Hertzbleed exposes x86 vulnerability

The latest hardware-based zero-day examined.
20 June 2022

Researchers have proved that the new breed of x86 processors from both Intel and AMD are vulnerable to remote attack that can allow the attacker to remove cryptographic keys on servers previously thought to be safe.

The discovery comes in the form of “Hertzbleed” – a new method that can turn a common and well understood power side-channel attack into a more serious remote timing attack.

We’ve known that power side-channel attacks can exploit data-dependent variations in a CPU’s power consumption for some time, and that if unmitigated, such attacks can be used to remove keys from the server.

But the new research from a team of six researchers (led by Yingcheng Wang of UT Austin) proves that x86 processors can be vulnerable to the Hertzbleed attack because their dynamic frequency scaling is dependent on the data being processed at any moment.

That means that, on the x86 processors, you can run the same program at different CPU frequencies. So, if a threat actor knows what they’re doing, they can use a chosen-ciphertext attack against the processor’s Supersingular Isogeny Key Encapsulation (SIKE), and extract keys through remote timing.

That’s a possibility despite SIKE being used as “constant time” in x86 processors, which is what makes the Hertzbleed attack method so important.

It’s true that threat actors would really have to know what they were doing, and that this is a newly-discovered vulnerability in the x86 processors. But now that it’s out there in the world, the likelihood is that threat actors will get quickly up to speed with the vulnerabilities of the x86 processors and turn the remote timing attack into a much more widely known phenomenon.

What is the actual impact of the Hertzbleed discovery?

The ability of threat actors to use power side-channel attacks and turn them into remote timing attacks means that current industry guidelines on how to write time-constant code need to be rewritten (because the attack works even with SIKE is being used as constant time).

There’s a degree of Chicken Little about the subsequent conclusion, but it will send an uneasy shudder down the spines of high-security users of x86 processors. This vulnerability was entirely undiscovered until researchers probed it, and the researchers acted with exemplary responsibility. Any superstitious developer will be wondering what other vulnerabilities have yet to be discovered – and whether the people who discover them will be quite as ethical as the Hertzbleed researchers.

Initially, when the researchers made their findings known to Intel in the third quarter of 2021, the company requested that they not go public with the information about the newly-discovered vulnerability. It later emerged that this was because Intel was following an established policy within the tech industry. Its security advisory notice said “Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.”

Sure enough, Intel tried to replicate the researchers’ work on its own machines, and found that all Intel chips were vulnerable to the new form of attack. That went further than the initial researchers, who only experimentally confirmed the issue on a given subset of Intel machines, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.
Intel has since acknowledged the work of the researchers and their responsibility in swiftly reporting it to the company. It has subsequently – again, in line with the policy of Coordinated Disclosure – released a set of Frequency Throttling Side Channel Software Guidance for Cryptography Implementations, and recommends selecting instructions whose execution time is data-independent in order to mitigate timing side-channel attacks using cycle differences.
AMD, meanwhile, was not informed of the newly-discovered vulnerability until the first quarter of 2022. It is understandable then that as yet, AMD has not confirmed that the vulnerability applies to all of its processors, but it has acknowledged the vulnerability is present on a range of its machines, including:

Desktop

  • AMD Athlon™ X4 processor
  • AMD Ryzen™ Threadripper™ PRO processor
  • 2nd Gen AMD Ryzen™ Threadripper™ processors
  • 3rd Gen AMD Ryzen™ Threadripper™ processors
  • 7th Generation AMD A-Series APUs
  • AMD Ryzen™ 2000 Series Desktop processors
  • AMD Ryzen™ 3000 Series Desktop processors
  • AMD Ryzen™ 4000 Series Desktop processors with Radeon™ graphics

Mobile

  • AMD Ryzen™ 2000 Series Mobile processor
  • AMD Athlon™ 3000 Series Mobile processors with Radeon™ Graphics
  • AMD Ryzen™ 3000 Series Mobile processors or 2nd Gen AMD Ryzen™ Mobile processors with Radeon™ graphics
  • AMD Ryzen™ 4000 Series Mobile processors with Radeon™ graphics
  • AMD Ryzen™ 5000 Series Mobile processors with Radeon™ graphics

Chromebook

  • AMD Athlon™ Mobile processors with Radeon™ graphics

Server

  • 1st Gen AMD EPYC™ processors
  • 2nd Gen AMD EPYC™ processors

The likelihood that it will eventually be concluded that the vulnerability affects all AMD processors seems high. In fact, it would look like an outlier if any AMD processor was tested and found not to be vulnerable to Hertzbleed.

AMD, like Intel, has released advice to developers to mitigate this “medium” level new attack. It says that hiding, masking, and key rotation may be effective against it if applied on the software code of the algorithm.

The researchers have published the source code of their Hertzbleed experiments, so developers can examine it for themselves.