Companies running servers based on certain Intel Corp. chips could come under attack from the inside, due to a new type of software timing attack.
A research paper released on Friday by Oxford University computer science student Colin Percival details a method by which an attacker could heist cryptography keys on servers running Intel processors with Hyperthreading.
Hyperthreading technology runs two threads or streams of data, making computer software view a single processor as two.
The exploit Percival details takes advantage of the threads shared access to memory caches within the processor to interpret data thats being processed and thus lift the keys. A software timing attack basically watches the behavior of a computer in an effort to expose protected information.
“We demonstrate that this shared access to memory caches provides not only an easily used high bandwidth covert channel between threads, but also permits a malicious thread (operating, in theory, with limited privileges) to monitor the execution of another thread, allowing in many cases for theft of cryptographic keys,” Percival writes in an abstract explaining the paper, which was posted to his Web site.
Percivals paper, based around his tests of a 2.8GHz Pentium 4 processor with Hyperthreading, outlines a new type of software timing attack that could be used to divine cryptographic keys on at least one type of specifically configured Intel-processor machine, Intel spokesman Howard High acknowledged.
Percival contends in the paper that the exploit should work on any type chip with a similar, multi-thread and memory cache design.
Intel, with which High said Percival shared a draft of the paper, has been working with operating system vendors to add safeguards against the type of attack, the Intel spokesman said.
Software timing attacks, and particularly the method discovered by Percival, could harbor somewhat dangers for companies, said Rick Fleming, chief technology officer at Digital Defense Inc., in San Antonio, Texas.
Instead of being executed from the outside, such an attack is more likely to be mounted from the inside, such as by a company employee attempting to winnow away cryptographic keys and use them to pilfer other data from a specific server.
A Technically Feasible Approach
Percival, reached via e-mail, said that because the attack can only be performed locally, its unlikely to become responsible for the equivalent of the next big Internet worm. But it still has the ability to cause harm to corporations as an attacker who has already entered a system, legitimately or not, can use it to gain much wider access to its data.
“How the attack is used would depend entirely upon the environment. In the case of a multi-user server where users login via SSH, a legitimate user could log in, provoke the SSH daemon into performing a private key operation using the host key, and then steal that key and use it to impersonate the server in order to steal other users login credentials,” he wrote in the e-mail. “Another attack could occur on shared servers which run HTTPS; this attack would allow one user of the server to steal the SSL certificates belonging to other users Web sites.”
The approach would take some time. “It would probably be easier to do a social engineering experiment and just walk in there and steal the damn box,” Fleming said.
However, “I do think that it demonstrates to hardware designers and those that are coming up with innovative information technology that quite often the behavior of they system…can be just as important as behavior itself.”
If nothing else, he added, Percivals paper should make developers and designers more aware of software timing attacks and ways to guard against them. Percival outlines methods avoid them in his paper.
Raising awareness is particularly important since, as Percivals paper points out, software timing attacks could potentially apply to any chip with multiple threads that also shares access to a cache.
For its part, Intel tested several of its own chip product lines along with those from competitors in its labs and found that the same type of exploit could be applied so long as the chips had multiple threads sharing access to caches, High said.
However, software timing exploits and in particular the type of attack described by Percival are considered to be highly technically challenging, Fleming said.
Because of their degree of difficulty, the chance of a given company experiencing the type of attack could be fairly small. Intel argues other methods of attacks are easier and are therefore more likely to be used.
“In order for this particular exploit to be launched in a system, the system has to already have been compromised,” High said. “If your system has already been penetrated—either with malicious intent or not—youre already exposed to many less-complex attacks. This one would work, but its not that its an exclusive approach.”
But where theres a will, theres a way, Fleming said.
“Im sure theres someone out there whos going to take this and try to develop an exploit for this,” he said.
“I dont think at this point its going to have quite the impact of (a more common method of attack such as) buffer overflows—this is really an hardware attack—I think theres a lot of potential here, but youve got to be a little smarter to run this thing. I dont see it as a big threat right now. I think its a new area to research, a new area to look into.”
Patches have already been issued for at least one operating system, the open-source FreeBSD OS.
Meanwhile, High said that Intel has been working with operating system vendors, including Microsoft Corp. and Red Hat Inc., in order to address software timing exploits. Patches are expected out come out within months, he said.
Ernie Brickell, a security architect at Intel, suggested that cryptography companies could also play a role by modifying their software to separate mathematical computations necessary for cryptography from given keys.
This would remove the ability to for an attacker to sniff out a key.
Percival suggests other ways to avoid attack.
The easiest is to turn off Hyperthreading, he writes, while processor makers can also change their designs.
Intel researchers were still evaluating the final version of the paper on Friday. But the company had no immediate plans to change to its chips.
“Usually these types of attacks are best addressed from a software standpoint,” High said. “But we always look to make our processors and our products as strong as possible.”
Editors Note: This story was updated to include comments from Colin Percival.