Hertzbleed: A New Side-Channel Attack

Hertzbleed is a new side-channel attack that works against a variety of microprocessors. Deducing cryptographic keys by analyzing power consumption has long been an attack, but it’s not generally viable because measuring power consumption is often hard. This new attack measures power consumption by measuring time, making it easier to exploit.

The team discovered that dynamic voltage and frequency scaling (DVFS)—a power and thermal management feature added to every modern CPU—allows attackers to deduce the changes in power consumption by monitoring the time it takes for a server to respond to specific carefully made queries. The discovery greatly reduces what’s required. With an understanding of how the DVFS feature works, power side-channel attacks become much simpler timing attacks that can be done remotely.

The researchers have dubbed their attack Hertzbleed because it uses the insights into DVFS to expose, or bleed out, data that’s expected to remain private.

[…]

The researchers have already shown how the exploit technique they developed can be used to extract an encryption key from a server running SIKE, a cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel.

The researchers said they successfully reproduced their attack on Intel CPUs from the 8th to the 11th generation of the Core microarchitecture. They also claimed that the technique would work on Intel Xeon CPUs and verified that AMD Ryzen processors are vulnerable and enabled the same SIKE attack used against Intel chips. The researchers believe chips from other manufacturers may also be affected.

Posted on June 20, 2022 at 6:23 AM

Comments

Anonymous June 20, 2022 7:22 AM

It’s “hertzbleed” (from the unit of frequencies), not “hartzbleed” (from some mixture on quartzbleed and the well known heartbleed, as I first guessed when seeing the title)…

Q June 20, 2022 7:23 AM

#include <stdlib.h>
#include <time.h>

/* do_crypto(), inputs_t and outputs_t are placeholders for the real routine */
outputs_t crypt(inputs_t inputs) {
    outputs_t outputs = do_crypto(inputs);
    struct timespec pad = { 0, rand() % 99999 };   /* random 0..99998 ns delay */
    nanosleep(&pad, NULL);
    return outputs;
}

John June 20, 2022 7:38 AM

hmm….

Computers are secure??!!

I wonder how secure bank cards really are?

Easy to clone? Easy to reprogram?

What is the real protocol?

John

Ted June 20, 2022 9:04 AM

The good news is that this attack is admittedly hard outside a tightly controlled lab environment. Two of the academic researchers spoke about this issue on Intel’s Chips and Salsa video series.

You can see a transcript of the video on YouTube. Here’s a small excerpt. (Note: I’ve edited it slightly for readability.) From about minute 10:30:

CRob: … how challenging would this be to execute this attack in a real network in a real environment?

Chen Liu: … that’s a good question so yeah … it really takes quite a long time to recover a secret key from the cryptography algorithm … the reason is that there is uh the signal to noise ratio

…this is mainly because the signal … is coming from the average power consumption of the victim program running in a certain time window and the time window is much much longer than a typical cryptography workload

…so in order to get a signal the attacker needs to repeat the program over and over during the window for like for tens hundreds or even millions of times to get enough signal

The fact that they ran this attack against SIKE, a post-quantum cryptography candidate, is kind of interesting though.

https://community.intel.com/t5/Blogs/Products-and-Solutions/Security/Chips-Salsa-Episode-19-June-2022-Security-Advisories-Hertzbleed/post/1392094

Trevor June 20, 2022 9:07 AM

A lot of side channel attacks these days seem related to dynamic power management. Would these likely be invalidated if the processor (or OS) randomly added jitter and occasionally high power spikes? Or is this unlikely to add enough noise to be practical?

Clive Robinson June 20, 2022 9:30 AM

@ John,

Re : Computers are secure?

First define what you mean by “secure”…

@ ALL,

This is another “work to time domain” side channel attack.

Not a new idea but a newish and easier way to do it.

The basic physics are simple,

1, Work requires energy over time.
2, No work process is 100% efficient.
3, The inefficiency becomes the most dangerous pollution of all “heat”.

Heat or the increase in atomic vibration is highly destructive if not conducted, radiated, or convected away.

Like all movements of energy it can carry information impressed / modulated upon it.

In this case the “sensor” to the increase in heat is part of the CPU chip and as such it has a faster, finer, or both response to heat change than a sensor on the chip package or heat sink or ambient temperature in the system case. All of which have been used before.

The problem for an attacker is that heat energy is a very ineffective communications medium. So you need a transducer to convert the change in heat energy to something that conducts or radiates much more effectively and with better bandwidth and channel characteristics than heat and the standard channels it travels through.

The basic energy choices are,

1, Acoustic vibrations
2, Electrical charge conduction
3, The E or H fields of EM radiation.

But the choice of transducer is a Hobson’s Choice of what is built into the system.

In the past, researchers have used,

1, Fan acoustic noise.
2, Fan electrical noise.
3, Fan EM noise.
4, Change in system clock crystal frequency.
5, System EM noise
6, When turned on, the Spread Spectrum signal of certain motherboards’ EMC reduction systems.
7, Software “loops” and similar.

Obviously the better transducers give an attacker more information bandwidth and less latency, but as with fan noise may be of very limited range. Whilst the “Delta F” of the system clock gets impressed on network timing so can be detected from the other side of the world.

Mostly the bandwidth is fractions of a Hertz and the signals observed fractions of that. The change in XTAL frequency giving only one or two bits reliably in an hour.

However, as we go for “lighter, faster, more efficient” Smart Devices, not only does the bandwidth of existing channels go up, new IO and thermal management devices can be used as new transducers to help “liberate information”…

So expect to see more of these types of side channel attacks in the future.

Ted June 20, 2022 10:14 AM

I may have made an error in my previous comment. Chen Liu was an Intel security researcher. The Hertzbleed academic researchers speak later in the episode. 🥲

From their paper:

Intel committed to awarding us a bug bounty. Cloudflare and Microsoft deployed a mitigation to CIRCL and PQCrypto-SIDH, respectively.

Clive Robinson June 20, 2022 10:59 AM

@ Trevor,

Would these likely be invalidated if the processor (or OS) randomly added jitter and occasionally high power spikes? Or is this unlikely to add enough noise to be practical?

Back last century the Smart Card industry was the place where power spectrum side channel attacks “were happening”.

The industry tried variations on what you suggest and they all failed for various reasons (I can go into them but it would be a very long post).

In short the longer you “average” the better the “signal to noise ratio” you as an attacker get, whilst the defenders see their noise average ever lower (halves as sample average doubles).

Ross J. Anderson, decided to try “unclocked logic” which would have the effect of making the signal too difficult to average. By kind of making it Chaotic like a double or triple armed pendulum.

As I pointed out, to Ross the trouble with “unclocked logic” is that like the effect in single arm/rod pendulums Christian Huygens had observed centuries before, you could by adding a little energy get things to synchronise in what in electronics is called “injection logic”. Back in the 1980’s I’d quite a bit of experience using EM Radiation not just to do “injection locking”, but also getting “cross modulation” to carry information out of a computer system without having to make electrical or other physical connections to it. Worse I’d worked out how to “fault inject” by amplitude and frequency modulation of the EM carrier.

A researcher in Belgium whose name I’m ashamed to say I’ve forgotten, was kind enough at Ross’s behest to send me a preprint of a paper where they were using pulses of EM energy using “pico inductors” to actively flip memory bits from outside the chip package. It was a logical follow on from earlier research using IR laser diodes on unpackaged chips.

As our host @Bruce has observed in the past,

“Attacks always get better, they never get worse”

As I’ve noted there are three fundamental ways to get side channel attacks to work better or further,

1, Up the energy in the signal.
2, Reduce the energy of the noise.
3, Repeat/amplify the signal via a transducer that has the effect of 1, 2, or both.

Pays your money, takes your choice…

However just the other day we were talking about manufacturing spread, causing unique IDs in the analogue circuitry of BlueTooth/WiFi chips analogue sections (modulator).

Such analogue circuitry as an EM signal modulator, makes an excellent “transducer” to carry out sensitive information as a “side channel”…

For reasons I’ve mentioned in the past I’d start your “stop watch” to see when the first academic paper (probably by a PhD student at the likes of Usenix) on it comes out.
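Q’s random-delay suggestion above and Clive’s reply that averaging defeats it can be put in numbers. The following is an added example, not code from the page or from the Hertzbleed researchers; every constant in it is constructed, and `observe`, `snr_at`, `samples_for_snr` and `mean_gap` are names chosen for this toy model.

```python
"""Toy statistics behind the thread's argument about random delay.

Added example, not from the page or the Hertzbleed paper: it models Q's
nanosleep(rand() % 99999) suggestion as a uniform random delay and shows
Clive Robinson's point that averaging shrinks the delay's effect as
1/sqrt(n), so a secret-dependent timing difference is delayed, not hidden.
All numbers are constructed (nanoseconds) and carry no real measurement.
"""
import math
import random
import statistics

LEAK_NS = 20.0        # constructed: timing gap between two secret-dependent cases
JITTER_NS = 2000.0    # constructed: maximum of the uniform random delay
NOISE_SD_NS = 50.0    # constructed: Gaussian measurement noise


def observe(case: int, rng: random.Random, jitter_ns: float = JITTER_NS) -> float:
    """One timing sample for case 0 or 1: fixed cost + leak + jitter + noise."""
    base = 1_000_000.0 + LEAK_NS * case
    return base + rng.uniform(0.0, jitter_ns) + rng.gauss(0.0, NOISE_SD_NS)


def per_sample_sd_of_gap(jitter_ns: float = JITTER_NS) -> float:
    """Std. dev. of (one case-1 sample) - (one case-0 sample).

    Jitter ~ Uniform(0, J) has variance J^2/12; it adds to the noise variance,
    and the difference of two independent samples doubles the total.
    """
    var = jitter_ns ** 2 / 12.0 + NOISE_SD_NS ** 2
    return math.sqrt(2.0 * var)


def snr_at(n: int, jitter_ns: float = JITTER_NS) -> float:
    """Leak divided by the standard error of the averaged gap after n samples per case."""
    return LEAK_NS * math.sqrt(n) / per_sample_sd_of_gap(jitter_ns)


def samples_for_snr(target_snr: float = 5.0, jitter_ns: float = JITTER_NS) -> int:
    """Samples per case needed before the leak is target_snr standard errors above noise.

    n grows with the square of the jitter: doubling the delay roughly quadruples
    the averaging work, it never makes the gap unrecoverable.
    """
    n = (target_snr * per_sample_sd_of_gap(jitter_ns) / LEAK_NS) ** 2
    return math.ceil(n)


def mean_gap(n: int, seed: int = 1, jitter_ns: float = JITTER_NS) -> float:
    """Empirical check: average n jittered samples per case and subtract."""
    rng = random.Random(seed)
    mean0 = statistics.fmean(observe(0, rng, jitter_ns) for _ in range(n))
    mean1 = statistics.fmean(observe(1, rng, jitter_ns) for _ in range(n))
    return mean1 - mean0


if __name__ == "__main__":
    for j in (0.0, JITTER_NS, 2 * JITTER_NS):
        print(f"jitter <= {j:6.0f} ns: need {samples_for_snr(jitter_ns=j):>7} samples/case")
    n = samples_for_snr()
    print(f"snr at n=100: {snr_at(100):.2f}; at n={n}: {snr_at(n):.2f}")
    print(f"measured gap after {n} samples/case: {mean_gap(n):.1f} ns (true {LEAK_NS} ns)")
```

The same arithmetic applies to any added noise source: it raises the sample count an observer needs, which is why the thread keeps coming back to removing the secret-dependent difference itself rather than masking it.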

Clive Robinson June 20, 2022 11:32 AM

@ Bruce,

Perhaps it is time you wrote a piece on the fundamental problem behind these time based side channel attacks, which is,

“The need at the crypto algorithm level to do things strictly in sequence”.

The average block cipher uses Feistel Rounds, that all have to be done in a fixed order sequence. This makes certain parts of such time based attacks completely trivial. Like glancing at a clock you know where the hands / display is going next, the only thing you have to do is synchronize your thinking to them it’s trivial.

So the question arises why are we designing algorithms to work in the strict sequence order, especially when with a little thinking it’s probably not necessary.

Take the addition or multiplication algorithms most were taught at school. Although we tend to do them in a fixed ordered sequence it takes only a moments thought to realise that much of them can be done in “any order” and it’s only the “carry” that has –sometimes– to be done in order.

If we designed cryptographic algorithms so the base logic functions could be done in any order, then we could do just that.

That is as long as they all got done they could be randomized all the time.

OK it would add a small performance hit to the algorithm but… Provided the randomization was done effectively it would increase the attackers work factor enormously because they would get not sequential signals they could relatively easily average, they would get random permutation signals they could not average.

Something algorithm designers should have a think about.

David Leppik June 20, 2022 11:38 AM

It seems to me that more and more of this computing needs to be done on cryptographic chips rather than on general-purpose CPUs. Not that this will fix things automatically, but it keeps chip designers from being tempted to do things that make side-channel attacks more likely, such as speculative execution and variable clock speeds.

At the same time, this might not be easy, since more and more general computation needs to be cryptographically secured. You can’t just open up the security chip for anyone to run any program; it needs to be limited to the specific set of operations that can be tested against attacks. Not just side-channel attacks, but DOS and the like.

Winter June 20, 2022 1:49 PM

@David Leppik

… but it keeps chip designers from being tempted to do things that make side-channel attacks more likely, such as speculative execution and variable clock speeds.

Actually, constant time cryptography is already a thing:
ht-tps://research.redhat.com/blog/article/the-need-for-constant-time-cryptography/

As are constant power processing units for cryptography
ht-tps://www.researchgate.net/publication/221107721_Multiple-Valued_Constant-Power_Adder_for_Cryptographic_Processors

Ted June 20, 2022 6:46 PM

@Trevor, Clive, David Leppik, Winter, All

Congratulations! All your suggested mitigations align with those listed in Intel’s paper. Note: Intel has its own paper. Here are a few of the eight mitigations they list in Table 4:

  • Existing traditional power side-channel mitigations (e.g., masking, key refresh)
  • Add randomness to the reactive limit

In their tests, they use the AES-128 algorithm.

You might also enjoy the following on Hertzbleed:

https://ellipticnews.wordpress.com/2022/06/14/hertzbleed-attack/

What does this mean for ECC in general? At the moment the timing channel does not seem to be fine-grained enough to attack constant-time elliptic curve systems in use.

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/jAj_8Hreqc0/m/y72n4mMvAQAJ

To protect SIKE one needs to include a public-key validation step in the decapsulation function that rejects malformed, invalid public keys that produce such long series of zeroes. The countermeasure is now included in the SIDH library

SpaceLifeForm June 20, 2022 7:18 PM

@ Ted

The good news is that this attack is admittedly hard outside a tightly controlled lab environment.

No, that is False. It is spin.

The attacker can do the attack slowly in off-hours, when there is little network traffic, when the server may have moved into power saving mode.

But, then the attacker wakes up the server. And the Hertz change.

As I said, when “Constant Time” is not.

It is very important to understand that the attacker will be using chosen ciphertext.

https://en.m.wikipedia.org/wiki/Chosen-ciphertext_attack

So, during off-hours, the attacker, using the chosen ciphertext, can get the server to leak.

It will certainly take many nights, possibly over months, but eventually the private key will leak, one bit at a time.

Erdem Memisyazici June 20, 2022 7:57 PM

@Anonymous

“It’s “hertzbleed” (from the unit of frequencies), not “hartzbleed” (from some mixture on quartzbleed and the well known heartbleed, as I first guessed when seeing the title)…”

Thanks for pointing this out.

Ted June 20, 2022 8:04 PM

@SpaceLifeForm

So, during off-hours, the attacker, using the chosen ciphertext, can get the server to leak.

What do you think about this statement from Intel?

Also note that cryptographic implementations that are hardened against power side-channel attacks are not vulnerable to this issue.

Intel also released guidance for cryptographic implementations with regards to INTEL-SA-00689.

lurker June 20, 2022 8:09 PM

@Ted re “cryptographic implementations that are hardened against power side-channel attacks”

The software will just take longer to break, but break it will if the hardware is still leaking . . .

Ted June 20, 2022 8:41 PM

@lurker

but break it will if the hardware is still leaking . . .

I mean technically it’s CPU frequency throttling in response to a workload.

SpaceLifeForm June 20, 2022 8:42 PM

@ Ted

Beware the oracle

Rabbit holes can go deep, but underneath, there is an oracle that will leak one bit at a time.

hxtps://intensecrypto.org/public/lec_06_CCA.html

hxtps://blog.cryptographyengineering.com/2012/05/19/how-to-choose-authenticated-encryption/

SpaceLifeForm June 20, 2022 9:12 PM

@ lurker

how long would it take to exfiltrate a key if the cpu is bolted down at constant speed and constant power?

Infinite comes to mind.

If one uses “Constant Time” crypto coding, on a chip that has a locked in frequency, it would be very difficult.

Not saying impossible. There could be backdoors, especially microcode level.

Maybe this is a reason to separate the crypto from the comms.

Ted June 20, 2022 9:50 PM

Sorry @lurker. I had missed this comment for a sec…

thanks for the google-groups link;

Sure thing! I was happy to see it too! And to your comment on the M1 chip, it definitely reflects a thoughtful awareness of the many factors at play.

Clive Robinson June 20, 2022 11:41 PM

@ lurker, SpaceLifeForm, ALL,

how long would it take to exfiltrate a key if the cpu is bolted down at constant speed and constant power?

Is the wrong question, based on incorrect assumptions.

If you go back to physics you know,

1, The encryption is work
2, Work is inefficient
3, Energy can not be destroyed only moved / dissipated over time.
4, The movement of energy or matter in time is a signal.
5, All Signals can be measured / observed.

If you bolt down speed and power, then for actual “productive work” to be done the signal has to appear in a different domain.

All signals exist in a “Shannon Channel” it’s as fundamental to life as thermodynamics.

So you need to ask,

“Which domain will the signal appear and which Shannon Channel will it appear in?”

If you doubt this have a think about the cosmic microwave signals still leaking information about the “big bang”.

There are two basic tricks to limiting signals

1, Limit the channel bandwidth.
2, Limit the signal energy.

Both limit the energy movement in some way but it remains detectable even in the presence of noise.

In electrical circuits it is the movement of charge in a coherent way that gives us a signal.

Charge can be stored in “cells” or “reactive” components. It becomes dissipated in resistive components via heat that can be conducted, radiated or convected into the more general environment in a process ultimately called entropy. Each of these three movement types have an associated Shannon Channel…

So any information impressed / modulated on the charge movement will get out into the general environment, it can not be avoided.

It’s a little like the “air bubbles under wall paper” problem, if you push it down in one place, it simply pops up in another.

You have to work out what channel the signal appears in and how to dissipate it so it becomes part of the background noise that an opponent can not monitor sufficiently well to make it useful.

Without going into tedious detail to detect a signal you have to be able to synchronize to it in some way.

Thus the best line of defence is to prevent synchronisation, which can be difficult.

In fact “constant speed” is “constant time” which allows for very accurate synchronization even in very high noise levels. Put simply a tuned circuit based on reactive components in theory has no loss, so any in-phase signal constructively adds to the amplitude of the resonance, so eventually a usable synchronisation signal will be obtained.

Essentially that is what you do when you “average” the signal over many many events.

Once you have synchronisation, you can then use it to make the measurement process. Again averaging over a long enough period of time will give the “key” because it is both static and in many algorithms position invariant.

It’s why making the algorithm such that the key bits are randomly variant in order stops the averaging process from working far better than trying to hide it under added faux noise, that gets averaged out to zero over time.

SpaceLifeForm June 21, 2022 1:32 AM

@ Ted, lurker

re: @hashbreaker

It looks like Daniel Bernstein and I are on the same page, and he knows way more crypto than me. So, I will take this as confirmation that I am not an idiot. Thank you Dan. I love 25519.

From the nist thread on google groups:

For example, if a server CPU is always running at its base clock speed,
then there’s no information flow from secrets to the clock speed, so
it’s useless for attacks to inspect the clock speed, whether directly or
indirectly via timings.

Some Random bits! Guaranteed Random. Nine. Nine. Nine.

https://timing.attacks.cr.yp.to/

lurker June 21, 2022 3:58 PM

@Clive Robinson

I asked if the processor is working at constant speed and constant power. Some of the time it is performing my crypto functions, some of the time it is crunching random numbers. Sure, that’s inefficient. That’s the price I pay. How does the attacker know what is being processed at any given time?

JonKnowsNothing June 21, 2022 4:45 PM

@lurker, @Clive

re: How to know what’s being run?

I also spent some time considering this and I think a partial answer is that unless you can mimic 100% of the pathway all the time there will be some fluctuation.

Using a car as example:

  • If I drive on the road and push the gas pedal to 65mph 3,000rpm, there is an energy signature for this: engine, tires, wind resistance.
  • If I’m parked and rev the engine to the equivalent of 65mph 3,000rpm, there is going to be a noticeable difference in signal output.
  • If I’m in a wind tunnel with traction dynamometer I may get close to the RL effect but the RL effect isn’t 100% replicated because RL roads have bumps and cross winds and other factors affecting the output.

ymmv I’m getting 26mpg… but only when the car is in motion…

===

Search Terms

Dynamometer

Clive Robinson June 21, 2022 9:42 PM

@ lurker, JonKnowsNothing,

Re : Crypto or not.

How does the attacker know what is being processed at any given time?

The answer is,

“They don’t but they can infer in an ever more exact way”

As, @JonKnowsNothing indicated with the car example there are,

1, Qualitative
2, Quantitative
3, Sequence

Aspects that also fall in larger expected patterns.

That is “processes” have both fine and coarse signatures of “code” and processes tend to be utilised in a workflow pattern that has its own signature. Random has a very different signature.

Think the best example of The Four Seasons violin concertos composed by Antonio Vivaldi compared to white noise.

If you have a fine musical ear not only do you hear the music, you can feel it as well, some can visualize the movements of the musicians hands and fingers. Also in some cases like the voices of singers you can identify the individual instrument players by their fine motor control that adds additional colour and tone and detect also tiny flaws that feel wrong to the ear[1].

We’ve written computer programs that can spot all of this in music and identify the persons even in a piece of music new to the software.

Random is white noise it is “average” at every point in frequency and time and it sums to zero. That is it has no structure and is easily averaged out. Where as music has complicated interlocking patterns that form “signatures” that don’t average in of themselves but decay into or blend into other sub signatures, giving structure on many levels.

There is an old joke about “Heavy Rock Music” and “VU meters” which is,

“The way you tell heavy rock from noise is the VU meters twitch less”

Indicating if it really need be said that heavy rock is about the continuous power that assaults the senses from the gut to the eyes and all nerves in between…

Your usage of a computer is at least as stylistically sensitive as your choice of music, and it can be detected.

As I’ve mentioned before the very low frequency effective luminance signal your “high efficiency” flat screen puts at the point electrical power is brought into your home can very easily identify what you are watching… So next time you are watching something you might find embarrassing if others knew (such as “When Harry met Sally”)… Remember your “Smart Meter” can “grass you up” to anyone around the world who can get access to it as an “instrument head”.

[1] I get an annoying jar in “il silenzio” where to me it goes the wrong way, thus jars the flow, likewise in “The Lark ascending” by Vaughan Williams. Others get a similar feeling about the section “but how great the change from major to minor every time we say good night” in Cole Porter’s “Every Time We Say Goodbye” that for me works but at an entirely different emotional level.

FA June 22, 2022 5:07 AM

@Clive

I get an annoying jar in “il silenzio” where to me it goes the wrong way

If such simple harmonic maneuvers seem to ‘go the wrong way’ then you should listen to . Start at 09:30 (the second movement), quite cuddly until e.g. 13:08, where you probably will ‘get a jar’.

And that’s quite simple compared to what other 20th century composers have produced later. It takes some time to get used to, but once you are such things become very expressive.

Security Sam June 22, 2022 1:39 PM

Since the Hertzbleed attack is rising
And is about to become the prevailing
Those upgrading their Dell and Ryzen
Will most likely be weeping and wailing.

SpaceLifeForm June 22, 2022 5:22 PM

@ Security Sam

Call me paranoid

I have a now two year old Ryzen box that has still not seen power. Sitting on the floor. I use it as a table. A small expensive table. I still am not sure if I am confident enough to ever power it up, even with no ethernet cable.
