Researchers at the University of Illinois say that Intel processors are susceptible to a new side-channel attack. It lets one unprivileged application infer secrets held by another application on the same machine, such as cryptographic key bits, and detect the timing of a user's key presses.
“It is the first attack to exploit contention on the cross-core interconnect of Intel CPUs,” doctoral student Riccardo Paccagnella, part of the research team, told The Register. “The attack does not rely on sharing memory, cache sets, core-private resources or any specific uncore structures. As a consequence, it is hard to mitigate with existing side-channel defenses.”
Besides Paccagnella, the research team includes Licheng Luo and assistant professor Christopher Fletcher. They will present their findings later in the year at the USENIX Security 2021 conference.
Side-channel attacks exploit the behaviour of modern chip microarchitecture, in which workloads that share a machine also share hardware resources. Unlike most earlier side-channel attacks, this one does not rely on shared memory or shared cache sets. Instead, it relies on contention on the CPU ring interconnect, the on-chip bus that carries traffic between the cores, the last-level cache, the system agent and the graphics unit on modern Intel processors such as the Skylake and Coffee Lake CPUs. When one core's traffic delays another's, the delay is measurable, and its pattern over time reveals what the other core is doing.
The attacks were tested on Intel Coffee Lake and Skylake CPUs; it is not clear whether the attack works on newer Intel Xeon processors.
To build the attack, the researchers reverse engineered the protocols that handle communication on the ring interconnect. They then worked out the conditions under which traffic from two cores contends on the ring, so that a process on one core can observe, through the delays it experiences, the activity of a process on another.
“Specifically, [the attack] abuses mitigations to preemptive scheduling cache attacks to cause the victim’s loads to miss in the cache, monitors ring contention while the victim is computing, and employs a standard machine learning classifier to de-noise traces and leak bits,” according to the researchers.
“The attacker needs to be able to already run unprivileged code on the machine under attack,” Paccagnella told the tech website Threatpost. “This may be possible by either fooling the user into downloading some code (e.g. a malicious app/malware) and running it, stealing the credentials of an unprivileged user of the same machine (and then, e.g., SSH-ing into it), or exploiting remote code execution vulnerabilities.”
In a paper – “Lord of the Ring(s): Side-Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical” – Paccagnella, Luo, and Fletcher elaborate on the workings of Intel’s ring interconnect that passes information between CPU cores.
Intel does not appear to be especially worried about the finding, and it supported the researchers in their work. It groups the new attack alongside existing side-channel attacks. “We appreciate the ongoing work and coordination with the research community,” said Intel. “After reviewing the paper, we believe developers and system administrators can employ a number of security best practices that help protect against various types of side-channel attacks, including those found in this paper.”
“They treat this class of attacks differently than the class of ‘speculative execution / transient execution attacks’ (like Spectre, Meltdown, etc.). That is, they do not consider traditional side-channel attacks as a significant value for an attacker, and they already published their suggested guidance on how to mitigate them in software,” said Paccagnella.
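The software guidance Intel points to comes down to one rule: a secret must not decide which code runs or which memory is touched, because that is exactly what a contention trace like the one described above can recover. The C program below is an added illustration written for this page, not code from the paper, from Intel, or from any library the researchers attacked. It shows a toy modular exponentiation on 32-bit operands in two forms: a square-and-multiply whose multiply count and control flow follow the exponent bits, and a branch-free Montgomery ladder that performs the same operations for every bit. The instrumentation counter, the function names and the sample values are assumptions made here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Instrumentation only (added for this example): counts modular multiplies so
 * the two implementations' operation traces can be compared. */
static unsigned long g_mulmod_calls;

/* 32-bit operands keep the 64-bit product from overflowing. The '%' here is a
 * hardware divide whose latency can itself depend on operand values; a
 * production implementation would use Montgomery multiplication instead. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    g_mulmod_calls++;
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* LEAKY: classic square-and-multiply. The extra multiply runs only when the
 * current exponent bit is 1, so the number and timing of the victim's
 * operations (and the loads behind them) track the secret bit by bit. This is
 * the kind of secret-dependent behaviour a contention trace can recover. */
uint32_t modexp_leaky(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t result = 1 % mod;
    uint32_t g = base % mod;
    for (int i = 31; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1)              /* secret-dependent branch */
            result = mulmod(result, g, mod);
    }
    return result;
}

/* HARDENED: Montgomery ladder with a mask-based conditional swap. Every bit
 * costs exactly one squaring and one multiply, and the bit only selects which
 * register each result lands in, so control flow and memory access do not
 * depend on the exponent. Invariant: r1 == r0 * base (mod m). */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint32_t r0 = 1 % mod;
    uint32_t r1 = base % mod;
    for (int i = 31; i >= 0; i--) {
        uint32_t mask = 0u - ((exp >> i) & 1u);   /* 0 or 0xFFFFFFFF */
        uint32_t t = (r0 ^ r1) & mask;            /* swap iff bit is 1 */
        r0 ^= t;
        r1 ^= t;
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        t = (r0 ^ r1) & mask;                     /* swap back */
        r0 ^= t;
        r1 ^= t;
    }
    return r0;
}

/* Returns how many modular multiplies fn performs for this exponent. A count
 * that varies with the exponent is the simplest signature of the leak. */
unsigned long count_mulmods(uint32_t (*fn)(uint32_t, uint32_t, uint32_t),
                            uint32_t base, uint32_t exp, uint32_t mod)
{
    g_mulmod_calls = 0;
    (void)fn(base, exp, mod);
    return g_mulmod_calls;
}

int main(void)
{
    const uint32_t p = 1000000007u;                           /* sample prime modulus (constructed) */
    const uint32_t light = 0x80000000u, heavy = 0x0000FFFFu;  /* 1 vs 16 set bits */

    printf("leaky : %lu multiplies for exp=%08x, %lu for exp=%08x\n",
           count_mulmods(modexp_leaky, 3, light, p), light,
           count_mulmods(modexp_leaky, 3, heavy, p), heavy);
    printf("ladder: %lu multiplies for exp=%08x, %lu for exp=%08x\n",
           count_mulmods(modexp_ladder, 3, light, p), light,
           count_mulmods(modexp_ladder, 3, heavy, p), heavy);
    printf("results agree: %s\n",
           modexp_leaky(3, heavy, p) == modexp_ladder(3, heavy, p) ? "yes" : "no");
    return 0;
}
```

Run as is, the leaky version performs 32 squarings plus one multiply per set bit, so its trace length alone separates a one-bit exponent from a sixteen-bit one, while the ladder always performs 64 operations and returns the same results. Two caveats for anyone applying this beyond the toy: the ladder removes the secret-dependent branch but not the operand-dependent divide, so a real implementation also needs constant-time arithmetic, and the property has to be confirmed on the compiled binary, since a compiler may turn the mask arithmetic back into a branch. Constant-time code addresses the key-recovery use of this channel; it does nothing for the keystroke-timing use, and it does not close the ring contention channel itself.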