Hyperthreading Vulnerability - Worrisome or Just Hype?

Every so often a security story comes along that seems to attract more attention in the media than would seem warranted. I’ve been spending time lately dealing with the recent discussions about a hyperthreading vulnerability which allows monitoring info (eventually crypto key info) when a CPU is swapping between users. I won’t go into the technical specifics here since you can find them in a number of places covered more thoroughly than I could in a blog.

Don’t get me wrong, I understand the security implications and I realize the vulnerability has been proven (instead of merely theoretically possible according to code analysis), but all of security is a trade off between risk and usability. In this case it seems highly unlikely in a real world setting that an attacker with local access to a server would be able to capture the necessary information in order to decrypt sensitive information. Add to this the potential performance impact of disabling the hardware feature, or the impractical solution of rewriting all crypto applications and it doesn’t seem reasonable to expect a hardware or software vendor to ruin usability to protect against this unlikely attack.

With that said, I do believe the vendors owe it to their customers to explain the risk and offer possible solutions in the event that a customer would prefer to engage the security at the cost of usability. In short, I think Intel got this one right when they pointed out that anyone who has sufficient access to a machine to be able to configure this attack is already in position to cause significant damage. We’re in the process of publishing a Sun Alert with this information.

Posted at 02:50PM May 31, 2005 by drscholl in Security Coordination  |  Comments[1]