Attackers Can Syphon Crypto Keys with Newly Discovered Attack

A team of researchers including Ph.D. student Yingchen Wang and professor Hovav Shacham from The University of Texas at Austin has found that a common feature of modern computer processors can make even carefully written encryption software reveal its secrets when probed by an attacker. The new attack technique, dubbed Hertzbleed, upends decades of guidance for how to write encryption software and may lead to widespread patching as developers come to terms with its implications.

They described the attack technique in a peer-reviewed paper released last week and accepted for presentation at the Usenix Security Symposium in August. The work was also highlighted in New Scientist and Ars Technica.

The new attack technique takes advantage of a thermostat-like mechanism that processors use to run programs as quickly as possible without overheating. When the processor is using more power than its cooling system can dissipate, this mechanism slows down the processor; when the processor is using less power, this mechanism speeds it up. The adjustment happens hundreds of times per second. The team showed that a remote hacker can use changes in how long a processor takes to do certain operations, which correlates with these changes in speed, to steal sensitive information.

As a case study of the new attack's effectiveness, the researchers showed how an attacker could extract secret keys from two implementations of SIKE, an encryption algorithm designed to withstand even predicted code-breaking abilities of future quantum computers, and a candidate for standardization by the U.S. government.

The researchers alerted the companies who developed the SIKE software they examined—Microsoft and Cloudflare—as well as chipmaker Intel last year. Microsoft and Cloudflare released patches to secure their SIKE software against Hertzbleed. Intel acknowledged that all its processors are affected, but declined to release any patches.

It's not clear yet what impact this type of attack may have on ordinary computer users, as SIKE is not widely used outside of the research community. But the team is evaluating other pieces of software to see if they are vulnerable and encourages other software developers to test their programs.

The software routines responsible for encryption, in popular programs like Web browsers, are especially challenging for programmers to write: not only must they produce the right answer, they must also always take exactly the same time to produce it, regardless of the secret value they operate on. Otherwise, as decades of research have shown, attackers can take advantage of the timing variations to learn the secrets the software operates on. To prevent such attacks, programmers writing encryption modules have followed a restrictive rulebook for "constant-time" programming, trying to make sure that each operation on secret information always takes the same amount of time to complete. When processors operated at a fixed speed, that was sufficient to protect the information, but now that they change speed dynamically, that's no longer the case.

"Hertzbleed throws the rulebook for how programmers write constant-time code out the window," Wang, the UT Ph.D. student said. "We look forward to working with the community to rewrite it and help keep users safe."

The team, which also includes Riccardo Paccagnella, Elizabeth Tang He, and Christopher Fletcher from the University of Illinois Urbana-Champaign and David Kohlbrenner from University of Washington, will present their findings at the Usenix Security Symposium.