Author

Topic: Intel CPUs fall to new hyperthreading exploit that pilfers crypto keys (Read 221 times)

hero member
Activity: 1834
Merit: 759
Luckily patches are easily rolling out from processor manufacturers but then again, if hackers can plant such exploits on your machine at that level, most probably they can target any other part of your hardware and do it all over again.

They apparently aren't patching it because they believe cache-snooping mitigations are enough to solve the problem:

https://hothardware.com/news/intel-no-plans-patch-tlbleed-hyper-threading-cpu-exploit

That was a while ago though, so maybe they've already taken steps I'm not aware of. But yeah, at the end of the day, it's just malware that you can avoid getting infected with with some precautions.
legendary
Activity: 3024
Merit: 2148
Since the article says that servers are the most affected by this, this should be a warning to businesses that choose to outsource running Bitcoin nodes and processing transactions to third parties. If some cloud provider will get hacked due to this bug, many hot wallets will get hacked in short time. Bitcoin is only decentralized and trustless if you run your own full node, otherwise the experience quickly starts to resemble a bank-client relationship.
legendary
Activity: 2170
Merit: 1427
For crypto users it a bit alarming because they are most likely to use their private keys online and turning to offline wallets is a most secure way to keep it safe.

Most crypto users are on the wrong side of the fence already.

Seriously, what average person is going to verify if a client they installed generates truly random keys? More importantly, what average person has the knowledge to do so?

I'm certain that even most of the longer term members here don't properly take care of storage and key generation. They just assume everything is done in a secure manner because they haven't faced any problems yet, which is quite dangerous actually.

I always have a non secured/encrypted bait wallet file containing a decent chunk of Bitcoin on my computer, all to see if there is some shady shit going on with my computer.
member
Activity: 462
Merit: 11
For crypto users it a bit alarming because they are most likely to use their private keys online and turning to offline wallets is a most secure way to keep it safe. As for the exploit it just means that the developers for Intel and AMD should up their security features for their CPUs.
legendary
Activity: 3542
Merit: 1352
Cashback 15%
And now I feel proud that I still have a Haswell processor (i7-4790k) running on my machine wherein I still connect my external hard drive for storage purposes of some sensitive information (not porn lol). If cryptographic exploits exist on hardware level, most especially on processor-level, this should be a cause for concern since this is probably the most technical and vital part of every single computer running nowadays. Luckily patches are easily rolling out from processor manufacturers but then again, if hackers can plant such exploits on your machine at that level, most probably they can target any other part of your hardware and do it all over again.
hero member
Activity: 1834
Merit: 759
I'd like to note that this can't necessarily steal Bitcoin private keys because Bitcoin uses a different signing implementation. It's still a cause for concern though. All of these vulnerabilities just highlight the importance of setting up an offline wallet for your funds. Online is a bad place for private keys to be, no matter how safe you think you are.
member
Activity: 420
Merit: 10
“Tackling Climate Change Using Blockchain”
Thanks for this wonderful idea. I have never heard about this until you posted it here. I am a computer enthusiast and likes to learn more about computers and how it functions. Talking about security not only for cryptocurrency, this seems to me a very bad situation if this vulnerability can't be fixed. Well perhaps this might be a bit hard to do for an ordinary hacker that is why they just don't really bother on this for now. I also heard about the virus that went undetected by residing on the bios of a computer. They seem to be almost the same in terms of concealing their codes. Hope this can be addressed soon to prevent further bad security implications.
legendary
Activity: 2562
Merit: 1441
Quote
Side-channel leak in Skylake and Kaby Lake chips probably affects AMD CPUs, too.

Over the past 11 months, the processors running our computers, and in some cases phones, have succumbed to a host of attacks. Bearing names such as Meltdown and Spectre, BranchScope, TLBleed, and Foreshadow, the exploits threaten to siphon some of our most sensitive secrets—say passwords or cryptographic keys—out of the silicon microarchitecture in ways that can’t be detected or stopped by traditional security defenses. On Friday, researchers disclosed yet another leak that has already been shown to exist on a wide range of Intel chips and may also affect other makers, too.

PortSmash, as the new attack is being called, exploits a largely overlooked side-channel in Intel’s hyperthreading technology. A proprietary implementation of simultaneous multithreading, hyperthreading reduces the amount of time needed to carry out parallel computing tasks, in which large numbers of calculations or executions are carried out simultaneously. The performance boost is the result of two logical processor cores sharing the hardware of a single physical processor. The added logical cores make it easier to divide large tasks into smaller ones that can be completed more quickly.

Port contention as a side channel
In a paper scheduled for release soon, researchers document how they were able to exploit the newly discovered leak to recover an elliptic curve private key from a server running an OpenSSL-powered TLS server. The attack, which was carried out on servers running Intel Skylake and Kaby Lake chips and Ubuntu, worked by sending one logical core a steady stream of instructions and carefully measuring the time it took for them to get executed.

The specific timing allowed PortSmash to deduce the key being processed in another logical core of the same processor. The resource providing the leak is port contention, a phenomenon that happens when multiple instructions using the same physical processor resources get assigned to various ports to await completion. The vulnerability is indexed as CVE-2018-5407. It affects PCs as well as servers, although the vector for exploit generally favors the latter.


