Slashdot Mirror
Hyperthreading Considered Harmful
cperciva writes "Hyper-Threading, as currently implemented on Intel Pentium Extreme Edition,
Pentium 4, Mobile Pentium 4, and Xeon processors, suffers from a serious
security flaw. This flaw permits local information disclosure, including
allowing an unprivileged user to steal an RSA private key being used on the
same machine. Administrators of multi-user systems are strongly advised
to take action to disable Hyper-Threading immediately.
I will be presenting this attack at
BSDCan 2005 at 10:00 AM EDT on May 13th, and at the conclusion of my talk
I will also releasing a paper describing the attack and possible mitigation
strategies."
to give their hyper-threading processors some Ritalin.
Doesn't Linux handle HT the same way it handles SMP? So even if there was a hole in HT, hardware-wise, software wise you would be just as protected as you would be on an SMP system?
Marques Johansson
Shit, did anyone see that blur???
Yeah, I think that was Intel's server market going right out the window at Mach 10...
I am counteracting the harmful effects of hyperthreading by eating a high-fiber diet. So far, I haven't had any problems.
You see? You see? Your stupid minds! Stupid! Stupid!
Not all multi-user systems are designed to be secure against the best hackers around, and there is often bad cost/benefit at following all security recommendations as soon as you hear about them.
Give us some more facts, so that we can think for ourselves.
Too bad there aren't any details, only an announcement for... tomorrow. I'd like to know how inherent this issue is in the CPU and to which extent the OS can be made to protect against it. Also, assuming he contacted Intel about it.. are they working on it?
:-)
I do have to say it's commendable that he spent 3 months on this for free. Now that's commitment
see a Text Widget
just going straight to giving up all your private info. Thought this was a step forward. Now that I can open 25 windows of Macromeda products at one time, I find out that my key has gone to some random guy. Better go back to the slow old days.
Not much to read yet. Seems more like a publicity stunt by the author. This could have been posted *after* the details have been published.
I'm curious to see how an exploit can be made out of this. Is it possible to assign one of the virtual CPUs to a "sniffer" for a prolonged period?
Can someone tell me what this "Sig" box is for??
I read about this last night here at KernelTrap. They offer more info, evidently having talked to Colin...
Wouldn't it have made more sense for /. to wait a couple of hours before posting this? At least then there would the remote possibility that responses would be made after RTFA!
Ooooo, I'm SCARED!
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Jason? Is that you? (or your evil geeky twin brother?)
Recompile your kernel with hyper-threading disabled. Simple question: Why do I have to wait until this guy does his conference presentation to find out what the exploit is, how it is implemented? I have to admit that this is one time when RTFA didn't work. Anyone have any more information?
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
is it a problem with the kernels use of it , that artical is rather vauge on the details. I have a xeon server running linux and will consider disabling the use of hyper threading for now ,but i cant justify doing that on the long term till more info is at hand.
if anyone has any more info on this i would be glad to hear it .
The only things certain in war are Propaganda and Death. You can never be sure which is which though
...I'm glad I'm stuck with a 1-gig Pentium III.
You can hold down the "B" button for continuous firing.
On MTS (IBM mainframe OS used at universities in the 70's/80's and probably into the 90's) there was a bug where when process switching, the FP registers of the last process to run were stored in a world-readable page of memory. The RPI ACM used this to create an inter-process communication program -- actually a 'chat' program (MTS had no inter-process communication other than files at the time).
... you read that Hyperspace is considered harmful. I exepected TFA to be about gamma rays and aliens ... how disappointing :/
With Moore's Law still holding up, isn't it a little early to be using up names like "Extreme Edition?" So, I'd like to propose my own corollary to Moore's Law:
"The microprocessor industry will run out of hyperbole long before they run out of transistors."
The only acceptable defense of scientific results is to say that they were the product of the Scientific Method.
Traitor!!
Amazing- first time a major security violation doesn't have Microsoft all over it.
