Re: Hyper-Threading Considered Harmful
From: D. J. Bernstein (djb_at_cr.yp.to)
Date: Fri, 13 May 2005 04:03:39 +0000 (UTC)

Osvik and Tromer made clear months ago that hyperthreading needed to be
turned off for security. They've been advertising information disclosure
through hyperthreading since at least February. See, for example, the
``Other People's Cache---HyperAttacks with HyperThreading'' abstract in
reporting recovery---with ``no access to plaintext or ciphertext''---of
``45 out of 128 key bits from AES encryption of English text in just one
minute on an Intel processor with HyperThreading''; and reporting full
key recovery from known plaintext.

Osvik and Tromer haven't put their talks on the web, as far as I know,
but their attack is discussed in Section 13 of my ``Cache-timing attacks
on AES'' paper, http://cr.yp.to/papers.html#cachetiming, along with the
obvious recommendation: ``AES implementors should encourage computer
owners to disable hyperthreading.''

If Colin Percival has discovered further problems with hyperthreading,
beyond the cache-timing effects exploited by Osvik and Tromer, then it
will certainly be interesting to see the details, so that we have a
better idea of how Intel might screw up our security in the future.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago