Intel CPUs fall to new hyperthreading exploit that pilfers crypto keys


“Our technique can choose among several configurations to target different ports in order to adapt to different scenarios, thus offering a very fine spatial granularity,” the researchers wrote in the paper. “Additionally, PortSmash is highly portable and its prerequisites for execution are minimal, i.e., does not require knowledge of memory cache-lines, eviction sets, machine learning techniques, nor reverse engineering techniques.”

In an email, Billy Bob Brumley, a professor at the Tampere University of Technology in Finland and one of the authors of the paper, said he expects that chips beyond the Skylake and Kaby Lake architectures are similarly vulnerable with slight modifications to the attack code. “We strongly suspect AMD Ryzen architectures which feature SMT are vulnerable, but we leave that for future work,” he wrote. “(The real reason is we don’t have the [hardware] to test it on at the moment, so we have to wait.)”

Brumley said the most likely real-world scenario for maliciously exploiting the vulnerability is in so-called infrastructure-as-a-service environments, in which a cloud provider hosts all the trappings of an on-premises data center, including the servers, storage and networking hardware, and the virtualization or hypervisor layer.

“Personally speaking, I feel remote login scenarios are the biggest targeted threat,” Brumley wrote. “Here, a [malicious] user with credentials logs in (e.g. via SSH), compiles the exploit code, and runs it to extract information from other processes running in parallel.”

Brumley said the exploit was written in x64 assembly code that runs locally on a vulnerable computer. He said he knows of no evidence the results can currently be reproduced using JavaScript downloaded from a website. Given the ability of Spectre to be exploited in JavaScript, it remains a possibility. The researchers’ proof-of-concept exploit is available here.

In a statement, Intel officials wrote:

This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.

Hyperthreading under the gun

PortSmash is the second processor attack that targets hyperthreading. TLBleed, disclosed in June, also used hyperthreading to determine a private encryption key. The researchers developing that attack ran a program calculating cryptographic signatures using the Curve25519 EdDSA algorithm implemented in libgcrypt on one logical core and their attack program on the other logical core. They were able to determine the 256-bit encryption key used to calculate the signature with a combination of two milliseconds of observation, followed by 17 seconds of machine-learning-driven guessing and a final fraction of a second of brute-force guessing. The side channel in that case was provided by the translation lookaside buffer.
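Both attacks share one precondition: two logical CPUs scheduled on the same physical core. The following script is an added example, not part of the article or the researchers' code, that lets an administrator check a Linux host for that condition; it assumes the standard sysfs paths under /sys/devices/system/cpu.

```shell
#!/bin/sh
# Added example: report whether SMT (hyperthreading) is active on a Linux host,
# the shared-core precondition PortSmash and TLBleed both rely on.
# Assumes the kernel's sysfs layout under /sys/devices/system/cpu.

# Count the logical CPUs in a thread_siblings_list value such as "0,4" or "2-3".
# Prints the count; 1 means the core exposes no sibling thread.
count_siblings() {
    total=0
    # Comma-separated items, each either a single id "N" or a range "A-B".
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            *-*)
                lo=${item%-*}
                hi=${item#*-}
                total=$((total + hi - lo + 1))
                ;;
            *)
                total=$((total + 1))
                ;;
        esac
    done
    printf '%s\n' "$total"
}

# Map the kernel's /sys/devices/system/cpu/smt/control value to a short verdict.
smt_verdict() {
    case "$1" in
        on)                          echo "SMT enabled: sibling threads share execution ports" ;;
        off|forceoff)                echo "SMT disabled by kernel" ;;
        notsupported|notimplemented) echo "SMT not available on this CPU" ;;
        *)                           echo "unknown smt/control value: $1" ;;
    esac
}

# Walk every CPU's topology; print each core with more than one thread.
# Returns 1 if any such core was found, 0 otherwise.
report_smt_topology() {
    found=0
    for f in /sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        n=$(count_siblings "$(cat "$f")")
        if [ "$n" -gt 1 ]; then
            echo "$(basename "$(dirname "$(dirname "$f")")"): shares a core with CPUs $(cat "$f")"
            found=1
        fi
    done
    return $found
}

if [ -r /sys/devices/system/cpu/smt/control ]; then
    smt_verdict "$(cat /sys/devices/system/cpu/smt/control)"
fi
report_smt_topology || echo "Hyperthreading is active; on multi-tenant hosts consider writing 'off' to /sys/devices/system/cpu/smt/control."
```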