Researcher: Attack Could Expose SSL Certs on Shared Servers

A security researcher has discovered a flaw in Intel processors that could allow a malicious user to steal data from other users on a shared computer, including details of SSL certificates. The attack documented by Colin Percival involves hyperthreading, a technique which boosts processor performance. Percival found that hyperthreading might enable timing attacks, complex operations that expose private information by measuring the amount of time required to perform cryptographic operations.

The research has prompted debate in the security community about whether such attacks are likely, and how best to respond. Percival says that the majority of systems are unaffected, but shared web hosting servers are "a very major target for this attack."

A thread is a stream of instructions a software program sends to the processor. Hyperthreading allows Intel Pentium 4 and Xeon chips to simultaneously process multiple streams of data, boosting an application's performance. The security issues involve the memory cache, where operating systems and applications store data for easy access by the processor. Intel's implementation of hyperthreading allows data from separate streams to be stored in the same memory cache.

In his research paper, Percival showed how a malicious user can use a timing attack to exploit the shared memory cache and retrieve sensitive data from a thread belonging to another user.

"This is a particular concern for web hosting companies," Percival says. "If users on a shared server are allowed to login over SSH, then they can steal the SSH host key, and if they are allowed to execute any code (e.g., cgi scripts) then they can steal the SSL certificates used by other sites on the same server."

Intel has acknowledged the flaw and is working with operating system vendors on workarounds. Percival says the only safe approach is to disable hyperthreading at the operating system level. Others believe that while an attack is theoretically feasible, it is unlikely because of the level of technical skill required.

"I'd be really surprised if somebody is actually able to get a real-world attack on a real-world pgp key usage or similar out of it," wrote Linux creator Linus Torvalds. "It's a fairly interesting approach, but it's certainly neither new nor HT-specific, or necessarily seem all that worrying in real life."

Timing attacks were first documented in 1995, and new ones continue to emerge. Earlier this week researcher D.J. Bernstein demonstrated a remote timing attack that recovered all 128 bits of a randomly-generated AES key in around a day, and that does not require multithreading.

Percival insists the multithreading attack he has documented is not rocket science, just advanced math. "Assuming that the attacker was trying to steal an RSA private key (aka. an SSL certificate), the limiting factor for most people would probably be the mathematical understanding necessary to implement the final stage of the attack - that is, to take the observed bits of exponent and use them to factor the RSA modulus," Percival explained in an e-mail. "I expect that most advanced undergraduate students in computer science or mathematics would be able to transform the description given in my paper into a working attack within a few weeks; someone with an extensive understanding of the field could probably do it in a few days."
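The "observed bits of exponent" Percival refers to come from the fact that a textbook RSA private-key operation performs a different sequence of cache-visible operations depending on each bit of the secret exponent. The following is an added illustration (not code from Percival's paper or from any cryptographic library) of the leak at the level of the operation schedule, alongside the kind of data-independent schedule that cryptographic libraries adopt as a remedy. It uses small constructed numbers and records each square ("S") and multiply ("M") in a trace that stands in for whatever a co-resident observer might measure; it does not model the cache itself.

```python
"""Key-dependent vs. key-independent modular exponentiation schedules.
Added illustration; not code from Percival's paper or any library."""


def square_and_multiply(base, exp, mod, trace=None):
    """Classic left-to-right square-and-multiply.

    Each 1 bit of `exp` triggers an extra multiply, so the sequence of
    operations (recorded in `trace` if given) spells out the exponent.
    """
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if trace is not None:
            trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            if trace is not None:
                trace.append("M")
    return result


def montgomery_ladder(base, exp, mod, trace=None):
    """Montgomery ladder: every bit performs exactly one multiply and one
    square, so the operation sequence is the same for any exponent of the
    same length.  (Which register gets squared still depends on the bit;
    a production constant-time implementation also has to make that
    register selection branch-free and data-independent in memory access.)
    """
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "0":
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        if trace is not None:
            trace.extend(["M", "S"])
    return r0


def bits_from_trace(trace):
    """What an observer who can tell squares from multiplies learns from a
    square-and-multiply trace: an S followed by M is a 1 bit, an S followed
    by another S (or by the end of the trace) is a 0 bit."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] == "S":
            if i + 1 < len(trace) and trace[i + 1] == "M":
                bits.append("1")
                i += 2
            else:
                bits.append("0")
                i += 1
        else:
            i += 1
    return "".join(bits)


if __name__ == "__main__":
    # Constructed toy values: base 7, secret exponent 45 (0b101101), modulus 1009.
    naive_trace, ladder_trace = [], []
    assert square_and_multiply(7, 45, 1009, naive_trace) == pow(7, 45, 1009)
    assert montgomery_ladder(7, 45, 1009, ladder_trace) == pow(7, 45, 1009)
    print("square-and-multiply trace:", "".join(naive_trace))
    print("bits recoverable from it: ", bits_from_trace(naive_trace))
    print("ladder trace:             ", "".join(ladder_trace))
```

Both functions compute the same result, but only the first one's trace encodes the exponent; the ladder's trace is identical for any exponent of the same bit length, which is the property a scheduler- or library-level mitigation has to provide for every secret-dependent step, not just this one.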

Percival is a member of the security team at FreeBSD. In 1998, at age 17, he gained notice by writing a program that used distributed computing to calculate pi to the five trillionth digit. He is also known for his Depenguinator, a program to remotely remove Linux from a system and install FreeBSD in its place.

Percival identifies advisories on the hyperthreading issue announced by several operating system vendors, and says Microsoft has been informed of the issue but has not responded as yet. An advisory from FreeBSD noted that "future work in cryptographic libraries and operating system schedulers may remedy this problem for many or most users, without necessitating the disabling of Hyper-Threading Technology."