[ad_1]
A new vulnerability that affects Intel processors may allow attackers to leak encrypted data from internal processor processes.
The new vulnerability, which bears the code name PortSmash, was discovered by a team of five academics from the Tampere University of Technology in Finland and the Technical University of Havana, Cuba.
The researchers rated PortSmash as a secondary attack. In terms of computer security, a secondary channel attack describes a technique used to leak encrypted data from the memory or CPU of a computer. This technique consists of recording and analyzing differences in operating time, power consumption, electromagnetic leakage or even sound in order to obtain additional information. can help break encryption algorithms and recover data processed by the CPU.
The researchers claim that PortSmash has an impact on all processors using a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computational threads to run simultaneously on a processor core.
In simple terms, the attack works by running a malicious process alongside legitimate processes using SMT's parallel threading features. The malicious PortSmash process leaks small amounts of data from the legitimate process, thus helping an attacker rebuild the encrypted data processed in the legitimate process.
Researchers have already confirmed that PortSmash has an impact on Intel processors that support the company's Hyper-Threading (HT) technology, the proprietary implementation of SMT by Intel.
"Our attack has nothing to do with the memory subsystem or caching," said Billy Brumley, one of five researchers, referring to previous secondary channel attacks that have affected SMT architectures and HT implementation of Intel.
"The nature of the leak is due to running engine sharing on SMT architectures (for example, Hyper-Threading)." Specifically, we detect port conflicts to build a delay side channel that allows us to do more. Exfiltrate information from processes running in parallel on the same physical kernel, "Brumley added.
A research paper detailing PortSmash's vulnerability for savvy technical readers will be published on the Cryptology ePrint Archive portal in the coming days, said Brumley. ZDNet earlier today by email when we requested more details.
PoC available
His team also published proof-of-concept (PoC) code on GitHub that illustrates a PortSmash attack on the Intel Skylake and Kaby Lake processors.
The PoC steals an OpenSSL private key (<= 1.1.0h) P-384 from a TLS server by successfully exploiting PortSmash, but the attack can be modified to target any type of data.
PortSmash's PoC also requires malicious code to run on the same physical kernel as the victim, but it's not such a big obstacle for hackers.
"IaaS [Infrastructure-as-a-Service] is a scenario to make it more 'remote' "said Brumley ZDNet. "In this case, the attackers would try to co-locate the virtual machines with the victims to then run the exploit on the same physical kernel as the victim, but with a different logical kernel."
"[PortSmash] certainly does not need root privileges, "he said. Just user space ".
Researchers claim to have informed Intel's security team on Oct. 1, but that the company did not provide a fix until yesterday, by which time the results of their research had been made public. An Intel spokesperson was not available to comment on the state of the PortSmash patching process before this article was published.
AMD processors probably affected
"Our future work is exploring the capabilities of PortSmash on other architectures integrating SMT, especially on AMD Ryzen systems," said the research team in a version of their shared document with ZDNet, but Brumley told us by email that he strongly suspected that the AMD processors were also affected.
The PortSmash discovery works are also the first result of "SCARE: Parallel Security Research Software", a five-year safety research project funded by the European Council of Europe. the research.
"The goal of the project is to find new secondary channel vectors and mitigate them," Brumley explained.
It's time to end SMT / HT support
Last year, another team of researchers discovered a similar secondary channel vulnerability, TLBleed, that affects Intel's Hyper-Threading (SMT) technology. Following the discovery of TLBleed, the OpenBSD project decided to disable support for Intel's HT technology in future versions of the OpenBSD operating system, for security reasons.
"That's the main reason why we published this feat – to show how reproducible it is," Brumley told us, "and help eliminate the SMT trend in chips."
"Security and SMT are mutually exclusive concepts," he added. "I hope our work encourages users to disable SMT in the BIOS or to choose to spend their money on architectures that do not have SMT."
PortSmash is tracked in the CVE Vulnerability Tracking System with the CVE-2018-5407 identifier.
Updated November 2 at 3:20 pm ET: An Intel spokesperson provided the following statement regarding the release of the PortSmash Breakthrough Research Team results:
Intel has been notified of the search. This problem does not depend on a speculative run and is therefore not related to Spectrum, Meltdown or an L1 terminal fault. We expect that it is not unique to Intel platforms. Research on side channel analysis methods often focuses on manipulating and measuring features, such as synchronization, of shared hardware resources. Software or software libraries can be protected against such problems by using secure development practices by the secondary channels. Protecting our customers' data and ensuring the safety of our products is a top priority for Intel and we will continue to work with our customers, partners and researchers to understand and reduce the identified vulnerabilities.
RELATED COVERAGE:
Source link