New Details Leak on Security Flaw That Led OpenBSD to Disable Hyper-Threading
Last week, the head of OpenBSD development, Theo de Raadt, told the press that the OS project he leads would no longer enable Hyper-Threading on Intel processors because of security issues. A full paper is due to be released in August at the Black Hat security conference. All de Raadt has said is that the issue is related to simultaneous multi-threading and that it impacted Intel CPUs.
“In particular, it is ill-advised to run different security domains (address spaces) on a pair of hyperthread CPUs,” he said. “Maybe there are other ways to resolve this problem, but Intel isn’t sharing solutions with us. We have selected the expedient approach of disabling hyperthreading until we know more.”
Last week, researchers at VU Amsterdam disclosed a new vulnerability dubbed TLBleed that leverages side-channel vulnerabilities and Hyper-Threading to read data out of the translation lookaside buffer, or TLB cache inside Intel CPUs, The Register reported. The TLB cache isn’t like the L1 or L2 caches used inside a conventional microprocessor. Instead, the TLB is used to cache maps of the tables that convert virtual memory addresses into the actual physical locations where data is stored in RAM. The most commonly-used maps are stored within the TLB.
As with the other side channel attacks we’ve discussed, there’s a gap here that can be exploited. A ‘fast’ access (the data to be looked-up is already stored within the TLB) is going to have slightly different characteristics than a ‘slow’ access, in which the CPU must go and search the full tables rather than the handful of frequently-accessed maps that were stored within the TLB itself. In the test case, the researchers were able to implement a strategy in which the Curve 25519 EdDSA algorithm (using libcrypt) was implemented and run on one core, while the second core ran an attack program. The attack program was capable of determining the 256-bit key used to calculate the signature in 99.8 percent of tests on a Skylake Core i7-6700K, 98.2 percent of tests on an Intel Broadwell Xeon E5-2620v4, and 99.8 percent on a Coffee Lake CPU. The keys can be leaked via the side channel based less on which TLB entries are changed but when they changed.
“The end-to-end attack time is composed of: 2ms of capture time; 17 seconds of signals analysis with the trained classifier; and a variable amount of brute-force guessing with a median work factor of 213, taking a fraction of a second,” the team – Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida – stated in their paper.
This may not represent a major flaw, and Intel doesn’t seem particularly concerned about it. One of the authors of the report has published a tweet to this effect:
time but not data flow is unsafe; (c) coarse-grained access patterns leak more than was previously thought. But don't panic, while a cool attack, #tlbleed is not the new #Spectre. Full details and paper out next week. cc @vu5ec @c_giuffrida @gober @herbertbos 2/2
— Ben Gras (@bjg) June 22, 2018
Intel has also released a statement:
Intel has received notice of research from Vrije Universiteit Amsterdam, which outlines a potential side-channel analysis vulnerability referred to as TLBleed. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre or Meltdown. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics (e.g. timing) of shared hardware resources. These measurements can potentially allow researchers to extract information about the software and related data. TLBleed uses the Translation Lookaside Buffer (TLB), a cache common to many high performance microprocessors that stores recent address translations from virtual memory to physical memory. Software or software libraries such as Intel® Integrated Performance Primitives Cryptography version U3.1 – written to ensure constant execution time and data independent cache traces -should be immune to TLBleed. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.
Ars Technica suggests that while TLBleed is a new side channel attack, it isn’t more powerful than known side-channel attacks. It’s also not clear if it impacts more than cryptography. As Ars writes: “It’s a problem for crypto; it’s probably not a problem for everyone.”
It isn’t known, at this juncture, whether CPUs from AMD are impacted. They also implement SMT, but do so in a manner that is different from Intel’s implementation.
Continue reading
The Best Smart Home Security Systems
Once a niche business with a few traditional players and some startups, home security systems are now a major battleground for not just security companies, but several internet giants. We round up highlights of the most popular options for 2020.
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
SolarWinds, the company at the center of the massive hack that hit US government agencies and corporations, doesn't exactly use cutting-edge password techniques.
A File Sharing App With 1 Billion Downloads Has a Major Security Flaw
Trend Micro says SHAREit is a security nightmare that could allow intruders to sneak a peek at your data or even install malware. Perhaps most troublingly, the developers have not responded to Trend Micro's warnings.