What are side-channel attacks affecting processors and what are the situations in which they could be a problem.
We often hear about cyber attacks that exploit known security vulnerabilities or problems zero-day which are known only to cybercriminals. In this second case the attackers can cause serious damage as they have the possibility to launch targeted attacks against specific individuals, such as high-profile companies or well-known professionals, before a corrective patch is even available.
The attacks side-channel (literally “lateral attacks“) are a type of cyber attack that exploits information about the behavior of a system gathered during its operation. Instead of launching a direct, frontal attack, the logic of side-channel attack aims to crack the system with a violation that starts “sideways”, through a secondary channel.
Communication channels or information inserted into the system by developers or producers are often used unintentionally: by pressing the right “keys”, it is possible gain access to resources which should not be exposed in any way.
Side-channel attacks on processors they can be used to extract sensitive information, such as cryptographic keys or user authentication data. An example of aggression of this type is based on the analysis of Execution time of certain operations. This type of attack can be leveraged to identify sensitive information for use in subsequent stages of the attack.
Some examples of side-channel attacks
Meltdown e Spectre are universally considered as the progenitors of side-channel attacks: it was the work initially carried out with these two types of aggression that prompted researchers, in later times, to investigate and identify new loopholes in the processors, previously unnoticed.
In the absence of corrective patches, an attacker who interacts with the mechanisms of branch prediction of the CPU or measure the execution time of instructions, it can recover personal data e confidential informationincluding passwords and decryption keys.
Meltdown takes advantage of a processor feature that allows programs to access the kernel memory of the operating system, which is usually protected and isolated from the rest of the system. Using a side-channel technique called “out-of-order execution“, Meltdown forces the processor to execute program instructions non-sequentially, opening access to areas of memory that should have remained off-limits.
Spectre, on the other hand, exploits a vulnerability in the mechanisms of jump prediction (branch prediction) followed by the processor during the execution of the various instructions. The technique branch target injection it is used to “convince” the processor to execute the program’s instructions in a different way than expected: in this way the attacker can access the contents of the memory used by the system and by the running programs.
Over time, more have been discovered vulnerability in processors such as ZombieLoad, PortSmash which is based on the analysis of the Execution time of the instructions, PowerHammeran attack based onanalysis of energy consumptionCacheOut, Retbleed which undermines the defenses implemented against Spectre.
In April 2023, a new type of side-channel attack was successful against CPU Intel: This time the EFLAGS register is targeted (we talked about registers in the article on how a processor works). Also in this case a flaw is exploited in the transient execution that is, in the technique used by processors to optimize performance and which involves the parallel execution of several instructions at the same time. This speeds up the execution of programs, but can also create security vulnerabilities, as the execution of an instruction can affect the internal state of the processor in unpredictable ways.
Too much attention around side-channel attacks?
When at the beginning of 2018 the news of the discovery of the underlying vulnerabilities of Meltdown e Spectre seemed to suddenly open a chasm in terms of safety. In fact, in hindsight, side-channel-level attacks CPU have led to a number of attacks extremely small: this is due to the fact that these are difficult attacks to execute because they require a very deep knowledge of the architecture and operation of the processor, as well as a set of sophisticated tools and techniques to collect and analyze the necessary data.
Furthermore, in general, side-channel attacks also require thephysical access or privileged to the attacked system, which means that they are not always applicable in all situations. For example, a side-channel attack might require you to install a malicious software on the target system, physical access to the machine or manipulation of the CPU firmware.
Finally, side-channel attacks are often “noisy”, i.e. generate a large volume of data which must be analyzed and interpreted to obtain useful information. For this reason, apart from the theoretical value and the great value of the discoveries conducted by researchers, attackers prefer other, much more effective and “secure” forms of attack to side-channel attacks: one of them, the exploitation of security vulnerabilities operating system, web browser and installed applications, especially those that exchange data over the network.
The vulnerabilities behind side-channel attacks in CPUs are also not only difficult to exploit but also complex to solve for several reasons. First, these vulnerabilities are often the result of design compromises made for performance purposes: fixing the vulnerabilities or otherwise applying the so-called workaround can lead to a significant drop in processor performance.
Second, any solutions to address these vulnerabilities often require changes to the processor architecture or software, which is a time-consuming and costly process for CPU manufacturers. Finally, the problems of type side-channel they can affect not only the processor but also other system components, such as memory, the memory controller and I/O devices: this makes it more difficult to identify and fix these vulnerabilities effectively.
The patch The resolution of vulnerabilities that favor side-channel attacks may not be essential: their effective application also depends a lot on the context in which the system is used. On end-user PCs and workstations the risks are minimal while more attention should always be paid to the scope server and at the level of data center.
However, modern browsers have implemented it mitigations for side-channel vulnerabilitiessuch as the use of process isolation, which prevents a single process from accessing sensitive information in other parts of the system: it is obviously always essential to keep the browser in use updated to protect the system from possible attacks.