PortSmash Hyper-Threading Vuln Steals Decrypt Keys

A new side-channel vulnerability called PortSmash has been found. It uses a timing attack to steal information from other processes running on the same CPU core when SMT/hyper-threading is enabled.


Utilizing this attack, researchers were able to steal the private decryption key from an OpenSSL thread running in the same core as their exploit.

For those who don't know, SMT/hyper-threading is when one physical CPU core is split into two virtual logical cores that can be used to run two separate process threads at once.

This method can increase performance as the two threads will utilize idle CPU resources more efficiently to execute instructions faster.

A side channel timing attack is when an attacker analyzes how fast a thread executes particular instructions and utilizes that info to work backwards to discover what data was used as input.

The PortSmash vulnerability was discovered by researchers Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida Garcia, and Nicola Tuveri from the Tampere University of Technology in Finland as well as Alejandro Cabrera Aldaya from the Universidad Tecnologica de la Habana CUJAE in Cuba.

An advisory was posted to the OSS-Sec mailing list, and their research has been submitted as a paper titled “Port Contention for Fun and Profit” as an IACR eprint, which is currently awaiting moderation before it is released.

In an email with the researchers, Nicola Tuveri explained to us that port contention was used to measure how long it took OpenSSL to perform an operation.

Using these measurements, the researchers were able to work backwards to recover a private key.

“Shortly and simplifying, with SMT and two threads per core, a process running on one thread will have its own instructions and data, but will share some hardware resources with a process running on the colocated thread.

Instructions will be decoded independently in simpler micro-operations and pipe-lined in the CPU to the corresponding Execution Units. (Execution Units are the actual silicon areas that are specialized to handle specific operations: i.e, there are a few EU dedicated to integer additions/subtraction, separate ones for integer multiplication, other for floating point arithmetic, etc.)

Every core has a complete set of EUs to support the whole instruction set, and threads on the same core share access to the EUs.

EUs are grouped together in bundles each accessible through a port: microops from the two threads are issued to the available ports, and another micro-component, the core scheduler, optimizes for fairness and performance when the same microop can be issued to different equivalent EUs behind different ports.

These ports are the object of the discussed port contention. Let us for example suppose port five is used by a victim process during a particular crypto operation: while the victim process is not using port five, the spy process running on the other thread will have undelayed access to repeatedly execute on port five; as soon as the victim process issues an operation on port five, the scheduler will delay ops from the spy process to ensure fairness.

The spy process can therefore measure the delay in the execution of its operations for port five, and determine when the victim process is using the same port.

This is the signal that can then be processed to ultimately recover a private key.” – stated Nicola Tuveri.

While the researchers have only tested this vulnerability against Intel Skylake and Kaby Lake processors, they also expect it to work on AMD Ryzen processors.

“We verified it on Intel Skylake and Kaby Lake, but just because we did not have access to different machines with SMT,” Nicola Tuveri told CBNN. “We expect it to work also on AMD Ryzen, but left this to future work.”

The researchers shared a proof-of-concept exploit that only targets OpenSSL. The team chose to target OpenSSL because they are familiar with the code base and because it is so widely used, but said that the “PortSmash technique is not tied to a particular software.”

Therefore, it is only a matter of time until diligent researchers and attackers port the PoC to steal info from other apps.

Fixes for this attack have already been added to OpenSSL 1.1.1 and for those who need an older version, patches are available for versions >= 1.1.0i.

Protecting yourself from the PortSmash vulnerability

The only way to mitigate this attack is to disable SMT/hyper-threading on a computer, which OpenBSD has done by default since this summer, when another timing attack called TLBleed was released.

“We recommend disabling SMT/Hyper-threading as a countermeasure. OpenBSD, for instance, already disables it by default since this summer.”
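To check whether a Linux host still has sibling threads sharing a core, the following added example (not from the researchers or the original article) reads the kernel's sysfs SMT and CPU topology files and lists the logical CPUs that share a physical core. The function names and the sample tree are constructed for this example; it runs on the sample tree unless a sysfs root such as `/sys` is passed as the first argument.

```bash
#!/usr/bin/env bash
# Added example: audit SMT exposure on Linux through sysfs (root is a parameter).

smt_state() {            # prints: active | inactive | unknown
    local f="${1:-/sys}/devices/system/cpu/smt/active"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in 1) echo active ;; 0) echo inactive ;; *) echo unknown ;; esac
}

sibling_groups() {       # unique sets of logical CPUs that share one physical core
    local f
    for f in "${1:-/sys}"/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] && cat "$f"
    done | sort -u | grep -E '[,-]' || true
}

expand_list() {          # "0,2" or "4-6,9" -> one CPU id per line
    local part
    for part in $(echo "$1" | tr ',' ' '); do
        case "$part" in *-*) seq "${part%-*}" "${part#*-}" ;; *) echo "$part" ;; esac
    done
}

co_resident() {          # co_resident CPU [ROOT]: other logical CPUs on CPU's core
    local f="${2:-/sys}/devices/system/cpu/cpu$1/topology/thread_siblings_list"
    [ -r "$f" ] || return 0
    expand_list "$(cat "$f")" | grep -vx "$1" || true
}

audit_smt() {            # returns 1 when any two logical CPUs share a core
    local root="${1:-/sys}" groups
    groups=$(sibling_groups "$root")
    echo "SMT: $(smt_state "$root")"
    [ -n "$groups" ] || return 0
    echo "$groups" | sed 's/^/  shared core: CPUs /'
    return 1
}

make_sample_sysfs() {    # constructed 2-core / 4-thread layout, not from a real host
    local d="$1/devices/system/cpu" n
    mkdir -p "$d/smt"; echo 1 > "$d/smt/active"; echo on > "$d/smt/control"
    for n in 0 1 2 3; do
        mkdir -p "$d/cpu$n/topology"
        echo "$((n % 2)),$((n % 2 + 2))" > "$d/cpu$n/topology/thread_siblings_list"
    done
}

root="${1:-}"            # pass /sys to audit the real host
[ -n "$root" ] || { root=$(mktemp -d); make_sample_sysfs "$root"; }
audit_smt "$root" || true
```

On kernels that expose `/sys/devices/system/cpu/smt/control`, that file reports whether SMT is `on`, `off` or `forceoff`; `co_resident` is useful for confirming that a process handling private keys is not pinned next to an untrusted workload.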

CBNN
