Update: Intel CPUs Impacted By PortSmash Side-Channel SMT Exploit, AMD Likely Also Vulnerable
When it comes to impactful processor vulnerabilities, the two most well-known attacks announced the year are Spectre and Meltdown. The hardware and software industry scrambled to push out fixes to prevent these, and Microsoft is still working to minimize the performance impact of its mitigations.
Today, however, we're learning of yet another side-channel vulnerability, which is being dubbed PortSmash. In layman's terms, a side-channel vulnerability uses complex methods to sniff out encrypted data within a CPU or system memory in an effort to gain escalated privileges and access "protected" data.
PortSmash takes advantages of simultaneous multi-tasking (SMT) on the processor, allowing nefarious code to run alongside a legitimate thread. As ZDNet reports, at its core, "PortSmash process than leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process." If you may recall, a similar attack vector was discovered in Intel SMT dubbed TLBleed.
A team of Finnish and Cuban researchers from the Tampere University of Technology and the Technical University of Havana initially discovered the PortSmash security vulnerability and say that they confirmed that HyperThreading-enabled Intel Skylake and Kaby Lake processors are susceptible to exploitation. The researchers say that no unauthorized system memory access is achieved via PortSmash.
"The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures," said research team member Billy Brumley. "More specifically, we detect port contention to construct a timing side-channel to exfiltrate information from processes running in parallel on the same physical core."
It should be noted that while PortSmash has been demonstrated on Skylake and Kaby Lake processors -- you can find a proof-of-concept on GitHub -- AMD processors may also be vulnerable. Brumley and his team have not yet tested AMD's Zen-based processors, but he told ZDNet that they will be looking specifically at Ryzen processors in the future and that it's highly likely that they are impacted.
Updated 11/2/2018 @ 2:01pm
Intel has provided the following statement regarding PortSmash:
Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers’ data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.