Is hyperthreading dangerous? [LWN.net]

Hyperthreading (or symmetric multi-threading) is a hardware technique used to squeeze more performance out of modern processors. A hyperthreaded processor appears, in many ways, to be a set of two independent processors. These two processors share the same hardware, however, with only the processor registers and other state-dependent information being kept separate. Only one of the two CPUs can actually be executing at one time. Hyperthreading helps performance because processors often stall, waiting for memory accesses. When one processor in a hyperthreaded set must wait, the other can be executing. Hyperthreading thus enables greater utilization of the processor hardware; the resulting performance gains are said to be anywhere from 5% to 30%, depending on the workload.

One of the resources shared by hyperthreaded processor sets is the memory cache. This sharing has its advantages: if processes running on the two processors are sharing memory, that memory need only be fetched into the cache once. That kind of sharing happens often; shared libraries are one obvious example. The shared cache also makes moving processes between hyperthreaded processors an inexpensive operation, so keeping loads balanced across the system is easier.

The sharing of caches between hyperthreaded processors is also, however, the cause of a vulnerability identified in a heavily trailered report by Colin Percival. The core of the problem is that, by measuring the latency of specific memory accesses, a process can tell whether a given memory location was represented in the processor cache or not. A hostile process can load the cache with its own memory, wait a bit, then run tests to see which locations have been evicted from the cache. From that information, it can make inferences about which memory locations were accessed by the sibling processor in the hyperthreaded set.

Two cooperating processes, running at different privilege levels, could make use of the cache to set up a covert channel for communication. In a highly secured system, these two processes might not be able to talk to each other at all normally. With a covert channel in place, information can be leaked from a privileged level to one less privileged, leading to all kinds of dreadful consequences - for somebody. Most systems, however, are not overly concerned about this sort of covert channel; there are easier ways to deliberately leak information.

Mr. Percival, however, also shows how the vulnerability can be exploited to obtain information from processes which are not cooperating. In particular, he claims that it can be used to steal keys from cryptographic applications. A number of crypto algorithms have data-dependent memory access patterns; an attacker who can watch memory accesses can, for some algorithms, derive the key which was being used. The exploit discussed in the report attacks the OpenSSL key signing algorithm in this way.

The paper makes a number of recommendations on steps which can be taken to mitigate this problem. The simplest is to simply disable hyperthreading; on Linux systems, it is a simple matter of configuring out hyperthreading support or booting with the noht option. Alternatively, the kernel could take care not to schedule potentially unfriendly processes on the same hyperthreaded set. Removing access to a high-resolution clock would make the necessary timing information unavailable, thus defeating such attacks. Cryptographic algorithms could be rewritten to avoid data-dependent memory access patterns. Processors could be redesigned to not share caches between hyperthreaded siblings, or to use a cache eviction algorithm which makes it harder to determine which cache lines have been removed.

The Linux scheduler could certainly be changed to defeat attempted cache-based attacks on hyperthreaded processors, but the chances of that happening are small. There are numerous obstacles to any sort of real-world exploit of this vulnerability. The attacker must be able to run a CPU-intensive program on the target system - without being noticed - and ensure that it remains on the same hyperthreaded processor as the cryptographic process. The data channel is noisy at best, and it will be made much more so by any other processes running on the system. Timing the attack (knowing when the target process is performing cryptographic calculations, rather than doing something else) is tricky. Getting past all these roadblocks is likely to keep a would-be key thief busy for some time.

In other words, there are almost certainly more effective ways of attacking cryptographic applications. Closing this particular hole is unlikely to be worth the trouble, extra complexity in the kernel, and performance impact it would require. So this vulnerability, despite all the press it has obtained, will probably not lead to any changes to the kernel in the near future. Anybody who is truly worried about this problem will be best off simply turning off hyperthreading for now. In the longer term, authors of cryptographic code may find that they need to add avoidance of data-dependent memory access patterns to their arsenal of techniques.

(Log in to post comments)

Is hyperthreading dangerous?

Posted May 19, 2005 9:42 UTC (Thu) by filipjoelsson (subscriber, #2622) [Link]

Does this very theoretical exploit affect multicore systems too? I'm not sure I have this right, but I think they sharing cache too. Or is the (still very theorietical) exploit dependent on the feature that the hostile thread and the cryptographic one do not run at the same time?

In any case, I have the answer:
<TIC>This is the perfect exploit to close with security thorugh obscurity. We have to lessen the risque that the two processes happen to be in the same processor cache at the same time. This is best (depending on wether you share my definition of 'best') done by getting an 8-way SMP system, preferably dualcore. (Well, at least _I_ would prefer that, wouldn't you?) Thus the chance would be slim, at best, that the two processes would schedule to the same processor at the same time. (Now, all I need is to persuade my wife that this is necessary in the name of security.)</TIC>

Is hyperthreading dangerous?

Posted May 19, 2005 15:13 UTC (Thu) by khim (subscriber, #9252) [Link]

Does this very theoretical exploit affect multicore systems too?

Yes and no. Yes - it's possible to use the same technique for dual-core systems. But in reality it'll require way too much brute force. The problem with Hyper-Threading is size of L1 cache - it's too small. Multicore systems only share L2 cache (if even that) and it's much bigger so problem becomes pure theory.

Dual cores...

Posted May 26, 2005 13:30 UTC (Thu) by MarkWilliamson (guest, #30166) [Link]

IIRC, the initial dual-cores from AMD and Intel will not share any cache.
Intel's (initial) implementation in particular is basically two
independent CPUs on the same die. Even when shared L2 caches are
implemented, it seems that sharing an L2 cache will provide lower
bandwidth to this kind of exploit, which benefits hugely from the shared
L1 cache of the two hyperthreads.

Note that IBM's POWER4 shares caches across multiple cores and the POWER5
also has SMT...

Is hyperthreading dangerous?

Posted May 19, 2005 17:35 UTC (Thu) by hamjudo (subscriber, #363) [Link]

... is for the cryptography to occur on dedicated processors, designed to make obtaining access to embedded private keys very difficult and expensive.

If the cryptographic keys are mission critical, they must be backed up. The backups also have to be protected, even when stored off site. I think that the most significant benefit of a dedicated processor is that you can have a very different scheme for backing up the crypto hardware than for your other servers.

Somewhat OT: Is hyperthreading dangerous?

Posted May 27, 2005 20:38 UTC (Fri) by zakaelri (guest, #17928) [Link]

Albeit I may pay for it later, this is a great place where TPM (Trusted Computing) could be used. Within the TPM system, the chip responsible for key management is the only one that can ever "see" the keys being used.

Any time a key goes out, it's encrypted. So, you can send in an encrypted key, a datastream, and an encrypt/decrypt/sign/verify instruction... the chip does the magic required, and spits out whichever data was asked for.

Note: While Palladium is evil. I actually like TPM. (My ThinkPad has it, but I havn't had the opportunity to set it up yet).

To make a desparate attempt for on-topic-ness: I disliked HTT from the beginning. It didn't seem worth paying for... It makes more sense (to me) to fine-tune cache performance.

mergemem and timing vulnerabilities

Posted May 29, 2005 11:15 UTC (Sun) by anton (guest, #25547) [Link]

If one could only check whether full pages are merged, that would be
pretty hard to exploit (one would have to guess all of the page
correctly, i.e., usually the complete key or password).

Another potential attack path was using a timing attack based on how
long the merge attempt takes, or how much of the merge-attempted pages
is in the cache afterwards. That would bring the granularity down to
a word or a cache line, which makes guessing much more practical.

IMO, even that attack path could be blocked relatively easily (e.g.,
allow only merging corresponding pages from processes that run the
same binary, and were not tainted with ptrace or somesuch).

My impression was that too much emphasis was given to the
vulnerabilities in the mergemem announcements, and that may be one
reason why there was not much interest in it.