A Technically Feasible Approach
Percival, reached via e-mail, said that because the attack can only be performed locally, it's unlikely to become responsible for the equivalent of the next big Internet worm. But it still has the ability to cause harm to corporations, as an attacker who has already entered a system, legitimately or not, can use it to gain much wider access to its data.

"How the attack is used would depend entirely upon the environment. In the case of a multi-user server where users log in via SSH, a legitimate user could log in, provoke the SSH daemon into performing a private key operation using the host key, and then steal that key and use it to impersonate the server in order to steal other users' login credentials," he wrote in the e-mail. "Another attack could occur on shared servers which run HTTPS; this attack would allow one user of the server to steal the SSL certificates belonging to other users' Web sites."

However, "I do think that it demonstrates to hardware designers and those that are coming up with innovative information technology that quite often the behavior of the system can be just as important as behavior itself." If nothing else, he added, Percival's paper should make developers and designers more aware of software timing attacks and ways to guard against them. Percival outlines methods to avoid them in his paper. Raising awareness is particularly important since, as Percival's paper points out, software timing attacks could potentially apply to any chip with multiple threads that also share access to a cache. For its part, Intel tested several of its own chip product lines along with those from competitors in its labs and found that the same type of exploit could be applied so long as the chips had multiple threads sharing access to caches, High said. However, software timing exploits, and in particular the type of attack described by Percival, are considered to be highly technically challenging, Fleming said.
Because of their degree of difficulty, the chance of a given company experiencing this type of attack could be fairly small. Intel argues that other methods of attack are easier and are therefore more likely to be used. "In order for this particular exploit to be launched in a system, the system has to already have been compromised," High said. "If your system has already been penetrated, either with malicious intent or not, you're already exposed to many less-complex attacks. This one would work, but it's not that it's an exclusive approach."

But where there's a will, there's a way, Fleming said. "I'm sure there's someone out there who's going to take this and try to develop an exploit for this," he said. "I don't think at this point it's going to have quite the impact of (a more common method of attack such as) buffer overflows. This is really a hardware attack. I think there's a lot of potential here, but you've got to be a little smarter to run this thing. I don't see it as a big threat right now. I think it's a new area to research, a new area to look into."

Patches have already been issued for at least one operating system, the open-source FreeBSD OS. Meanwhile, High said that Intel has been working with operating system vendors, including Microsoft Corp. and Red Hat Inc., in order to address software timing exploits. Patches are expected to come out within months, he said. Ernie Brickell, a security architect at Intel, suggested that cryptography companies could also play a role by modifying their software to separate the mathematical computations necessary for cryptography from the keys involved. This would remove an attacker's ability to sniff out a key. Percival suggests other ways to avoid the attack. The easiest is to turn off Hyperthreading, he writes, while processor makers can also change their designs. Intel researchers were still evaluating the final version of the paper on Friday.
But the company had no immediate plans to change its chips. "Usually these types of attacks are best addressed from a software standpoint," High said. "But we always look to make our processors and our products as strong as possible." Editor's Note: This story was updated to include comments from Colin Percival.
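The software-side countermeasures mentioned above, Brickell's suggestion to decouple the cryptographic computation from the key and the methods Percival outlines, come down to one principle: the sequence of memory accesses a cryptographic routine makes must not depend on the key, because a thread sharing the cache can observe which lines were touched. The following C program is an added illustration of that principle, not code from Percival's paper, from FreeBSD or from Intel. It contrasts a key-indexed table lookup, whose single access reveals the index to anyone who can watch the cache, with a variant that reads every entry and selects the result with an arithmetic mask. The 16-entry table, its values and the `touched` bookkeeping are constructed for the example and stand in for a real cipher's S-box and for the attacker's cache-timing view; they are not taken from any real cipher.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TABLE_LEN 16

/* Constructed 16-entry lookup table standing in for a cipher S-box. The values
 * are illustrative only; they do not come from any real cipher or from the article. */
static const uint8_t SBOX[TABLE_LEN] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76
};

/* Naive lookup: the key nibble selects which entry, and hence which cache line,
 * is read. `touched` (may be NULL) records the entries accessed; it stands in
 * for what a co-scheduled thread could learn by timing its own cache misses. */
uint8_t lookup_naive(uint8_t key_nibble, uint8_t touched[TABLE_LEN]) {
    uint8_t idx = key_nibble & 0x0f;
    if (touched) {
        memset(touched, 0, TABLE_LEN);
        touched[idx] = 1;
    }
    return SBOX[idx];
}

/* Key-independent lookup: every entry is read on every call and the wanted value
 * is picked out with a mask derived by arithmetic rather than a branch, so the
 * access pattern carries no information about the key. */
uint8_t lookup_ct(uint8_t key_nibble, uint8_t touched[TABLE_LEN]) {
    uint8_t idx = key_nibble & 0x0f;
    uint8_t result = 0;
    if (touched) memset(touched, 0, TABLE_LEN);
    for (size_t i = 0; i < TABLE_LEN; i++) {
        uint32_t diff = (uint32_t)i ^ idx;                    /* 0 only when i == idx */
        uint8_t mask = (uint8_t)(0u - ((diff - 1u) >> 31));   /* 0xff if diff == 0, else 0x00 */
        result |= (uint8_t)(SBOX[i] & mask);
        if (touched) touched[i] = 1;
    }
    return result;
}

/* Number of distinct table entries read: 1 leaks the index, TABLE_LEN leaks nothing. */
int entries_touched(const uint8_t touched[TABLE_LEN]) {
    int n = 0;
    for (size_t i = 0; i < TABLE_LEN; i++) n += touched[i];
    return n;
}

int naive_entries_read(uint8_t k) {
    uint8_t t[TABLE_LEN];
    (void)lookup_naive(k, t);
    return entries_touched(t);
}

int ct_entries_read(uint8_t k) {
    uint8_t t[TABLE_LEN];
    (void)lookup_ct(k, t);
    return entries_touched(t);
}

/* Sanity check that the hardened variant still computes the same function. */
int variants_agree(void) {
    for (uint8_t k = 0; k < TABLE_LEN; k++)
        if (lookup_naive(k, NULL) != lookup_ct(k, NULL)) return 0;
    return 1;
}

int main(void) {
    for (uint8_t k = 0; k < TABLE_LEN; k++)
        printf("key nibble %2u: naive=0x%02x (%2d entries read)  ct=0x%02x (%2d entries read)\n",
               k, lookup_naive(k, NULL), naive_entries_read(k),
               lookup_ct(k, NULL), ct_entries_read(k));
    return variants_agree() ? 0 : 1;
}
```

The `touched` count is only a stand-in for the cache footprint: in a real review one would also confirm that the compiler kept the masked select branch-free and did not turn the full scan back into a single indexed load, which is exactly the kind of key-dependent behavior the article's sources want removed. Disabling Hyperthreading, the easiest fix Percival names, works at the other end by removing the co-resident observer rather than the dependency.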
The approach would take some time. "It would probably be easier to do a social engineering experiment and just walk in there and steal the damn box," Fleming said.