Major side-channel discovery wins NSA contest

The winning paper broke open a new area of investigation in hardware-based data leaks.

Spectre in code

A major breakthrough in the field of side-channel attacks has been recognized by the National Security Agency (NSA) as the winner of the 2020 Best Scientific Cybersecurity Paper competition. The winning paper, describing an exploit called Spectre, broke open a new area of investigation in hardware-based data leaks. Prof. Daniel Genkin worked on the paper with collaborators from around the world.

Spectre abuses a widespread feature of modern processors called speculative execution. The result of a series of innovations that help a CPU process instructions faster, this practice has the processor access data before a program is known to need it (“speculatively”). Unfortunately, such accesses can bypass the checks that are meant to ensure sensitive data is read only when the program is permitted to read it.

This industry-standard practice is now mired in controversy thanks to the Spectre discovery. Since 2013, Genkin has helped discover a slew of so-called side-channel attacks. These rely on non-traditional byproducts of a program’s execution, such as a computer’s power usage or the time a memory access takes, to reach off-limits data. Spectre is one of the most famous of these discoveries, and it demonstrated how speculative execution could be abused to let one application steal data from another. The vulnerability affected every microprocessor designed since the 1990s and is present in nearly every computer and phone in use today.

Proposed solutions to these so-called transient execution attacks range from fundamentally changing how instructions are executed (at a large cost in performance) to patching specific exploitation techniques in hardware and firmware as they become public. So far, the latter approach has been preferred.

“The first attack variants were all using the processor’s cache to leak information, so then you started seeing research papers proposing a redesign of the cache to make it impossible to leak information that way,” says Ofir Weisse, a PhD alum who worked on related projects. He and the team say that this approach doesn’t address the fundamental problem, since the cache is only one of many ways to transmit a secret.

“The fundamental problem is that attackers can speculatively access secrets, and then can try to transmit them in numerous ways.”
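To make concrete what Weisse’s remark and the earlier paragraph on speculative execution describe, here is an added C example (written for this page, not code from the Spectre paper or from Genkin’s group): a bounds-checked table lookup of the kind Spectre’s first variant targets, beside the same lookup hardened with branch-free index masking, the arithmetic behind the Linux kernel’s generic array_index_mask_nospec. The table contents are constructed, and the names index_mask_nospec, clamp_index_nospec, lookup_checked and lookup_hardened are chosen here.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table; everything outside it stands for memory that
 * must never be read, not even transiently. */
#define TABLE_SIZE 16
static const uint8_t public_table[TABLE_SIZE] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* The classic pattern Spectre's first variant targets. Architecturally the
 * check is correct, but while the branch is still being predicted the CPU
 * may execute the load with an out-of-range idx. The result is discarded,
 * yet whatever it influenced (e.g. which cache lines were touched) remains
 * observable through a side channel. */
uint8_t lookup_checked(size_t idx) {
    if (idx < TABLE_SIZE)
        return public_table[idx];
    return 0;
}

/* Branch-free mask: all ones when idx < size, zero otherwise. Same idea as
 * the kernel's generic array_index_mask_nospec, written with unsigned
 * arithmetic only. Precondition: size <= SIZE_MAX / 2. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* Hide idx from the optimizer so it cannot prove the mask redundant
     * after the branch and drop it (GCC/Clang extended asm). */
    __asm__ volatile("" : "+r"(idx));
    /* (size - 1 - idx) wraps to a value with the top bit set exactly when
     * idx >= size; so does idx itself when it is huge. */
    size_t m = idx | (size - 1 - idx);
    return (m >> (sizeof(size_t) * 8 - 1)) - 1;  /* 0 - 1 wraps to all ones */
}

/* idx when in range, 0 otherwise, with no data-dependent branch. */
size_t clamp_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened lookup: the index that reaches the load is forced to zero for
 * out-of-range values by a data dependency, so a mispredicted branch can
 * at worst read public_table[0], never memory past the table. */
uint8_t lookup_hardened(size_t idx) {
    if (idx < TABLE_SIZE)
        return public_table[clamp_index_nospec(idx, TABLE_SIZE)];
    return 0;
}
```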

In fact, Genkin’s continued work on the problem in 2020 found that the specific patches adopted to address these side-channel issues were themselves prone to exploitation: simply “flushing” data out of the cache did not stop it from being leaked just as readily through other channels. It was a matter of identifying the initial pattern, says Genkin, and then finding the weak points in system after system.

“It got to a point where we would spend a train ride or a flight reading some code or a CPU manual, and by the end of the train ride we knew what we needed to do to break it,” Genkin says. “It was a devastating game of whack-a-mole.”

Presently, Genkin and other researchers in CSE are still burrowing deeper into the rabbit hole, in search of both more vulnerabilities and viable defenses.

Recently, Genkin’s lab was awarded several million in grants by DARPA, NSF and the US Air Force to expand its side-channel investigations in new directions, including examining the risk side channels pose to fundamental cryptographic measures and protocols. They plan to build a toolset to mount side-channel attacks and apply it to explore new sources of data leaks, testing all existing side-channel countermeasures along the way.

“We expect this project to contribute to the security of every computer manufactured in the past decades,” the team writes in their proposal. Ultimately, the group seeks to take a more systematic approach to this growing field of research, resulting in computer designs that are more resilient to hardware-based hacks and data leaks.

Previously, Spectre was also recognized with the best paper award at IEEE Security and Privacy 2019. The related exploit, Meltdown, received an honorable mention in NSA’s 2018 contest.