Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Side Channel Attacks. Show all posts

Intel and AMD CPU Trageted by the New 'Hertzbleed' Remote Side-Channel Attack

A group of academic researchers has found a potential side-channel method that uses a CPU timing hack to allow attackers to remotely retrieve critical information from a target network. The problem, which has been dubbed Hertzbleed by a team of researchers from the University of Texas, the University of Illinois Urbana-Champaign, and the University of Washington, is induced by dynamic voltage and frequency scaling (DVFS), power and thermal management feature used to conserve power and reduce the amount of heat generated by a chip.  

"Periodic CPU frequency adjustments depend on current CPU power usage under particular situations, and these adjustments immediately translate to execution time variations (since 1 hertz Equals 1 cycle per second)," the researchers stated. An intruder can exploit cryptographic software and get crucial cryptographic keys by analyzing these temporal differences – in some circumstances, even a remote attacker can detect the variances.

SIKE, or Supersingular Isogeny Key Encapsulation, a post-quantum key encapsulation technology utilized by firms like Microsoft and Cloudflare, was used to demonstrate the assault. In reaction to the discoveries, both AMD (CVE-2022-23823) and Intel (CVE-2022-24436) have released independent advisories, with the latter stating that Hertzbleed affects all Intel processors due to unauthorized access. 
There are no patches available. 

Intel has issued two customer advisories in response to the Hertzbleed attacks. All of Intel's chips are affected, as per the chipmaker. While no CPU firmware changes have been released, the company has provided cryptography recommendations for software developers to "harden its libraries and applications from frequency throttling information leaking."

Hertzbleed has been the subject of an AMD alert; several desktops, mobile, Chromebook, and server processors have been identified as being affected by the bug, as per the company. AMD has also recommended that software developers implement defenses.

It's not the first time that new data theft techniques from Intel chips have been discovered. Two Hertzbleed co-authors showed an "on-chip, cross-core" side-channel attack targeting Intel Coffee Lake and Skylake CPUs' ring interconnect in March 2021. The researchers stated, "The message is that current cryptography engineering approaches for writing constant-time code are no longer sufficient to guarantee constant-time execution of software on newer, variable-frequency CPUs."

Multi-GPU Systems are Vulnerable to Covert and Side Channel Assaults

 

A team led by Pacific Northwest National Laboratory (PNNL) academic researchers has published a research paper explaining a side-channel assault targeting architectures that depend on several graphics processing units (GPUs) for resource-intensive computational operations. 

Multi-GPU systems are employed in high-performance computing and cloud data centers and are shared between multiple users, meaning that the protection of applications and data flowing through them is critical. 

“These systems are emerging and increasingly important computational platforms, critical to continuing to scale the performance of important applications such as deep learning. They are already offered as cloud instances offering opportunities for an attacker to spy on a co-located victim,” the researchers stated in their paper. 

Researchers from Pacific Northwest National Laboratory, Binghamton University, University of California, and an independent contributor, used the Nvidia Ampere-generation DGX -1 system containing two GPUs attached using a combination of custom interconnect (NVLink) and PCIe connections for their demonstrations. 

The researchers reverse-engineered the cache hierarchy, demonstrating how an assault on a single GPU can hit the L2 cache of a connected GPU and cause a contention issue on a linked GPU. They also showed that the malicious actor could “recover the cache hit and miss behavior of another workload,” essentially allowing for the fingerprinting of an application operating on the remote GPU. 

In reverse engineering the caches and poking around the shared Non-Uniform Memory Access (NUMA) configuration the team unearthed "the L2 cache on each GPU caches the data for any memory pages mapped to that GPU's physical memory (even from a remote GPU)." 

Additionally, the researchers demonstrated proof-of-concept side-channel assaults where they recovered the memorygram of the accesses of a remote victim and used it to fingerprint applications on the victim GPU and to spot the multiple neurons in a concealed layer of a machine learning model. 

To precisely spot applications based on their memorygram, the academics designed a deep learning network to accurately identify applications based on their memorygram and say that this can be used as a base for future attacks that not only identify a target application but also infer information about it.

“This attack can be used to identify and reverse engineer the scheduling of applications on a multi-GPU system (simply by spying on all other GPUs in a GPU-box), identify target GPUs that are running a specific victim application, and even identify the kernels running on each GPU,” the researchers added.

While GPUs do have some defenses to thwart side-channel attacks on a single GPU, they are not designed to mitigate this new type of assaults, which are conducted from the user-level and do not require system-level features necessary in other assaults.

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. However, the only way to make DNS more secured has always been to randomize UDP ports, known as ephemeral ports, intending to make it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. The Linux kernel analyzes the messages, as demonstrated by the researchers, utilizing shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If somehow the targeted port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the estimate. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An approximate 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that just takes minutes to complete. 

This unique attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side-channel; randomizing the kernel shared caching structure itself, and refusing ICMP redirects. As a result of the revelation of this new vulnerability, the Linux kernel has indeed been fixed to randomize the shared kernel structure for both IPv4 and IPv6.

Researchers Devise New Time And Power-Based Side-Channel Attacks that Affect AMD CPUs

 

A team of researchers from the Graz University of Technology and CISPA Helmholtz Center for Information Security. developed a novel side-channel exploit that targets AMD CPUs. 

Moritz Lipp and Daniel Gruss of the Graz University of Technology, along with Michael Schwarz of the CISPA Helmholtz Center for Information Security, established the new attack technique. They were first to uncover the Meltdown and Spectre vulnerabilities, which opened the door for numerous additional side-channel attack methods targeting commonly used chips. 

These side-channel exploits generally permit a malicious program installed on the targeted system to leverage CPU flaws to access potentially sensitive information in memory linked with other apps, such as credentials and encryption keys. 

Several of the side-channel assaults revealed in recent years have targeted Intel processors, but systems powered by AMD processors are not protected, as per the recently published research. 

“In contrast to previous work on prefetch attacks on Intel, we show that the prefetch instruction on AMD leaks even more information,” the researchers explained in the abstract of their paper. 

The study presented numerous attack scenarios, one of which researchers used a Spectre attack to disclose confidential material from the operating system and provided a novel way for building a covert channel to steal information. 

In addition, the research suggests having discovered the first "full microarchitectural KASLR (kernel address space layout randomization) break on AMD that works on all major operating systems." KASLR is an attack mitigation method, and the experts demonstrated how an intruder might defeat it on laptops, desktop PCs, and cloud virtual machines. 

AMD was notified about the results in mid-and late 2020, the vendor recognized them and gave a response in February 2021; the flaws have been assigned the CVE identifier CVE-2021-26318 and a medium severity grade by AMD. 

The chipmaker acknowledged that perhaps the problem affects all of its processors, but it isn't suggesting any additional mitigations since "the attacks discussed in the paper do not directly leak data across address space boundaries." 

Lipp feels that their most recent study covers several intriguing features of AMD CPUs that might spur further investigation into side-channel assaults. 

He further explained, “For instance, we use RDPRU as a timing primitive as the typically used rdtsc instruction has a lower resolution on AMD. This allows to distinguish events with only a slight timing difference. On the other hand, we use the reported energy consumption of the AMD driver to mount an attack. While this driver has now been removed from the Linux kernel, using this energy source could be interesting to mount other power side-channel attacks as we have shown on Intel with the PLATYPUS attacks.”