security PortSmash - New CPU Vulnerability affects Intel, possibly AMD

[rcmaehl]

Source:

ZdNet

 

TL;DR:

A new vulnerability in Hyperthreaded CPUs allows to access data it shouldn't. 

 

Quotes/Excerpts:

Quote

A new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes...PortSmash...discovered by a team of five academics. Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. In lay terms, the attack works by running a malicious process next to legitimate ones using SMT's parallel thread running capabilities. The malicious PortSmash process than leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process. Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology. His team also published proof-of-concept (PoC) code on GitHub that demonstrates a PortSmash attack on Intel Skylake and Kaby Lake CPUs. The PoC steals an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server by successfully exploiting PortSmash, but the attack can be modified to target any type of data. PortSmash definitely does not need root privileges." "We leave as future work exploring the capabilities of PortSmash on other architectures featuring SMT, especially on AMD Ryzen systems," PortSmash is tracked in the CVE vulnerability tracking system with the CVE-2018-5407 identifier.

 

My Thoughts:

While this doesn't affect non-SMT/Hyperthreaded CPUs, that's still 54/71 Consumer grade processors within Skylake alone. Intel really seems to like their Hyper-Threading, then again, so does AMD.

[kuzko]

This attack needs : frequency scaling and turbo boost off... it's a  poor attack with pretty weak bases considering most of HT intel SKUs come with those enabled.

In case you want to run the code : https://github.com/bbbrumley/portsmash

Also, as a guess, due to the "small bits of exfiltrated data at a time" nature of the attack, cryptography with Perfect Forward Secrecy (industry standard nowadays) might remain pretty unaffected.

[KuJoe]

Thank god it relies on HT being enabled, I thought I was going to have a rough weekend at work. 

[rcmaehl]

4 minutes ago, kuzko said:

This attack needs : frequency scaling and turbo boost off... it's a  poor attack with pretty weak bases considering most of HT intel SKUs come with those enabled.

In case you want to run the code : https://github.com/bbbrumley/portsmash

You have a good point. Although combining this attack with temporary privilege escalation or a dirty write would make this more feasible. 

[avg123]

Who even names these vulnerabilities??

Meltdown, Spectre...and now PortSmash

[KuJoe]

23 minutes ago, avg123 said:

Who even names these vulnerabilities??

Meltdown, Spectre...and now PortSmash

I'm 99% sure they pick names based on available domains. 

[Arika]

Why is this any different than any of the other hyperthreading vulnerabilities? It seems to just be the exact same exploit

[Amazonsucks]

Glad i have had HT off for two years.

[Trik'Stari]

Sadly hilarious that my I5-4690K is more secure than my I7-7700K

[mr moose]

Oh good, another half dud reason for ignorant fanboys to wax lyrical about the need to promote AMD over Intel regardless of whether its actually better or not. 

 

 

[Dylanc1500]

36 minutes ago, mr moose said:

Oh good, another half dud reason for ignorant fanboys to wax lyrical about the need to promote AMD over Intel regardless of whether its actually better or not. 

 

 

Pff, T.I. All the way, they have Cyrix blood inside them.

 

 

deep... deep...deep inside...

[Coaxialgamer]

Just a bit of insight :

I wouldn't necessarily conclude that all SMT Cpus are affected, which is why the jury is still up for AMD. 

 

SMT is just a concept. Actual implementations and design decisions change considerably (intel themselves have said they basically have to re-engineer HT for every architecture). 

Just look at HT on the p4 vs modern skylake. 

 

Intel being affected does not, for example, imply that AMD, IBM, SPARC etc are affected, and it might even be architecture specific within intel itself. 

[Coaxialgamer]

Hey kids, want to buy some Pot............. 

..... 

...... 

..... 

... Smash? 

[Granular]

As always, the sage wizards of OpenBSD were right.

[mxk]

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

[vorticalbox]

10 hours ago, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

Because you have to weigh cost, performance snd security and usually when designing a system security is normally the one that is lacking.

[Nowak]

Time to turn my 8086K into an 8600K guys!

[RejZoR]

I have frequency scaling and turbo boost enabled. Meaning this "vulnerability" won't work. And 99% of people run Intel CPU's this way anyway. I have my CPU overclocked and I still run both. In fact all my CPU controls are on AUTO as it runs at same voltages I've used manually.

[mr moose]

12 hours ago, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

They don't get made.  Because CPU's are so complicated (beyond the ability of any human to hold in their mind at one time)  it is impossible to conceive all the possible issues that might arise from the end product.    It would be like trying memorize all the networks of the US power grid including monitoring and control hardware/software and being able to predict where the next power outage might be.  They can go a fair way in making it as secure as possible (by putting in things like circuit breakers)  but they cannot perfectly account for everything. 

 

 

[Mira Yurizaki]

Ars Technica noted that:

Quote

OpenSSL developers have since released an update that makes PortSmash infeasible. While details weren’t immediately available, they likely involve changes in the way OpenSSL uses, or interacts with, SMT.

 

...

 

Another approach the authors recommend is for applications to use port-independent code, which “can be achieved through secret-independent execution flow secure coding practices, similar to constant-time execution.”

Meaning software can mitigate this problem.

 

On 11/4/2018 at 1:07 PM, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

Processors have quintillions upon quintillion ways of being executed. It's impossible even with automated testing to poke at every single input and evaluate every single output to validate the processor is safe in a reasonable amount of time.

 

And even then, the processor likely doesn't know any better. In this case, the researchers found the keys by determining how long it took for an instruction stream to process. A processor isn't going to "oh, I think someone is observing this" and react to it. It doesn't care. Also as noted, unless the attacker was also aware of the clock speed of the processor, those processing times are moot because they would be frequently changing due to processor adjusting the clock speed on the fly for power saving reasons.

[yolosnail]

Maybe this is why Intel released the 9700K without HT

[TetraSky]

So... Someone explain that one to me. Do you need to download and install something for this to even be possible or is it a remotely installed kind of thing without the user knowing?
They didn't really say anything of that nature in that article.(Unless I missed it, which is very possible)

If we need to install something that's "infected" with this, how is it different from any plain old trojan, other than the fact it takes the information from the CPU instead of the OS? Which would mean, don't install everything you find online, as usual?

[2FA]

5 minutes ago, TetraSky said:

So... Someone explain that one to me. Do you need to download and install something for this to even be possible or is it a remotely installed kind of thing without the user knowing?
They didn't really say anything of that nature in that article.(Unless I missed it, which is very possible)

If we need to install something that's "infected" with this, how is it different from any plain old trojan, other than the fact it takes the information from the CPU instead of the OS? Which would mean, don't install everything you find online, as usual?

This would effectively just be a payload with method of delivery determined by the attacker. It doesn't really do anything except for reading data it shouldn't.