PortSmash Hyper-Threading Vuln Steals Decrypt Keys

A new side-channel vulnerability called PortSmash has been found. It uses a timing attack to steal information from other processes running on the same CPU core when SMT/hyper-threading is enabled.


Using this attack, researchers were able to steal the private decryption key from an OpenSSL thread running on the same core as their exploit.

For those who don't know, SMT/Hyper-threading is when one physical CPU core is split into two virtual logical cores that can be used to run two separate process threads at once.

This method can increase performance as the two threads will utilize idle CPU resources more efficiently to execute instructions faster.

A side channel timing attack is when an attacker analyzes how fast a thread executes particular instructions and utilizes that info to work backwards to discover what data was used as input.

The PortSmash vulnerability was discovered by researchers Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida Garcia, and Nicola Tuveri from the Tampere University of Technology in Finland as well as Alejandro Cabrera Aldaya from the Universidad Tecnologica de la Habana CUJAE in Cuba.

An advisory was posted to the OSS-Sec mailing list, and their research has been submitted as a paper titled “Port Contention for Fun and Profit” to the IACR ePrint archive, where it is currently awaiting moderation before release.

In an email with the researchers, Nicola Tuveri explained to us that port contention was used to measure how long it took OpenSSL to perform an operation.

Using these measurements, the researchers were able to work backwards to recover a private key.

“Shortly and simplifying, with SMT and two threads per core, a process running on one thread will have its own instructions and data, but will share some hardware resources with a process running on the colocated thread.

Instructions will be decoded independently in simpler micro-operations and pipe-lined in the CPU to the corresponding Execution Units. (Execution Units are the actual silicon areas that are specialized to handle specific operations: i.e, there are a few EU dedicated to integer additions/subtraction, separate ones for integer multiplication, other for floating point arithmetic, etc.)

Every core has a complete set of EUs to support the whole instruction set, and threads on the same core share access to the EUs.

EUs are grouped together in bundles each accessible through a port: microops from the two threads are issued to the available ports, and another micro-component, the core scheduler, optimizes for fairness and performance when the same microop can be issued to different equivalent EUs behind different ports.

These ports are the object of the discussed port contention. Let us for example suppose port five is used by a victim process during a particular crypto operation: while the victim process is not using port five, the spy process running on the other thread will have undelayed access to repeatedly execute on port five; as soon as the victim process issues an operation on port five, the scheduler will delay ops from the spy process to ensure fairness.

The spy process can therefore measure the delay in the execution of its operations for port five, and determine when the victim process is using the same port.

This is the signal that can then be processed to ultimately recover a private key.” – stated Nicola Tuveri.

While the researchers have only tested this vulnerability against Intel Skylake and Kaby Lake processors, they also expect it to work on AMD Ryzen processors.

“We verified it on Intel Skylake and Kaby Lake, but just because we did not have access to different machines with SMT,” Nicola Tuveri told CBNN. “We expect it to work also on AMD Ryzen, but left this to future work.”

The researchers shared a proof-of-concept exploit that only targets OpenSSL. The team chose to target OpenSSL because they are familiar with the code base and because it is so widely used, but they noted that the “PortSmash technique is not tied to a particular software.”

Therefore, it is only a matter of time until diligent researchers and attackers port the PoC to steal info from other apps.

Fixes for this attack have already been added to OpenSSL 1.1.1 and for those who need an older version, patches are available for versions >= 1.1.0i.

Protecting yourself from the PortSmash vulnerability

The only way to mitigate this attack is to disable SMT/Hyper-threading on the computer, which OpenBSD has done by default since this summer, when another timing attack called TLBleed was released.

“We recommend disabling SMT/Hyper-threading as a countermeasure. OpenBSD, for instance, already disables it by default since this summer.”
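To verify the recommended countermeasure on a Linux host, the following added example (not from the original article or the researchers) reads the kernel's SMT control file and each CPU's `thread_siblings_list` to report whether any physical core still has two logical CPUs online. The sysfs paths are the standard Linux ones; the function names are hypothetical, and the sysfs root is a parameter so the checks can run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit whether SMT sibling threads are online on a Linux host.
# Function names are hypothetical; the sysfs root is a parameter so the checks
# can also run against a constructed directory tree.

CPU_SYSFS=/sys/devices/system/cpu

# Kernel SMT switch: on, off, forceoff, notsupported or notimplemented.
# Prints "unknown" when the kernel does not provide the smt/ directory.
smt_control() {
    root=${1:-$CPU_SYSFS}
    if [ -r "$root/smt/control" ]; then
        cat "$root/smt/control"
    else
        echo unknown
    fi
}

# One line per physical core that has more than one online logical CPU.
# A sibling list such as "0,4" or "0-1" means two hardware threads share the
# core's execution ports; a single number means the core runs one thread.
smt_sibling_groups() {
    root=${1:-$CPU_SYSFS}
    for f in "$root"/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        cat "$f"
    done | sort -u | awk '/[,-]/'
}

# Exit status 0 when at least one core still runs sibling threads.
smt_exposed() {
    [ -n "$(smt_sibling_groups "$1")" ]
}

smt_report() {
    echo "SMT control: $(smt_control "$1")"
    if smt_exposed "$1"; then
        echo "Cores with co-resident hardware threads:"
        smt_sibling_groups "$1" | sed 's/^/  cpus /'
    else
        echo "No core has more than one online logical CPU."
    fi
}

smt_report "$@"
```

On kernels that provide the control file, writing `off` to it as root or booting with the `nosmt` parameter takes the sibling threads offline, after which the report should list no shared cores.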

CBNN
