Hertzbleed, a new attack on Intel and AMD processors

Only recently we wrote about a SPECTRE-like vulnerability in processors based on the ARM architecture. A new research paper came out last week, which describes another attack on Intel and AMD processors. Like SPECTRE and similar attacks, Hertzbleed exploits not so much a bug as ordinary processor functionality: in this case, the system that dynamically adjusts the processor's frequency and voltage depending on the load. Hence the name of the study.

In short, the paper shows a method for extracting secrets (specifically, encryption keys) by manipulating the processor's frequency control system. By creating conditions under which the frequency changes, and with it the speed at which instructions are processed while a cryptographic function runs, the researchers were able to leak data through a side channel. This is therefore a hardware attack, similar in nature to classical side-channel analysis performed directly on the hardware. A typical example of a classical attack is the analysis of fluctuations in the power consumed by a chip. In the case of Hertzbleed, however, the attack could theoretically be carried out remotely, since the means of monitoring instruction execution is built into the processor itself.

What is most interesting in this paper is the symbolic link between Hertzbleed and more traditional side-channel attacks that use an ordinary "voltmeter" to monitor a chip or module. This is not the first such link, since modern processors often have a (very!) notional voltmeter built in. One example is the Running Average Power Limit (RAPL) metric on Intel processors, which reports power consumption. In February, a potential attack was reported that, by monitoring RAPL, makes it possible to extract secret information, in particular from a secure Software Guard Extensions enclave.

However, such attacks can be made harder simply by restricting software access to mechanisms like RAPL. Dynamic voltage and frequency scaling (DVFS) systems cannot be switched off so easily, and if you can somehow build a channel for monitoring instruction execution through them, you can obtain quite detailed data.

Another piece of background the research relies on is how cryptographic algorithms are protected from observation. For a long time (since 1996) such algorithms have used constant-time programming. If the time taken by an encryption procedure depends in some way on the input (for example, on the encryption key), then it is theoretically possible to reconstruct the key simply by observing the execution of that procedure, with no need for hardware attacks. Constant-time programming removes this vulnerability: regardless of the input, the procedure always takes the same time on the same hardware. A modern example of a cryptographic algorithm built this way is SIKE, developed over the past 10 years and put forward as one of the solutions for post-quantum cryptography.

The problem is that DVFS breaks the rule that encryption procedures execute in constant time. Hertzbleed shows this in practice using SIKE, a relatively modern key encapsulation mechanism that has been repeatedly tested for resistance to side-channel attacks. This was not easy to do: although processor parameters can change at fairly short intervals (thousandths of a second), millions of cycles are executed between these events. From an observer's point of view, this is a very coarse mechanism.
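The two paragraphs above, as an added illustration that is not code from the paper or from this post: an early-exit comparison next to a constant-time one, followed by a constructed toy model of DVFS in which the clock depends on the bits being processed. The frequencies, the power threshold and the sample byte strings are assumptions chosen for illustration, not measurements.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model and inputs; not measurements of any real CPU. */
#define N 8u                   /* bytes compared */
#define FAST_MHZ 4000u         /* assumed clock under light power draw */
#define SLOW_MHZ 3600u         /* assumed clock once the power budget is hit */
#define POWER_BUDGET_BITS 32u  /* assumed threshold on set bits processed */
static const uint8_t SECRET[N]    = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA};
static const uint8_t FAR_GUESS[N] = {0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55};

/* Early-exit compare: step count depends on the first mismatching byte. */
unsigned leaky_steps(const uint8_t *a, const uint8_t *b, int *equal) {
    unsigned steps = 0;
    *equal = 1;
    for (unsigned i = 0; i < N; i++) {
        steps++;
        if (a[i] != b[i]) { *equal = 0; break; }
    }
    return steps;
}

/* Constant-time compare: always N steps, no branch on the data. */
unsigned ct_steps(const uint8_t *a, const uint8_t *b, int *equal) {
    unsigned steps = 0;
    uint8_t diff = 0;
    for (unsigned i = 0; i < N; i++, steps++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *equal = (diff == 0);
    return steps;
}

/* Toy DVFS: set bits of the XORs model power; returns modelled time in ps. */
uint64_t ct_modelled_ps(const uint8_t *a, const uint8_t *b) {
    int equal;
    unsigned bits = 0;
    for (unsigned i = 0; i < N; i++)
        for (uint8_t v = (uint8_t)(a[i] ^ b[i]); v; v &= (uint8_t)(v - 1))
            bits++;
    unsigned mhz = bits > POWER_BUDGET_BITS ? SLOW_MHZ : FAST_MHZ;
    return (uint64_t)ct_steps(a, b, &equal) * 1000000u / mhz; /* 1 cycle/step */
}

int main(void) {
    printf("same: %llu ps, far: %llu ps\n",
           (unsigned long long)ct_modelled_ps(SECRET, SECRET),
           (unsigned long long)ct_modelled_ps(SECRET, FAR_GUESS));
    return 0;
}
```

Both constant-time calls execute the same 8 steps, yet the modelled wall time differs with the data, which is the gap between instruction-level constant time and observed time that the article describes.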

The study itself is divided into two parts. In the first, the authors study how DVFS works on a system with an Intel processor, loading it with basic computing tasks. In the second, they construct an attack on the SIKE algorithm. The attack exploits not only the features of DVFS, but also the subtleties of the algorithm itself. The result is a chosen-ciphertext attack, in which we are able to send the attacked system data encrypted with an arbitrary encryption key. Under certain conditions, the researchers were able to reach a steady state in which the processor frequency increases and instructions execute faster, depending on the inputs. By measuring the algorithm's response time to the supplied input data, the authors were able to reconstruct almost the entire encryption key, which was initially unknown (the rest of the key was found by brute force, for speed).

This sounds impressive, but the serious limitations of side-channel attacks deserve a mention. On the one hand, solutions in real use were chosen as targets: Cloudflare's CIRCL and Microsoft's PQCrypto-SIDH, both of which include the SIKE algorithm. On the other hand, a demonstration attack on them under controlled conditions took 36 and 89 hours, respectively, during which hundreds of millions of requests were sent to the attacked cryptographic solution.

The attack was tested on 8th to 11th generation Intel processors. The possibility of carrying out the attack on AMD processors was also shown. At the end of last year, information about the attack was passed to Intel, AMD, Microsoft and Cloudflare. The vulnerability has been identified as CVE-2022-23823 for Intel and CVE-2022-24436 for AMD. It is nevertheless more accurate to speak here of legitimate processor functionality, and the vendors' actions confirm this. Intel and AMD do not plan to release microcode updates for affected processors, and instead propose closing the problem in software. Microsoft and Cloudflare updated the code of their cryptographic systems (slowing them down by 5 and 11 percent, respectively). While the research was under embargo (at Intel's request), an independent team of researchers demonstrated a similar attack and proposed changes directly to the SIKE algorithm.

The study turned out to be interesting. Its authors found a way to extract an encryption key using a new method of monitoring the processor's operation, and the attack could theoretically be carried out remotely over the network. As Intel notes, this class of attacks has great prospects, but this particular work is hardly applicable in practice. The attack relies not only on the features of DVFS; it also depends heavily on the behavior of the SIKE algorithm (which was eventually changed). One can therefore understand processor manufacturers who are not inclined to make costly changes when the issue can be closed in software. Then again, this is only one example of an attack on a specific "brick" of a cryptographic system. Perhaps in the future it will be possible to devise a more dangerous attack for which the only solution is to completely disable dynamic frequency scaling (in Intel's terms, Turbo Boost), with a dramatic drop in performance. So far, however, no hardware attack has led to such a dangerous scenario.

What else happened:

At WWDC, Apple demonstrated a technology that makes it possible to do away with CAPTCHA-based user verification. The company proposed a mechanism that authorizes the user with a so-called Private Access Token, essentially an identifier for network requests that certifies that they come from a real user and not from a robot. Google uses a similar method in its captcha, skipping requests like "show all the traffic lights in the picture" for those who are logged into the company's services. The potential harm from introducing such technologies is that users who do not use the products of large vendors will only see more verification requests in the future.

As part of another set of patches from Microsoft last week, the Follina vulnerability in the Microsoft Support Diagnostic Protocol component was closed. We wrote about this issue in early June.

Researchers at Kaspersky Lab prepared a review of router security. The most frequently detected malware that exploits vulnerabilities in routers is the Mirai botnet. More than 500 vulnerabilities were found in network devices in 2020 and 2021.

Another Kaspersky Lab study provides illustrative examples of the resale of corporate data on the black market. The range of leaks on offer includes not only account data, but also a large volume of logs, from which information suitable for further attacks can also be extracted.
