CPU Side-channel attacks have grabbed the headlines since January 4, 2018 with the announcement of Spectre and Meltdown. In this post, we’ll define side-channel attacks, what they are not and where they could impact your Active Directory security.
Since January, more of these types of CPU attacks have been discovered and disclosed, ranging from variants of Spectre to new attacks targeting symmetric multithreading (SMT) like TLBLeed or the recently announced PortSmash. Some of these side-channel attack techniques are more difficult to exploit and aren’t likely to happen given all the variables that need to line up, but others, like the PortSmash, could be much more problematic for public cloud users today and ultimately your Active Directory security.
What is a CPU side-channel attack? And what isn’t?
First, let’s define a side-channel attack (SCA). This type of attack is truly an art form because it doesn’t focus on exploiting a vulnerability in a cryptographic operation (deciphering based on mathematics or a bug in the software), instead a SCA uses the physical implementation in hardware to decipher cryptographic keys.
Simply put, observation.
More specifically, attackers will use various techniques to observe power consumption, electromagnetic waves, sound, cache in a shared physical system or in the case of hyper-threading, timing, of computations by the hardware to get an extremely accurate inference of the secret key.
To bring this home, see how British MI5 agents used side-channel observations to spy on the communications of the Egyptian Embassy in London in 1965. They placed microphones near the rotor-cipher machine used by the Egyptians to monitor click-sounds, giving them enough information to help crack the cipher.
For CPU side-channel attacks, the cybercriminal observes processes of the CPU, the part processing all of the commands of the operating system kernel like opening a browser and loading a webpage to log into your bank.
What is not a side-channel attack?
To put more definition about what a SCA is, it’s important to understand what it is not. A SCA is not an attempt to break a cryptosystem by getting your hands-on legitimate access. Social engineer or rubber-hose cryptanalysis (think beating someone with a rubber hose to coerce them to give you the keys to the vault) are separate attacks that seek credentials. SCA’s observe everyday computational tendencies and frequencies to extract private information from a server or a laptop.
A side-channel attack scenario
Company A has a website hosted in a public cloud that customers access to log in to their account. When a customer is on the website, they see the green padlock in the upper corner telling them that the information they are sending/receiving from the website is secure from prying eyes.
Hank the Hacker also has an account with the same public cloud provider and his VM just happens to be on the same physical machine as the VM for Company A’s Web Server. Their VMs are sharing the same hardware resources; so, Hank uses various side-channel observations (such as listed above) to extract sensitive information, like the cryptographic keys that will allow him to unlock the secure communications between Company A’s website and the customer.
The staying power of side-channel attack techniques
The above scenario is not only real today, but becoming more and more common as people move workloads to the public cloud. I could add a bunch of stats here about public cloud consumption, but you get it – you probably have cloud projects in play right now.
But its not just shared VMs in an IaaS, situation. Emerging cloud computing architectures and development models are increasing resource sharing. Organizations taking advantage of rapid application deployment with containers-as-a-service offerings (like Azure Kubernetes Service) or building cloud-native applications that take advantage of serverless computing (like Azure Functions) should absolutely think about how side-channel attacks could impact their applications.
Furthermore, while all these attacks sound super complicated and may look like only highly specialized and targeted bad actors can exploit them; the reality is that these attacks are becoming more refined and accessible by the work of researchers, government agencies, or bad dudes. In reality, this kind of attack will be baked into a toolkit with mimikatz making it easy for someone not so sophisticated to launch this from their couch.
IT/security consultant Hector Martin sums up the quandary and staying power of side-channel attacks:
And yes, Spectre v1 and PortSmash aren’t going away. Anyone who knows anything about CPUs knew PortSmash was theoretically possible for years (just someone bothered to finally implement it). Disable HT or petition OSes to do security-domain-aware HT by default.
— Hector Martin (@marcan42) November 2, 2018
How a side-channel attack can compromise Active Directory
So if SCA is all about observations and not about using compromised credentials, do you have to worry about your Active Directory (AD)?
Let’s breakdown how a SCA can compromise your Active Directory security.
In the PortSmash exploit, the SCA observes the timing leakage of two programs running at the same time on a single core (simultaneous multithreading) in order to extract the OpenSSL key used for private over-the-internet communications.
To use our previous example, Company A’s website (that’s hosted in the public cloud along with Hank the Hacker’s VM) employs single sign-on that uses Active Directory, the stolen decryption keys would expose the AD credentials being passed over the internet.
This scenario of PortSmash is probably the biggest vulnerability for Active Directory because, unfortunately, there are a lot of systems out there that are using so-called “basic” authentication protected only by OpenSSL. Other systems than Web Servers could be compromised here, but this is the lowest hanging fruit.
In another scenario, Company B has their domain controller located in the same public cloud and on the same physical machine as Hank the Hacker’s VM (or the DC is located in a VM where Hank has access as a VM admin on the physical machine). With a SCA, the decryption key could be leaked through timing observation and give HAnk access to the DC.
Once Hank gets his hands on AD credentials, he’s in like FLynn and can move laterally or elevate his privileges to access your data as an insider.
So when you read about side-channel attacks, or any security attack, the point always comes down to two motives: steal information or disrupt operations. SCA is one of many ways in which an attacker can get his hands on your AD and thus begin exfiltrating data or trashing your system.
How to protect your Active Directory from side-channel attacks
There are certainly things to mitigate side-channel attacks like emitting a channel noise to deter acoustic cryptanalysis or power line conditioning, but in the case of the public cloud, you don’t have access to put in those countermeasures.
There are a few things you can do:
- First, move away from basic username/password authentication and use two-factor authentication for an added layer of security the attacker can’t access.
- Employ federated authentication from another source such as Azure AD, instead of connecting directly to your valuable internal AD.
- Monitor Active Directory security with advanced threat detection based on artificial intelligence that can learn the normal behavior of users and systems on its own. This way you eliminate false positives and zero in on the suspicious actions.
- Monitor vSphere and Hyper-V for VM action for suspicious activities as well as Azure activity logs to monitor operations taken on the resources in your subscription.