Free Trial
Contact Us
Podcast

Root Causes 333: Intel Side Channel Attack Steals Private Keys

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
September 21, 2023

A newly revealed side channel attack can capture AES encryption keys from Intel chips. We explain this significant and powerful attack.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanToday we want to talk about an August 2023 attack called Downfall. So tell us about Downfall.
Jason SorokoJason SorokoHey, Tim. One of the real bad scenarios for anybody who is trying to keep a secret is to have parts of a secret or the entire secret that might be revealable through some sort of means from the computation system itself. Now, you and I have talked in this podcast about side channel attacks and other ways people can listen in and somehow glean information from something happening within the vicinity of where the attack is taking place. So, in other words, I’ll give you a good example. We've had things that are literally listening in to the amount of electricity going through particular parts of a memory chip, and that was enough to be able to determine what was going on.
Tim CallanTim CallanOr the sound that the chip makes.
Jason SorokoJason SorokoThe sound. Exactly. So what it turns out is this particular attack is really looking at Skylake, through Tiger Lake Intel chips, and I'm not sure if there were other companies involved but this Downfall attack is specifically talking about Intel processors from that sixth generation 2015 to 2019 is I believe. And if you're interested in this, we're looking at CVE-2022-40982.

So Intel has posted on this if you want to look at it. Really, you’re talking about registers within the affected chips that are really, a lot of thought has gone into how to not leak information within these chips and so things like Intel SGX, right, hardware based memory encryption technology, these are all things that we've heard about. I don't know if we talked about that much on this podcast, but it really is ways to try to protect from side channel attacks, a way from protecting from leakages. But the problem is that it looks like registers within these chips are giving up and what I mean by that, they are literally leaking characters, bits from these registers that allow attackers to actually determine from the leaked memory essentially AES 128 bit and 256 encryption keys.

There were demonstrations of this by the researcher, Daniel Moghimi, I believe. Forgive me if I pronounced that wrong. But, it was demonstrated that AES encryption keys were actually lifted from the chip by looking at these registers, which are giving up information and one of the reasons why they're giving up that information is because of Intel, of course, wanting to be very, very efficient in its usage and spec, you might have heard about things like speculative computing within these chips, so that the chips are actually super-duper optimized for how memory handling is happening. And unfortunately, because of this optimization within the chip, there seems to be some data leakage at the register level, allowing for this kind of an attack. And what's scary, Tim, just to put the final thought on it is, that's a lot of chips over a significant number of years and, that's why people have called it out earlier on August. And that's why we want to talk about it here.
Tim CallanTim CallanOnce that the key is leaked, we talk about a lot of these side channel attacks, and you're trying to figure out various things that the chip is doing. But once you use the side channel attack to get that key leaked, then of course, you don't even depend on that chip and that side channel attack anymore. Like once you know that, you can just plain decrypt.
Jason SorokoJason SorokoExactly.
Tim CallanTim CallanLike the power, just the expansiveness and the persistence of that harm is really vast. If I can use the side channel attack under specialized circumstances, and I can get that key and now I know that key, great. Now anytime, until such a time as the attacked entity realizes that this key has been stolen, which maybe they won't, then that key can continue to be used. You can come back tomorrow or in a week, or in six months, and potentially still unlock somebody's secrets.
Jason SorokoJason SorokoYou got it. And sometimes, if you're using those kinds of encryption keys, you are obviously protecting something that's important. So it's just bad.

