2018 started off with some pretty big news; Intel and, to a lesser extent, AMD were affected by a number of branch prediction security holes. Spectre and Meltdown have led to a number of software and hardware changes (though hardware changes are not possible with older chips), some of which will decrease performance. Now the end of 2018 has revealed a major new security issue named Portsmash. This vulnerability exploits a hallmark of modern processor design: Simultaneous Multi-Threading (SMT).
At its core, SMT is a pretty smart technology: it allows a CPU core to work more efficiently by processing two different jobs at once, which in simple terms means filling up the CPU’s idle time. Tests have shown that SMT gains about thirty per cent performance on average. The first mainstream desktop CPU to utilise the technique was the Intel Pentium 4, way back in 2002.
Portsmash is a new “side-channel” vulnerability (similar to Spectre and Meltdown) where CPUs can be tricked into leaking data from internal processes. The technique was discovered by a team of academics from the Tampere University of Technology in Finland and Technical University of Havana in Cuba.
The insides of CPUs are pretty safe. Data is usually encrypted during processing, and locked down such that malicious agents can’t get to it. Portsmash changes this by deliberately running malicious code on the other SMT thread of the same physical core and slowly leaking parts of the data out. This occurs over time, and allows hackers to reconstruct what the original encrypted data was. However, it means running the same processes again and again, a scenario that’s not inconceivable if you’re talking about large data centres.
The researchers have released a proof-of-concept attack that affects Intel CPUs. While there’s yet to be a similar release for AMD’s chips, it might be that Ryzens and their offshoots are also affected. However, AMD’s implementation of SMT might be more secure, or might not have the same kind of vulnerability as Intel’s. Time will tell.
Bill Brumley is one of the five researchers who uncovered the exploit. He said that “Our attack has nothing to do with the memory subsystem or caching.”
Brumley further explained that “The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side-channel to exfiltrate information from processes running in parallel on the same physical core.”
Brumley is also calling for an end to SMT as a concept in CPU design. Indeed, Portsmash isn’t the first exploit to use SMT as the channel through which secured data is extracted. Last year, a similar issue affecting Intel’s Hyper-Threading was discovered (TLBleed). The issue was serious enough that OpenBSD turned off Hyper-Threading by default when it detected an Intel CPU.
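The blunt mitigation OpenBSD chose, turning SMT off, can be audited and applied on Linux as well. The script below is an added example, not code from the article or from the researchers; it assumes a Linux host exposing sysfs CPU topology and the kernel's global `smt/control` switch (present since 4.19), and it only reports and advises from the defender's side.

```shell
#!/bin/sh
# Added example (not from the article): audit whether SMT/Hyper-Threading is
# active, because sibling threads on one physical core share execution ports,
# which is the surface PortSmash's port-contention timing channel relies on.
# Assumes Linux sysfs; SYSFS_CPU can be overridden for testing.

SYSFS_CPU="${SYSFS_CPU:-/sys/devices/system/cpu}"

# Given the contents of thread_siblings_list files, one per line (formats
# such as "0,4", "0-1" or a lone "6"), return how many distinct physical
# cores expose more than one hardware thread. Each core's list appears
# once per sibling, so duplicates are collapsed first.
count_smt_cores() {
    printf '%s\n' "$1" | sort -u | awk -F'[,-]' 'NF > 1 { n++ } END { print n+0 }'
}

# Report the kernel's global SMT switch: on, off, forceoff, notsupported,
# or "unknown" when the sysfs file is absent (older kernel or non-Linux).
smt_control_state() {
    if [ -r "$SYSFS_CPU/smt/control" ]; then
        cat "$SYSFS_CPU/smt/control"
    else
        echo "unknown"
    fi
}

# Exit status 1 when SMT is active, so this can gate a CI or fleet check.
audit_smt() {
    lists=$(cat "$SYSFS_CPU"/cpu[0-9]*/topology/thread_siblings_list 2>/dev/null)
    shared=$(count_smt_cores "$lists")
    echo "smt/control: $(smt_control_state)"
    echo "physical cores with a sibling hardware thread: $shared"
    if [ "$shared" -gt 0 ]; then
        echo "SMT is active: co-resident threads share execution ports."
        echo "To disable at runtime (root): echo off > $SYSFS_CPU/smt/control"
        return 1
    fi
    echo "SMT is not active on this host."
    return 0
}

audit_smt
```

Turning SMT off costs the throughput the article describes, so an alternative on multi-tenant hosts is to keep untrusted workloads and secret-handling workloads off the same physical core.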
Is this the end of SMT? Will people be happy with losing thirty per cent of their computer’s performance in one hit? Or is there a way to make SMT secure and immune to such attacks?