Hertzbleed

[DusaN]

Hertzbleed Attack

www.hertzbleed.com

Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure.

Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed. This means that, on modern processors, the same program can run at a different CPU frequency (and therefore take a different wall time) when computing, for example, 2022 + 23823 compared to 2022 + 24436.

Hertzbleed is a real, and practical, threat to the security of cryptographic software. We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as “constant time”.

zanimljivi detalji

Am I affected by Hertzbleed?​

Likely, yes.

Intel’s security advisory states that all Intel processors are affected. We experimentally confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.

AMD’s security advisory states that several of their desktop, mobile and server processors are affected. We experimentally confirmed that AMD Ryzen processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.

Other processor vendors (e.g., ARM) also implement frequency scaling in their products and were made aware of Hertzbleed. However, we have not confirmed if they are, or are not, affected by Hertzbleed.

Do Intel and AMD plan to release microcode patches to mitigate Hertzbleed?​

No. To our knowledge, Intel and AMD do not plan to deploy any microcode patches to mitigate Hertzbleed. However, Intel provides guidance to mitigate Hertzbleed in software. Cryptographic developers may choose to follow Intel’s guidance to harden their libraries and applications against Hertzbleed. For more information, we refer to the official security advisories (Intel and AMD).

Is there a workaround?​

Technically, yes. However, it has a significant system-wide performance impact.

In most cases, a workload-independent workaround to mitigate Hertzbleed is to disable frequency boost. Intel calls this feature “Turbo Boost”, and AMD calls it “Turbo Core” or “Precision Boost”. Disabling frequency boost can be done either through the BIOS or at runtime via the frequency scaling driver. In our experiments, when frequency boost was disabled, the frequency stayed fixed at the base frequency during workload execution, preventing leakage via Hertzbleed. However, this is not a recommended mitigation strategy as it will significantly impact performance. Moreover, on some custom system configurations (with reduced power limits), data-dependent frequency updates may occur even when frequency boost is disabled.

 

[PPC]

A jel imaju ovi tvoji postovi neku poentu dalju od sujete jer si bio "oboren" u temi sa upucavanjem kablova?

Jel treba sad da ulazimo u preplitanje detalja slenga i semantike u temi o CPU exploitima?

Dear Jebus.

Ja reportovao ovo kao apsolutni time waste, nadam se da ce moderacija obrisati jer je BUKVALNO waste.

 

[Sass Drake]

Evo, pogledaj datume. Ako hoces bas da budes bukvalista, ne, nije "svaki dan" ali skoro pa i da jeste.

Intel : Security vulnerabilities, CVEs

Security vulnerabilities related to Intel : List of vulnerabilities affecting any product of this vendor

www.cvedetails.com

Exploiti ovog tipa su hardverske prirode, a ne softverske kao što su većina na tom linku. To što je dotični softver naisao Intel ne znači da je propust u samom procesoru.

 

[PPC]

I Spectre i Meltdown su bili "hardverske" prirode pa su zakrpljene softverom. Intel vec ima software guide za mitigaciju Hertzbleed-a. Ceo clanak je primarno napisan alamisticki. Ne razumem o kakvom "system wide performance loss" pricaju ako je potrebno samo ugasiti turbo boost da bi ste hardverski otklonili "rupu" (kao sto 90% ljudi koji overclockuju CPU vec setuju, recimo). Turbo boost je primarno fukcija za ustedu struje, ne funkcija za benefit u performansama. Na kraju samog clanka lepo i kazu da smo svi sasvim sigurno "pogodjeni" (affected) ali da smo tek mozda "u riziku" (vulnerable). Tako je bilo otp sa Spectre i Meltdown. Na prste mozgu da se nabroje malware programi koji su se iz njih izrodili i koji ih zaista koriste. Razlicitih ransomware software-a ima bar pet puta toliko i naneta steta je sasvim sigurno proporcionalna, hw ili sw, na kraju i nije toliko bitno.

BTW danas svaki vulnerability mora imati svoj logo i biti popularizovan od strane istrazivackog tima koji ga je pronasao. Alarmisticki tekstovi takodje ne skode.

