Researchers discovered a vulnerability in a component of modern computer processors that allows different areas of the chip to communicate with one another. To extract secret information, such as a cryptographic key, an attacker can observe how traffic from two different cores on a processor interferes with each other.
According to MIT researchers, a component of computer processors that connects different parts of the chip can be exploited by malicious agents seeking to steal secret information from programs running on the computer.
Thinking like a cyber-attacker can help organizations proactively identify potential security weaknesses and take steps to protect user data. To do this, organizations can follow these steps:
- Identify assets: Identify what user data is most valuable to the attacker, and focus on securing those assets.
- Identify attack vectors: Determine how attackers may access user data, such as phishing attacks, unsecured APIs, or exploiting vulnerabilities in software.
- Conduct penetration testing: Simulate attacks on the organization’s systems to identify weaknesses.
- Implement security measures: Implement security measures such as multi-factor authentication, encryption, and regular software updates to prevent attacks.
- Monitor activity: Regularly monitor network activity to detect any suspicious behavior, and respond promptly to any incidents.
- Train employees: Educate employees on how to identify and avoid phishing scams and other tactics attackers may use to gain access to user data.
By following these steps, organizations can better protect user data from cyber-attacks and ensure that their systems are secure.
A lot of current side-channel defenses are ad hoc – we see a little bit of leakage here and we patch it. We hope our approach with this analytical model pushes more systematic and robust defenses that eliminate whole classes of attacks at the same time.
Miles Dai
Modern computer processors contain a large number of computing units known as cores that share the same hardware resources. The component that allows these cores to communicate with one another is the on-chip interconnect. However, when multiple cores run concurrently, there is a chance that they will delay one another when they use the interconnect to send data across the chip at the same time.
A malicious agent could conduct a “side-channel attack” and reconstruct secret information stored in a program, such as a cryptographic key or password, by monitoring and measuring these delays.
MIT researchers reverse-engineered the on-chip interconnect to investigate how such an attack could be carried out. Based on their findings, they created an analytical model of how traffic flows between processor cores, which they used to design and execute surprisingly effective side-channel attacks. They then created two mitigation strategies that allow a user to improve security without physically altering the computer chip.
“A lot of current side-channel defenses are ad hoc – we see a little bit of leakage here and we patch it. We hope our approach with this analytical model pushes more systematic and robust defenses that eliminate whole classes of attacks at the same time,” says co-lead author Miles Dai, MEng ’21.
Probing processors
A modern processor is structured like a two-dimensional grid, with multiple cores arranged in rows and columns. Each core has its own cache where data is stored, as well as a larger cache shared by the entire processor. When a program on one core needs to access data in a cache on another core or in the shared cache, it must send the request and retrieve the data via the on-chip interconnect.
Though it is a large component of the processor, the on-chip interconnect remains understudied because it is difficult to attack, Dai explains. A hacker needs to launch the attack when traffic from two cores is actually interfering with each other, but since traffic spends so little time in the interconnect, it is difficult to time the attack just right. The interconnect is also complex, and there are multiple paths traffic can take between cores.
The MIT researchers designed programs that would intentionally access memory caches located outside their local cores in order to study how traffic flows on the interconnect. “We can understand what the rules are behind traffic flows on the interconnect by testing out different situations, trying different placements, and swapping out locations of these programs on the processor,” Dai says.
They discovered that the interconnect functions similarly to a highway, with multiple lanes in each direction. When two traffic flows collide, the interconnect employs a priority arbitration policy to determine which traffic flow will proceed first. More “important” requests, such as those from programs critical to the operation of a computer, take precedence.
Using this information, the researchers built an analytical model of the processor that summarizes how traffic can flow on the interconnect. The model shows which cores would be most vulnerable to a side-channel attack. A core would be more vulnerable if it can be accessed through many different lanes. An attacker could use this information to select the best core to monitor to steal information from a victim program.
“If the attacker understands how the interconnect works, they can set themselves up so the execution of some sensitive code would be observable through interconnect contention. Then they can extract, bit by bit, some secret information, like a cryptographic key,” Paccagnella explains.
Effective attacks
The researchers were surprised by how quickly the side-channel attacks worked when they used this model to launch them. They were successful in recovering complete cryptographic keys from two different victim programs.
They used their analytical model to design two mitigation mechanisms after studying these attacks. The system administrator in the first strategy would use the model to determine which cores are most vulnerable to attacks and then schedule sensitive software to run on less vulnerable cores. The administrator could reserve cores near a vulnerable program and run only trusted software on those cores for the second mitigation strategy.
Both mitigation strategies were found to significantly reduce the accuracy of side-channel attacks by the researchers. Because neither requires the user to make any changes to the physical hardware, Dai believes the mitigations would be relatively simple to implement.
Paccagnella hopes that their work will inspire other researchers to investigate the security of on-chip interconnects. “We hope that this work demonstrates how the on-chip interconnect, despite being such an important component of computer processors, remains an underutilized attack surface. In the future, as we design systems with improved isolation, we must not overlook the interconnect” He continues.
