contention for fun and profit people be referring it Port Smash. So what it does is it actually

you got open ssl running and it's using a private key and you've got another program which they call that spy program which runs alongside

It and is able to extract the private key from the open ssl program even though it shouldn't be able to do that

So I thought it was interesting to have a little chat about the way it's exploiting the cpu so again like

spectrum meltdown and quite a few of the exploits that have turned up over the past year its

exploiting the fact that people have tried to make the CPUs run faster and faster and sort of squeeze

every last ounce of speed out of the actual cpu technology that's there and

what this is specifically targeting is what's put into most intel cpus and AMD

which is hyper threading. So what is hyper threading well normally when we think about

a computer system we have a cpu in there and

originally that CPU would execute one single stream of instructions and process data with them

you could have two CPUs in there's got some

Multiprocessor system or a multi-core system depending on how you wire them up and then you could have two separate streams of instructions

being executed and

the way that those CPUs are designed is

you have three stages that each instruction has to sort of go through that in the cpu that's for them it's a smaller stage but

We can think about this of three broad stages we have to sort of fetch the instruction from memory

then we decode it to work out what we actually wanted to do and then we execute it and

To make the cpu run as fast as possible then you end up with various

execution units in your cpu which do various things there might be an algorithmic and logic unit which will do addition and subtraction and various

logical operations. There might be bits that can load and store

values from memory. There might be bits that can do various other sorts of calculations multiplications and so on address

calculations floating point operations vector

processing and so on so you have lots of these

execution units in your machine and one of the things you got was sort of a superscalar architecture where you'd

fetch two instructions and execute them at the same time

providing that they were using different parts that you could sort of fetch a value from memory while adding a value onto another

register as long as they're using separate registers and so on. So the idea is you've got if we sort of draw a

picture you've got some sort of logic here which we'll call decode and you've got going into that a stream of

instructions coming from memory. So you're feeding them in there and this is actually breaking them up into a series what

of what we call micro operations that do different things, so one

x86 instruction may get broken up into

multiple micro operations for example to load a value from memory add that value onto a value in a register and store that result

out back into the same memory location it's all three operations so it gets split so which use different

execution that operations. Some have to happen sequentially some can be done in parallel depending on what you're doing

So we end up with a series of execution operations - so let's say we've got an ALU and

We might have say a division unit in there

We might have another one with an ALU it might have some things to do - vector type stuff

we've got another one which has got another ALU and a multiplication unit on there and

there's various ports that these are connected to -- so you've got a sort of port

One here which connects to this set of operations

Port two will say here and this is a generalized version which is connected to these operations

Q:Are these physical ports like physical wires?

Erm they'll be parts with inside the CPU so the way that things are connected up... and this block is a sort of

scheduler which is getting the decoded

micro-ops from this section and

sort of sending them to the right ports as they're being ... as they're available and so on to cause the right operations to happen in

the best order to make most use of the system. You'd have a few more over here that says this has got a load port

And so on so what you can do is you can start pulling the multiple instructions here and as long as they're not depending on

values that previous instructions have created

and haven't completed yet then you can sort of schedule them on different

parts the unit - so if you had one

instruction which adds value one on to EAX you could put it on to this port the next insert is adding something onto B EBX

You could put it onto that port (they're registers within the CPU) and they could execute at the same time. But the problem

you've got is that

sometimes you get a sequence of instructions which either a

sequential so you add one to a value in a register then you multiply that register by two

And then so on - you've got to execute them and things and so you can't always make full use of

your

Available

execution units down here in the CPU

So the idea which happened many

many years ago and sort of fell out of favor and then was brought back with the Pentium 4 in the mid

2000s and has existed through on various CPUs both from AMD and

Intel is hyperthreading - you say well ok this is only a single core but let's make it present itself as

if it was two cores

Two logical cores we've got one physical core with one set of execution units but we have it appear to the operating system as two

logical cores so the operating system can have two - as far as its concerned two - independent bits programs threads whatever

Executing on there and so they'll be two streams of instructions executing and so we'd have another

stream of

instructions coming in to the decode logic and then

the CPUs got a better chance of keeping things running at the same time because you can either run an instruction from here

But if you can't schedule that it might be out of scheduled instruction from the other stream of instructions. You may get some interesting

things so for example on this one that we've drawn we've only got one

multiplier we've only got one load and store unit. If we have both of these trying to do a

multiply then one will have to wait for

the other to complete and the sort of way that CPU might do that it's a sort of round-robin that the first

clock cycle this one gets the multiply on the second clock cycle that one will get the multiply and so on. So that's the basic

idea behind hyperthreading - you've got two

logical processors that are used by the operations to schedule the jobs on your computer

but they're executed by one physical core on the CPU.

Q: So hyper threading is different to multi-threading?

So multi threading is the idea that you split your program or your programs into multiple threads of operation

and then they get scheduled either by the operating system on to different

CPU cores if you've got multiple ones or onto one single core by sort of executing a bit of

thread one than a bit of thread two you than a bit of thread three

effectively like you could watch multiple programs on YouTube at once by chopping between the different programs and watching sort of bits after the other

Be quite garbled watching multiple computer files in that sort of way. So unlike a normal photograph/In a very basic sense if you've got/

Bletchley Park/So that's a way of doing things in software and programming/yeah

It's/hyper threading is a bit more Hardware So the idea is there, okay well you've got these different threads of execution

okay if you've got multiple

Cores multiple processing units then you can schedule your each of those threads onto

Each of the cores and have them executing at the same time

but a few limitations on access to memory and things because and so on

With hyper threading you say okay we'll have the idea we got two

threads of execution

happening at the same time

But we've actually only got one physical set of units to do it so it's the hardware that's doing the scheduling because it can

do a finer grain than the operating system can. The operating system is still scheduling across those two

logical cores but the hardware can then say well actually

this one is trying to multiply this is trying to add I can run them at the same time

whereas this is trying to

Multiply and this is trying to multiply I need to sequence it so it can actually start to do a finer grain

sort of threading operation and sort of

knit them together

Q: So where's the problem come in then? So the problem comes in the

let's say we've got a program where we want to find some information about what it's doing and let's say this program here

we want to know what sort of instructions it's executing well what we could do for example

Is if we wanted to find out if it was executing multiply instructions on the example we've got here we've only got one

multiply unit so if this is

Trying to execute multiple instructions and this is trying to execute multiply instructions then they're going to have to take turns to execute

those multiply instruction on the other and if the one we're trying to find out on isn't executing multiply instructions then

This one will be able to execute multiple instructions one after the other so what the port smash paper have done is

that they've written their program that will

execute certain types of instructions in a loop so they have a repetition of about 64 let's say it's

these various different ones but so is the 64 add instructions to make use of all the ALUs on Intel CPU - there's four of

them that it can make use of

say just four

continuous adds we should all exceute at the same time if nothing else was running on that CPU and it times how long they

take to execute

It does that and it gets an idea of how long they take to execute and then you run the same thing at the same

Time as the other program is running and if it takes more time to execute

than the other program then you know that program must be also executing some add instructions and

So what you can do is by looking at which of these

bits are being used by running instructions then you can find out what type of instructions are being executed

on the other side

Now the reason why it's called port smash is because

We've drawn this a time one multiply it but that's also on the same part as an ALU

for example and what they actually do is that these are all connected to one

port of the scheduler within the CPU and so if we wanted to say use the multiply bit

of this CPU then we have to run out of port 2 which means the ALU on port 2 can't be used as well

can use one of the things in

this column same for example here if we want to use a divide we can't do any ALU processing or vector processing

so we could run instructions that we know will tie up one of these specific ports or will tie up a group of them and

Then we can see whether the other program providing we can get it scheduled onto the same physical execution unit which isn't

Impossible to do is also trying to use parts of the system on that point what the port smash

example program does is cleverly uses certain instructions which tie up a particular port on the

CPU core

To see whether that one is being used by the other program and by measuring the time we can see whether

That has been done so we've got this side channel where we can see

We can get insight into what the other process is doing as a black box we say ok it must be trying to execute this

type of instructions because it's interfering with our use of this port or it isn't

interfering with this use of this port. So what they do is that they run this alongside

OpenSSL doing its encryption of the task that's been set to do and it can measure what type of instructions it's trying to execute

What it ends up with is a series of

timing sequences that shows how long things are taking at particular points or sometimes it be running it full-speed some points it'll be running slower

and that gives it what they call a noisy signal which some signal processing they apply to it they can use to actually extract

the private key that was being used by open SSL purely from watching the timings that are going there. So what they've demonstrated is that

by running a program they can sort of monitor enough information because they can see what the other CPU is doing

by what their program is doing Ie if the other program is trying to multiply at the same time as they're trying to multiply and

there's only one multiply unit that it will slow both programs down and you can detect that

They can start to work out what operations the other program must be doing and then start to work out what that would

mean in terms of what that program is doing and backtrack from that to actually extract information that

ideally they shouldn't be able to access

So the upshot of this is that one of the recommendations is that perhaps in certain circumstances you might want to turn off

hyper-threading either completely and just go back to having four physical cores that only execute for separate threads rather than four physical cores

executing eight logical threads or the very least modify things so that the operating system has the ability to turn

hyper-threading on and off on each processor core

depending on what process is running on this because for some processes it doesn't matter and extracting information from it wouldn't be that

important but from others use of encryption programs you really don't want this sort of side channel there.

Q:Is this operating system specific

or is this

what's the deal there then?

It's not operating system specific it will be

CPU specific so the example they've got is for the Intel skylake in KB Lake