Intel CPU interconnects can be exploited by malware to leak encryption keys and other info, academic study finds

Chip-busting boffins in America have devised yet another way to filch sensitive data by exploiting Intel's processor design choices.

Doctoral student Riccardo Paccagnella, master's student Licheng Luo, and assistant professor Christopher Fletcher, all from the University of Illinois at Urbana-Champaign, delved into the way CPU ring interconnects work, and found they can be abused for side-channel attacks. The upshot is that one application can infer another application's private memory and snoop on the user's key presses.

"It is the first attack to exploit contention on the cross-core interconnect of Intel CPUs," Paccagnella told The Register. "The attack does not rely on sharing memory, cache sets, core-private resources or any specific uncore structures. As a consequence, it is hard to mitigate with existing side channel defenses."

Side-channel attacks, like the 2018 Spectre and Meltdown vulnerabilities, exploit characteristics of modern chip microarchitecture to expose or infer secrets through interaction with a shared computing component or resource.

In a paper [PDF] to be presented at USENIX Security 2021 in August – "Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical" – Paccagnella, Luo, and Fletcher recount how they managed to figure out the workings of Intel's ring interconnect, or bus, that passes information between CPU cores.

Armed with that understanding, they found they could leak cryptographic key bits from RSA and EdDSA implementations, which are already known to be vulnerable to side-channel attacks. They also showed they could monitor keystroke timing, which prior research has shown can be used to reconstruct typed passwords.

Digging into Mount Doom

The challenge faced by the researchers was twofold: first, Intel hasn't provided much detail about how its CPU ring bus works. So significant reverse engineering was required.

Second, their attack relies on contention, which in this instance involves monitoring latency when different processes access memory at the same time. Such observation is difficult because there's a lot of noise that needs to be identified and filtered out, and the meaningful events, such as private cache misses (when a system seeks data in a cache that isn't there), aren't all that common.

"At a very high level, the idea is that one process’ memory accesses delay another process' memory accesses due to the limited bandwidth capacity of the shared ring interconnect," said Paccagnella.

"With knowledge from the reverse engineering, the attacker/receiver can set itself up such that its loads are guaranteed to be delayed by the victim/sender memory accesses, and use these delays as a side channel."

Basically, these repeated memory loads can cause delays that reveal secrets to the observer.

Paccagnella said the two attacks demonstrated involve a local attacker running unprivileged code on the victim's machine – such as malware hidden in a software library or application that snoops on other programs or users. He said a cloud-based scenario, where the adversary is an admin or co-tenant of a shared system, may also be possible but he and his colleagues prefer not to make that claim because the demonstration attacks were run in a non-virtualized environment and haven't been tested in other circumstances.

OK, so some basics

The cryptographic attack assumes that simultaneous multithreading (SMT) has been disabled, that the last level cache (LLC) has been partitioned to defend against multicore cache-based attacks, and memory sharing across security domains has been disabled. It also assumes the system is set up to clear the target's cache footprint to prevent cache-based preemptive scheduling attacks.

• Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue
• Thought you'd addressed those data-leaking Spectre holes on Linux? Guess again. The patches aren't perfect
• Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance
• Foreshadow returns to the foreground: Secrets-spilling speculative-execution Intel flaw lives on, say boffins

The attacks were tested on Intel Coffee Lake and Skylake CPUs, client-class CPUs, and should work on server CPUs like Xeon Broadwell. It's unknown whether more recent Intel server chips with mesh interconnects are also susceptible. Likewise, the researchers haven't looked at how their technique would work on ARM CPUs, which rely on different interconnect technology.

Intel, which alongside the National Science Foundation helped support this research, isn't overly concerned about CPU bus-based meddling.

"Intel classified our attack as a 'traditional side channel' (like TLBleed, Portsmash, etc.)," said Paccagnella. "They treat this class of attacks differently than the class of 'speculative execution / transient execution attacks' (like Spectre, Meltdown, etc.). That is, they do not consider traditional side channel attacks as significant value for an attacker and they already published their suggested guidance on how to mitigate them in software here and here."

Part of Intel's advice involves relying on constant-time programming principles [PDF] as a defense against timing-based attacks.

The paper notes that such measures would offer a defense against the cryptographic attack, which depends on code not being in constant time. But Paccagnella suggests that's not a given.

"Truly constant-time code may be difficult to implement in practice," he said. "Further, additional hardware support will be needed to achieve 'domain isolation' on the ring interconnect."

The researchers plan to release their experimental code once they make their paper available on Sunday, March 7. ®