Specialists from the Tampere University of Technology and the University of Technology in Havana discovered a new bug in the Intel Skylake and Kaby Lake processors related to the simultaneous multithreading (SMT) technology, also known as Hyper-Threading in the proprietary Intel implementation.
The problem was called PortSmash and identifier CVE-2018-5407. The researchers explain that this is another attack on a side channel (side-channel) for which Intel solutions are vulnerable.
Let me remind you that SMP allows you to turn the physical core of the processor into two logical cores, allows you to work with multiple threads and increase performance. The essence of the PortSmash problem is that on all processors with SMT support, a malicious process running side by side with a legitimate process can “merge” small portions of data from this neighboring legitimate process. Thus, the attacker can extract and reconstruct the encrypted data of any legitimate process.
The researchers say that their method has nothing to do with memory subsystems and caching, referring to previously discovered side-channel attacks that also affected SMT and Hyper-Threading.
A proof-of-concept exploit for PortSmash has already been published on GitHub, which demonstrates an attack on Intel's Skylake and Kaby Lake processors. Now the exploit is configured to steal the OpenSSL private key (<= 1.1.0h) P-384 from the TLS server, but it can be modified to perform other tasks. In addition, for successful operation, PoC problems should work on the same physical core as the target process, but researchers write that it is not so difficult to organize it.
"One of the possible attack scenarios – IaaS [Infrastructure-as-a-Service], it will allow to make the attack more “remote”. In addition, PortSmash definitely does not require root privileges, only user space, ”say experts.
In addition, experts from the Tampere University of Technology and the University of Technology in Havana warn that PortSmash is likely to be a danger to other architectures using SMT. That is, AMD processors (in particular, AMD Ryzen) are probably also subject to the problem.
Intel engineers were notified of the problem a month ago, but the patch for the problem appeared only yesterday, after experts publicly announced the vulnerability. A detailed report on PortSmash will be published on the Cryptology ePrint Archive portal in the coming days.
It is worth saying that the technology of simultaneous multithreading, hyper-threading and Intel engineers are far from being criticized. For example, last month, Theo de Raadt, the leader of the OpenBSD project, spoke rather sharply on this topic. He said that after the recent discovery of Specter class vulnerabilities, called Foreshadow, the developers decided to completely abandon the use of SMT after the release of OpenBSD 6.4.
More hardware bugs and artifacts will be revealed. Given how SMT interacts with speculative computing on Intel processors, I expect that SMT will only exacerbate most of these future problems, ”wrote Theo de Raadt.