TLBleed

PC_THE_GREAT
Core team
Posts: 53
Joined: Mon Apr 16, 2018 5:28 pm


Post by PC_THE_GREAT » Wed Jun 20, 2018 3:18 pm

TLBleed

You probably have heard about people getting paranoid about something called TLBleed. Apparently, this will be presented this year at Black Hat USA. TLBleed is a new side-channel attack that exploits the TLB rather than the CPU caches to infer activity from a co-resident hyperthread.
[Image: Translation_Lookaside_Buffer.png]


One TLBleed exploit successfully leaks a 256-bit EdDSA key from libgcrypt (used in e.g. GPG) with a 98% success rate after just a single observation of a signing operation on a co-resident hyperthread and just 17 seconds of analysis time. Furthermore, they show how another exploit based on TLBleed can leak bits from the side-channel-resistant RSA implementation in libgcrypt. Read more here about those two guys.

This 98% success rate was possible thanks to machine learning, one more reason why I keep stressing to our folks that they should be more proficient when it comes to their machine learning skills; the possibilities with that are enormous. (Enough of off topic.)

So what exactly is the Translation Lookaside Buffer?
A translation lookaside buffer (TLB) is a memory cache that stores recent translations of virtual memory to physical addresses for faster retrieval. When a virtual memory address is referenced by a program, the search starts in the CPU. First, instruction caches are checked.

Here is a small video explaining this.

What can you do about it? Should you do anything about it?

Well, OpenBSD considers hyper-threading a security risk and offers a knob to disable it: the hw.smt sysctl.
Read more about OpenBSD's decision on this here.

But how about you, as a desktop user? As a desktop user, if you do not allow anyone else to have user access to your machine, you don't have any service that can be exploited to execute remote instructions on your machine, and you are not hosting multiple guest OSes that are exposed to the internet with others accessing them, you shouldn't be that worried. So calm down.


But if you believe you want to sacrifice speed for security and you are in a situation where you can be at risk, then you can use the above knob if you are on OpenBSD, or use the following:

For Ubuntu, you can use this small script I made to disable it.


#!/bin/sh
#selven [A7] hackers mu
# Takes every logical CPU except cpu0 offline (cpu0 cannot be offlined on Linux).
# Writing to /sys/devices/system/cpu/cpuN/online requires root.
# CPUs are numbered 0..N-1, so the loop starts at N-1, not N.

printf 'Number of CPU: '
read -r cpus

cpus=$((cpus-1))
while [ "$cpus" -gt 0 ]; do
	echo 0 > "/sys/devices/system/cpu/cpu$cpus/online"
	cpus=$((cpus-1))
done
FreeBSD


sysctl machdep.hyperthreading_allowed=0

Note: You can disable that in your BIOS as well if the option is available.

Feel free to contribute what you could do to disable HT in your OS.
Cheers,

PC_THE_GREAT || Pirabarlen
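As an added example (not the poster's script, and not from any of the projects mentioned), the following POSIX sh script takes a more targeted approach on Linux: instead of offlining every CPU but cpu0, it reads each logical CPU's sibling set from /sys/devices/system/cpu/cpuN/topology/thread_siblings_list and offlines only the secondary sibling of each physical core, so one thread per core stays online. The sysfs paths are the real Linux ones; the 4-core/8-thread topology embedded at the bottom is constructed for the demonstration, and the script only does a dry run against it.

```shell
#!/bin/sh
# Added example: offline only SMT sibling threads, keeping one logical CPU per core.
# Assumes a Linux kernel exposing /sys/devices/system/cpu/cpuN/topology/thread_siblings_list.

# Expand a sysfs CPU list such as "0-1,4,6-7" into one CPU number per line, sorted.
expand_cpulist() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r range; do
        [ -n "$range" ] || continue
        case "$range" in
            *-*)
                lo=${range%-*}; hi=${range#*-}
                while [ "$lo" -le "$hi" ]; do printf '%s\n' "$lo"; lo=$((lo+1)); done ;;
            *) printf '%s\n' "$range" ;;
        esac
    done | sort -n
}

# Read lines "<cpu> <thread_siblings_list>" on stdin and print, one per line,
# the CPUs that are secondary siblings: every member of a sibling set except
# its lowest-numbered CPU. Each set appears once per member in the input, so
# the result is de-duplicated.
secondary_siblings() {
    while read -r cpu list; do
        [ -n "$cpu" ] || continue
        first=1
        for sib in $(expand_cpulist "$list"); do
            if [ "$first" -eq 1 ]; then first=0; continue; fi
            printf '%s\n' "$sib"
        done
    done | sort -n -u
}

# Emit the live topology from sysfs in the "<cpu> <siblings>" form (Linux only;
# prints nothing where sysfs is unavailable).
live_topology() {
    for d in /sys/devices/system/cpu/cpu[0-9]*; do
        [ -r "$d/topology/thread_siblings_list" ] || continue
        printf '%s %s\n' "${d##*/cpu}" "$(cat "$d/topology/thread_siblings_list")"
    done
}

# Offline the listed CPUs (needs root). With DRY_RUN=1 only print what would happen.
offline_cpus() {
    for cpu in "$@"; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would run: echo 0 > /sys/devices/system/cpu/cpu%s/online\n' "$cpu"
        else
            echo 0 > "/sys/devices/system/cpu/cpu$cpu/online"
        fi
    done
}

# Constructed sample topology: 4 cores, 8 threads, CPU n and n+4 are siblings.
SAMPLE_TOPOLOGY='0 0,4
1 1,5
2 2,6
3 3,7
4 0,4
5 1,5
6 2,6
7 3,7'

# Demonstration on the constructed sample; dry run, nothing on the host changes.
DRY_RUN=1 offline_cpus $(printf '%s\n' "$SAMPLE_TOPOLOGY" | secondary_siblings)
```

On a real machine the live run is `live_topology | secondary_siblings | xargs sh -c '. ./this_script.sh; offline_cpus "$@"' _` as root (or simply call `offline_cpus $(live_topology | secondary_siblings)` from within the script); afterwards `cat /sys/devices/system/cpu/online` should list only one thread per core. Note that this is a software mitigation the BIOS option supersedes, and the change does not survive a reboot.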
