On Tuesday, researchers disclosed a new vulnerability in microprocessors from Intel, AMD and other companies. It targets the power-conservation mode found on nearly all modern CPUs and can be exploited by remote attackers to steal cryptographic keys through a power side-channel attack.
A group of researchers from the University of Texas, the University of Illinois at Urbana-Champaign and the University of Washington named this attack Hertzbleed, which centers on dynamic voltage and frequency scaling (DVFS), the power and thermal management function used to conserve energy and reduce heat generated by the chip.
The researchers explained that in some cases, the CPU frequency is periodically scaled depending on the current CPU power consumption, and these adjustments translate directly into execution time differences (1 Hz = 1 cycle/second).
It has long been known that attackers can extract secret cryptographic data from a chip by measuring the power it consumes while processing those values; hardware manufacturers have been aware of this for years.
Fortunately, the usefulness of power analysis attacks against microprocessors has been limited, because attackers have few viable ways to remotely measure the power consumed while confidential material is being processed. Now, researchers have found a way to turn power analysis attacks into another, far less demanding category of side-channel attack.
Hertzbleed: Attacks against DVFS
The team found that dynamic voltage and frequency scaling (DVFS), a power and heat management feature built into every modern CPU, allows attackers to infer changes in power consumption by monitoring the time it takes a server to respond to a specially crafted query. This discovery significantly reduces the amount of work required: understanding how DVFS behaves makes power side-channel attacks much easier to perform remotely, as timing attacks.
The attack, known as Hertzbleed, exploits insight into DVFS to expose or compromise data that is expected to remain private. The vulnerability is tracked as CVE-2022-24436 for Intel chips and CVE-2022-23823 for AMD CPUs. The researchers demonstrated that the technique they developed can be used to extract encryption keys from a server running SIKE (an encryption algorithm used to establish a key between two parties over an insecure communication channel).
The researchers said they successfully replicated the attack on Intel CPUs from the 8th to 11th generation Core microarchitectures. They also claimed that the technique would work on Intel Xeon CPUs, and verified that AMD Ryzen processors were vulnerable and allowed the same SIKE attack demonstrated against Intel chips. The researchers believe that chips from other manufacturers could also be affected.
Hertzbleed is a new family of side-channel attacks, frequency side channels, according to the research team's explanation. In the worst-case scenario, these attacks could allow an attacker to extract encryption keys from a remote server previously thought to be secure.
Experiments have shown that in some cases, the dynamic frequency scaling of modern x86 processors depends on the data being processed. That is, on modern processors, the same program can run at different CPU frequencies during computation.
Therefore, Hertzbleed is a real threat to cryptographic software security.
Intel and AMD have not yet issued microcode updates, but recommend hardening libraries and applications
Both Intel and AMD have issued independent advisories on the findings of this vulnerability attack.
Among other things, Jerry Bryant, senior director of secure communications and incident response at Intel, questioned the practical utility of this attack and wrote in a post, “While the issue is interesting from a research perspective, we do not believe this attack is feasible outside of a lab environment. It should also be noted that cryptographic implementations hardened against power-side channel attacks are less susceptible to this problem.”
Intel, for its part, has nonetheless said that all Intel processors are affected by Hertzbleed, and has issued guidelines for hardware and software manufacturers.
While no patches have been provided to address the vulnerability, Intel has advised crypto developers to follow its guidance and harden their libraries and applications so that information cannot leak through frequency throttling.
For its part, AMD said, “Because this vulnerability affects cryptographic algorithms with side channel leakage based on power analysis, developers can apply countermeasures to the software code for this algorithm. Masking, hiding or key rotation can be used to mitigate the attack.”
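The mechanism described above (data-dependent power consumption shifting the DVFS operating frequency, which shows up as a difference in execution time) and the masking countermeasure AMD mentions can both be illustrated with a small simulation. This is an added, constructed model, not code from the researchers or the vendors: the power figures, the throttling rule, and the "crafted input" that makes the processed intermediate equal the secret are all assumptions chosen to keep the arithmetic simple.

```python
import random

WORD_BITS = 32
P_STATIC_W = 10.0   # constructed: baseline package power in watts
W_PER_BIT = 1.0     # constructed: dynamic power per set bit in the processed value
P_CAP_W = 15.0      # constructed: power limit above which DVFS throttles
BASE_GHZ = 4.0      # constructed: unthrottled clock frequency


def hamming_weight(x):
    return bin(x).count("1")


def dvfs_frequency_ghz(avg_power_w):
    # Reactive throttling model: above the cap, frequency scales down so
    # that power stays at the cap. The same program therefore runs at
    # different frequencies depending on the data it processes.
    return BASE_GHZ * min(1.0, P_CAP_W / avg_power_w)


def execution_time_ns(intermediates):
    # One cycle per processed word; time = cycles / frequency (1 Hz = 1 cycle/s).
    avg_hw = sum(map(hamming_weight, intermediates)) / len(intermediates)
    power = P_STATIC_W + W_PER_BIT * avg_hw
    return len(intermediates) / dvfs_frequency_ghz(power)


def unmasked_intermediates(secret, chosen_input, n):
    # Unprotected code: the intermediate depends directly on the secret.
    return [secret ^ chosen_input] * n


def masked_intermediates(secret, chosen_input, n, rng):
    # Boolean masking: split the secret into (secret ^ r, r) with a fresh
    # random r per operation. Each share individually has a Hamming weight
    # that is uniform over r, so the average power no longer tracks the secret.
    out = []
    for _ in range(n):
        r = rng.getrandbits(WORD_BITS)
        out.append((secret ^ r) ^ chosen_input)  # masked share
        out.append(r)                            # the mask itself
    return out


def timing_gap_ns(secret_a, secret_b, chosen_input=0, n=4000, masked=False, seed=1):
    # Observable a remote party gets: the difference in response time between
    # two secrets for the same crafted input (0 makes the intermediate equal the secret).
    rng = random.Random(seed)
    if masked:
        gen = lambda s: masked_intermediates(s, chosen_input, n, rng)
    else:
        gen = lambda s: unmasked_intermediates(s, chosen_input, n)
    return execution_time_ns(gen(secret_a)) - execution_time_ns(gen(secret_b))
```

With the constructed parameters, a low-weight secret keeps the chip under the power cap while a high-weight one triggers throttling, so the unmasked runs differ by hundreds of nanoseconds; the masked runs differ only by mask-sampling noise.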
Neither Intel nor AMD has reportedly released microcode updates to change the chips' behaviour at this time. Instead, they are supporting Microsoft and Cloudflare in updating the PQCrypto SIDH and CIRCL cryptographic codebases, respectively. The researchers estimate that this mitigation adds decapsulation performance overhead of 11% for PQCrypto SIDH and 5% for CIRCL.