Remember when the 600mhz (right speed?) Xeon's had a very very small problem that had a like 1% chance of causing the system to crash? (kinda vague I know...) All those owners had the option of getting 850mhz Xeon's in exchange. (250mhz was a big deal back then). Maybe you should go pickup one of the chips and hope the company does something similar w/ this problem.
Get Paid to search
'till 15:00 UTC today for the _full_ disclosure.
Before the full disclosure, can't say anything..
If anyone can hear me, slap some sense into me But you turn your head, and I end up talking to myself
question 4 in his list:
I get a slight hunch that is not as serious as it sounds. the cliche use of that tilte is an indication too.
Now lets read the reast of the article...
This space is intentionally staring blankly at you
Did anyone else notice the Intel advert for "Hyper Threading Linux" at the top of the google ads on the article page?
I wonder how much revenue he'll get from this announcement?
And I note that if you are a SCO user, you always had disabled hyper threading anyway. Not sure what to make of that.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
I guess I need to shut off hyperthreading on our app server before the users who can't sort an Excel spreadsheet have a chance to expliot the vulnerability.
Please disregard the above post, I read EST when the paper is in EDT. I am eagerly awaiting this paper though.
*shouldn't post to slashdot this early in the morning*
The point is that most servers system don't allow you to execute system calls which you could exploit.
You need at least root/administrator privileges to get stuff from the OS memory.
So before you can exploit the system you must have access to the system it self.
It is an "local" kind of "root exploit" if you can read from the system memory of other processes if the claim is true.
If true that should eclipse for good the DivBug of lore. Can't wait for exploits to appear. But then - brainwashed people buying PIV Intels will get whatever they deserve. [grin]
Select Windows. Then press F8.
My guess is that this is a timing attack. While thread 1 generates an RSA key, thread 2 times itself performing various instructions. If thread 1 is using the FPU to do a multiply, the FPU won't be available for thread 2 right away, so there will be a measurable delay. Thread 2 can then determine when thread 1 is running multiplies.
If my hunch is correct, an OS could fix this by allowing a process to enter a "secure mode" which would force the other thread on the same CPU to be idle when that process was scheduled.
Sunlit World Scheme. Weird and different.
...it appears Windows XP Starter Edition may be the most secure option after all...
This space is intentionally staring blankly at you
Some of these "security risks" that people propose are just ridiculous. I mean, I know there are a tiny amount of people who actually follow these risks religiously, and do everything they can to fix them, but they are basically paranoid freaks. Unless your the DOD or have some super top scret evidence, then this means SHIT to you. Lets face it, a trojan, worm or whatever isn't going to use this obscure method of capturing and RSA key that may or may not work. It would take the work of, well, one of those paranoid freaks. And why would someone target your PC unless you had some really valuable information. They wouldn't.
Sorry, for the incoherent rambling, Im just fucking sick of these "Oh no, new vulnerability" things popping up all the time. The NATURE of computers is that they are INHERINTLY insecure, just as DRM will always be worked around.
Hyperthreading is teh suck because I found a flaw.
I'm not going to tell you how it works until I get a chance to stand up in front of a buch of people and sound smart. In the meantime you can disable HT.
I can write.
The flaw affects BSD's and OpenServer for sure.
I'm unemployed, so give me money to find more flaws.
Intel rocks!
Yup...that's pretty much it. Or did I miss something?
Be Safe! Sleep with a Marine. Semper Fi!
I'd sooner guess that by presenting a paper at a conference, he's hoping to turn this into a job offer. There are any number of stories about black-hats mending their ways, and getting security jobs. Here's someone trying to start out as a white-hat, doing things the right way to begin with. Seems to me that if he's on the mark, he's a better risk for a job offer than a reformed black-hat.
The living have better things to do than to continue hating the dead.
This is the same guy who calculated the 1 Quadrillionth hexadigit of Pi (no, not digit. It is in base 16). His project was called PiHex. According to his currently short but illustrious trackrecord, along with this current announcement, he is destined for being a big-name IT security guru.
My web domain.
I think the FreeBSD team is being overly cautious about this issue. They now have disabled HTT by default on all of there release trees stating the reason is because information leakage is possible. This is not ture when anyone can just change the crypto method they are using to something like an RSA method using a FFT(Fast Fourier Transform). There are other methods possible too such as just forcing the HT sibling to go idle for a period of time which would allow the crypto program to run without leaking any information.
-DR
Are you talking about Connect?
God, memories dialing into the NIM, getting the 'Call cleared...' message every night when it kicked everyone off, spamming 'acm acm acm acm' at the prompt so you could get back on before anyone else... the good old days.
I want to delete my account but Slashdot doesn't allow it.
I'd be willing to bet he's right. He is currently awaiting a doctorate from the University of Oxford, which is commonly held as the finest academic institution in the world.
(I'm not biased by having spent the past 7 years there)
Anyone working on MultiCore CPU's on a single chip yet?
:-)
Is there a way to access registers on one core directly from another without a supervisor bit requirements?
Vector based systems I have been familair with use a sharded memory context exception handler for that sort of thing.
I think multicore CPU instruction sets are going to be interesting to look at as soon as I get my hands on one.
One more 4U chassis to add to the rack of equipment in my living room.
-hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
Most machines let you disable it in the BIOS, which would have to be the simplest way of turning it off possible.
the reason comes tomorrow. Oh, and you should also give me all your cash today because it is obsolete, more details to come tomorrow.
Yes. While I am a "full-disclosure is better than not" guy, you (or others like you) would be screaming even louder about how "irresponsible" this guy would be if he had released the "reason" today (said "reason," BTW is a proof-of-concept exploit, one that malicious jerks will probably adapt to their desires after it's released).
Oh yes sysadmins, disable hyperthreading because some poster on slashdot said so. This is just too gay.
Not as asinine as clueless AC posts like yours, modded up as "insightful" by equally clueless people who happen to have moderation points today. The guy is awaiting his doctorate at one of the world's most prestigious universities, has an excellent track record, and has chosen a conservative but less-controviersial approach in disclosing this issue.
All of which you would have known, if you'd bother to read TFA rather than spouting off nonsense here.
The Future of Human Evolution: Autonomy
If he gets it, that means he found a job in three months technically without looking for a job. Not a bad strategy for people who can pull it off (but people like this tend to _not_ be unemployed, unless they got hit by a beancounter somewhere).
But wait, a security issue that doesn't affect Microsoft? The sky is falling...
Microsoft has issued a patch in response to this "significant" security threat
You can download RIDDILIN.EXE to address the hyper-thread exploit from their update site...
Bill Gates assures me in a very personal email, installing this patch will fix the flaw, send me $5 for every other person who installs it... and Intel's stock will go up too. It's win-win...
Everyone should do it...
As we all know, this includes Linux :-)
Disclosure timeline
Why wasn't Intel notified over the past SEVEN MONTHS ?
Why pre-announce a vulnerability?
This sounds like an attempt to build himself up at the cost of others who use these processors - assuming this is a real vulnerability.
My laptop has an HT processor, and I am absolutely unconcerned about this vulnerability, since he said it only relates to servers
Let me pre-announce a few more entries for his "disclosure timeline":
Ken
I have 2 Dell 6650s, loaded with 4 HT Xeons and 32Gb RAM each. However, I had to disable HT on them as the license for the application I'm running allows 8 cpus only; when it detected "16" cpus across the 2 servers, it refused to start. So this news actually makes me feel better about the fact that `top` only shows 4 cpus on each box :o)
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
[humor]
What is this x86 hyperthreading that you speak of fearing? My venerable (read:ancient) 64-bit Sparc II scoffs at your toy x86. Ofcourse, the aforementioned Sparc is only 1/2 the speed of your P3, but it stills scoffs.