 

[Sass Drake]

I Spectre i Meltdown su bili "hardverske" prirode pa su zakrpljene softverom. Intel vec ima software guide za mitigaciju Hertzbleed-a. Ceo clanak je primarno napisan alamisticki. Ne razumem o kakvom "system wide performance loss" pricaju ako je potrebno samo ugasiti turbo boost da bi ste hardverski otklonili "rupu" (kao sto 90% ljudi koji overclockuju CPU vec setuju, recimo). Turbo boost je primarno fukcija za ustedu struje, ne funkcija za benefit u performansama. Na kraju samog clanka lepo i kazu da smo svi sasvim sigurno "pogodjeni" (affected) ali da smo tek mozda "u riziku" (vulnerable). Tako je bilo otp sa Spectre i Meltdown. Na prste mozgu da se nabroje malware programi koji su se iz njih izrodili i koji ih zaista koriste. Razlicitih ransomware software-a ima bar pet puta toliko i naneta steta je sasvim sigurno proporcionalna, hw ili sw, na kraju i nije toliko bitno.

BTW danas svaki vulnerability mora imati svoj logo i biti popularizovan od strane istrazivackog tima koji ga je pronasao. Alarmisticki tekstovi takodje ne skode.

SpeedStep i SpeedShift su za uštedu energije. Turbo Boost je fabrički overklok.

 

[PPC]

"Fabricki overclock" je oksimoron jer overclock podrazumeva setovanja van fabrickih. Svaki procesor ima jednu fabricki propisanu najvisu mogucu frekvenciju i to je "turbo" i "overclock" samo u marketingu.

SpeedStep i SpeedShift dve iteracije iste stvari. Turbo boost je samo ekstenzija SpeedStepa koja marketinski bolje zvuci.

Sta radi SpeedStep/Shift, modifikuje frekvenciju procesora prema potrebi. Sta radi Turbo boost, modifikuje frekvenciju procesora prema potrebi. Problem u ovom eksploitu je u modularnom prilagodjavanju frekvencija.

 

[DusaN]

Da, i bez toga Turbo boost će umesto da recimo ide na 3,5-4GHz raditi stalno na 3GHz.

 

[PPC]

Ako ti mislis da je Turbo boost zaista neki "turbo" onda nemas ni bazicno poznavanje o materiji, izvini. Ceo koncept Turbo boosta postoji zarad marketinga i da se "pogode" odredjeni TDP rejtinzi za OEM proizvodjace. Nista u Turbo boostu nije turbo. Mozes da ugasis turbo boost i da zakljucas procesor na koliko god Ghz on moze da izbaci pod "turbo" modom i resio si problem. Trosices koji wat vise na idle i to je to. Tako svaki normalan overclocker setuje svoj CPU od pamtiveka.

 

[DusaN]

Da, u pravu si za desktop procesore.
Mogu li i serverski procesori da se isto tako overklokuju, pretpostavljam da su ipak oni logičnije meta, ne mi obični korisnici, nisu zaključani, imaju i ta "OC" podešavanja biosi tih ploča?

 

[PPC]

Generalno trebalo bi da mogu da se zakljucaju na najvisi takt, nije to neki poseban "OC" setting. Sve sto je fabrika propisala kao moguce po definiciji nije "OC".

Kod serverskih setup-a takav pristup ce da "boli" kompaniju jer ce dobiti dodatan trosak "bez potrebe" a taj trosak ce se skalirati mnogo vise nego kod privatnog korisnika. Kao sto sam na pocetku rekao, jurimo optimizacije izmedju brzine, pouzdanosti i bezbednosti a sve ove stavke se kose jedna sa drugom, nije lako to organizovati. Svaki dan potrebe su vece, svaki dan neko ce preuzeti rizik predikcije izvrsenja zarad boljih performansi, bolje prodaje, dominacije na trzistu... a ta predikcija ce uciniti sistem komplikovanijim i dodati jos jedan potencijalan vektor napada.