Five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba, have discovered yet another flaw in Intel’s Hyper-Threading (HT) technology that attackers could use to steal users’ encrypted data, as reported by ZDNet today.
Other CPUs that use Simultaneous Multithreading (SMT) technology may also be affected by the bug, but so far only Intel's HT has been confirmed as vulnerable. SMT and HT are technologies that allow two or more hardware threads to execute on the same physical CPU core, sharing its execution resources. Intel enables two threads per physical core with its HT technology.
More Threads, More Danger
The five researchers found a new vulnerability in Intel's HT technology that can leak encrypted data from the CPU's internal processes. They classified the vulnerability as a side-channel attack because, rather than breaking the encryption directly, attackers use differences in operation timing or power consumption to gain additional information that could help them bypass the encryption of the data.
The vulnerability, which the researchers nicknamed PortSmash, allows attackers to create a malicious process that runs alongside a legitimate process on the same physical core, using HT's ability to execute two threads side by side. This malicious process can then leak information about the legitimate process and allow the attacker to reconstruct the encrypted data processed inside it.
Attack PoC Made Available
The researchers also made available the proof of concept (PoC) for the attack, showing that it is indeed feasible and not just theoretical. This PoC can now also be re-purposed and modified by attackers to launch a real attack against owners of systems using Intel CPUs.
Attacks will require malicious code to be already running on users’ machines, but the researchers noted that administrative privileges are not required. Therefore, it shouldn’t be too difficult to apply the attack in practice.
The attack should be especially effective against web hosting and cloud services, where multiple users' workloads share the same physical core, which increases the chance of a successful PortSmash attack.
Intel made a patch available to motherboard OEMs yesterday when the researchers made the flaw public. In a statement, Intel encouraged app developers to also use code that is not vulnerable to side-channel attacks, but that may be easier said than done:
"Intel received notice of the research. This issue is not reliant on speculative execution and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified," Intel said in a statement.
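To illustrate what Intel's "side channel safe development practices" means for the kind of timing leak described above, here is an added example (not code from the researchers, Intel, or any affected library): a toy modular exponentiation whose executed instruction sequence depends on the secret key bits, next to a version that performs the same work regardless of the key. The operation counts it returns stand in for the instruction stream a co-resident thread could time; all values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy (added example, not the researchers' PoC): 32-bit modular
 * exponentiation of the kind used in RSA/DH. The multiply count stands in for
 * the instruction stream that a process on the sibling hyperthread could time
 * through the core's shared execution ports. */
typedef struct { uint32_t result; unsigned mults; } expres_t;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky: the multiply only runs for 1 bits of the secret exponent, so the
 * pattern of port usage over time spells out the key. */
expres_t modexp_branchy(uint32_t base, uint32_t exp, uint32_t mod) {
    expres_t r = { 1u % mod, 0 };
    for (int i = 31; i >= 0; i--) {
        r.result = mulmod(r.result, r.result, mod); r.mults++;   /* square */
        if ((exp >> i) & 1u) {                                  /* secret-dependent */
            r.result = mulmod(r.result, base, mod); r.mults++;  /* multiply */
        }
    }
    return r;
}

/* Side-channel-safe: always square and multiply, then keep or discard the
 * product with a mask so the executed instruction sequence does not depend on
 * the key (inspect the compiler output to confirm the select stays branchless). */
expres_t modexp_ct(uint32_t base, uint32_t exp, uint32_t mod) {
    expres_t r = { 1u % mod, 0 };
    for (int i = 31; i >= 0; i--) {
        r.result = mulmod(r.result, r.result, mod); r.mults++;
        uint32_t t = mulmod(r.result, base, mod); r.mults++;
        uint32_t mask = 0u - ((exp >> i) & 1u);       /* 0xFFFFFFFF if bit set */
        r.result = (t & mask) | (r.result & ~mask);
    }
    return r;
}

int main(void) {
    uint32_t keys[] = { 5u, 7u };  /* constructed secret exponents: 101b and 111b */
    for (int k = 0; k < 2; k++) {
        expres_t b = modexp_branchy(3u, keys[k], 1000u);
        expres_t c = modexp_ct(3u, keys[k], 1000u);
        printf("exp=%u branchy: %u mults, ct: %u mults, result %u\n",
               keys[k], b.mults, c.mults, c.result);
    }
    return 0;
}
```

The branchy version's multiply count changes with the number of 1 bits in the exponent, while the constant-time version always performs 64 multiplications and returns the same results.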
Second Flaw Found in Intel HT This Year
PortSmash is the second major vulnerability found in Intel’s HT (and potentially other SMT technologies) this year. The first one was Foreshadow, or the L1 Terminal Fault (L1TF) flaw, which prompted the founder of the security-oriented OpenBSD operating system to disable support for Intel’s HT in new versions of the operating system.
Intel itself may have started to listen to this advice, as the company’s Core i7-9700K will be the first Core i7 in the company’s history to ship without HT.