TLBleed: A crypto-key-leaking CPU attack

A team of researchers at the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, says it has found a dangerous vulnerability in Intel CPUs. The TLBleed vulnerability exploits flaws in the CPU’s translation lookaside buffer (TLB), a special type of cache memory that maps virtual to physical memory addresses.

The security group said its code was able to lift a secret 256-bit key, used to cryptographically sign data, from another program while it performed a signing operation. It took roughly 17 seconds to determine each of the keys using machine-learning software and some brute force, according to a paper detailing the attack.

TLBleed works by abusing simultaneous multithreading (SMT), a technique for improving the efficiency of CPUs that Intel implements as hyper-threading. With hyper-threading enabled, a single core can execute multiple threads simultaneously, and those threads share resources inside that core, including the TLB.
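Because the exposure depends on which logical CPUs sit on the same physical core, it helps to be able to list those sibling groups. The following is an added example, not code from the researchers or from the original article: it reads the Linux sysfs file `thread_siblings_list` for each CPU; the function names and the sample layout are constructed for illustration.

```python
import glob
import os
import tempfile

# Constructed sample: 4 logical CPUs on 2 physical cores with hyper-threading on.
SAMPLE_LAYOUT = {0: "0,2", 1: "1,3", 2: "0,2", 3: "1,3"}

def parse_cpulist(text):
    """Parse Linux cpulist syntax ('0,4' or '0-1,8-9') into a sorted list of ints."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return sorted(cpus)

def smt_sibling_groups(cpu_root="/sys/devices/system/cpu"):
    """Return each distinct set of logical CPUs that sits on one physical core."""
    pattern = os.path.join(cpu_root, "cpu[0-9]*", "topology", "thread_siblings_list")
    groups = set()
    for path in glob.glob(pattern):  # one file per logical CPU
        with open(path) as fh:
            groups.add(tuple(parse_cpulist(fh.read())))
    return sorted(groups)

def shared_core_cpus(cpu_root="/sys/devices/system/cpu"):
    """Groups with more than one member are hyper-thread siblings sharing a core."""
    return [g for g in smt_sibling_groups(cpu_root) if len(g) > 1]

def build_sample_tree(root, layout):
    """Write a constructed sysfs-like tree so the example runs on any machine."""
    for cpu, siblings in layout.items():
        topo = os.path.join(root, "cpu%d" % cpu, "topology")
        os.makedirs(topo)
        with open(os.path.join(topo, "thread_siblings_list"), "w") as fh:
            fh.write(siblings + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, SAMPLE_LAYOUT)
        for group in shared_core_cpus(root):
            print("logical CPUs sharing one core:", ",".join(map(str, group)))
```

On a real Linux host, calling `shared_core_cpus()` with no argument reads the live topology; an empty result means no two logical CPUs currently share a core.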

It is important to note that you need malware running on, or a malicious user logged into, your system to exploit it. Also, right now nobody is exploiting the weakness in the wild. There are easier ways for hackers to extract data from a computer or other device, via security bugs in browsers, PDF readers, email clients, browser plugins and so on.

However, if you are worried about cache-based attacks (for example, if you’re running a virtual machine on a public cloud platform and fear neighboring guest machines are trying to snoop on you), then you should be paying attention to the TLBleed vulnerability.

Currently, Intel reckons existing cache-snooping countermeasures are sufficient to prevent data from leaking from one program to another via TLBleed, but as with any new vulnerability, only time will tell. As for AMD chips, a spokesperson for AMD has been in touch to say none of its chips are susceptible to TLBleed.
