US Researchers Spot New Hertzbleed Flaw Affecting AMD and Intel CPUs

  • Researchers from the University of Texas, the University of Illinois Urbana-Champaign and the University of Washington have found a new vulnerability affecting all modern AMD and Intel CPUs.

    Dubbed “Hertzbleed,” the new family of side-channel attacks takes its name from the ability to use frequency side channels to potentially extract cryptographic keys from remote servers.

    “Hertzbleed takes advantage of our experiments showing that, under certain circumstances, the dynamic frequency scaling of modern x86 processors depends on the data being processed,” the researchers wrote.

    Because of this, the security experts defined Hertzbleed as a real and practical threat to the security of cryptographic software.

    “We have demonstrated how a clever attacker can use a novel chosen-ciphertext attack against SIKE to perform full key extraction via remote timing, despite SIKE being implemented as ‘constant time.’”

    In terms of affected devices, both Intel and AMD released advisories stating that either all (Intel) or several (AMD) processors were susceptible to Hertzbleed attacks.

    The companies are also tracking Hertzbleed in the Common Vulnerabilities and Exposures (CVE) system under CVE-2022-23823 (Intel) and CVE-2022-24436 (AMD). Both are categorized as ‘medium’ threats, with a CVSS Base Score of 6.3.

    Despite the acknowledgment, the researchers said they do not believe Intel and AMD will deploy microcode patches to mitigate Hertzbleed.

    “However, Intel provides guidance to mitigate Hertzbleed in software. Cryptographic developers may choose to follow Intel’s guidance to harden their libraries and applications against Hertzbleed.”

    Alternatively, the paper describes a workaround that mitigates the vulnerability but warns it has an extreme system-wide performance impact.

    “In most cases, a workload-independent workaround to mitigate Hertzbleed is to disable frequency boost,” reads the paper.

    “In our experiments, when frequency boost was disabled, the frequency stayed fixed at the base frequency during workload execution, preventing leakage via Hertzbleed.”

    This is not a recommended mitigation strategy, however, as it will very significantly impact performance on most systems.

    “Moreover, on some custom system configurations (with reduced power limits), data-dependent frequency updates may occur even when frequency boost is disabled.”

    The Hertzbleed paper, already available as a preprint, will be published at the 31st USENIX Security Symposium, taking place in Boston on August 10–12, 2022.
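
The following check is an added example, not code from the article or the paper: it audits whether frequency boost, the workaround quoted above, is disabled on a Linux host. It assumes the host uses the `intel_pstate` driver or a cpufreq driver that exposes `cpufreq/boost` (such as `acpi-cpufreq`); the directory argument is a hypothetical hook for running it against a constructed tree. A "disabled" result does not cover the reduced-power-limit configurations mentioned in the paper's caveat.

```shell
#!/bin/sh
# Added example: audit whether CPU frequency boost is disabled on Linux.
# Assumption: intel_pstate (intel_pstate/no_turbo) or a driver exposing
# cpufreq/boost is in use. The optional directory argument is a hypothetical
# test hook; by default the live sysfs is read.

# Print "disabled", "enabled" or "unknown".
boost_state() (
    root="${1:-/sys/devices/system/cpu}"
    if [ -r "$root/intel_pstate/no_turbo" ]; then
        # intel_pstate: 1 means turbo is off, 0 means turbo is allowed.
        case "$(tr -d '[:space:]' < "$root/intel_pstate/no_turbo")" in
            1) echo disabled ;;
            0) echo enabled ;;
            *) echo unknown ;;
        esac
    elif [ -r "$root/cpufreq/boost" ]; then
        # Generic cpufreq knob: 0 means boost is off, 1 means boost is allowed.
        case "$(tr -d '[:space:]' < "$root/cpufreq/boost")" in
            0) echo disabled ;;
            1) echo enabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
)

# Exit status for compliance checks: 0 = disabled, 1 = enabled, 2 = unknown.
audit_boost() {
    state=$(boost_state "${1:-}")
    echo "frequency boost: $state"
    case "$state" in
        disabled) return 0 ;;
        enabled)  return 1 ;;
        *)        return 2 ;;
    esac
}

# Query the live system only when asked to: sh check_boost.sh --check
if [ "${1:-}" = "--check" ]; then
    audit_boost
fi
```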