How does TLBleed abuse the Hyper-Threading feature in Intel chips? (original) (raw)
TLBleed exploits Intel's HTT feature to leak data via side-channel attacks. Learn about how TLBleed obtains sensitive memory information from expert Michael Cobb.
A new side-channel attack called TLBleed abuses the Hyper-Threading feature of Intel chips. Researchers say there is a high success rate of TLBleed exploits, but Intel currently has no plans to patch it. How does TLBleed work, and what are the risks of not patching it?
At the start of 2018, researchers found that nearly every computer chip manufactured in the last 20 years contained security flaws that, if exploited, would enable attackers to extract data stored in the memory of other running programs -- data previously considered completely protected. These vulnerabilities, named Spectre and Meltdown, were caused by design flaws in features introduced into chips to increase their performance: speculative execution and caching. Each vulnerability was assigned a Common Vulnerabilities and Exposures identifier: CVE-2017-5753 and CVE-2017-5715 for Spectre, and CVE-2017-5754 for Meltdown. Vendors have been working hard to patch these flaws and harden their software against future exploitation.
A new side-channel attack against Intel chips called TLBleed, however, doesn't rely on speculative execution. Instead, it takes advantage of a different performance-enhancing feature on Intel chips called Hyper-Threading Technology (HTT) to leak data. According to researchers at Vrije Universiteit Amsterdam, HTT can be exploited to steal data signing keys with near perfect accuracy. HTT first appeared in 2002 and makes one physical core appear as two processors to the operating system by duplicating certain sections of the processor to enable the concurrent scheduling of two processes per core. This results in two threads that run at the same time on the same core sharing infrastructure within that core, such as its memory caches. HTT utilizes a memory cache known as a translation lookaside buffer (TLB) to cache recent translations between virtual memory addresses to physical memory addresses used during processor reads from and writes to memory.
The researchers discovered that, rather than by determining where in memory a program is reading from and writing to, they could instead determine when it is reading and writing and then they could figure out how the other thread running on the same core operates. By using artificial intelligence and machine learning techniques to analyze the timing of TLB hits, the researchers could establish when a program executes a sensitive operation, such as a cryptographic function, and reconstruct the result from the captured TLB signal.
To launch a TLBleed attack, a hacker would need to install malware on the target machine or already be logged into it. In these scenarios, there are far easier methods to extract data from the device, so TLBleed is not perceived as great a threat as Spectre or Meltdown. Both the researchers and Intel have downplayed the threat posed by TLBleed, but it still does allow one application to gain access to sensitive memory information from other applications. Therefore, a virtual machine running on a public cloud platform could be snooped on by neighboring users. Because of this, OpenBSD has decided to disable HTT by default.
Intel has stated that it is not going to patch the vulnerability because TLBleed doesn't demonstrate a side-channel attack against its side-channel hardened cryptographic primitives, and the company has declined to pay the researchers the bug bounty it offers on side-channel flaws in its chips. Intel has not even requested a CVE number. Even though Intel may not intend to patch this vulnerability, a CVE number would aid in alerting IT departments to the potential dangers of TLBleed and help them to keep track of any updates. Interestingly, leaked benchmarks show Intel is dropping Hyper-Threading from its i7 chips. Whether this is due to security or performance considerations is unclear.
Ask the expert: Want to ask Michael Cobb a question about application security? Submit your questions nowvia email. (All questions are anonymous.)
Dig Deeper on Application and platform security
- Intel's rise and fall: A timeline of what went wrong By: Sean Kerner
- second-level address translation (SLAT) By: Rahul Awati
- Plundervolt By: Ben Lutkevich
- Google unveils 'Downfall' attacks, vulnerability in Intel chips By: Rob Wright
Related Q&A from Michael Cobb
How to protect port 139 from SMB attacks
Keeping port 139 open is perfectly normal -- but only for good reason. Without the proper protections, it can present a major security risk.Continue Reading
Port scan attacks: What they are and how to prevent them
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ...Continue Reading
Stateful vs. stateless firewalls: Understanding the differences
Stateful firewalls are the norm in most networks, but there are still times where a stateless firewall fits the bill. Learn how these firewalls work ...Continue Reading