Hardware makers have long known that hackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values. Fortunately, the means for exploiting power analysis attacks against microprocessors are limited, because a threat actor has few viable ways to remotely measure the energy a chip consumes while it processes secret material. Now, a team of researchers has figured out how to turn power analysis attacks into a different category of side-channel exploitation that is much less demanding.

DVFS targeting

The team found that Dynamic Voltage and Frequency Scaling (DVFS), a power and heat management feature built into every modern CPU, allows intruders to detect changes in power consumption by tracking the time it takes a server to respond to specific, carefully crafted queries. The discovery significantly reduces what is required to carry out such an attack. By understanding how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be performed remotely. The researchers named the attack Hertzbleed because it uses DVFS behavior to expose, or bleed out, data that is expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD processors. The researchers have already shown how the exploitation technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communication channel.
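As an added illustration of the point above (not the researchers' code or measurements): a toy model in which a routine always costs the same number of cycles, yet DVFS lowers the clock for operands with more set bits, so a remote observer's wall-clock timings separate the two operand classes under a Welch's t-test, the standard leakage-assessment check applied to supposedly constant-time code. The frequency slope, jitter level and operand values are constructed assumptions.

```python
"""Toy model of the effect behind Hertzbleed (added example, not the
researchers' code): a routine with a fixed cycle count still shows
data-dependent wall-clock time once DVFS lowers the clock for operands
that draw more power. Every constant below is constructed."""
import math
import random
import statistics

CYCLES = 1_000_000       # the "constant-time" routine always costs this many cycles
BASE_GHZ = 4.0           # assumed clock for low-power operands
GHZ_PER_SET_BIT = 0.005  # assumed clock drop per set operand bit (toy slope)
JITTER_NS = 2000.0       # assumed remote measurement noise (std dev)

def cycle_cost(a: int, b: int) -> int:
    """Cycle count of the modelled routine: independent of a and b by design."""
    return CYCLES

def model_frequency_ghz(a: int, b: int) -> float:
    """Toy DVFS: more set bits -> more power -> lower steady-state clock.
    The paper reports a Hamming-weight dependence; the slope here is invented."""
    return BASE_GHZ - GHZ_PER_SET_BIT * (bin(a).count("1") + bin(b).count("1"))

def observe_latency_ns(a: int, b: int, rng: random.Random) -> float:
    """Wall-clock time a remote observer sees for one request (cycles / clock + noise)."""
    return cycle_cost(a, b) / model_frequency_ghz(a, b) + rng.gauss(0.0, JITTER_NS)

def welch_t(xs, ys) -> float:
    """Welch's t-statistic, the standard two-class leakage test (TVLA style)."""
    var = statistics.variance(xs) / len(xs) + statistics.variance(ys) / len(ys)
    return (statistics.fmean(xs) - statistics.fmean(ys)) / math.sqrt(var)

def assess_leakage(n: int = 200, seed: int = 1, threshold: float = 4.5) -> dict:
    """Compare latencies for low- vs high-Hamming-weight operands; |t| > threshold
    flags a timing leak even though the cycle count never changes."""
    rng = random.Random(seed)
    low, high = (0x00000000, 0x00000001), (0xFFFFFFFF, 0x7FFFFFFF)  # 1 vs 63 set bits
    t_low = [observe_latency_ns(*low, rng) for _ in range(n)]
    t_high = [observe_latency_ns(*high, rng) for _ in range(n)]
    t_ctrl = [observe_latency_ns(*low, rng) for _ in range(n)]  # same data: null case
    t_leak, t_null = welch_t(t_low, t_high), welch_t(t_low, t_ctrl)
    return {"cycles_equal": cycle_cost(*low) == cycle_cost(*high),
            "t_low_vs_high": t_leak, "leak_detected": abs(t_leak) > threshold,
            "t_low_vs_low": t_null, "false_alarm": abs(t_null) > threshold}
```

Running `assess_leakage()` reports equal cycle counts for both operand classes together with a large negative t-statistic (the low-weight class finishes faster), while the control comparison of identical data stays below the threshold.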
The researchers said they successfully replicated their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also said the technique would work on Intel Xeon processors, and they verified that AMD Ryzen processors are vulnerable and allow the same SIKE attack used against Intel chips. The researchers believe that chips from other manufacturers may also be affected. In a blog post explaining the finding, members of the research team wrote:

"Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure. Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436. Hertzbleed is a real and practical threat to the security of cryptographic software. We have shown how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as 'constant time'."

Meanwhile, Intel Senior Director of Security Communications and Incident Response Jerry Bryant questioned the practicality of the technique. In a post, he wrote: "Although this topic is of interest from a research standpoint, we do not believe that this attack is practical outside of the laboratory." Intel has also released guidance for hardware and software developers. Neither Intel nor AMD is releasing microcode updates to change the behavior of the chips. Instead, they are backing the changes that Microsoft and Cloudflare made to the PQCrypto-SIDH and CIRCL cryptographic code libraries, respectively.
The researchers estimated that the mitigation adds a 5 percent decapsulation performance overhead to CIRCL and 11 percent to PQCrypto-SIDH. The mitigation was proposed by a different group of researchers who independently discovered the same weakness. AMD declined to comment before the embargo was lifted.