“Our technique can choose among several configurations to target different configurations to target different ports in order to adapt to different scenarios, thus offering a very fine spatial granularity,” the researchers wrote in the paper. “Additionally, PortSmash is highly portable and its prerequisites for execution are minimal, i.e., does not require knowledge of memory cache-lines, eviction sets, machine learning techniques, nor reverse engineering techniques.”

In an email, Billy Bob Brumley, a professor at the Tampere University of Technology in Finland and one of the authors of the paper, said he expects that chips beyond the Skylake and Kaby Lake architectures are similarly vulnerable with slight modifications to the attack code. “We strongly suspect AMD Ryzen architectures which feature SMT are vulnerable, but we leave that for future work,” he wrote. “(The real reason is we don’t have the [hardware] to test it on at the moment, so we have to wait.)”

Brumley said the most likely real-world scenario for maliciously exploiting the vulnerability is in so-called infrastructure as a service environments, in which a cloud provider hosts all the trappings of an on-premises data center, including the servers, storage and networking hardware, and the virtualization or hypervisor layer.

“Personally speaking, I feel remote login scenarios are the biggest targeted threat,” Brumley wrote. “Here, a [malicious] user with credentials logs in (e.g. via SSH), compiles the exploit code, and runs it to extract information from other processes running in parallel.”

Brumley said the exploit was written in x64 assembly code that runs locally on a vulnerable computer. He said he knows of no evidence the results can currently be reproduced using JavaScript downloaded from a website. Given the ability of Spectre to be exploited in JavaScript, it remains a possibility. The researchers' proof-of-concept exploit is available here.

In a statement, Intel officials wrote:

Quote
This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.

Hyperthreading under the gun
PortSmash is the second processor attack that targets hyperthreading. TLBleed disclosed in June also used hyperthreading to determine a private encryption key. The researchers developing that attack ran a program calculating cryptographic signatures using the Curve 25519 EdDSA algorithm implemented in libgcrypt on one logical core and their attack program on the other logical core. They were able to determine the 256-bit encryption key used to calculate the signature with a combination of two milliseconds of observation, followed by 17 seconds of machine-learning-driven guessing and a final fraction of a second of brute-force guessing. The side channel in that case was provided by the translation lookaside buffer.

TLBleed was worrisome enough to prompt developers to disable hyperthreading in OpenBSD, the operating system that prioritizes security. Brumley also recommended that users disable SMT in their BIOS or choose platforms that don’t offer it at all. Better yet, he told Ars, OS developers should disable SMT at boot time.

On a vulnerability disclosure group thread discussing PortSmash, Alexander Peslyak, the security specialist better known as Solar Designer, praised the research as “top notch.” He then said that the port contention side-channel has long been obvious and “a fully expected property.”

“Maybe the problem is it wasn’t documented as such,” he wrote. “Maybe we should have put more effort into making it more obvious to everyone in 2005, like it’s finally done now.”

Peslyak went on to say that the version of OpenSSL exploited by PortSmash was doing things that in theory could leak keys even when SMT is turned off, albeit at a pace that would require much more time and many more resources.

An OpenSSL bug, too
Paul Kocher, the cryptography security expert who discovered Spectre, agreed that a key weakness that makes PortSmash so alarming was the way OpenSSL carried out sensitive operations using branch instructions that’s based on secret values.

“This kind of leakage is something that crypto library authors already understand pretty well and know they need to protect against,” Kocher wrote in an email “E.g. it’s typically assumed that any situation where secrets to affect the control flow, such as the condition for a branch, needs to be avoided. As a result, I’d say that this work describes an OpenSSL bug that can be exploited using well-known issues with hyperthreading (and perhaps other ways as well, e.g. branch predictor state).”

OpenSSL developers have since released an update that makes PortSmash infeasible. While details weren’t immediately available, they likely involve changes in the way OpenSSL uses, or interacts with, SMT.

The PortSmash paper, titled Port Contention for Fun and Profit, continues to recommend fully disabling SMT, not only to blunt the threat of PortSmash, but also those of TLBleed and two similar attacks known as CacheBleed and MemJam. But the authors go on to recognize the performance loss the countermeasure will have on thread-intensive applications.[/b] A defense that would have less of a performance cost is a proposed change to OSes to support logical core isolation requests that apps could make when carrying out sensitive tasks. The selective SMT disabling would inflict a much lower performance penalty, but it also requires a large upfront investment in the form of changes to OSes and the code libraries.

Another approach the authors recommend is for applications to use port-independent code, which “can be achieved through secret-independent execution flow secure coding practices, similar to constant-time execution.”

To repeat a point made earlier, PortSmash currently poses a threat mainly to people using computers or services that allow untrusted people to use the same physical processor. These users should pay close attention to the research and carefully consider the recommendations. For the time being, the risk to others is likely low, but that could change with more research.

https://arstechnica.com/information-technology/2018/11/intel-cpus-fall-to-new-hyperthreading-exploit-that-pilfers-crypto-keys/

....

More vulnerabilities. Some are recommending end users disable hyperthreading or SMT (simultaneous multi threading?) on devices where security is a top priority to maintain system integrity.

To a degree, computer security depends on exploits to push standards higher. We've seen virus and malware authors write relatively harmless code in the past, in an effort to compel vendors to fix vulns before they develop into real issues. It would seem this has been an issue since 2005 but for whatever reason, the topic went neglected and ignored and hasn't been addressed until now.
Jump to: