Hyperthreading Attack
A hyperthreading attack is a side-channel attack where one hardware thread on a hyperthreaded core extracts secrets from another thread running on the same core by observing shared execution hardware: cache accesses, functional unit contention, and operation timings.
Why?
Under SMT, two threads share the same execution core: same cache, same functional units, same branch predictor. That shared state is visible from inside the core in a way that cross-core threads can’t see. If a victim thread is running crypto on one hyperthread, an attacker on the sibling hyperthread can watch the shared state well enough to reconstruct the secret key. It turns a performance feature (SMT) into a confidentiality bug.
Mechanism. From L07: “a thread can figure out what the other thread is doing by noticing its cache accesses and by timing how long it takes to complete operations.”
Zarnett’s analogy:
“Like sitting next to someone who’s taking a multiple choice exam and noticing what answers they are choosing by how long it takes them to move their pencil down the page to fill in the correct circle.”
The attacker doesn’t read the victim’s memory directly; they watch timing patterns that depend on what the victim is doing, and reconstruct the secret from those patterns.
Practical demonstration. Aldaya et al., “Port Contention for Fun and Profit” (2018) [ABuH+18] showed a working exploit that extracts a 384-bit secret key from a co-tenant process over time, purely via port-contention timing. Paper: https://eprint.iacr.org/2018/1060
Mitigations (per L07):
- Short term: OS patches that prevent threads from different processes from being co-scheduled on the same core. Slower because you lose hyperthreading benefits across process boundaries.
- Long term: possibly turn off hyperthreading entirely. Performance cost is significant (SMT typically gives 15–30% throughput for free), but it’s the only way to fully close the channel.
Prerequisite for the attack: attacker must be running on the same physical core as the victim. That’s a meaningful barrier in practice, but realistic on shared cloud hosts.
From ECE459 L07.