Hyperthreading footprints expose Intel P4 users

A newly discovered timing attack takes advantage of hyperthreading to sniff out passwords

Intel is acting to calm fears that technology in its Pentium 4 processors will allow hackers to steal passwords by reading 'footprints' in the cache.

Hyperthreading, introduced in Intel's Pentium 4, could allow hackers to access secure information, according to Colin Percival, a 23 year old Ph.D student from Vancouver. The technology makes software run faster by letting two threads run on the same processor at the same time. Percival has developed a sophisticated attack based on timing, which exploits the fact that both processes can access the same cache memory.

The attack, revealed on Friday in a paper delivered at the BSDCan conference in Ottawa, relies on a spy process installed on the server, and sharing the L2 cache with an OpenSSL cryptographic process. The spy process observes the time taken for certain cache operations, and deduces what the other process is doing (which Percival refers to as "footprints in the cache"), gathering information that could help crack the desired password.

Intel was informed of the problem in March, and says the risk is very low. It only works on a server that has already been compromised to allow a malicious hacker to install a spy process. If the hacker has already achieved this, there are many easier and quicker ways to steal data, according to Intel spokesman Howard High.

The attack could also affect any other processor that shares resources, and not just Intel chips or hyperthreading chips, the company has pointed out. Nevertheless, the company expects future versions of Windows and Linux to fix the problem.

Since discovering the flaw in October 2004, Percival has been working with FreeBSD and other operating systems developers to judge the dangers, and various responses are posted on his site. Operating systems that do not exploit hyperthreading and keep it disabled, such as SCO's UnixWare, are immune.