[plug] "Hyper-Threading, suffers from a serious security flaw,"
Open Source.Lives
open.source.lives at gmail.com
Sat May 14 02:01:28 WST 2005
For those who used other open source OS...
Colin Percival, a FreeBSD committer and security team member, has
found a local exploit against the current implementation of Intel's
Hyper-Threading Technology. "Hyper-Threading, as currently implemented
on Intel Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and
Xeon processors, suffers from a serious security flaw," Colin
explains. "This flaw permits local information disclosure, including
allowing an unprivileged user to steal an RSA private key being used
on the same machine. Administrators of multi-user systems are strongly
advised to take action to disable Hyper-Threading immediately."
Colin will present the details behind the attack at BSDCan 2005 at
10:00 AM EDT on May 13th. "At the conclusion of my talk I will also
be releasing a paper describing the attack and possible mitigation
strategies," Colin explains. The flaw affects all operating systems,
and for a secure multi-user environment essentially requires that
Hyper-Threading be disabled. More information can be found on Colin's
web page on the topic. The aforementioned paper can be downloaded here
in PDF format.

Vendor statements

The following statements have been provided to me by vendors:
FreeBSD: This issue affects FreeBSD/i386 and FreeBSD/amd64, and is
addressed in advisory FreeBSD-SA-05:09.htt.
NetBSD: The NetBSD Security-Officer Team believes that workarounds
will be suitable for the majority of our users. Since this issue is a
complex one, the 'right' solution will require a larger discussion
which is only possible once this issue is public. This issue will be
addressed in advisory NetBSD-SA2005-001, which will provide a list of
workarounds for use until the 'final' conclusion is reached.
OpenBSD: OpenBSD does not directly support hyperthreading at this
time, therefore no patch is available. Affected users may disable
hyperthreading in their system BIOS. We will revisit this issue when
hyperthreading support is improved.
SCO: This affects OpenServer 5.0.7 if an update pack is applied and
SMP is installed; it also affects UnixWare 7.1.4 and 7.1.3 with
hyperthreading enabled, but hyperthreading is disabled in UnixWare by
default. This is covered by advisory SCOSA-2005.24.
(Other vendors are affected, but they haven't provided any statements.)

Q & A

1. Do I need to worry about my home computer?
Probably not. This security flaw is primarily a problem for servers.
2. I have an Apple computer, do I need to worry about this?
As far as I know, this flaw only exists on Intel processors. (Of
course, I don't know much about the CPUs used in Apple computers -- it
is entirely possible that someone else could construct a similar
attack there.)
3. My vendor, <Insert Name Here>, isn't mentioned on your list of
vendor statements! What should I do?
Some vendors haven't provided statements to me. This may be
because they're too busy fixing the problem, or it may be due to
corporate policies which forbid such disclosures. Either way, if there
isn't a statement above, it's because I haven't received one. You may
wish to check back later.
4. Where do you work?
I'm unemployed. For the past three months, I've spent almost all
of my time working on this security flaw -- investigating how serious
it was, contacting all of the affected vendors, explaining how this
should be fixed, et cetera. I simply haven't had time to go out and
get a job -- and I decided that making sure that this issue was
properly reported and fixed was far more important than earning some
money.
5. I think it's really great that you spent three months doing
unpaid work to improve the security of other people's computers. What
can I do to thank you for your efforts?
Money is always good. In all seriousness, there is a
considerable amount of security-related work which I'd like to spend
time doing, but if I can't get any money I'm going to have to get a
Real Job instead. If you think you or your company could offer me some
funding to allow me to continue my work, please let me know.
6. Why do you hate Intel so much?
I don't hate Intel -- in fact, I think Intel makes great CPUs,
and I have an Intel processor in every computer I own. (Not that I
have anything against AMD; it just happened to work out this way.) But
as someone who works in the field of computer security, I don't play
political games: If I find a vulnerability, I'm going to report it and
work with vendors to fix it, regardless of what the problem is or who
it affects.
7. I have a question which isn't on this list.
Feel free to contact me with any questions about this security
flaw. I can't guarantee that I'll be able to reply to everyone -- I
have no idea how many emails I'll get -- but I will make an effort to
address every serious question I receive either via personal email or
on this web page.

Disclosure timeline

Late October, 2004: Initial discovery.
December 2004: Proof-of-concept exploit written and tested.
December 31, 2004: FreeBSD Security Officer Team notified of upcoming
security issue.
February 2005: First draft of paper completed.
February 27, 2005 - March 18, 2005: Other security teams and vendors
(including Intel) contacted.
May 13, 2005 @ 00:00 UTC: Official public disclosure that a security
flaw exists in Hyper-Threading.
May 13, 2005 @ 15:00 UTC: Full details to be released.