Modern Intel and Arm CPUs can expose cryptographic secrets to timing attacks unless a specific processor mode is switched on, Eric Biggers, a software engineer on Google's Platform Encryption Team, has argued in a series of mailing list discussions over the past few months.
Timing attacks against cryptographic algorithms were first described in the mid-1990s and demonstrated in practice in the early 2000s. Researchers showed that by measuring how long a CPU takes to process data, they could infer secrets such as an RSA private key. The standard defense is constant-time code: implementations written so that the instructions executed and the memory locations accessed, and therefore the running time, do not depend on secret values. That defense only holds if the CPU itself executes each instruction in a time that is independent of the data it operates on, and both Arm and Intel added a processor mode that guarantees this for the relevant instructions.
But Biggers says that for the past few years both vendors have shipped CPUs with that mode off by default: Data Independent Timing (DIT) on Arm and Data Operand Independent Timing Mode (DOITM) on Intel, which applies to Ice Lake and later. Unless software explicitly enables it, the processor is free to take a data-dependent amount of time even for code that was carefully written to be constant-time.
Biggers says the upcoming 6.2 version of the Linux kernel will enable DIT on Arm CPUs, but only while kernel code is running.
“Without any additional patches, userspace code will still get data-dependent timing by default,” Biggers says, while no patch is currently queued to enable DOITM on Intel CPUs at all.
“Thus, as-is, it’s not really possible to safely execute cryptographic algorithms on Linux systems that use an Intel processor with Ice Lake or later,” Biggers says.
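As an added illustration (not code from this article, from Biggers, or from the Linux kernel), the C program below puts the two halves of the problem side by side: a naive early-exit comparison whose running time depends on the secret, next to a constant-time version, plus a helper that lets an arm64 userspace process turn DIT on for itself, which matters because the 6.2 kernel change only covers kernel code. It assumes that Linux reports FEAT_DIT through the HWCAP_DIT bit of AT_HWCAP and that the DIT register can be reached through its generic system-register encoding S3_3_C4_C2_5; the 32-byte "MAC" and the two guesses are constructed sample data, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Early-exit comparison, as found in naive MAC or password checks: it returns
 * on the first mismatching byte, so its running time reveals how many leading
 * bytes of the guess were correct. */
int leaky_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: always touches all n bytes, folds the differences
 * with OR, then turns "diff == 0" into 0/1 without a branch. The volatile
 * discourages the compiler from short-circuiting the loop. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* (diff - 1) wraps to 0xFFFFFFFF only when diff == 0; its top bit is the answer. */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Average CPU nanoseconds per call, using only the C-standard clock(). */
double ns_per_call(int (*cmp)(const uint8_t *, const uint8_t *, size_t),
                   const uint8_t *a, const uint8_t *b, size_t n, unsigned iters)
{
    volatile int sink = 0;
    clock_t t0 = clock();
    for (unsigned i = 0; i < iters; i++)
        sink ^= cmp(a, b, n);
    clock_t t1 = clock();
    return (double)(t1 - t0) * 1e9 / CLOCKS_PER_SEC / iters;
}

#if defined(__aarch64__)
#include <sys/auxv.h>
#ifndef HWCAP_DIT
#define HWCAP_DIT (1UL << 24)   /* arm64 AT_HWCAP bit for FEAT_DIT (assumed, see lead-in) */
#endif
#define PSTATE_DIT (1UL << 24)  /* DIT bit inside the DIT system register */

/* FEAT_DIT present on this CPU, as reported by the kernel in AT_HWCAP. */
int dit_supported(void) { return (getauxval(AT_HWCAP) & HWCAP_DIT) != 0; }

/* PSTATE.DIT is writable at EL0, so a userspace crypto library can switch it
 * on itself; S3_3_C4_C2_5 is the generic encoding of the DIT register. */
int dit_enable(void)
{
    if (!dit_supported())
        return 0;
    unsigned long v = PSTATE_DIT;
    __asm__ volatile("msr S3_3_C4_C2_5, %0" : : "r"(v) : "memory");
    __asm__ volatile("mrs %0, S3_3_C4_C2_5" : "=r"(v));
    return (v & PSTATE_DIT) != 0;   /* read back: 1 if the bit really took */
}
#else
/* x86: DOITM lives in a model-specific register that only ring 0 can write,
 * so a userspace process cannot opt in on its own; nothing to do here. */
int dit_supported(void) { return 0; }
int dit_enable(void) { return 0; }
#endif

int main(void)
{
    /* Constructed sample: a 32-byte "MAC" and two guesses, wrong at byte 0 and at byte 31. */
    uint8_t mac[32], early[32], late[32];
    for (size_t i = 0; i < 32; i++)
        mac[i] = (uint8_t)(i * 37 + 11);
    memcpy(early, mac, 32); early[0] ^= 0x80;
    memcpy(late, mac, 32);  late[31] ^= 0x80;

    const unsigned iters = 2000000;
    printf("DIT supported: %d, enabled: %d\n", dit_supported(), dit_enable());
    printf("leaky_memeq  mismatch@0: %.2f ns  mismatch@31: %.2f ns\n",
           ns_per_call(leaky_memeq, mac, early, 32, iters),
           ns_per_call(leaky_memeq, mac, late, 32, iters));
    printf("ct_memeq     mismatch@0: %.2f ns  mismatch@31: %.2f ns\n",
           ns_per_call(ct_memeq, mac, early, 32, iters),
           ns_per_call(ct_memeq, mac, late, 32, iters));
    return 0;
}
```

Build with `cc -O2 ct_demo.c -o ct_demo` and run it. The leaky comparison typically shows a clear gap between a mismatch at byte 0 and one at byte 31, while the constant-time version does not; on an x86 machine the DIT line prints 0/0 because DOITM can only be set from ring 0. Two caveats a practitioner should keep in mind: a compiler may still rewrite `ct_memeq` into something branchy, so the real check is inspecting the generated assembly, and even a perfectly constant-time instruction stream only stays constant-time if the CPU mode Biggers is talking about is actually on.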
The issue looks like a disaster waiting to happen, especially as more Arm and Intel CPUs ship worldwide with, by default, what any cryptographer would consider a must-have security property switched off.
“Constant-time code is super important in crypto to avoid timing attacks,” says Jean-Philippe Aumasson, cryptographer and co-founder and chief security officer at Taurus, a digital assets platform for the banking sector.
“It’s definitely a potential major issue, but I’ve yet to see an attack PoC that could be exploited in real applications,” Aumasson says.
Nevertheless, while no such attacks have been spotted in the wild so far, research into timing attacks has continued over the past two decades and keeps finding new ways to carry them out. The latest example is Hertzbleed, published last year: a timing attack that can be carried out remotely and affects a wide range of Intel and AMD CPUs. It turns the power consumption of a computation into a timing difference through the processor's dynamic frequency scaling, so that even code written to be constant-time can leak its secrets.