An apparent security flaw in Hyper-Threading, as currently implemented on Intel Corp.’s Pentium Extreme Edition, Pentium 4, Mobile Pentium 4, and Xeon processors, has been discovered by Colin Percival, a recent Oxford graduate who pursued his doctor of philosophy in computing at Wadham College.
The flaw, which Percival explained at the BSDCan 2005 conference on Friday in Ottawa, reportedly permits local information disclosure, including allowing an unprivileged user to steal an RSA private key in use on the same machine, according to Percival’s Web site.
Percival strongly advises administrators of multi-user systems to take action to disable Hyper-Threading immediately, whereas single-user systems such as desktop computers are not affected.
To head off any suggestion to the contrary, the Oxford graduate makes it clear that he has nothing against Intel. “In fact, I think Intel makes great CPUs, and I have an Intel processor in every computer I own,” he says on his Web site.
Further, “As someone who works in the field of computer security, I don’t play political games: If I find a vulnerability, I’m going to report it and work with vendors to fix it, regardless of what the problem is or who it affects,” he added.
Percival first discovered the Hyper-Threading flaw in late October 2004 and worked to develop a proof-of-concept exploit, which was completed and tested in December 2004.
On Dec. 31, 2004, the FreeBSD Security Officer Team was notified of the upcoming security issue.
In February, Percival completed the first draft of a paper on the flaw. Between late February and early March, he contacted other security teams and vendors, including Intel.
An Intel spokesman confirmed that the company had spoken with Percival and said it takes security threats very seriously.
In its labs, Intel replicated the timing exploit, as Percival had, and found that it applies to all modern architectures, not just Intel-based machines.
As a result, Intel believes all architectures could be susceptible to an attack on Hyper-Threading, and it has been working with cryptographic tool and software providers, since issues of this type are typically corrected in the cryptographic software, the spokesman said.
Further, Intel said this type of flaw could not be launched remotely: it would have to be carried out by a malicious user or someone with access to the system, and therefore it does not rank highly as a typical, real-world vulnerability.
As to whether Intel would hire this talented recent graduate, the Intel spokesman said, “You never know. We do have some cryptographers and security team on staff.”