[/humor]
Seriously, the SPARC architecture is an open specification that, unfortunately, does not get enough respect. It has been 64-bit since almost forever, something that is only now becoming common in the x86 world. I noticed that the flaws were noted on SCO-ware running on x86. I wonder what other Unix/unix-like varients are affected. IIRC, Sun claims that their x86 and Sparc code base are a single tree. I wonder if the fix for all the affected OSes will required scads of architecture unique kernel hacking versus keeping a single tree.
Some of the most effective hacks/espionage come from exploiting "secondary channels" for information.
For example, I know of one hack from the good old days that involved placing a password across a page boundary. The OS compared the password to a plain text version character-by-character, so faulted if the characters up to the page boundary were all correct. Observing the disk access light (or the time to reject the password) provided character-by-character cracking.
Of course, password checking is now more sophisticated, but so is cryptanalysis. I think people that use encryption for real are well aware that there's an exposure in doing so on any time-shared system, or any system that can be observed in any way by a potential cryptanalyst.
I would guess, based on the sparse information presented here, that this is the nature of the attack. If - and that's a big if - you can cause an adversary to be scheduled in just the right way, you may be able to capture part or all of a private key by observing timing artifacts of the hyperthreading implementation.
This may be good security research, but unless I were protecting state secrets, I'd wait and evaluate the risk relative to other security risks that we find acceptable. I would also guess that the exposure is minimal compared to other high-tech and low-tech potential information leaks.
I'm a graduate of the University of Cambridge, which is *even more* commonly regarded as being the finest academic institution in the world. (It regularly tops the league tables here in the UK). Those guys and gals from the other place aren't a patch on us Tabs, especially in the sciences.
"I discovered a security flaw, details to follow, please give me money"
Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
...RSA is vunerable to timing attacks (why we have blinding in software). It's a wonder noone has thought about this earlier though, I remember reading about the military considering virtual machines (i.e. one physical machine could be on both classified/unclassified systems). One of the reasons they didn't was the ability to tap/signal through spinlocks and other timing data. I always thought this was a "well-known but too unlikely to be interesting" weakness, but I guess not. Maybe I should have published a paper myself.
Live today, because you never know what tomorrow brings
However, a workaround might be to permit HT only for multiple threads within the same process. That would still give some speedups to compute-intensive processes that are written to take advantage of threading.
Perhaps even better: processes[threads] belonging to the same user
That's a joke. Fenland Polytechnic (aka Cambridge Uni) doesn't even offer a proper science course. They have Natural Sciences - designed to ensure that after 3-4 years you STILL have no specific knowledge and are only fit for PhD at a crappier university or a job in the city.
Tabs! Those who don't know their arse from the elbow.
I'd make the case for Edinburgh, but it only beats other places in certain specialist areas, and this pissing contest has gone too far anyway!
This is only tangentially related to the security issue, but I found that disabling hyperthreading on a cluster of dual Xeons running Linux greatly improved performance with a distributed memory (MPI) numerical model. Short summary: even if you only run your model on physical CPUs, hyperthreading will apparently bounce jobs around in a somewhat random way. Not sure if it's a hardware issue or a software (Linux) issue.
Here is a link which goes into detail
A squid eating dough in a polyethylene bag is fast and bulbous, got me?
i'm goin back to a notepad and a playstation...all i need is the original Descent, Gran Turismo 2, and Metal Gear Solid and I'll be happy for the rest of my existence.
It takes just a moment and an action to destroy. It takes some time and thought to create.
...through the Star Gate?
I drank what? -- Socrates
Cause if it's not, you're gonna look like such a doofass ;-)!
My lame blog.
That's going to be hard to patch. As more HW becomes untestable for NP-complete problems like security holes, reconfigurability (field reprogrammability) might become a necessary security measure. Of course, that creates another avenue for attack. Intractability is a harsh (multi)taskmaster.
