Hertzbleed is a new family of side-channel attacks affecting modern CPUs

A team of researchers from the University of Texas, the University of Illinois, and the University of Washington has disclosed a new family of side-channel attacks (CVE-2022-23823, CVE-2022-24436), codenamed Hertzbleed. The attack exploits the dynamic frequency scaling of modern processors and affects all current Intel and AMD CPUs. The problem could also appear in processors from other manufacturers that support dynamic frequency changes, such as ARM systems, but the study was limited to Intel and AMD chips. The source code implementing the attack has been published on GitHub (the implementation was tested on a computer with an Intel i7-9700 CPU).

To optimize power consumption and prevent overheating, processors dynamically change their clock frequency depending on the load. This changes performance and therefore the execution time of operations (a change in frequency of 1 Hz changes performance by 1 clock cycle per second). The study found that under certain conditions on AMD and Intel processors, the frequency change correlates directly with the data being processed, so that, for example, the operations "2022 + 23823" and "2022 + 24436" take different amounts of time to compute. By analyzing the differences in execution time across different inputs, it is possible to indirectly recover the information used in the computation. Moreover, on high-speed networks with predictable, constant delays, the attack can be carried out remotely by timing requests.

If successful, the attack makes it possible to recover private keys by analyzing computation time in cryptographic libraries whose algorithms always perform their mathematical operations in constant time, regardless of the data being processed. Such libraries were considered protected from timing side-channel attacks, but it turns out that computation time is determined not only by the algorithm but also by the behavior of the processor.
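The chain of reasoning in the two paragraphs above (data-dependent frequency turning a constant cycle count into data-dependent wall-clock time), as an added toy model in Python that is not part of the original article or the researchers' code; the power and frequency relations are assumed linear constants chosen for illustration, not measured values.

```python
"""Toy model of the Hertzbleed chain: data -> power -> frequency -> time.
Constructed illustration (assumed linear relations), not the study's code.
"""
from dataclasses import dataclass

BASE_FREQ_HZ = 4.0e9    # assumed boost frequency at baseline power
HZ_PER_WATT = 1.0e8     # assumed frequency drop per extra watt
STATIC_POWER_W = 10.0   # assumed baseline package power
WATT_PER_BIT = 0.05     # assumed dynamic power per set bit


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def dynamic_power_w(a: int, b: int, result: int) -> float:
    """Data-dependent power: more set bits -> more switching activity."""
    bits = hamming_weight(a) + hamming_weight(b) + hamming_weight(result)
    return STATIC_POWER_W + WATT_PER_BIT * bits


def frequency_hz(power_w: float) -> float:
    """DVFS-style response: the CPU lowers frequency as power rises."""
    return BASE_FREQ_HZ - HZ_PER_WATT * (power_w - STATIC_POWER_W)


@dataclass
class Measurement:
    cycles: int      # what a constant-time implementation guarantees
    seconds: float   # what a remote observer actually measures


def constant_cycle_add(a: int, b: int, cycles: int = 1_000_000) -> Measurement:
    """Fixed cycle count, but duration = cycles / frequency(power(data))."""
    result = (a + b) & 0xFFFF_FFFF
    freq = frequency_hz(dynamic_power_w(a, b, result))
    return Measurement(cycles=cycles, seconds=cycles / freq)


def leaks_in_time(a: int, b1: int, b2: int) -> bool:
    """True when both inputs cost equal cycles yet distinct wall-clock time."""
    m1, m2 = constant_cycle_add(a, b1), constant_cycle_add(a, b2)
    return m1.cycles == m2.cycles and m1.seconds != m2.seconds


if __name__ == "__main__":
    for b in (23823, 24436):
        m = constant_cycle_add(2022, b)
        print(f"2022 + {b}: {m.cycles} cycles, {m.seconds * 1e6:.4f} us")
```

The two sums from the article cost identical cycles in this model yet differ in duration, which is exactly the signal a remote timing measurement picks up.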

As a practical demonstration of the method, the researchers attacked an implementation of the SIKE (Supersingular Isogeny Key Encapsulation) key encapsulation mechanism, a finalist in the post-quantum cryptography competition held by the US National Institute of Standards and Technology (NIST) and positioned as protected from side-channel attacks. Using a new chosen-ciphertext variant of the attack (incrementally manipulating the ciphertext and observing its decryption), they fully recovered the key used for encryption from measurements taken on a remote system, despite the SIKE implementation using constant-time computation. Recovering a 364-bit key took 36 hours against the CIRCL implementation and 89 hours against PQCrypto-SIDH.

Intel and AMD have acknowledged that their processors are affected, but do not plan to address the issue with a microcode update, since it cannot be eliminated in hardware without a significant performance impact. Instead, developers of cryptographic libraries have been given recommendations on how to block the information leak in software when performing sensitive computations. Cloudflare and Microsoft have already added such protection to their SIKE implementations, at a performance cost of 5% for CIRCL and 11% for PQCrypto-SIDH. Another workaround is to disable Turbo Boost, Turbo Core, or Precision Boost in the BIOS or driver, but this causes a drastic decrease in performance.

Intel, Cloudflare and Microsoft were notified of the issue in the third quarter of 2021, and AMD in the first quarter of 2022, but public disclosure was delayed until June 14, 2022 at Intel's request. The problem has been confirmed in desktop and laptop processors based on the 8th through 11th generations of the Intel Core microarchitecture, as well as in various desktop, mobile and server AMD Ryzen, Athlon, A-Series and EPYC processors (the researchers demonstrated the method on Ryzen CPUs with the Zen 2 and Zen 3 microarchitectures).

Source: opennet.ru