Researchers Exploit Another Intel Hyper-Threading Flaw
Five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, have discovered yet another flaw in Intel’s Hyper-Threading (HT) technology that attackers could use to steal users’ encrypted data, as reported by ZDNet today.
Other CPUs that use Simultaneous Multithreading (SMT) technology may also be affected by the bug, but so far only Intel’s HT has been confirmed as vulnerable. SMT and HT are technologies that allow two or multiple computing threads to be executed on the same CPU core. Intel enables two threads per physical core with its HT technology.
More Threads, More Danger
The five researchers found a new vulnerability in Intel’s HT technology that can leak encrypted data from the CPU’s internal processes. They classified the vulnerability as a side-channel attack because attackers could use discrepancies in operation times or power consumption to gain additional information that could help them bypass the encryption of data.
The vulnerability, which the researchers nicknamed PortSmash, allows attackers to create a malicious process that can run alongside another legitimate process using HT’s parallel thread running capabilities. This malicious process can then leak information about the legitimate process and allow the attacker to reconstruct the encrypted data processed inside the legitimate process.
Attack PoC Made Available
The researchers also made available the proof of concept (PoC) for the attack, showing that it is indeed feasible and not just theoretical. This PoC can now also be re-purposed and modified by attackers to launch a real attack against owners of systems using Intel CPUs.
Attacks will require malicious code to be already running on users’ machines, but the researchers noted that administrative privileges are not required. Therefore, it shouldn’t be too difficult to apply the attack in practice.
The attack should be especially more effective against web hosting and cloud services that share the same physical core with multiple users, thus increasing the chance for a successful PortSmash attack.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Intel made a patch available to motherboard OEMs yesterday when the researchers made the flaw public. In a statement, Intel encouraged app developers to also use code that is not vulnerable to side-channel attacks, but that may be easier said than done:
"Intel received notice of the research. This issue is not reliant on speculative execution and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified," Intel said in a statement.
Second Flaw Found in Intel HT This Year
PortSmash is the second major vulnerability found in Intel’s HT (and potentially other SMT technologies) this year. The first one was Foreshadow, or the L1 Terminal Fault (L1TF) flaw, which prompted the founder of the security-oriented OpenBSD operating system to disable support for Intel’s HT in new versions of the operating system.
Intel itself may have started to listen to this advice, as the company’s Core i7-9700K will be the first Core i7 in the company’s history to ship without HT.
-
stdragon It's hypothetical. They haven't cracked an encrypted session; and I doubt they'll ever be able too. That said, again, Theo de Raadt already pointed out that SMT was susceptible to side-channel exploits.Reply
https://marc.info/?l=openbsd-tech&m=153504937925732&w=2
August 23, 2018
"Two recently disclosed hardware bugs affected Intel cpus:
- TLBleed
- T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this
bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround,
*AND* the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two
cpu instances and those shared resources lack security differentiators.
Some of these side channel attacks aren't trivial, but we can expect
most of them to eventually work and leak kernel or cross-VM memory in
common usage circumstances, even such as javascript directly in a
browser.
There will be more hardware bugs and artifacts disclosed. Due to the
way SMT interacts with speculative execution on Intel cpus, I expect SMT
to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all
Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS."
-
jpe1701 Yeah I'm sure that's why there's no hyperthreading on the 9700k. That's a good one. That Intel, they're so good to their customers.Reply -
SkyBill40 While I know AMD isn't out of the woods here seeing that they use SMT, since nothing was yet stated as affecting their CPUs, this can't be anything but a blessing for them and another bad beat for Intel. If they don't develop a new architecture and soon, OS patches and BIOS updates are going to become as frequent as changing one's socks.Reply -
jimmysmitty 21453323 said:It's hypothetical. They haven't cracked an encrypted session; and I doubt they'll ever be able too. That said, again, Theo de Raadt already pointed out that SMT was susceptible to side-channel exploits.
https://marc.info/?l=openbsd-tech&m=153504937925732&w=2
August 23, 2018
"Two recently disclosed hardware bugs affected Intel cpus:
- TLBleed
- T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this
bug, more aspects are surely on the way)
Solving these bugs requires new cpu microcode, a coding workaround,
*AND* the disabling of SMT / Hyperthreading.
SMT is fundamentally broken because it shares resources between the two
cpu instances and those shared resources lack security differentiators.
Some of these side channel attacks aren't trivial, but we can expect
most of them to eventually work and leak kernel or cross-VM memory in
common usage circumstances, even such as javascript directly in a
browser.
There will be more hardware bugs and artifacts disclosed. Due to the
way SMT interacts with speculative execution on Intel cpus, I expect SMT
to exacerbate most of the future problems.
A few months back, I urged people to disable hyperthreading on all
Intel cpus. I need to repeat that:
DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS."
I just wonder is this is Intel SMT specific or all SMT. And does it affect older implementations of SMT considering that SMT has changed a lot since it first debut.
21453496 said:While I know AMD isn't out of the woods here seeing that they use SMT, since nothing was yet stated as affecting their CPUs, this can't be anything but a blessing for them and another bad beat for Intel. If they don't develop a new architecture and soon, OS patches and BIOS updates are going to become as frequent as changing one's socks.
Thats part of my question too though. Are these same researchers testing AMD also or just Intel? While it is different AMDs current implementation of SMT is the similar to Intels so it could be vulnerable to the same attacks or even ones Intel may not be.
The uASrch is not really part of it though. SMT is a feature Intel could easily bake out of the Core arch, remember when Intel went dual core they dropped HT from the Netburst arch. -
SkyBill40 21453804 said:21453496 said:While I know AMD isn't out of the woods here seeing that they use SMT, since nothing was yet stated as affecting their CPUs, this can't be anything but a blessing for them and another bad beat for Intel. If they don't develop a new architecture and soon, OS patches and BIOS updates are going to become as frequent as changing one's socks.
Thats part of my question too though. Are these same researchers testing AMD also or just Intel? While it is different AMDs current implementation of SMT is the similar to Intels so it could be vulnerable to the same attacks or even ones Intel may not be.
The uASrch is not really part of it though. SMT is a feature Intel could easily bake out of the Core arch, remember when Intel went dual core they dropped HT from the Netburst arch.
One would certainly hope so for the sake of thoroughness and accuracy. I do know that the main nasties in Spectre, Meltdown, and Heartbleed really didn't play rough on AMD due to the way their architecture is designed; however, that's not to say that they escaped unscathed as we did see OS related patches come about and largely just in case. Even as overblown as the whole "Ryzenfall" mess was by that halfwit group from CT Labs, AMD saw fit to investigate it and patch.
If Intel wants to bake out the SMT as you mentioned, they'll have to do that as another 14nm revision unless they make the change on whatever they release as a completely new build and we all know how they're struggling mightily with progress towards 10nm.
-
emeralds1000000 Intel itself may have started to listen to this advice, as the company’s Core i7-9700K will be the first Core i7 in the company’s history to ship without HT.
yea Right , how about the tons of Xeons CPU ? in which security is far more important than gaming PCs ? what advice and what "listened" and what i7 9700K ???
this is a Serious issue that concern Servers and Huge companies alot. and not the gamers.