A new side-channel attack known as Hertzbleed allows remote attackers to steal full cryptographic keys from remote servers that were previously believed to be secure, by observing variations in CPU frequency enabled by dynamic voltage and frequency scaling (DVFS).
The root cause of Hertzbleed is dynamic frequency scaling, a feature of modern processors, used to reduce power consumption (during low CPU loads) and to ensure that the system stays below power and thermal limits (during high CPU loads). Hertzbleed is tracked under CVE-2022-23823 for AMD x86 processors and CVE-2022-24436 for Intel processors.
Hertzbleed was disclosed by a team of researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign, and the University of Washington. The issue was reported, together with proof-of-concept code, to Intel, Cloudflare, and Microsoft in Q3 2021 and to AMD in Q1 2022.
Intel’s security advisory states that all Intel processors are affected. The disclosed findings confirmed that several Intel processors are affected, including desktop and laptop models from the 8th to the 11th generation Core microarchitecture.
AMD’s security advisory states that several desktop, mobile, and server processors are affected, including desktop and laptop models from the Zen 2 and Zen 3 microarchitectures.
The researchers also notified other processor vendors (e.g., ARM) that implement frequency scaling in their products about Hertzbleed.
What is the impact of Hertzbleed?
First, Hertzbleed shows that on modern x86 CPUs, power side-channel attacks can be turned into (even remote!) timing attacks—lifting the need for any power measurement interface. The cause is that, under certain circumstances, periodic CPU frequency adjustments depend on the current CPU power consumption, and these adjustments directly translate to execution time differences (as 1 hertz = 1 cycle per second).
Second, Hertzbleed shows that, even when implemented correctly as constant time, cryptographic code can still leak via remote timing analysis. The result is that current industry guidelines for how to write constant-time code (such as Intel’s) are insufficient to guarantee constant-time execution on modern processors.
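The following toy model is an added illustration, not code from the researchers or from this article: it shows how a routine with a fixed cycle count still takes different wall-clock time once a power-limited frequency governor is in the loop. All numbers, the power model (power rising with the number of set bits processed), and the names `power_watts` and `run_time` are assumptions made for the example.

```python
# Toy model with constructed numbers; not measurements from any real CPU.
CYCLES = 3_000_000_000   # a constant-time routine: same cycle count for every input
POWER_LIMIT_W = 15.0     # assumed package power limit
F_MAX_MHZ, F_BASE_MHZ, F_MIN_MHZ = 4000, 3000, 2000
STEP_MHZ = 100           # frequency change per governor decision
INTERVAL_US = 1000       # governor re-evaluates once per millisecond


def power_watts(freq_mhz, set_bits):
    """Assumed power model: rises with frequency and with set bits in the operands."""
    return (freq_mhz / 1000) * (3.0 + 0.02 * set_bits)


def run_time(set_bits, dvfs=True):
    """Wall-clock seconds needed to retire CYCLES cycles."""
    freq = F_MAX_MHZ if dvfs else F_BASE_MHZ
    remaining, elapsed_us = CYCLES, 0.0
    while remaining > 0:
        if dvfs:  # periodic adjustment driven by the current power draw
            if power_watts(freq, set_bits) > POWER_LIMIT_W:
                freq = max(F_MIN_MHZ, freq - STEP_MHZ)
            elif (freq < F_MAX_MHZ
                  and power_watts(freq + STEP_MHZ, set_bits) <= POWER_LIMIT_W):
                freq += STEP_MHZ
        budget = freq * INTERVAL_US   # cycles available this interval (MHz = cycles/us)
        done = min(budget, remaining)
        remaining -= done
        elapsed_us += done / freq     # time actually spent, in microseconds
    return elapsed_us / 1_000_000


if __name__ == "__main__":
    for bits in (0, 32, 64):
        print(f"set_bits={bits:2d}  scaling={run_time(bits):.4f}s  "
              f"fixed={run_time(bits, dvfs=False):.4f}s")
```

In this model the timing difference appears only for inputs that push power over the limit, and disappears entirely when the frequency is held fixed, which matches the "under certain circumstances" qualifier above.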
According to the researchers of Hertzbleed, Intel and AMD have no plans to release microcode patches to address this new family of side-channel attacks described as frequency side channels. However, Intel provides guidance to mitigate Hertzbleed in software. Cryptographic developers may choose to follow Intel’s guidance to harden their libraries and applications against Hertzbleed. For more information, please refer to the official security advisories from Intel and AMD.
For full reproducibility, the research team of Hertzbleed has also released the source code of all the experiments which you can find on GitHub. The "Hertzbleed: Turning Power Side-Channel Attacks Into Remote Timing Attacks on x86" paper will be presented during the 31st USENIX Security Symposium (Boston, 10–12 August 2022), and a preprint version is available here [PDF].