Hyperthreading crypto key vulnerability

So I guess everyone else has seen this already, but (for reasons stated in my previous post) I missed it until the latest RISKS Digest dropped onto my doormat. Anyway, it’s a nice example of a covert channel, and I was flailing around unsuccessfully for a nice example when I spoke about them in one of my Operating Systems lectures this year (poor preparation on my part), so I should bear this in mind for the future.

Security researcher Colin Percival recently (13 May) announced a security vulnerability caused by the combination of the Hyperthreading and shared cache features of Intel Pentium 4 processors. By carefully measuring the time required for instructions to execute in one thread while the other thread is performing a cryptographic calculation, the secret key can be determined.

(My emphasis.)

Here’s the paper (PDF).

Insightful comment at the end of the RISKS post:

The RISK here is a classic example of relying on underlying abstractions (the hardware memory model) to behave in an ideal manner, rather than understanding their implementations. Many security flaws result from the adversary breaking the veil of abstraction to look at the soft, juicy parts inside. Even when the higher-level model is perfect (or formally verified), the mapping to implementation can hide a multitude of sins.

Indeed. We computer scientists just love abstraction – it’s a powerful conceptual tool which allows us to build very powerful; but when you actually have to deal with reality, rather than some mathematically ideal space, everything suddenly gets very messy and the thick straight lines you drew between the layers turn into fuzzy fractals instead. Or something.

One Response to “Hyperthreading crypto key vulnerability”

  1. Pete Hughes
    June 1st, 2005 | 2:10 pm

    Andy, this book “Malicious Cryptography: Exposing Cryptovirology” contains some very good information on the use of subliminal and side channel attacks.