--
make install -not war
"which is commonly held as the finest academic institution in the world."
Only in Oxford.
Everywhere else its pretty clear its Cambridge.
Hmm, slows things down on occasion, opens your system to attack.. its a feature! go figure.
I am glad I am stuck with a Pentium 2 350 MHz :(
/. is good for you.
Only similarity is in the abbreviation.
--- Abnormally normal.
Alan Turing went to Cambridge and earned a fellowship there. That is also where he conceived the idea of the Turing machine - the basis of all programmable computers.
Where you get your education is immaterial. More important is what you do with it.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Hyper Transport has nothing to do with Hyper Threading. Hyper Threading means processor support for several (usually two) execution threads at once. Hyper Transport is a bus technology to interconnect pocessors, RAM, motherboard chips, PCI bus and the like.
AMD's Hyper Transport is similar to Intel's Hyper Threading, but in my books, superior.
That's like saying that the computers from Apple Computers are similar but superior to the computers from Apple Records. Notice how Apple Records makes no computers? Just because they start with the same word does not mean two things are the same.
The point is that the people who are capable of crafting an exploit for this or any similarly obscure security flaw are also capable of 1) packaging their exploit in such a way that far, far less capable people can perform it and 2) disseminating their packaged exploit very widely. A mega-corp wrote WinXP so that any rube can run it; why would a tricky in-CPU exploit be different?
I'm curious since AMD's Hyper Transport is similar to Intel's Hyper Threading, but in my books, superior.
Hyper Transport is a bus protocol. Hyper Threading is a means of maximising the use of the execution units on a CPU.
The only similarity is that they both start with the same letters. As such, I'm afraid that calling Hyper Transport "superior" makes you sound like a fanboy.
You're a fool and a troll and I'd hazard that this guy would pass the opportunity to work with someone of your intellect.
Hyper Threading Causes me problems anyway.
December 31, 2004: FreeBSD Security Officer Team notified.
February 27, 2005 - March 18, 2005: Other security teams contacted.
Why notify FreeBSD and then wait 2 or 3 months before notifying other possibly affected vendors (at least other BSDs)?
This is really not a mature attitude.
{{.sig}}
well, i can certainly blame it on marketing. keeping consumers in a daze without knowing wtf they're getting is kinda pissing me off lately. i see by definition the words are different, but still, i'm only relaying what i've been told as a consumer. frankly, the idea of intel and amd going head to head and constantly "one-upping" each other is stupid. thanks for clearing the confusion up. i'll be sure to keep using my 486 with Hot Tounging technology.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
He's 23, and he's getting a PhD; I wouldn't call that lack of ambition.
About time you updated your knowledge with a bit of "2 pints of lager and a packet of crisps" and "Teachers".
My paper is available here.
Have fun reading, I'm going back to the conference.
Tarsnap: Online backups for the truly paranoid
The paper from the talk has now been released, I've mirrored it in case the site gets hit.
http://www.daemonology.net/papers/htt.pdf
Cache Missing for Fun and Profit
after reading his paper at http://www.daemonology.net/papers/htt.pdf i think his point is that with htt enabled it's possible to have a covert channel between threads/processes with _shared memory_. that's not specific for htt and page-sharing threads - several months ago i wrote a covert channel implementation for arbitrary processes over a (non-htt) pentium 4 l2 cache that _do not share_ any memory pages. i am not going to make that code public.
disclaimer: this post is just supposed to be a small "fuck you, we were already using that technology and we even have a superior implementation!" to the so-called security expert community.
In at work, we also disabled hyperthreading on several Linux Java servers with dual Xeons and performance improved pretty dramatically.
