A newly discovered security vulnerability in modern Intel and
AMD processors could let remote attackers steal encryption keys via
a power side channel attack.
Dubbed Hertzbleed[1] by a group of researchers from the University
of Texas, University of Illinois Urbana-Champaign, and the
University of Washington, the issue is rooted in dynamic voltage and
frequency scaling (DVFS[2]), a power and thermal management feature
employed to conserve power and reduce the amount of heat generated
by a chip.
“The cause is that, under certain circumstances, periodic CPU
frequency adjustments depend on the current CPU power consumption,
and these adjustments directly translate to execution time
differences (as 1 hertz = 1 cycle per second),” the researchers
said.
This can have significant security implications for cryptographic
libraries, even when they are implemented correctly as constant-time
code[3] to prevent timing-based side channels, because it lets an
attacker use the execution time variations to extract sensitive
information such as cryptographic keys.
Both AMD (CVE-2022-23823[4]) and Intel (CVE-2022-24436[5]) have issued independent
advisories in response to the findings, with the latter noting that
all Intel processors are affected by Hertzbleed. No patches have
been made available.
“As the vulnerability impacts a cryptographic algorithm having
power analysis-based side channel leakages, developers can apply
countermeasures on the software code of the algorithm. Either
masking, hiding, or key-rotation may be used to mitigate the
attack,” AMD stated.
While no patches have been made available to address the
weakness, Intel has recommended[6]
cryptographic developers follow its guidance[7]
to harden their libraries and applications against frequency
throttling information disclosure.
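AMD's statement names masking as one countermeasure. The sketch below is an added illustration, not code from AMD, Intel, or the researchers: it splits a secret into two random Boolean shares and computes on the shares, so the words the CPU handles no longer track the secret. Hamming weight as a stand-in for data-dependent power, the 64-bit word size, and all function names are assumptions of this example.

```python
import secrets

WIDTH = 64  # word size in bits (assumed for this demo)

def hamming_weight(x):
    """Set-bit count, used as a simplified proxy for data-dependent power."""
    return bin(x).count("1")

def mask(value):
    """Split value into two Boolean shares with value == s0 ^ s1."""
    r = secrets.randbits(WIDTH)
    return value ^ r, r

def unmask(shares):
    return shares[0] ^ shares[1]

def masked_xor(a, b):
    """XOR is linear, so it is applied share by share."""
    return a[0] ^ b[0], a[1] ^ b[1]

def masked_and(a, b):
    """AND on shares using fresh randomness r (two-share ISW-style gadget)."""
    r = secrets.randbits(WIDTH)
    c0 = (a[0] & b[0]) ^ r
    # Parenthesised so r is mixed in before the cross terms are combined.
    c1 = (a[1] & b[1]) ^ ((r ^ (a[0] & b[1])) ^ (a[1] & b[0]))
    return c0, c1

def mean_weight(secret, masked, trials=2000):
    """Average Hamming weight of the word the CPU handles for this secret."""
    total = 0
    for _ in range(trials):
        word = mask(secret)[0] if masked else secret
        total += hamming_weight(word)
    return total / trials

if __name__ == "__main__":
    for secret in (0, (1 << WIDTH) - 1):  # constructed extreme values
        print(f"secret weight {hamming_weight(secret):2d}: "
              f"unmasked {mean_weight(secret, False):5.1f}, "
              f"masked {mean_weight(secret, True):5.1f}")
```

Two shares only protect against leakage that depends on a single intermediate value; production libraries should rely on vetted masked implementations rather than ad hoc gadgets.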
This is not the first time novel methods have been uncovered to
siphon data from Intel processors. In March 2021, two co-authors of
Hertzbleed demonstrated[8]
an “on-chip, cross-core” side-channel attack targeting the ring
interconnect used in Intel Coffee Lake and Skylake processors.
“The takeaway is that current cryptographic engineering
practices for how to write constant-time code are no longer
sufficient to guarantee constant time execution of software on
modern, variable-frequency processors,” the researchers
concluded.
References
- [1] Hertzbleed (www.hertzbleed.com)
- [2] DVFS (en.wikipedia.org)
- [3] constant-time code (www.intel.com)
- [4] CVE-2022-23823 (www.amd.com)
- [5] CVE-2022-24436 (www.intel.com)
- [6] recommended (community.intel.com)
- [7] guidance (www.intel.com)
- [8] demonstrated (thehackernews.com)
Read more https://thehackernews.com/2022/06/new-hertzbleed-side-channel-attack.html