New ‘Hertzbleed’ Remote Side-Channel Attack

Critical side-channel vulnerabilities in modern processors became well known in 2018 with Meltdown and Spectre vulnerabilities. And several more same type vulnerabilities followed.

Now the newest on this series is called Hertzbleed Attack. It is a a new family of side-channel attacks: frequency side channels. Hertzbleed takes advantage that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed.

Herzbleed

New ‘Hertzbleed’ Remote Side-Channel Attack Affects Intel, AMD Processors
https://www.securityweek.com/new-hertzbleed-remote-side-channel-attack-affects-intel-amd-processors

A team of academic researchers has identified a new side-channel method that can allow hackers to remotely extract sensitive information from a targeted system through a CPU timing attack. While Hertzbleed itself is not an actual serious vulnerability, two CVE identifiers did get assigned to it: CVE-2022-23823 and CVE-2022-24436.

Dubbed Hertzbleed, the new attack method was made public this week by researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington. In addition to a name, the attack has its own website, logo and paper describing Hertzbleed.

According to the researchers, Hertzbleed shows that power side-channel attacks can be turned into remote timing attacks, allowing attackers to obtain cryptographic keys from devices powered by Intel, AMD and possibly other processors.

“Under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second),” the researchers explained.

An analysis of these time differences can allow an attacker — in some cases even a remote attacker can observe the variations — to target cryptographic software and obtain valuable cryptographic keys. The attack was demonstrated against SIKE post-quantum key encapsulation mechanism that is used by companies such as Microsoft and Cloudflare.

Following information can be found at the official web site at https://www.hertzbleed.com/

Am I affected by Hertzbleed?

Likely, yes.

Intel’s security advisory states that all Intel processors are affected.
AMD’s security advisory states that several of their desktop, mobile and server processors are affected.
Other processor vendors (e.g., ARM) also implement frequency scaling in their products and were made aware of Hertzbleed. However, we have not confirmed if they are, or are not, affected by Hertzbleed.

Hertzbleed is tracked under CVE-2022-23823 and CVE-2022-24436 in the Common Vulnerabilities and Exposures (CVE) system.

The Hertzbleed is not a bug. The root cause of Hertzbleed is dynamic frequency scaling, a feature of modern processors, used to reduce power consumption (during low CPU loads) and to ensure that the system stays below power and thermal limits (during high CPU loads). Herzbleed is a side-effect of that operation.

Cryptographic implementations may be vulnerable to frequency throttling side channels when all the needed conditions are met. If one or more of these listed prerequisites is not satisfied, the cryptography implementation should not be impacted by this type of side channel.

When did you disclose Hertzbleed?

We disclosed our findings, together with proof-of-concept code, to Intel, Cloudflare and Microsoft in Q3 2021 and to AMD in Q1 2022. Intel originally requested our findings be held under embargo until May 10, 2022. Later, Intel requested a significant extension of that embargo, and we coordinated with them on publicly disclosing our findings on June 14, 2022.

Do Intel and AMD plan to release microcode patches to mitigate Hertzbleed?

No. To our knowledge, Intel and AMD do not plan to deploy any microcode patches to mitigate Hertzbleed. However, Intel provides guidance to mitigate Hertzbleed in software. Cryptographic developers may choose to follow Intel’s guidance to harden their libraries and applications against Hertzbleed. For more information, we refer to the official security advisories (Intel and AMD).

Links to more information:

Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86
https://www.hertzbleed.com/hertzbleed.pdf

Frequency Throttling Side Channel Software Guidance for Cryptography Implementations
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/frequency-throttling-side-channel-guidance.html

Software Developer Guidance for Power Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00698.html

Frequency Scaling Timing Power Side-Channels
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1038

9 Comments

  1. Tomi Engdahl says:

    Hertzbleed is a new family of side-channel attacks: frequency side channels. In the worst case, these attacks can allow an attacker to extract cryptographic keys from remote servers that were previously believed to be secure. All intel cpus and several of AMD desktop, mobile and server processors are affected. https://www.hertzbleed.com

    Reply
  2. Tomi Engdahl says:

    New Hertzbleed side-channel attack affects Intel, AMD CPUs https://www.bleepingcomputer.com/news/security/new-hertzbleed-side-channel-attack-affects-intel-amd-cpus/
    A new side-channel attack known as Hertzbleed allows remote attackers to steal full cryptographic keys by observing variations in CPU frequency enabled by dynamic voltage and frequency scaling (DVFS).

    Reply
  3. Tomi Engdahl says:

    Hackers can steal crypto keys on Intel, AMD CPUs via ‘Hertzbleed’ vulnerability
    The researchers noted that the result of the research could be applied to all modern CPUs as the majority possess the Dynamic Voltage Frequency Scaling (DVFS).
    https://cryptoslate.com/hackers-can-steal-crypto-keys-on-intel-amd-cpus-via-hertzbleed-vulnerability/

    Reply
  4. Tomi Engdahl says:

    https://cryptoslate.com/hackers-can-steal-crypto-keys-on-intel-amd-cpus-via-hertzbleed-vulnerability/

    Intel and AMD react
    According to available information, the chip giants have no plans to deploy a firmware patch.

    The report advises users to disable the frequency boost feature. On Intel, it is known as “Turbo boost” and “Precision boost” on AMD. However, that could affect their system’s performance.

    Intel also revealed that it had shared the result of its investigations with other chip makers for similar assessments of their systems. It continued that the hours required to steal the cryptographic keys might be challenging to achieve except in a lab setting.

    https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/frequency-throttling-side-channel-guidance.html

    Reply
  5. Tomi Engdahl says:

    Hertzbleed Winkles Secret Keys out of Modern CPUs, But Microcode Fixes Aren’t on the Roadmap
    Building on the concepts of Heartbleed and Spectre, Hertzbleed is a functional attack against remote servers running on popular processors.
    https://www.hackster.io/news/hertzbleed-winkles-secret-keys-out-of-modern-cpus-but-microcode-fixes-aren-t-on-the-roadmap-4698080215a7

    Reply
  6. Tomi Engdahl says:

    https://hackaday.com/2022/06/17/this-week-in-security-pacman-hetzbleed-and-the-death-of-internet-explorer/

    There is a quirk in SIKE, also discovered and disclosed in this research, that it’s possible to short-circuit part of the algorithm, such that a series of internal, intermediary steps result in a value of zero. If you know multiple consecutive bits of the static key, it’s possible to construct a challenge that hits this quirk. By extension, you can take a guess at the next unknown bit, and it will only fall into the quirk if you guessed correctly. SIKE uses constant-time programming, so this odd behavior shouldn’t matter. And here the Hertzbleed observation factors in. The SIKE algorithm consumes less power when doing a run containing this cascading-zero behavior. Consuming less power means that the processor can stay at full boost clocks for longer, which means that the key exchange completes slightly more quickly. Enough so, that it can be detected even over a network connection. They tested against Cloudflare’s CIRCL library, and Microsoft’s PQCrypto-SIDH, and were able to recover secret keys from both implementations, in 36 and 89 hours respectively.

    There is a mitigation against this particular flaw, where it’s possible to detect a challenge value that could trigger the cascading zeros, and block that value before any processing happens. It will be interesting to see if quirks in other algorithms can be discovered and weaponized using this same technique. Unfortunately, on the processor side, the only real mitigation is to disable boost clocks altogether, which has a significant negative effect on processor performance.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*