of the project is to find new side-channel vectors and mitigate them,” Brumley told us.
Time to end SMT/HT support
Last year, another team of researchers found a similar side-channel vulnerability named TLBleed impacting Intel’s Hyper-Threading (SMT) technology. Following the discovery of TLBleed, the OpenBSD project decided to disable support for Intel’s HT technology in upcoming versions of the OpenBSD operating system, on the grounds of security.
“This is the main reason we released the exploit — to show how reproducible it is,” Brumley told us, “and help to kill off the SMT trend in chips.”
“Security and SMT are mutually exclusive concepts,” he added. “I hope our work encourages users to disable SMT in the BIOS or choose to spend their money on architectures not featuring SMT.”
PortSmash is tracked in the CVE vulnerability tracking system with the CVE-2018-5407 identifier.