HITB 2016 Amsterdam: Cache Side Channel Attacks 'very dangerous'

Cache side channel attacks rely on vulnerabilities in hardware not software says Anders Fogh
Cache side channel attacks rely on vulnerabilities in hardware not software says Anders Fogh

A security researcher has shown how Intel CPU's among others are vulnerable to cache side channel attacks at the the 7th Hack in the Box Amsterdam.

The possibility  of cache side channels attacks occurred to Anders Fogh, co-founder/ vice president of engineering, Protect Software GmbH, after one researcher brought up over twitter an oversight in a talk Fogh was about to give at Blackhat. The researcher's addition of side channel attacks, “threw my plans to the wind” said Fogh.

When his Row Hammer mitigation, which was running in the background, triggered, “it detected my cache side channel attack as a row hammer attack.”  He spent a year researching side channel attacks, and it was at the 7th HITB that he revealed his work.

Most think of security vulnerabilities as residing within software, but the notable point about the cache side channel attacks is that it exploits a vulnerability in hardware. Fogh said: “Usually we think if the software is written correctly, we think are safe”. This, added Fogh “is not about bug, this is about design decisions that are made when implementing the CPU” but not changed."

Cache side channels attacks are enabled by the micro architectural design of the CPU: “There are no compatibility problems here, its just a design that could have been changed but hasn't”.

These attacks are notoriously hard, but not impossible, to defeat because they are part of hardware design.

“No vendor has defeated cache side channel attacks in microcode so far” said Fogh; Intel “have been doing five or six generations of CPU without fixing these problems”.

But, Fogh later told SCMagazineUK.com, the reason they've probably been continuing with this flaw is, “Because it's a really good cache. It's fast. Its really really well designed when the parameters are designed for speed. Hats off to Intel.”  From a cyber-security perspective things change.

That speed and bandwidth is also what makes attacks more effective. Fogh noted that one can stream high definition video through the cache alone, proving how much bandwidth there is.

The attacks work on Intel CPUs such as Sandy Bridge, which Fogh researched on, but others too.

With them one can perform a “wide spectrum” of activities including open covert channels, steal crypto keys (RSA, EDCSA, AES), spy on keyboard and mouse and  break kernel ASLR.

Furthermore, these attacks do not respect privileges as Intel's L3 cache is share globally across all users and privilege levels: “They can be done cross cpu, cross core, cross vm, cross user, out of sandbox.”

These are, "dangerous critters", concluded Fogh, and, “quite powerful”, citing their stealth, low performance cost and effectiveness. He told SC that while he hasn't seen any Cache side channel attacks carried out in the wild,  these attacks are so stealthy that one might not even pick up on them.