Minerva Studio - Fotolia
How does TLBleed abuse the Hyper-Threading feature in Intel chips?
TLBleed exploits Intel's HTT feature to leak data via side-channel attacks. Learn about how TLBleed obtains sensitive memory information from expert Michael Cobb.
A new side-channel attack called TLBleed abuses the Hyper-Threading feature of Intel chips. Researchers say there is a high success rate of TLBleed exploits, but Intel currently has no plans to patch it. How does TLBleed work, and what are the risks of not patching it?
At the start of 2018, researchers found that nearly every computer chip manufactured in the last 20 years contained security flaws that, if exploited, would enable attackers to extract data stored in the memory of other running programs -- data previously considered completely protected. These vulnerabilities, named Spectre and Meltdown, were caused by design flaws in features introduced into chips to increase their performance: speculative execution and caching. Each vulnerability was assigned a Common Vulnerabilities and Exposures identifier: CVE-2017-5753 and CVE-2017-5715 for Spectre, and CVE-2017-5754 for Meltdown. Vendors have been working hard to patch these flaws and harden their software against future exploitation.
A new side-channel attack against Intel chips called TLBleed, however, doesn't rely on speculative execution. Instead, it takes advantage of a different performance-enhancing feature on Intel chips called Hyper-Threading Technology (HTT) to leak data. According to researchers at Vrije Universiteit Amsterdam, HTT can be exploited to steal data signing keys with near perfect accuracy. HTT first appeared in 2002 and makes one physical core appear as two processors to the operating system by duplicating certain sections of the processor to enable the concurrent scheduling of two processes per core. This results in two threads that run at the same time on the same core sharing infrastructure within that core, such as its memory caches. HTT utilizes a memory cache known as a translation lookaside buffer (TLB) to cache recent translations between virtual memory addresses to physical memory addresses used during processor reads from and writes to memory.
The researchers discovered that, rather than by determining where in memory a program is reading from and writing to, they could instead determine when it is reading and writing and then they could figure out how the other thread running on the same core operates. By using artificial intelligence and machine learning techniques to analyze the timing of TLB hits, the researchers could establish when a program executes a sensitive operation, such as a cryptographic function, and reconstruct the result from the captured TLB signal.
To launch a TLBleed attack, a hacker would need to install malware on the target machine or already be logged into it. In these scenarios, there are far easier methods to extract data from the device, so TLBleed is not perceived as great a threat as Spectre or Meltdown. Both the researchers and Intel have downplayed the threat posed by TLBleed, but it still does allow one application to gain access to sensitive memory information from other applications. Therefore, a virtual machine running on a public cloud platform could be snooped on by neighboring users. Because of this, OpenBSD has decided to disable HTT by default.
Intel has stated that it is not going to patch the vulnerability because TLBleed doesn't demonstrate a side-channel attack against its side-channel hardened cryptographic primitives, and the company has declined to pay the researchers the bug bounty it offers on side-channel flaws in its chips. Intel has not even requested a CVE number. Even though Intel may not intend to patch this vulnerability, a CVE number would aid in alerting IT departments to the potential dangers of TLBleed and help them to keep track of any updates. Interestingly, leaked benchmarks show Intel is dropping Hyper-Threading from its i7 chips. Whether this is due to security or performance considerations is unclear.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)