Hexy - a strategy game for iPhone/iPod Touch
The paper describes how he did it -- he's taking advantage of the fact that a processor with HyperThreading allows both threads to use the same cache, and specifically allows one thread's memory accesses to evict the contents of cache lines formerly carrying data accessed by the other thread into memory. (This, by the way, is by design -- HT processors are supposed to allow the thread to share execution resources, including functional execution units and caches, to maximize resource utilization. Cutting the cache in half to be doled out between the threads will make the processor perform more like a Celeron.)
The exploit is performed via prior knowledge of the data structures and algorithms in use by the victim thread. By being able to infer parts of the key from the layout of recent memory accesses performed by the other thread, the attacker is able to recover some of the key. The layout of accesses is inferred by timing memory accesses in a pattern designed to make the cache thrash and figuring out what relative addresses might have changed recently.
To say that this would be a difficult exploit on a multiuser system running many different threads from many different processes would be a great understatement. Under a controlled environment with a thread whose use of data structures and algorithms is known in great detail, it's feasible to pull it off. However, "in the wild" it's likely to be much, much more challenging.
The paper is now available at:
http://www.daemonology.net/papers/htt.pdf
Link from KernelTrap
I'm sure we'll have to wait for the final article, but if this is a problem with hyperthreading, does it affect athlon64? He doesn't say that it does, but he doesn't say that it doesn't either. So, I'm wondering if he even TRIED the exploit on an athlon64.
The attack uses the RDTSC instruction to find out how many clock cycles are taken to perform its operations.
There is a flag on x86 that can disable RDTSC for user-mode code. As far as I can see, it would be much, much harder to do a similar attack without a fairly accurate clock-counting instruction like this.
I'm not sure though - could someone who knows more about these things comment on how fine-grained the timing needs to be to detect cache misses? Can the bits be recovered slowly over a long period of time?
Yes, by all means, let's deride advanced education as being worthless and a foolish pursuit. It's much better to try to learn everything by yourself and reinvent the wheel rather than participating in a community environment of study.
...For Dummies books and only leave the house to stare in the window of the hot chick next door at 11PM.
Because, of course, who needs community? People are awful. I'd much rather stay in my mom's basement with my
+++ATH0
Those words aren't in the research paper.
The paper is here http://www.daemonology.net/papers/htt.pdf and I've skimmed it.
My takeaway is that if a process knows another thread is calculating an SSL key, it can get an advantage in figuring out the SSL key.
It won't "get" the actual key, but with sufficient "bits" of info, the calculation can be rendered fairly trivial.
I'm not familiar with these types of security reports, but let me say that to me, it sounds much like saying that with a careful analysis of the LEDs on the front of my IMSAI 8080 my private data may be revealed.
There seems to be so many other things that feed into this vulnerability (like, a minimal number of processes running, knowing the code is being executed, that the thread and the "cracker" software run on different "logical" CPUs at the same time, etc...) that this is a very, very, small issue - damn near purely theoretical.
If the author can say, "Run this code on your server, calculate an SSL key, and this piece of code will reveal your SSL key" then we have a real vulnerability. As I read it, the author is saying "Run this code, calculate an SSL key, and you may be able to infer a percentage of the bits that comprise your SSL key".
I will repeat, I only skimmed the paper, and I'm not familiar with these types of reports, but that is what I walked away with - if I am wrong, I invite the correction.
Ken
HT is good only when you have 2 different (from CPU point of view) tasks to run, using different core parts - for example, ray-tracing (lot of floating point) and xml parsing (lot of integer / string operations).
Give the CPU 2 similar threads and you are much better with disabled HT
Not sure for the explanation, but performance issues are a matter of fact.
I've tried HT on both the 3.0c [Northwood, 512k L2] and 2.8e [Prescott, 1M L2] P4 models, both with identical hardware otherwise [1Gb dual channel DDR400, 875P chipset, nvidia fx5200, 120Gb 7200RPM ATA133 WD disc]. It's really nice on the 2.8e, but you fall in the cache miss tar pit on the 3.0c. With HT turned on the 2.8e actually feels faster than the 3.0c ever did, especially under heavy load, and is nearly impossible to bring to its knees whatever I throw at it.
:)
Back on topic: This attack doesn't really shock me that much; covert channels are a fact of life in any multi-user machine, and anything that needs bulletproof security should be on isolated hardware. Attacking an RSA implementation by analyzing cache performance is a truly sweet hack though... my propeller-beanie spins in admiration.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Timing attacks are pretty hardware independent; they're more a trait of algorithms (requiring table lookups and hence cache hits and misses). Sure, one could create processors without data caches, but would one really want to?
The only real solution to such timing attacks is to disable multitasking; anything that can replace cache lines can disclose information. Hyperthreading may be a little "worse" in that it can make the cache contention a bit worse, but the problem exists with hyperthreading disabled.
For those who use VMware ESX server, note that you can prevent one virtual machine from using this attack on another virtual machine in the same physical system. You can set sched.cpu.htsharing=none in a VM's config file to effectively disable HT for this vm only. You can also try:
f
sched.cpu.htsharing=internal for an SMP VM to disallow it from sharing a package with vcpus from another VM, but allow the two vcpus from this VM to share. More is explained in the hyperthreading (8) man page and in the HT whitepapper: http://www.vmware.com/pdf/esx21_hyperthreading.pd
If you have only a single VM with untrusted users on a given box, you could set that VM to "none" sharing while allowing other VMs to continue to take advantage of HT.
I don't know how many Slashdotters use ESX, but you've got it admit it has some pretty cool features.
and there's no community possible on the web, none at all, absolutely.
Here's the much awaited paper from Colin:
http://www.daemonology.net/papers/htt.pdf
My lame blog.
And why it is just a claim is explained in posts above yours...in other words, it's a security issue which means you don't blab it until you have it nailed down and some sort of remediation possible.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Well, whatever you do, don't do aspected-oriented programming (that was Considered Harmful two weeks ago) on a Hyperthreaded CPU.
I'm pretty sure that will Destroy the Entire Universe (sm), or at least sour the milk a full week early.
Hey, I have nothing useful to contribute intellectually, but sniping is my hobby, so....Well, I just read the paper, and I applaud Colin on several levels. First off, the theory of the attack is rock-solid and well-written. Secondly, he describes very implementable OS work-arounds, crypto library fixes, and finally chip design corrections which will totally eliminate the security hole.
This is one of the best thought out, best written papers of its kind that I have read in my over thirty years of work in the engineering field.
About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
... see
http://www.daemonology.net/papers/htt.pdf
He describes an attack on the RSA secret key in an OpenSSL system. By knowing how OpenSSL performs modulus arithmetic, he is able to distinguish many bits of p and q in the modulus by observing L1 cache hits and misses in a simultaneously running process. Assembler code is provided...
I wonder why he doesn't use linux ...
~darkness_falls
This flaw permits local information disclosure, including allowing an unprivileged user to steal an RSA private key being used on the same machine There are NO unprivileged user on my Windows XP box, you insensitive clod!
Warning: Sig Fault. Dumping warp core.
No, MTS - Michigan Terminal System. Created at Michigan State I believe; ran there, Waterloo, RPI, and 8 or 10 other universities (maybe more). Used to run 100-175 users on a 370/3033 and later a 370/3091(?) 4-CPU system. At RPI, the main computing center (VCC, Voorhees Computing Center) was (and is) an old chapel, with 20' stained glass over the terminals.
VERY different than MVS.
Probably the only OS that came with a full PDP-8 simulator as a system command - and the PDP-8 simulator was used once to break the security of the OS. Really. A buffer-overrun attack.
During the Cryptographer's Panel at the RSA conference, Adi Shamir made a short reference to this vulnerability. He confirmed in subsequent e-mail that of course he had a working implementation, or he wouldn't have mentioned it in public, and that a presentation would be forthcoming at the Eurocrypt 2005 rump session next week in Denmark.
I was sore disappointed that the press didn't pick it up then, because I thought it was the most interesting item in any of the keynote talks at RSA (although the hash function flaw announcements came a close second).
Cache contention as a covert timing channel has been explored at least since 1983/84 (when I encountered an instance of it during a TCSEC project and was gently shooed away from exploring such a "sensitive" topic). The precision targeting of this particular attack is really slick.
The hyperthreading covert information leakage is unlikely to be a problem in Linux since Linux doesn't have true "threads". Each thread is represented by a process and the author states that multiple processes wouldn't be able to use the Processor L1 cache due to process switching overhead.
:-)
This exploit also uses a few "small" [sic] bits of handwaving:
1) Ability to syncronize the two separate processes. This was done for the author's example by using a debugger, "spy" to "know" when openssl was started and when it ended (p6).
2) quite another bit of handwaving with "On an otherwise quiescent system" (p6)
3) On a trusted OS, how did "trojans" and "spy" programs get loaded? On such systems, it is usually not the case that even compilers are availabe let alone the ability to load programs on demand.
On a trusted OS, a trojan might, at best, be loaded by a low-level browswer/download process. On a MLS, the user doing the downloading doesn't (or shouldn't) have administrative access to allow a trojan or a spy access to realtime functions like "process debugging", and "process scheduling" (perhaps including the "sched_yield" function.
It is quite likely that on a properly configured MLS system, web browsing would be done at a lowest level of priviledge, where only previously installed programs are allowed to run -- i.e. you can't download a trojan and have it be runnable. Anything downloadable to a writable partition has the "noexec" bit set. This is not user-changeable by a user with Mandatory Access Control's in place (often used with MLS to prevent privilege elevation).
4) It's unlikely that a MLS secure system with MAC (vs. Discretionary Access control, or DAC) would even be hooked up to the internet.
The whole bit describes an unlikely scenario in a MLS(usually MAC) system.
None of this means the author hasn't done his homework and there isn't a risk
of covert channels using this means, but in the real world, super secure systems shouldn't be running code that hasn't been rigorously examined and proven to some "Effective Assurance Level" (EAL).
The whole bit of caching could be extended to the Linux block cache, but in such a scenario, to provide true Level Separation, different priviledge levels likely wouldn't use the same block devices -- and hopefully, Processesors could have a bit as to whether to divide the cache/processor or to allow cache sharing (which would benefit performance for most apps).
Also, I might ask -- how would two different threads of the same process get two different levels of security clearance -- that just seems like dangerous programming and such a program would likely not be approved for most MLS systems.
It is a good paper, and it raises good issues to be aware of, but in practice it doesn't seem easily implemented.
However -- that stated -- there have always been known information leakage problems on multi-user computers. Simply measure latency in key echo's, network pings and program performance. All of these can be used to leak bits of information.
As for getting 310 bits out of 512...who's using 512 byte RSA keys these days? Bruce Schneier, in 1995 listed 1280-2048 bits for an RSA key.
Some symple preventive measures for now: 1) don't allow different threads in same process to have different security levels. 2) don't run untrusted programs on a "secure" system. 3) providing L2 cache separation _might_ be useful for some small number of government users trying to run an MLS on one machine, but it seems it'd be more assurance for them to use two separate processors in two separate machines physically separate machines running at different security levels.
Sorry if I've overlooked anything in my assessment. In no way did I mean to step on any toes.
-l
See?
Really, what's the point of these anymore? We need some essays about things that actually cause harm, not confusion or frustration.
Ingesting Ammonia Considered Harmful
Chemical Burns Considered Harmful
Improperly-Handled Chainsaws Considered Harmful
The Government Considered Harmful
etc. etc.
I am scientifically inaccurate.
Without the paper to judge, without any testimony from any security authority, and without any obvious remedy, what would be gained by starting to generate kernel hacks at this time?