Bleeding Secrets

 


A team of researchers including Ph.D. student Yingchen Wang and professor Hovav Shacham from UT Austin has found that a common feature of modern computer processors can make even carefully written encryption software reveal its secrets when probed by an attacker. The new attack technique, dubbed Hertzbleed, upends decades of guidance for how to write encryption software and prompted widespread patching as developers came to terms with its implications.

The team demonstrated this ability in experimental encryption software that’s not yet widely used, but is now evaluating other, more common pieces of software to assess the potential impact on ordinary computer users. Other software developers, too, began to test their programs. 

To prevent such attacks, programmers writing encryption modules have followed a restrictive rulebook for “constant-time” programming, trying to make sure that each operation on secret information always takes the same amount of time to complete. When processors operated at a fixed speed, that was sufficient to protect the information, but now that they change speed dynamically, that’s no longer the case.
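What the constant-time rule looks like in practice, as an added example that is not part of the original article or the researchers' code: an early-exit comparison whose work depends on the secret, beside a version that always does the same work. The function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data, not taken from the article. */
static const uint8_t SECRET[8]      = {'k','3','y','-','4','2','!','!'};
static const uint8_t GUESS_EARLY[8] = {'X','3','y','-','4','2','!','!'}; /* wrong at byte 0 */
static const uint8_t GUESS_LATE[8]  = {'k','3','y','-','4','2','!','X'}; /* wrong at byte 7 */

/* Early-exit compare: the iteration count depends on the secret. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Rulebook-style compare: always n iterations, no branch on secret data. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 -> 1, otherwise 0, computed without a branch. */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

int main(void)
{
    size_t s;
    leaky_equal(SECRET, GUESS_EARLY, 8, &s); printf("leaky, early miss: %zu steps\n", s);
    leaky_equal(SECRET, GUESS_LATE, 8, &s);  printf("leaky, late miss:  %zu steps\n", s);
    ct_equal(SECRET, GUESS_EARLY, 8, &s);    printf("ct, early miss:    %zu steps\n", s);
    ct_equal(SECRET, GUESS_LATE, 8, &s);     printf("ct, late miss:     %zu steps\n", s);
    /* Equal step counts mean equal work, not equal wall-clock time, once the
     * processor changes its speed dynamically. */
    return 0;
}
```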

“Hertzbleed throws the rulebook for how programmers write constant-time code out the window,” Wang, the Ph.D. student, said. “We look forward to working with the community to rewrite it and help keep users safe.”

 