Vulnerability Note VU#911878

Simultaneous multithreading processors may leak information through cache eviction analysis techniques

Overview

Operating systems on hardware platforms supporting simultaneous multi-threading (Hyper-Threading technology in particular) are potentially vulnerable to information leakage to local users. Proof of concept papers and code demonstrating successful attacks against cryptographic keys are in public circulation.

I. Description

Hyper-Threading (HT) Technology allows two series of instructions to run simultaneously and independently on a single processor. With Hyper-Threading Technology enabled, the system treats a physical processor as two "logical" processors. Each logical processor is allocated a thread on which to work, as well as a share of execution resources such as cache memories, execution units, and buses.

Information could potentially be deduced by local users running programs capable of shared-memory cache eviction analysis. Proof-of-concept code using timing and cache eviction analysis techniques has demonstrated that cryptographic keys can be deduced on Intel processors with Hyper-Threading Technology (HTT). It is likely that similar techniques could be employed on other processor architectures that support simultaneous multithreading.

This vulnerability is applicable to many operating system platforms running on a hardware platform that supports simultaneous multithreading (Intel HTT in particular).

Colin Percival has released a paper, "Cache Missing for Fun and Profit", which demonstrates that shared access to memory caches provides a potential covert channel between threads and also permits a malicious thread to monitor the execution of another thread, potentially allowing theft of cryptographic keys.

Vendors have started providing patches and configuration information to disable simultaneous multithreading/HTT support.

Warning: On dual-core (multiple CPU) systems this could have the undesirable effect of disabling all but one of the CPUs. For single core (CPU) systems this workaround may still impact the performance of the server (depending on load).

Organizations need to assess whether the performance impact of disabling simultaneous multithreading/HTT support is worthwhile relative to the risk of successful compromise of sensitive information.

II. Impact

Sensitive information, including cryptographic key material, may be leaked to other local users on the affected system.

The paper describing this issue and its corresponding proof-of-concept exploit make assumptions about the relative quiescence of the target system. At this stage it is unclear how viable the analysis techniques outlined in the above paper would be on busy systems.

Single user workstations and systems where users do not have the ability to run their own programs are unlikely to be affected by this specific issue.

III. Solution

We are not aware of an all-encompassing short-term solution to this issue.

Workarounds

Disabling simultaneous multithreading/HTT support at the operating system or BIOS level may reduce the likelihood of a successful attack using the methods outlined in Colin Percival's paper; however, it may not mitigate other, similar types of attacks.
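Disabling HTT is the platform-level workaround; the software-level complement is for cryptographic code to avoid key-dependent memory access, so that a thread sharing the cache learns nothing from which lines were evicted. The C program below is an added example, not code from this advisory or from Colin Percival's paper: it contrasts a secret-indexed table lookup with one whose memory access pattern is independent of the index. The table is a constructed placeholder standing in for a cipher's substitution box, and the function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Constructed placeholder for a cipher's byte-substitution table (an odd
 * multiplier mod 256 gives a permutation); not a real S-box. */
void build_table(uint8_t t[TABLE_SIZE]) {
    for (size_t i = 0; i < TABLE_SIZE; i++)
        t[i] = (uint8_t)((i * 167u + 13u) & 0xffu);
}

/* Secret-indexed lookup: which cache line is touched depends on idx, so a
 * thread sharing the cache can observe the eviction and narrow down idx. */
uint8_t leaky_lookup(const uint8_t t[TABLE_SIZE], uint8_t idx) {
    return t[idx];
}

/* Same result, but every entry is read on every call and the wanted one is
 * selected with an arithmetic mask: the sequence of memory accesses no
 * longer depends on idx. */
uint8_t ct_lookup(const uint8_t t[TABLE_SIZE], uint8_t idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        uint32_t diff = (uint32_t)(i ^ idx);         /* zero only when i == idx */
        uint8_t mask = (uint8_t)((diff - 1u) >> 8);  /* 0xff if diff == 0, else 0 */
        result |= t[i] & mask;
    }
    return result;
}

/* Returns 1 if both lookups agree on every possible index, 0 otherwise. */
int lookups_agree(const uint8_t t[TABLE_SIZE]) {
    for (unsigned idx = 0; idx < TABLE_SIZE; idx++)
        if (leaky_lookup(t, (uint8_t)idx) != ct_lookup(t, (uint8_t)idx))
            return 0;
    return 1;
}

int main(void) {
    uint8_t t[TABLE_SIZE];
    build_table(t);
    printf("index 0x10: leaky=%02x ct=%02x agree_on_all=%d\n",
           leaky_lookup(t, 0x10), ct_lookup(t, 0x10), lookups_agree(t));
    return 0;
}
```

The guarantee is about the source-level access pattern; an optimising compiler can in principle rewrite the masked loop, so the compiled output should be checked before relying on it.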

Systems Affected

Vendor                      Status           Date Notified   Date Updated
Apple Computer Inc.         Unknown                          24-May-2005
Conectiva                   Unknown                          24-May-2005
Cray Inc.                   Unknown                          24-May-2005
Debian                      Unknown                          24-May-2005
EMC Corporation             Unknown                          24-May-2005
Engrade                     Unknown                          24-May-2005
F5 Networks                 Not Vulnerable                   26-May-2005
FreeBSD                     Vulnerable                       24-May-2005
Fujitsu                     Unknown                          24-May-2005
Hewlett-Packard Company     Unknown                          24-May-2005
Hitachi                     Unknown                          24-May-2005
IBM                         Unknown                          24-May-2005
Immunix                     Unknown                          24-May-2005
Ingrian Networks            Unknown                          24-May-2005
Intel                       Unknown                          24-May-2005
Juniper Networks            Not Vulnerable                   2-Jun-2005
Mandriva Inc.               Unknown                          24-May-2005
Microsoft Corporation       Unknown                          24-May-2005
MontaVista Software         Unknown                          24-May-2005
NEC Corporation             Unknown                          24-May-2005
NetBSD                      Unknown                          24-May-2005
Nokia                       Unknown                          24-May-2005
Novell                      Unknown                          24-May-2005
OpenBSD                     Unknown                          24-May-2005
Openwall GNU/*/Linux        Unknown                          24-May-2005
QNX                         Unknown                          24-May-2005
Red Hat Inc.                Vulnerable                       5-Aug-2005
SCO                         Vulnerable                       24-May-2005
Sequent                     Unknown                          24-May-2005
SGI                         Unknown                          24-May-2005
Sony Corporation            Unknown                          24-May-2005
Sun Microsystems Inc.       Vulnerable                       3-Jun-2005
SuSE Inc.                   Unknown                          24-May-2005
TurboLinux                  Unknown                          24-May-2005
Unisys                      Unknown                          24-May-2005
WRS                         Unknown                          24-May-2005

References

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc
http://www.daemonology.net/hyperthreading-considered-harmful/
http://www.daemonology.net/papers/htt.pdf
http://cr.yp.to/antiforgery/cachetiming-20041111.pdf
http://jvn.jp/cert/JVNVU%23911878/index.html

Credit

Colin Percival is credited with bringing the issue to the attention of vendors and the wider community.

This document was written by Robert Mead and Chad Dougherty.

Other Information

Date Public: 2005-05-13
Date First Published: 2005-05-23
Date Last Updated: 2005-08-05
CERT Advisory: 
CVE-ID(s): CAN-2005-0109
NVD-ID(s): CAN-2005-0109
US-CERT Technical Alerts: 
Metric: 8.30
Document Revision: 22

Copyright 2005 Carnegie Mellon University