A team of security researchers has discovered another serious side-channel vulnerability in Intel CPUs that could allow an attacker to sniff out sensitive protected data, like passwords and cryptographic keys, from other processes running in the same CPU core with simultaneous multi-threading feature enabled.
The vulnerability, codenamed PortSmash (CVE-2018-5407), has joined the list of other dangerous side-channel vulnerabilities discovered in the past year, including Meltdown and Spectre, TLBleed, and Foreshadow.
Discovered by a team of security researchers from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, the new side-channel vulnerability resides in Intel’s Hyper-Threading technology, the company’s implementation of Simultaneous MultiThreading (SMT).
Simultaneous MultiThreading is a performance feature that works by splitting up each physical core of a processor into virtual cores, known as threads, allowing each core to run two instruction streams at once.
Since SMT runs two threads in two independent processes alongside each other in the same physical core to boost performance, it is possible for one process to see a surprising amount of what the other is doing.
“We recently discovered a new CPU microarchitecture attack vector. The nature of the leakage is due to execution engine sharing on SMT (e.g., Hyper-Threading) architectures,” the team says.
“More specifically, we detect port contention to construct a timing side channel to exfiltrate information from processes running in parallel on the same physical core.”
Thus, an attacker can run a malicious PortSmash process alongside a selected victim process on the same CPU core, allowing the PortSmash code to snoop on the operations performed by the other process by measuring the precise time taken for each operation.
PortSmash Attack to Steal OpenSSL Decryption Keys
As a proof-of-concept released on Github, researchers tested the PortSmash attack against OpenSSL (version <= 1.1.0h) cryptography library and were successfully able to steal the private decryption key using a malicious process (exploit) running on the same physical core as the OpenSSL thread (victim).
While the PortSmash attack has been confirmed to work on Intel’s Kaby Lake and Skylake processors at this moment, researchers “strongly suspected” the attack to work on other SMT architectures, including AMD’s, with some modifications to their code.
In August this year, after TLBleed and ForeShadow attacks were unveiled, Theo de Raadt, the founder of OpenBSD and leader at OpenSSH projects, advised users to disable SMT/Hyperthreading in all Intel BIOSes.
“SMT is fundamentally broken because it shares resources between the two CPU instances and those shared resources lack security differentiators,” Theo said.
He also suspected that “there will be more hardware bugs and artifacts disclosed. Due to the way SMT interacts with speculative execution on Intel CPUs, I expect SMT to exacerbate most of the future problems.”
How to Protect Your Systems Against PortSmash Attack
Researchers reported the new side-channel vulnerability to Intel security team early last month, but when the company failed to provide the security patches until 1 November, the team went public with the PoC exploit.
The team has also promised to release detailed paper on the PortSmash attack, titled Port Contention for Fun and Profit, in the coming days.
The simple fix for the PortSmash vulnerability is to disable SMT/Hyper-Threading in the CPU chip’s BIOS until Intel releases security patches. OpenSSL users can upgrade to OpenSSL 1.1.1 (or >= 1.1.0i if you are looking for patches).
In June this year, the OpenBSD project disabled Intel’s Hyper-Threading to prevent its users from previously disclosed Spectre-class attacks, as well as future timing attacks.
AMD is investigating the PortSmash side-channel vulnerability report to know any potential AMD product susceptibility.