Researchers Exploit Another Intel Hyper-Threading Flaw

Five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, have discovered yet another flaw in Intel’s Hyper-Threading (HT) technology that attackers could use to steal users’ encrypted data, as reported by ZDNet today. 

Other CPUs that use Simultaneous Multithreading (SMT) technology may also be affected by the bug, but so far only Intel’s HT has been confirmed as vulnerable. SMT and HT are technologies that allow two or more hardware threads to execute on the same physical CPU core. Intel’s HT implementation runs two threads per physical core.

More Threads, More Danger

The five researchers found a new vulnerability in Intel’s HT technology that can leak encrypted data from the CPU’s internal processes. They classified it as a side-channel vulnerability because attackers can observe discrepancies in operation timing or power consumption to gain additional information that helps them bypass the encryption of the data.

The vulnerability, which the researchers nicknamed PortSmash, lets an attacker run a malicious process alongside a legitimate process on the same physical core, using HT’s ability to execute two threads in parallel. The malicious process can then leak information about the legitimate process and allow the attacker to reconstruct the encrypted data that the legitimate process handles.

Attack PoC Made Available

The researchers also made available the proof of concept (PoC) for the attack, showing that it is indeed feasible and not just theoretical. This PoC can now also be re-purposed and modified by attackers to launch a real attack against owners of systems using Intel CPUs.

Attacks will require malicious code to be already running on users’ machines, but the researchers noted that administrative privileges are not required. Therefore, it shouldn’t be too difficult to apply the attack in practice.

The attack should be especially effective against web hosting and cloud services that share the same physical core among multiple users, which increases the chance of a successful PortSmash attack.

Intel made a patch available to motherboard OEMs yesterday, when the researchers made the flaw public. In a statement, Intel also encouraged application developers to use code that is not vulnerable to side-channel attacks, but that may be easier said than done:

"Intel received notice of the research. This issue is not reliant on speculative execution and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified," Intel said in a statement. 

Second Flaw Found in Intel HT This Year

PortSmash is the second major vulnerability found in Intel’s HT (and potentially other SMT technologies) this year. The first one was Foreshadow, or the L1 Terminal Fault (L1TF) flaw, which prompted the founder of the security-oriented OpenBSD operating system to disable support for Intel’s HT in new versions of the operating system.

Intel itself may have started to listen to this advice, as the company’s Core i7-9700K will be the first Core i7 in the company’s history to ship without HT.
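The OpenBSD response described above is simply to run with SMT off. As an added example that is not part of the article, the following POSIX shell script reports whether a Linux host currently has SMT active and shows the kernel control for switching it off; it assumes Linux 4.19 or later for the /sys/devices/system/cpu/smt files and falls back to the per-core topology files on older kernels.

```shell
#!/bin/sh
# Added example: detect and disable SMT / Hyper-Threading on Linux via sysfs.
# Assumes the standard Linux sysfs layout (smt/ files exist on kernels >= 4.19).

# smt_state [SYSFS_ROOT] -> prints "on", "off" or "unknown" (root defaults to /sys)
smt_state() {
    root="${1:-/sys}"
    active="$root/devices/system/cpu/smt/active"
    if [ -r "$active" ]; then
        if [ "$(cat "$active")" = "1" ]; then echo on; else echo off; fi
        return 0
    fi
    # Fallback: a core that lists two or more sibling threads ("0,4" or "0-1")
    # means a second hardware thread shares its execution ports.
    for f in "$root"/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in
            *,*|*-*) echo on; return 0 ;;
        esac
    done
    if [ -d "$root/devices/system/cpu" ]; then echo off; else echo unknown; fi
}

# disable_smt [SYSFS_ROOT] -> asks the kernel to offline every sibling thread.
# Needs root; the persistent alternative is the BIOS setting the OpenBSD advice refers to.
disable_smt() {
    root="${1:-/sys}"
    ctl="$root/devices/system/cpu/smt/control"
    [ -w "$ctl" ] || { echo "cannot write $ctl (need root or kernel >= 4.19)" >&2; return 1; }
    echo off > "$ctl"
}

if [ "$(smt_state)" = "on" ]; then
    echo "SMT is active: a process on the sibling thread shares this core's execution ports"
fi
```

Run `disable_smt` as root to take the sibling threads offline until the next boot; the change is reversible by writing `on` to the same control file.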

Comment from the forums
  • remus.mihai26
    Laughs in i7 9700k
  • stdragon
    It's hypothetical. They haven't cracked an encrypted session; and I doubt they'll ever be able to. That said, again, Theo de Raadt already pointed out that SMT was susceptible to side-channel exploits.

    https://marc.info/?l=openbsd-tech&m=153504937925732&w=2

    August 23, 2018

    "Two recently disclosed hardware bugs affected Intel cpus:

    - TLBleed

    - T1TF (the name "Foreshadow" refers to 1 of 3 aspects of this
    bug, more aspects are surely on the way)

    Solving these bugs requires new cpu microcode, a coding workaround,
    *AND* the disabling of SMT / Hyperthreading.

    SMT is fundamentally broken because it shares resources between the two
    cpu instances and those shared resources lack security differentiators.
    Some of these side channel attacks aren't trivial, but we can expect
    most of them to eventually work and leak kernel or cross-VM memory in
    common usage circumstances, even such as javascript directly in a
    browser.

    There will be more hardware bugs and artifacts disclosed. Due to the
    way SMT interacts with speculative execution on Intel cpus, I expect SMT
    to exacerbate most of the future problems.

    A few months back, I urged people to disable hyperthreading on all
    Intel cpus. I need to repeat that:

    DISABLE HYPERTHREADING ON ALL YOUR INTEL MACHINES IN THE BIOS."
  • TechyInAZ
    So this is why the 9700K doesn't have hyperthreading. hahahha.