Re: Hyper-Threading Considered Harmful

From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 05/13/05

    Date: Fri, 13 May 2005 04:03:39 +0000 (UTC)
    
    

    Osvik and Tromer made clear months ago that hyperthreading needed to be
    turned off for security. They've been advertising information disclosure
    through hyperthreading since at least February. See, for example, the
    ``Other People's Cache---HyperAttacks with HyperThreading'' abstract in

       http://www.esat.kuleuven.ac.be/sista-cosic-docarch/template.php?page=activities

    reporting recovery---with ``no access to plaintext or ciphertext''---of
    ``45 out of 128 key bits from AES encryption of English text in just one
    minute on an Intel processor with HyperThreading''; and reporting full
    key recovery from known plaintext.

    Osvik and Tromer haven't put their talks on the web, as far as I know,
    but their attack is discussed in Section 13 of my ``Cache-timing attacks
    on AES'' paper, http://cr.yp.to/papers.html#cachetiming, along with the
    obvious recommendation: ``AES implementors should encourage computer
    owners to disable hyperthreading.''

    If Colin Percival has discovered further problems with hyperthreading,
    beyond the cache-timing effects exploited by Osvik and Tromer, then it
    will certainly be interesting to see the details, so that we have a
    better idea of how Intel might screw up our security in the future.

    ---D. J. Bernstein, Associate Professor, Department of Mathematics,
    Statistics, and Computer Science, University of Illinois at Chicago