If you want to read more about this, apparently, I wasn't at BlackHat this year, Tim, but apparently, so at the USENIX Security Symposium, August 11, and BlackHat August 9. Obviously, there's a presentation on this floating around. Intel has talked about ideas for how to mitigate. The problem is mitigating this might actually really degrade the performance of your chip. It's such a significant problem. That is why we're calling it out here on the podcast for people who are using that particular generation of chips within their computing systems, you just, you're gonna have to be aware of this.
Tim CallanTim CallanThere's nothing I can do. If I'm using one of these chips, I can't take action to protect myself from this particular attack.
Jason SorokoJason SorokoWell, I think that Intel, and this is probably out of date information as of even by the time we're speaking here, anybody who really wants to look this up really should look it up.
Tim CallanTim CallanThis is a dynamic story for sure.
Jason SorokoJason SorokoIt is a dynamic story. What I will say is, it looks like Intel is probably going to have some sort of opt out mechanism in the microcode. In other words, you can disable the things, disable the optimizations, essentially, for lack of a better way of saying it. Disable the optimizations within the chip, that are leading to this problem. And, even the researcher himself has said that that's probably not a great idea. Because, there are reasons for that. So the problem is that the mitigations are potentially there, but you really need to know what you're doing before you flip on that mitigation. It's not like insert a hot patch here and everybody is happy.
Tim CallanTim CallanGotcha. That would be the hope, right? Would be exactly that the, the, the deep thinkers at the tech vendor come up with a patch, they give it to you, and you put it on, and you can rely on the fact that they did it correctly. This isn't that simple.
Jason SorokoJason SorokoYou got it. So, 2015 through 2019 chips, 6th Gen Skylake, 11th Gen Rocket Lake and Tiger Lake, but my understanding is any of the 12th generation chips do not have this problem. That's my understanding, as of everything I've read so far. But man, that's 6th Gen Skylake and what I just said earlier, that's a lot of chips. Intel pumped a lot of chips out into the world and, I'd be surprised if a large organization doesn't have some of those chips somewhere in their organization.
Tim CallanTim CallanNow, I think there was a similar attack against AMD, Called Inception. I remember reading about this. It wasn't getting your cryptographic keys, but it was getting real sensitive information. I think they could use it to get a root password for instance. Iit sounds to me like it's a very similar attack. Is that right?
Jason SorokoJason SorokoIt definitely rhymes. It's a similar kind of attack, where they were looking at registers, etcetera. And so, when we're talking about AES encryption keys, as an example, potentially being stolen, that was part of what was being demonstrated. Keep in mind that a clever attacker can also use the same kind of registers to do key logging. Just straight up key logging.
Tim CallanTim CallanSure. There you go.
Jason SorokoJason SorokoSo you might be saying, oh, don't worry, I don't put encryption keys on general computers. I keep them in a different place, so I'm safe. Well, the problem is that even key logging is possible with this particular kind of an attack. Every time you press a key, it's basically floating through memory somewhere. If it's going through these affected registers with the optimization that's on I would imagine that an attacker could find those things within that available memory that's being leaked and so it's a bigger problem than even just like the nightmare scenario of the demonstrated AES encryption key is, you know, that's very dramatic and it shows how just how bad it can be but a lifted password can sometimes be almost as bad.
Tim CallanTim CallanSure. Absolutely. And the lifted key got our attention. We were like, hey, we have to talk about this. Someone stealing your keys through a side channel attack. But if I can sit in key log, I can perhaps do all the same damage.
Jason SorokoJason SorokoHey, you get the right privileged person’s password, you can do a lot of bad things with that. We’ve seen that over and over again.
Tim CallanTim CallanJust if I log all of your keystrokes, I can learn all kinds of things very directly. I can learn the content that you're typing into your computer. That might be what I need to know. Yes, absolutely.

Side channel attacks, I feel like we're hearing about them more and more. Do you think this is an attack vector that's on the rise?
Jason SorokoJason SorokoI think it is one where good researchers are just putting their brains to it. Don’t forget, these are a couple year old few year old chips. And it really comes down to what's the bandwidth of the white hat community and sometimes when you see waves of these things, it's because the white hat community is deciding, ok, let's place our attention here for the next year.
Tim CallanTim CallanPeople are seeing the work that other people are doing. So somebody says, wow, that was some good work by my peer over at this institution. I bet you I can take those ideas, and I can look into this thing and that thing.
Jason SorokoJason Soroko100%.
Tim CallanTim CallanThat's what we want. That's how the white hat community should operate. That's what we want academic researchers to do. All of these things are correct functioning of the systems we have in place. That makes sense. I get that.
Jason SorokoJason SorokoSo Tim, maybe just a couple other comments. And I didn't start off with the whole inflammatory thing. We could have made this a typical journalist who wants to get clickbait, but let me just show you just how bad some of this might be.

We're talking 6th to 11th Generation Intel Core CPUs. We are talking about probably chips counting in the billions. So not even the hundreds of millions. We’re talking billions of processors that apply to that. And that these chips are going to be used in both personal computers, enterprise computers, as well as. Tim, and here's a softball you can knock out of the park for me. It also went into a whole lot of cloud computers as well. Think about that for a moment. The problem with if this vulnerability is up in the cloud, then what happens if you're on a shared computer resource?
Tim CallanTim CallanSure. Absolutely. Then they're all like, your attack surface, just multiplied dramatically in terms of your targets. Let's call it your target surface. Everybody who is touching that processor is a potential target. Is vulnerable. And the other thing in these cloud environments is they’re also very dynamic. It’s not like machines on racks on your floor. They’re being used by one target. Part of the whole point of cloud services is that they are agile and that means that the actual footprint of clusters that I operate on changes and might change a lot. And if there's a machine sitting there and it's compromised, anybody who passes through that machine is potentially compromised.
Jason SorokoJason SorokoYes, sir. You got it. So I would say that if you're an enterprise that’s at least more than a year old, you probably have computers in your environment that have these chips.
Tim CallanTim CallanYou also don't have visibility. You don't know. Like, if you're off using a cloud service, you don't know what hardware you're on.
Jason SorokoJason SorokoExactly.
Tim CallanTim CallanIf someone comes to you as the CISO, and says, hey, are we subjected to this vulnerability? If you've got anything running in public cloud, or anything running in a large hosted environment. Your answer has to be I don't know.
Jason SorokoJason SorokoYour answer is probably yes. And we have to assume so. I think that's the honest answer to any CISO/CIO.
Tim CallanTim CallanSo can I cycle out? Can I cycle out my keys? Does that help?
Jason SorokoJason SorokoTim, here's one for you. In the world of certificate lifecycle management, keep your keys, your key lifecycles as short as possible.
Tim CallanTim CallanShorten them. Absolutely. You're right. Short, short, short. I mean this could still happen, because these chips could still be in use, but at least you're reducing the time for your vulnerability. So that's a great reason to shorten your certificate lifecycles right there.
Jason SorokoJason SorokoFunny, Tim. We also typically think about the public internet as the hostile place and I think that what we have to do is fully accept that even down at our workload level, wherever our apps are running or wherever our anything is running at all, that's also a hostile environment. I've been saying that for a long time. I'm going to repeat it here. Folks, even the computer you can hold with your hands and you trust, you should consider its runtime to be hostile environment. And that's a hard way to live. That's like saying your bedroom is a hostile environment? Well, when it comes to computing - yes, it is.
Tim CallanTim CallanWell, sure. And once upon a time, we had this concept of a green zone, right? We had a hardened perimeter and inside the perimeter, we were all safe and we've learned that we can't think that way.
Jason SorokoJason SorokoThat’s right.
Tim CallanTim CallanAnd to a degree, what you're saying feels like just the extension of that lesson to the next level.
Jason SorokoJason SorokoPrecisely, Tim. So you and I had some podcasts on what we call Zero Trust for a long time and that marketing term is still with us, and got bandied around, but all those principles around micro segmentation, and, in our business keeping your key lifespans as short as possible. Guess what? It just highlights all of those back to basics principles. They still apply.
Tim CallanTim CallanAbsolutely. And if anything, the need for them and to apply those principles and ideas rigorously, the need for that seems to be just only going up.
Jason SorokoJason SorokoIt only is going up and the white hats are showing us every step of the way that even in systems that we consider to be nearly sacrosanct, we can't think about them like that at all. It's a mistake. It's a mistake to think anywhere isn't somewhat hostile.
Tim CallanTim CallanYep. Treat everything as a potential target. Treat every environment as potentially hostile. Keep your key lifespans short. Ok. There you are.
Jason SorokoJason SorokoThere you are.
Tim CallanTim CallanAgain, this caught our attention because a key was being stolen in particular but all of these other points we're talking about are great points. So I appreciate it, Jason.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud