Hertzbleed is a side-channel attack that aims to exfiltrate sensitive information such as cryptographic keys from systems that use an x86 processor. The attack was discovered through a novel chosen-ciphertext attack against SIKE. It was publicly disclosed on June 14, 2022, as research conducted by a group of researchers from the University of Texas, the University of Illinois Urbana-Champaign, and the University of Washington.
Hertzbleed is known to affect desktop and laptop models running 8th to 11th generation Intel Core microarchitecture processors, as well as several AMD desktop, mobile, and server processors, including Ryzen Zen 2 and Zen 3 desktop and laptop processors.
Other processor vendors such as ARM were also made aware of Hertzbleed, since they are known to use frequency scaling in their products, although it has not been confirmed that their processors are affected.
Hertzbleed is particularly dangerous because it allows an attacker to steal sensitive information such as AES cryptographic keys from remote servers. However, as the vulnerability has not yet been scored, only hypothetical assumptions can be made about its severity and risk level.
However, the vulnerability is not a bug. The root cause of the attack is dynamic voltage and frequency scaling (DVFS), a mechanism in modern processors that reduces power consumption during low CPU usage and keeps the system below its thermal limit during high CPU loads. Because the dynamic frequency scaling on current Intel (CVE-2022-24436) and AMD (CVE-2022-23823) x86 processors depends on power consumption, and therefore on the type of data being processed, any system that uses it is a feasible target for the attack.
The researchers have stated that on modern x86 CPUs, a power side-channel attack can be turned into a timing attack, removing the need for a power measurement interface. Because the periodic CPU frequency adjustments depend on the real-time power consumption of the CPU, the adjustments translate directly into differences in execution time, i.e., 1 hertz = 1 cycle per second.
In addition, even when cryptographic code is written using the standard constant-time implementation techniques, it still appears to leak under remote timing analysis. The researchers therefore concluded that the current practice for writing constant-time code is insufficient to guarantee constant-time execution on modern processors. Moreover, regarding the likelihood and existence of the vulnerability, it is stated that a system using a constant-time cryptographic library is still susceptible to secret-dependent power leakage: because the dynamic frequency scaling of modern x86 processors depends on the data being processed and on power consumption, the program can run at a different frequency during the computation, which can allow an intruder to extract cryptographic keys from remote servers that were previously considered secure.
Although it has a system-wide performance impact, disabling frequency boost is considered a viable mitigation for Hertzbleed. It can be disabled in the BIOS or at run time via the frequency scaling driver. As the frequency then stays constant even under load, the leakage exploited by Hertzbleed disappears. However, this strategy does not work on systems with custom configurations where frequency updates may still occur even when frequency boost is disabled.
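One way to apply and verify this mitigation on Linux, as an added example that is not from the Hertzbleed paper or from any vendor: the script below toggles the boost knob exposed by the active cpufreq driver (intel_pstate's no_turbo, or cpufreq/boost for acpi-cpufreq and amd-pstate) and reports the spread of the per-core frequencies so that a pinned frequency can be confirmed. The sysfs root path is taken as a parameter, an assumption made so the functions can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not code from the Hertzbleed paper or from any CPU vendor.
# Checks, and on request disables, CPU frequency boost via the Linux cpufreq
# sysfs knobs, then reports how far the per-core frequencies drift apart.
# The sysfs root is a parameter (default /sys) so the functions can be
# exercised against a constructed directory tree as well as a real host.

# Print "<knob path> <value meaning boost off>". intel_pstate exposes
# no_turbo (1 = turbo off); acpi-cpufreq and amd-pstate expose
# cpufreq/boost (0 = boost off). Fails if neither knob is present.
boost_knob() {
    root=${1:-/sys}
    if [ -e "$root/devices/system/cpu/intel_pstate/no_turbo" ]; then
        echo "$root/devices/system/cpu/intel_pstate/no_turbo 1"
    elif [ -e "$root/devices/system/cpu/cpufreq/boost" ]; then
        echo "$root/devices/system/cpu/cpufreq/boost 0"
    else
        return 1
    fi
}

# Succeed only if the knob currently holds its "boost off" value.
boost_disabled() {
    knob=$(boost_knob "${1:-/sys}") || return 1
    set -- $knob
    [ "$(cat "$1")" = "$2" ]
}

# Write the "boost off" value to the knob (needs root on a real system).
disable_boost() {
    knob=$(boost_knob "${1:-/sys}") || return 1
    set -- $knob
    echo "$2" > "$1"
}

# Difference in kHz between the fastest and slowest core right now. With
# boost off the cores should sit at one frequency under load; a large or
# growing spread across repeated samples means DVFS is still moving them.
freq_spread_khz() {
    root=${1:-/sys}; min=; max=
    for f in "$root"/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_cur_freq; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ -z "$min" ] || [ "$v" -lt "$min" ]; then min=$v; fi
        if [ -z "$max" ] || [ "$v" -gt "$max" ]; then max=$v; fi
    done
    [ -n "$min" ] || return 1
    echo $((max - min))
}
```

Source the file and run `boost_disabled && echo off`, `disable_boost` (as root) and `freq_spread_khz` while a workload is running; a spread that stays near zero after disabling boost is the expected result, while a persistent spread points at one of the custom configurations mentioned above where frequency updates continue regardless.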
In addition, Cloudflare and Microsoft mitigated the attack on SIKE by validating, before decapsulation, that the ciphertext consists of a pair of linearly independent points of the correct order. According to the report, more analysis is needed to evaluate which cryptosystems can be exploited with a Hertzbleed attack.
No microcode patches have yet been provided by either vendor. AMD has stated that developers of cryptographic systems must apply countermeasures in the software implementation of the algorithm, such as masking, hiding, or key rotation, to mitigate the attack, whereas Intel has provided developers with guidance on hardening their libraries and applications against the attack.
The source code of the attack is provided on GitHub in addition to the preprint of the paper.