
PortSmash - New CPU Vulnerability affects Intel, possibly AMD

rcmaehl

Source: ZDNet

 

TL;DR:

A new vulnerability in Hyper-Threaded CPUs allows a process to access data it shouldn't.

 

Quotes/Excerpts:

Quote

A new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes...PortSmash...discovered by a team of five academics. Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core. In lay terms, the attack works by running a malicious process next to legitimate ones using SMT's parallel thread running capabilities. The malicious PortSmash process then leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process. Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology. His team also published proof-of-concept (PoC) code on GitHub that demonstrates a PortSmash attack on Intel Skylake and Kaby Lake CPUs. The PoC steals an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server by successfully exploiting PortSmash, but the attack can be modified to target any type of data. "PortSmash definitely does not need root privileges." "We leave as future work exploring the capabilities of PortSmash on other architectures featuring SMT, especially on AMD Ryzen systems." PortSmash is tracked in the CVE vulnerability tracking system with the CVE-2018-5407 identifier.

 

My Thoughts:

While this doesn't affect non-SMT/Hyper-Threaded CPUs, that's still 54 of 71 consumer-grade processors within Skylake alone. Intel really seems to like their Hyper-Threading; then again, so does AMD.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
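Since the thread's own first question is whether a given machine is even in scope (non-SMT parts are not), here is a check a practitioner can run on Linux. This is an added example written for this thread, not code from the PortSmash authors or their PoC. It assumes the standard sysfs layout: `/sys/devices/system/cpu/cpuN/topology/thread_siblings_list` (a cpulist such as `0,4` or `0-3,8-11`) and, on kernels that provide it, `/sys/devices/system/cpu/smt/control`. A core whose siblings list names more than one CPU is a core on which a sibling thread can share execution ports with a victim.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread or the PortSmash PoC: report
 * whether any core on this Linux machine exposes more than one
 * hardware thread, the precondition for a port-contention side
 * channel between co-resident processes. */

/* Count the CPUs named by a Linux cpulist such as "0,4" or "0-3,8-11".
 * Stops at the first character that is not part of a range or comma
 * (typically the trailing newline read from sysfs). */
int cpulist_count(const char *list) {
    int count = 0;
    const char *p = list;
    while (*p) {
        char *end;
        long lo = strtol(p, &end, 10);
        if (end == p) break;                 /* no digits: done */
        long hi = lo;
        if (*end == '-') hi = strtol(end + 1, &end, 10);
        if (hi >= lo) count += (int)(hi - lo + 1);
        p = end;
        if (*p == ',') p++; else break;
    }
    return count;
}

/* Read the first line of a small sysfs file; returns 0 on failure. */
static int read_sysfs(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\n")] = '\0';
    return ok;
}

/* 1 if some CPU lists more than one thread sibling, 0 if none does,
 * -1 if the topology could not be read at all.  Walks cpu0, cpu1, ...
 * and stops at the first missing directory. */
int smt_active_from_topology(void) {
    char path[128], buf[256];
    int seen = 0;
    for (int cpu = 0; cpu < 4096; cpu++) {
        snprintf(path, sizeof path,
                 "/sys/devices/system/cpu/cpu%d/topology/thread_siblings_list",
                 cpu);
        if (!read_sysfs(path, buf, sizeof buf)) break;
        seen = 1;
        if (cpulist_count(buf) > 1) return 1;
    }
    return seen ? 0 : -1;
}

int main(void) {
    char ctrl[64];
    if (read_sysfs("/sys/devices/system/cpu/smt/control", ctrl, sizeof ctrl))
        printf("smt/control: %s\n", ctrl);   /* on, off, forceoff, notsupported */
    else
        printf("smt/control: not available on this kernel\n");

    int r = smt_active_from_topology();
    if (r == 1)
        printf("sibling threads share cores: co-resident port contention possible\n");
    else if (r == 0)
        printf("no core exposes more than one hardware thread\n");
    else
        printf("could not read CPU topology from sysfs\n");
    return 0;
}
```

Compile with `cc -o smtcheck smtcheck.c` and run as any user; sysfs topology files are world-readable. On kernels that expose `smt/control`, writing `off` to it as root takes sibling threads offline, which removes this attack surface at the cost of SMT throughput; whether that trade is worth it is exactly what the rest of the thread argues about.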


 


This attack needs frequency scaling and turbo boost off... it's a poor attack with pretty weak bases, considering most HT Intel SKUs come with those enabled.

In case you want to run the code : https://github.com/bbbrumley/portsmash

Also, as a guess, due to the "small bits of exfiltrated data at a time" nature of the attack, cryptography with Perfect Forward Secrecy (industry standard nowadays) might remain pretty unaffected.

Gaming Laptop :  MSI (worst brand ever in EU) GT70 0NC 48FR - I7 3610QM - 670M 3GB GDDR5 - 12GB 1600MHZ - raid0 2 x 64GB sandisk SSD - 750 Gb Hitachi 7200/min

Galaxy s3 GTI9300 international - Archidroid v2.5.3 (git) - 1600Mhz PegasuQ on ArchiKernel .


4 minutes ago, kuzko said:

This attack needs frequency scaling and turbo boost off... it's a poor attack with pretty weak bases, considering most HT Intel SKUs come with those enabled.

In case you want to run the code : https://github.com/bbbrumley/portsmash

You have a good point. Although combining this attack with temporary privilege escalation or a dirty write would make this more feasible. 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Why is this any different than any of the other hyperthreading vulnerabilities? It seems to just be the exact same exploit

🌲🌲🌲

Judge the product by its own merits, not by the Company that created it.


Sadly hilarious that my i5-4690K is more secure than my i7-7700K.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


Oh good, another half-dud reason for ignorant fanboys to wax lyrical about the need to promote AMD over Intel regardless of whether it's actually better or not.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


36 minutes ago, mr moose said:

Oh good, another half-dud reason for ignorant fanboys to wax lyrical about the need to promote AMD over Intel regardless of whether it's actually better or not.

 

 

Pff, T.I. All the way, they have Cyrix blood inside them.

 

 

deep... deep...deep inside...


Just a bit of insight:

I wouldn't necessarily conclude that all SMT CPUs are affected, which is why the jury is still out for AMD.

SMT is just a concept. Actual implementations and design decisions change considerably (Intel themselves have said they basically have to re-engineer HT for every architecture).

Just look at HT on the P4 vs modern Skylake.

Intel being affected does not, for example, imply that AMD, IBM, SPARC etc. are affected, and it might even be architecture-specific within Intel itself.

AMD Ryzen 7 3.8ghz at 1.3V Corsair vengeance LPX 8GB 2800mhz @ 3200mhz CAS 16 + 2*4GB micron ballistics @ 3200mhz cas 16 ;Gigabyte ga-ab350-Gaming 3; cooler master nepton 240M ; CF r9 290x tri x + r9 290 tri x ; CX750M PSU ; SPEC 03 case with 9 120mm fans ; windows 10 64 bit 


Hey kids, want to buy some Pot............. 

..... 

...... 

..... 

... Smash? 

AMD Ryzen 7 3.8ghz at 1.3V Corsair vengeance LPX 8GB 2800mhz @ 3200mhz CAS 16 + 2*4GB micron ballistics @ 3200mhz cas 16 ;Gigabyte ga-ab350-Gaming 3; cooler master nepton 240M ; CF r9 290x tri x + r9 290 tri x ; CX750M PSU ; SPEC 03 case with 9 120mm fans ; windows 10 64 bit 


how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

8086k

aorus pro z390

noctua nh-d15s chromax w black cover

evga 3070 ultra

samsung 128gb, adata swordfish 1tb, wd blue 1tb

seasonic 620w dogballs psu

 

 


10 hours ago, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

Because you have to weigh cost, performance and security, and usually when designing a system, security is the one that is lacking.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


I have frequency scaling and turbo boost enabled, meaning this "vulnerability" won't work. And 99% of people run Intel CPUs this way anyway. I have my CPU overclocked and I still run both. In fact all my CPU controls are on AUTO, as it runs at the same voltages I've used manually.

AMD Ryzen 7 5800X | ASUS Strix X570-E | G.Skill 32GB 3733MHz CL16 | PALIT RTX 3080 10GB GamingPro | Samsung 850 Pro 2TB | Seagate Barracuda 8TB | Sound Blaster AE-9 MUSES Edition | Altec Lansing MX5021 Nichicon/MUSES Edition


12 hours ago, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

They don't get made. Because CPUs are so complicated (beyond the ability of any human to hold in their mind at one time), it is impossible to conceive of all the possible issues that might arise from the end product. It would be like trying to memorize all the networks of the US power grid, including monitoring and control hardware/software, and being able to predict where the next power outage might be. They can go a fair way in making it as secure as possible (by putting in things like circuit breakers), but they cannot perfectly account for everything.

 

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


Ars Technica noted that:

Quote

OpenSSL developers have since released an update that makes PortSmash infeasible. While details weren’t immediately available, they likely involve changes in the way OpenSSL uses, or interacts with, SMT.

 

...

 

Another approach the authors recommend is for applications to use port-independent code, which “can be achieved through secret-independent execution flow secure coding practices, similar to constant-time execution.”

Meaning software can mitigate this problem.

 

On 11/4/2018 at 1:07 PM, mxk. said:

how does shit like spectre, meltdown, and portsmash even get made? Does some asshole(s) make them?

Processors have quintillions upon quintillions of ways of being executed. It's impossible, even with automated testing, to poke at every single input and evaluate every single output to validate that the processor is safe in a reasonable amount of time.

 

And even then, the processor likely doesn't know any better. In this case, the researchers found the keys by determining how long it took for an instruction stream to process. A processor isn't going to say "oh, I think someone is observing this" and react to it. It doesn't care. Also, as noted, unless the attacker was also aware of the clock speed of the processor, those processing times are moot, because they would be frequently changing due to the processor adjusting the clock speed on the fly for power-saving reasons.
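The Ars Technica excerpt above says the authors' software-side fix is "port-independent code" with "secret-independent execution flow", and the OpenSSL PoC target was a scalar multiplication whose instruction stream depended on key bits. The following is an added example written for this thread (not the PortSmash paper's code, not the OpenSSL fix) that shows what that difference looks like in the simplest possible setting: one modular exponentiation written with a key-dependent branch, and the same computation written so that every iteration issues the same instructions. The 64-bit toy modulus and the call counter are assumptions for illustration; the point is the shape of the execution flow, not the arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the PortSmash paper, its PoC, or OpenSSL):
 * one modular exponentiation written two ways, with a toy 64-bit
 * modulus standing in for the P-384 scalar multiplication the PoC
 * targets.  In the first version the multiply runs only when the
 * secret exponent bit is 1, so the instruction stream sent to the
 * execution ports (what a sibling thread observes through port
 * contention) depends on the key.  In the second, every iteration
 * issues the same instructions and a mask picks the result. */

static unsigned long g_mulmod_calls;    /* instrumentation only */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    g_mulmod_calls++;
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky square-and-multiply: the branch makes execution key-dependent. */
uint64_t powmod_branchy(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m);                /* square on every bit */
        if ((exp >> i) & 1)                 /* secret-dependent branch */
            r = mulmod(r, base, m);         /* multiply only on 1 bits */
    }
    return r;
}

/* Branch-free select: a when bit == 1, b when bit == 0. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);    /* 0 or all ones */
    return (a & mask) | (b & ~mask);
}

/* Port-independent version: the multiply is executed on every
 * iteration whether or not its result is kept, so the sequence of
 * instructions is the same for every exponent of the same width. */
uint64_t powmod_ct(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    for (int i = 63; i >= 0; i--) {
        uint64_t sq  = mulmod(r, r, m);
        uint64_t mul = mulmod(sq, base, m);      /* always executed */
        r = ct_select((exp >> i) & 1, mul, sq);  /* no branch on the bit */
    }
    return r;
}

/* How many mulmod calls one run issued: the difference between two
 * exponents is what a port-contention observer tries to recover. */
unsigned long mulmod_calls_for(uint64_t (*f)(uint64_t, uint64_t, uint64_t),
                               uint64_t base, uint64_t exp, uint64_t m) {
    g_mulmod_calls = 0;
    (void)f(base, exp, m);
    return g_mulmod_calls;
}

int main(void) {
    const uint64_t m = 1000000007ULL;        /* small prime, toy only */
    uint64_t keys[] = { 0x1ULL, 0xFFULL, 0xDEADBEEFULL };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        printf("exp=%#llx  branchy=%lu mulmods  ct=%lu mulmods  result=%llu\n",
               (unsigned long long)keys[i],
               mulmod_calls_for(powmod_branchy, 3, keys[i], m),
               mulmod_calls_for(powmod_ct, 3, keys[i], m),
               (unsigned long long)powmod_ct(3, keys[i], m));
    }
    return 0;
}
```

Two caveats before treating this as a template. The compiler is free to turn `ct_select` back into a branch, so the generated assembly has to be inspected, not assumed; and this toy only fixes control flow: the `%` reduction compiles to a division whose latency is itself data-dependent on many CPUs, and real constant-time code also needs secret-independent memory access patterns and a constant-time reduction such as Montgomery multiplication.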


Maybe this is why Intel released the 9700K without HT

Laptop:


HP OMEN 15 - Intel Core i7 9750H, 16GB DDR4, 512GB NVMe SSD, Nvidia RTX 2060, 15.6" 1080p 144Hz IPS display

PC:


Vacancy - Looking for applicants, please send CV

Mac:


2009 Mac Pro 8 Core - 2 x Xeon E5520, 16GB DDR3 1333 ECC, 120GB SATA SSD, AMD Radeon 7850. Soon to be upgraded to 2 x 6 Core Xeons

Phones:


LG G6 - Platinum (The best colour of any phone, period)

LG G7 - Moroccan Blue

 


So... Someone explain that one to me. Do you need to download and install something for this to even be possible or is it a remotely installed kind of thing without the user knowing?
They didn't really say anything of that nature in that article.(Unless I missed it, which is very possible)

If we need to install something that's "infected" with this, how is it different from any plain old trojan, other than the fact it takes the information from the CPU instead of the OS? Which would mean, don't install everything you find online, as usual?

CPU: AMD Ryzen 3600 / GPU: Radeon HD7970 GHz 3GB with Noctua Fans / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 11 Pro


5 minutes ago, TetraSky said:

So... Someone explain that one to me. Do you need to download and install something for this to even be possible or is it a remotely installed kind of thing without the user knowing?
They didn't really say anything of that nature in that article.(Unless I missed it, which is very possible)

If we need to install something that's "infected" with this, how is it different from any plain old trojan, other than the fact it takes the information from the CPU instead of the OS? Which would mean, don't install everything you find online, as usual?

This would effectively just be a payload with method of delivery determined by the attacker. It doesn't really do anything except for reading data it shouldn't.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz

