They described the attack technique in a peer-reviewed paper released last week and accepted for presentation at the Usenix Security Symposium in August. The work was also highlighted in New Scientist and Ars Technica.

The new attack technique takes advantage of a thermostat-like mechanism that processors use to run programs as quickly as possible without overheating. When the processor is using more power than its cooling system can dissipate, this mechanism slows down the processor; when the processor is using less power, this mechanism speeds it up. The adjustment happens hundreds of times per second. The team showed that a remote hacker can use changes in how long a processor takes to do certain operations, which correlates with these changes in speed, to steal sensitive information.

As a case study of the new attack's effectiveness, the researchers showed how an attacker could extract secret keys from two implementations of SIKE, an encryption algorithm designed to withstand even predicted code-breaking abilities of future quantum computers, and a candidate for standardization by the U.S.

The researchers alerted the companies who developed the SIKE software they examined (Microsoft and Cloudflare), as well as chipmaker Intel, last year. Microsoft and Cloudflare released patches to secure their SIKE software against Hertzbleed. Intel acknowledged that all its processors are affected, but declined to release any patches.

It's not clear yet what impact this type of attack may have on ordinary computer users, as SIKE is not widely used outside of the research community. But the team is evaluating other pieces of software to see if they are vulnerable and encourages other software developers to test their programs.

The software routines responsible for encryption, in popular programs like Web browsers, are especially challenging for programmers to write: not only must they produce the right answer, they must also always take exactly the same time to produce it, regardless of the secret value they operate on. Otherwise, as decades of research have shown, attackers can take advantage of the timing variations to learn the secrets the software operates on. To prevent such attacks, programmers writing encryption modules have followed a restrictive rulebook for "constant-time" programming, trying to make sure that each operation on secret information always takes the same amount of time to complete.
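The "constant-time" rule the article describes can be seen in a byte comparison. The following is an added example, not code from the researchers or from any SIKE implementation; the function names and sample bytes are constructed for illustration, and the step counter stands in for elapsed time so the difference is visible deterministically.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (assumption, not from the article). */
static const uint8_t SECRET[4]     = {0x13, 0x37, 0xc0, 0xde};
static const uint8_t GUESS_NONE[4] = {0x00, 0x00, 0x00, 0x00}; /* no leading byte matches */
static const uint8_t GUESS_TWO[4]  = {0x13, 0x37, 0x00, 0x00}; /* two leading bytes match */
static const uint8_t GUESS_ALL[4]  = {0x13, 0x37, 0xc0, 0xde}; /* full match */

/* Early exit: the loop stops at the first mismatch, so the work done
 * depends on how many leading bytes of the guess match the secret. */
int leaky_equal(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (secret[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time style: every byte is always examined and differences are
 * accumulated with XOR/OR; no branch or early exit depends on secret data. */
int ct_equal(const uint8_t *secret, const uint8_t *guess, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    }
    /* Map diff == 0 to 1 and any nonzero diff to 0 without branching. */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

/* Helpers returning the number of bytes examined for a 4-byte guess. */
size_t leaky_work(const uint8_t *g) { size_t s; leaky_equal(SECRET, g, 4, &s); return s; }
size_t ct_work(const uint8_t *g)    { size_t s; ct_equal(SECRET, g, 4, &s); return s; }

int main(void)
{
    printf("leaky: %zu %zu %zu\n", leaky_work(GUESS_NONE), leaky_work(GUESS_TWO), leaky_work(GUESS_ALL));
    printf("ct:    %zu %zu %zu\n", ct_work(GUESS_NONE), ct_work(GUESS_TWO), ct_work(GUESS_ALL));
    return 0;
}
```

The early-exit version does a different amount of work for each guess, which is the timing variation the rulebook is meant to remove; the second version does the same work for all three.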