
A new side-channel attack takes aim at Intel’s CPU ring interconnect to glean sensitive data.
Intel processors are susceptible to a new side-channel attack, which researchers said can allow attackers to steal sensitive information like encryption keys or passwords.
Unlike previous side-channel attacks, this attack doesn't rely on sharing memory, cache sets and other former tactics. The ring interconnect facilitates communication across various CPU units – including cores, the last-level cache, system agent, and graphics unit – on modern Intel processors, like the Skylake and Coffee Lake CPUs.
Riccardo Paccagnella, one of the researchers with the University of Illinois at Urbana-Champaign who discovered the attack, told Threatpost that the side-channel attack could give attackers the means to infer “key bits” from both vulnerable cryptographic implementations and from the precise timing of keystrokes typed by a victim user.
“The attacker must be ready to already run unprivileged code on the machine under fire,” Paccagnella told Threatpost. “This could also be possible by either fooling the user into downloading some code and running it, stealing the credentials of an unprivileged user of an equivalent machine (and then, e.g., SSH-ing into it), or exploiting remote code execution vulnerabilities.”
In their research paper, “Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical,” researchers said the attack is unique because it works in spite of some previous side-channel defenses.
“In this paper, we present the primary on-chip, cross-core side channel attack that works despite [previous] countermeasures,” said the team of University of Illinois at Urbana-Champaign researchers in their paper, which will be presented at USENIX Security 2021.
What is CPU Ring Interconnect?
Intel’s CPU architecture includes several unique clock domains – including a per-CPU core clock domain, a processor graphics clock domain and a ring interconnect clock domain. The latter is an on-die “bus” that works to pass information between CPU cores, caches and Intel processor graphics. Researchers said there are two challenges that make it “uniquely difficult” to leverage this channel in an attack. Firstly, little is known about the ring interconnect’s functioning and architecture. Secondly, data that can be gleaned through ring contention is “noisy by nature,” making it difficult to infer sensitive data.
“Not only is the ring a contention-based channel—requiring precise measurement capabilities to beat noise—but also it only sees contention thanks to spatially coarse-grained events like private cache misses,” said researchers.
The Side-Channel Attack
To launch the attack, researchers were able to reverse engineer the various protocols that handle communication on the ring interconnect. From there, at a high level, they were able to piece together the conditions needed for two processes to incur ring contention. They then came up with various side-channel attacks that “leverage the fine-grained temporal patterns of ring contention to infer a victim program’s secrets.”
This allowed researchers to build two proof-of-concept (PoC) attacks. One attack extracts “key bits” from vulnerable RSA and Edwards-curve Digital Signature Algorithm (EdDSA) encryption algorithm implementations.
“Specifically, [the attack] abuses mitigations to preemptive scheduling cache attacks to cause the victim’s loads to miss within the cache, monitors ring contention while the victim is computing, and employs a typical machine learning classifier to de-noise traces and leak bits,” according to researchers.
The second attack, meanwhile, targets keystroke timing information, which researchers said can be used to infer data like passwords. The attack stems from the fact that keystroke events cause spikes in ring contention that can be detected by an attacker, even with obstacles like background noise.
“We show that our attack implementations can leak key bits and keystroke timings with high accuracy,” said researchers, who published their experimental code for the attack on GitHub.
Intel, for its part, pointed to existing security best practices for mitigating against the side-channel attack: “We appreciate the continued work and coordination with the research community,” said Intel. “After reviewing the paper, we believe developers and system administrators can employ a variety of security best practices that help protect against various sorts of side channel attacks, including those found in this paper.”
What Are Side-Channel Attacks?
Side-channel attacks extract sensitive information, like cryptographic keys, from signals created by electronic activity within computing devices as they perform computation. There is an array of techniques to launch side-channel attacks, including using caches, branch predictors or analog signals.
Intel and other CPU manufacturers have stepped up their defenses against such attacks. Many existing side-channel attacks can be mitigated by disabling the simultaneous multi-threading (SMT) architecture used in CPUs, or by disabling shared memory between processes in different security domains (by partitioning the last-level cache) to block cross-core cache-based attacks.
However, researchers argue, this latest side-channel attack bypasses these existing defenses.
“The main novelty of our attack compared to previous ‘traditional side channel’ attacks is that our attack doesn't rely on sharing memory, cache sets, core-private resources or any specific uncore structures,” Paccagnella told Threatpost. “As a consequence, it's hard to mitigate using existing ‘domain isolation’ techniques.”
While the Spectre and Meltdown side-channel attacks have garnered widespread attention, Intel said these are speculative execution attacks. This latest discovery, however, is a different, “traditional side-channel” attack, more similar to a side-channel attack like PortSmash. According to Intel, “traditional” side channels leverage “architecturally committed operations” to infer information. Meanwhile, speculative execution attacks take advantage of operations “that only execute speculatively and thus aren't committed into the architectural state.”
Researchers also noted that AMD CPUs utilize different proprietary technologies referred to as Infinity Fabric/Architecture for their on-chip interconnect.
“Investigating the feasibility of our attack on these platforms requires future work,” said researchers. “However, the techniques we use to create our contention model are often applied on these platforms too.”