At the end of the last year, Meltdown and Spectre simply shook the entire world. Almost all the chips that were made until now are supposedly vulnerable to these side-channel attacks that would allow a hacker easily steal critical system information. Now, another similar vulnerability is discovered. It’s time for “PortSmash”!
What PortSmash is
PortSmash is also a vulnerability like the previous Meltdown and Spectre that affects almost all the processors in the world having SMT/hyper-threading. It’s a side-channel attack that’s capable of stealing information with a perfectly timed attack.
SMT/Hyper-threading is a very common technique that modern processor manufacturers use for increasing the performance. It divides the physical cores into 2 virtual logical cores, giving a boost in the calculation power. SMT/hyper-threading allows the usage of idle CPU power more efficiently for executing instructions faster.
However, this method is the reason for PortSmash’s presence in the world! The vulnerability was discovered by a group of researchers – Cesar Pereida Garcia, Sohaib ul Hassan, Billy Bob Brumley and Nicola Tuveri from the Tampere University of Technology in Finland and Alejandro Cabrera Aldaya from the Universidad Tecnologica de la Habana CUJAE in Cuba.
How PortSmash works
PortSmash is a side-channel attack. In this type of attack, the attacker analyzes how a thread executes particular instructions and uses that information for working backward to find out what data was used as input.
Here’s a short breakdown of how the attack works from Nicola Tuveri.
“Shortly and simplifying, with SMT and 2 threads per core, a process running on one thread will have its own instructions and data, but will share some hardware resources with a process running on the colocated thread.
Instructions will be decoded independently in simpler microoperations and pipelined in the CPU to the corresponding Execution Units. (Execution Units are the actual silicon areas that are specialized to handle specific operations: e.g., there are a few EU dedicated to integer additions/subtraction, separate ones for integer multiplication, other for floating point arithmetic, etc.) Every core has a complete set of EUs to support the whole instruction set, and threads on the same core share access to the EUs. EUs are grouped together in bundles each accessible through a port: microops from the two threads are issued to the available ports, and another microcomponent, the core scheduler, optimizes for fairness and performance when the same microop can be issued to different equivalent EUs behind different ports.
These ports are the object of the discussed port contention. Let’s for example suppose port 5 is used by a victim process during a particular crypto operation: while the victim process is not using port 5, the spy process running on the other thread will have undelayed access to repeatedly execute on port 5; as soon as the victim process issues an operation on port 5, the scheduler will delay ops from the spy process to ensure fairness. The spy process can thus measure the delay in the execution of its operations for port 5, and determine when the victim process is using the same port.
source: https://www.bleepingcomputer.com/news/security/new-portsmash-hyper-threading-cpu-vuln-can-steal-decryption-keys/
This is the signal that can then be processed to ultimately recover a private key.”
Pretty scary, right?
Affected processors
According to Tuveri, the vulnerability is currently verified on Intel Skylake and Kaby Lake lineup. They also believe that the vulnerability can also work on the AMD Ryzen lineup.
The researchers also shared a proof-of-concept exploit targeting only OpenSSL. The reason behind is OpenSSL is widely used and the attack isn’t hardware-dependent.
Protection from PortSmash
The only way available of avoiding this attack is by disabling SMT/hyper-threading completely. OpenBSD has already performed the action where they disable SMT/hyper-threading by default.
Intel, on their latest 9th Gen processors, also disabled hyper-threading. This allows protection from Meltdown v3 and L1 Terminal Fault vulnerabilities. Thus, they also successfully defend against PortSmash.
Interestingly, a very few games take the advantage of the SMT/hyper-threading, so disabling
However, SMT/hyper-threading isn’t going to go away completely. There are a number of huge investments in SMT/hyper-threading for improving their enterprise applications.
For the consumers, it’s better to go for processors with no SMT/hyper-threading.