OpenBSD Journal

HT Considered Harmful.....Well, Not Really

Contributed by phessler on from the witty-headlines dept.

There has been plenty of press about the problem with Hyper-Threading, which is that one process can read the other processes cache. Sadly, most of these articles are Not Accurate. What can happen is not as dangerous as reading another processes memory, but is still a problem. Kinda.
What the vulnerability does, is with a certain set of pre-conditions, allows an attacker to time how long it takes for the victim process to read memory.

Preconditions: both processes are on the same CPU for the full amount of time of the process, the attacking process gets the first slice of time, and neither is put to sleep, or moved off the CPU. In theory, the attack will work on any two execution cores that share L1 cache memory.

This threat does NOT allow the attacker to read the actual values of memory, just the time it spends.

In OpenBSD in particular, this is downright boring. A very limited set of systems are vulnerable and its a local only attack regardless. There is a limited range of possible attacks, and is massivly more difficult on a real multiuser machine.

(Comments are closed)


Comments
  1. By djm@ (203.217.30.86) on

    Also (if I understand the paper correctly) the attack described in the paper targets the specific method of RSA key generation used by OpenSSL. It isn't clear how effectively the attack could be extended to the much more interesting and common operations of RSA encryption or signing.

    This is not to denigrate the paper in any way - it is a really cool attack which is far more practical than some of the heavily-hyped cryptographic results of recent memory.

    Comments
    1. By Colin Percival (24.87.209.6) cperciva@freebsd.org on

      The attack I demonstrated targets any OpenSSL RSA private key operation (signing or decryption), not the key generation.

  2. By James Herbert (62.254.0.48) lists@artyzan.net on

    Considering OpenBSD's kernel does not support HyperThreading, is the attack completely nullified?

    Comments
    1. By maestro_alubia (80.132.85.211) on

      I am not sure... but I thought that every OS that supports SMP (like latest OpenBSD) as well supports HT because HT is absolutely transparent for the OS (which thinks there are two physical CPUs).

      Comments
      1. By Anonymous Coward (83.147.128.114) on

        if your machine has an mpbios, it will work. most single cpu motherboards do not have an mpbios, so hyperthreading does not work there.

        Comments
        1. By Johan M:son (213.114.133.92) on

          There's so many stories about OpenBSD and HT flying about one's getting really dizzy. One story is that all boxes with a HT enabled Xeon will show two cpus when booting bsd.mp. Another story is as you say that with an MPBIOS HT will work for sure. Well when trying it all out on a Dell PE2650 with a HT enabled Xeon and MPBIOS it doesn't seem to work. Booting bsd.mp (3.6 and -current) it came up with only 1 CPU. So I guess it's more to it then just an MPBIOS and a HT Xeon.

          Comments
          1. By henning (209.5.161.201) on

            all it needs is a proper MPBIOS, really.

            Comments
            1. By Johan M:son (213.114.133.92) on

              Right, for varying definitions of "proper MPBIOS".

Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]