Security Hardware Intel Xeon's Data Direct IO (DDIO) Lets Researchers Steal SSH Keystrokes!

eva2000 · Sep 11, 2019

Ouch more potential Intel cpu security vulnerabilities in their Intel Xeon cpu space due to an Intel Xeon Data Direct IO (DDIO) feature which they first launched with Intel Xeon E5 v1 and E7v2

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU's last-level cache, rather than following the standard (and significantly longer) path through the server's main memory. By avoiding system memory, Intel's DDIO—short for Data-Direct I/O—increased input/output bandwidth and reduced latency and power consumption.

Now, researchers are warning that, in certain scenarios, attackers can abuse DDIO to obtain keystrokes and possibly other types of sensitive data that flow through the memory of vulnerable servers. The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data. A server leased by a malicious hacker could abuse the vulnerability to attack other customers. To prove their point, the researchers devised an attack that allows a server to steal keystrokes typed into the protected SSH (or secure shell session) established between another server and an application server.

Merely scratching the surface
The researchers have named their attack NetCAT, short for Network Cache ATtack. Their research is prompting an advisory for Intel that effectively recommends turning off either DDIO or RDMA in untrusted networks. The researchers say future attacks may be able to steal other types of data, possibly even when RDMA isn't enabled. They are also advising hardware makers do a better job of securing microarchitectural enhancements before putting them into billions of real-world servers.
Click to expand...

The researchers devised NetCAT after reverse-engineering DDIO and finding that last-level caches were sharing data across CPUs and peripherals, even when they received untrusted or potentially malicious input. Among the things this shared resource divulged was the precise arrival times of data packets sent in sensitive connections such as SSH. The information gave the researchers a side channel they could use to deduce the contents of each keystroke.

NetCAT is based partly on the observation that humans follow largely universal typing patterns that can often reveal clues about the keys they enter into a keyboard. For instance, it's usually faster for most people to type an "s" immediately after an "a" than to type a "g" right after typing an "s." These patterns allowed the researchers to use DDIO to carry out a keystroke timing attack, similar to this one, that uses statistical analysis of the inter-arrival timings of packets.
Click to expand...

At the same time, people should remember that the research isn't likely to materialize into widespread attacks in the real world any time soon.

"NetCAT is a complex attack and is likely not the low-hanging fruit for the attackers," Razavi wrote. "In server settings with untrusted clients, where security matters more than performance, however, we recommend DDIO to be disabled."
Click to expand...

Looks like more and more of Intel's performance features are getting peeled back and reversed with security vulnerability Kernel patch fixes and advisories to disable certain Intel features i.e. Hyper-threading and now Intel DDIO !

Rake-GH · Sep 12, 2019

Crazy stuff, but I doubt we'll ever see exploitation the wild. Just like the side channel attacks they keep finding, it's just too obscure to be weaponized. Will be interesting to see if they ever do get seen in the wild. The people who are reversing the CPUs and finding these types of vulns are insane, in a good way (maybe).

Log in / Register

Forums

Want to subscribe to topics you're interested in?

Security Hardware Intel Xeon's Data Direct IO (DDIO) Lets Researchers Steal SSH Keystrokes!

eva2000 Administrator Staff Member

Rake-GH Active Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

Security Hardware Intel Xeon's Data Direct IO (DDIO) Lets Researchers Steal SSH Keystrokes!

eva2000 Administrator Staff Member

Rake-GH Active Member

.