Researchers have devised a new attack against Intel CPUs that can leak sensitive secrets stored in SGX secure enclaves and, at least in theory, from privileged processes across security boundaries such as kernel space, virtual machines and hypervisors.
Dubbed Load Value Injection (LVI), the new attack is based on techniques used in other CPU vulnerabilities such as Spectre, Meltdown and Microarchitectural Data Sampling (MDS), but is different, more importantly, in that it bypasses the mitigations put in place for those flaws.
"Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory," a team of researchers from KU Leuven, Worcester Polytechnic Institute, Graz University of Technology and the University of Michigan, said on a website dedicated to the new exploit.
"Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations up to 19 times."
The team of academic researchers reported the attack to Intel in April 2019, almost a year ago. The issue has been under embargo at Intel's request since then, so the company could develop mitigations.
In February, researchers from security firm Bitdefender also independently discovered and reported to Intel one of the LVI variants known as Load Value Injection in the Line Fill Buffers (LVI-LFB).
How does the LVI vulnerability work?
Like Meltdown and Spectre, LVI exploits transient or speculative execution in modern CPUs. This is a performance-enhancing feature where the CPU computes instructions in advance of finishing the current one by predicting its possible results. The goal is to save time and, if the prediction is wrong, the results of the instructions executed in advance are discarded.
However, these speculative executions might leave traces in the CPU's internal caches or buffers, which can then be used as side channels by attackers to reconstruct sensitive data.
Having remnants of speculative execution in caches and buffers wouldn't be too bad if attackers had no control over what's being executed, but vulnerabilities like Spectre and Meltdown can be used to influence the branch prediction in a way that would generate data of interest to the attackers. LVI turns that attack on its head.
"Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: We smuggle — 'inject' — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords," the researchers said.
The attackers begin by poisoning a hidden processor buffer with chosen values and then induce "faults" or "assisted loads" in the victim program so the rogue values are loaded from the buffer by code gadgets -- sequences of instructions -- already loaded by the victim program in its memory.
The execution of the gadget with the rogue values leaves secret-dependent traces that attackers can obtain through known side channels before the CPU detects the mistake and rolls back the operation.
SGX is a trusted execution environment present in modern Intel CPUs that's supposed to provide confidentiality and integrity for cryptographic operations even when the OS is fully compromised.
An application that uses an SGX enclave will perform encryption operations inside memory pages that are only readable by the enclave, not the host OS, and will then return the result. This means the encryption key is never exposed in the OS memory.
With LVI, attackers can, for example, flood the CPU's buffer with zeroes and force the SGX to use zero as the key for an AES encryption round and then capture the produced ciphertext through a side channel. AES encryption is performed in rounds with the output of every round being tied to the next.
Knowing the round keys and the produced ciphertext can help an attacker recover the master key. The researchers published a video demonstrating such an attack.
What is the impact of the LVI vulnerability?
The LVI attack relies on being able to trigger faults or assisted loads in a target process and on finding specific exploitable gadgets in the memory of that process.
While this can be done reliably for SGX, it's not as easy for other processes because of various defences that operating systems have put in place for previous attacks and vulnerability. This doesn't mean it's impossible, but it's not proven yet.
"In our current assessment, we believe that LVI is mainly only relevant to Intel SGX enclaves," the researchers said. "However, in the academic paper we showed that none of the ingredients for LVI are unique to Intel SGX and LVI attacks can in principle apply to non-SGX traditional cross-process, cross-virtual-machine, or user-to-kernel environments.
"We did not succeed in finding any practical LVI gadgets that can be realistically exploited, however, and only explored such non-SGX attacks in synthetic scenarios where we inserted our own LVI gadgets."
Bitdefender researchers Andrei Lutas and Dan Lutas, who independently found and reported the LVI-LFB variant, said in their paper that they believe the technique can be used to initiate leaks from kernel space to user space or even across security boundaries like hypervisors.
They, too, developed a synthetic proof-of-concept, meaning they created both the victim and the attacker processes for testing to prove that the victim process will use rogue values placed in the buffer by the attacker process.
However, since they created the victim process and its gadgets to fit their needs, it does not prove exploitation against an application found in the real world.
"Intel is not currently aware of any load value injection-specific universal or non-universal gadget for operating system from application, VMM [Virtual Machine Manager] from VM, between guests in Virtualised environments, between different application and inside an application and is not releasing additional mitigations for these environments," Intel said in its security advisory.
"As a best practice, Intel recommends that users update to the latest operating system and VMM provided by your system vendors."
Intel has released updates to the SGX Platform Software (PSW) and the SGX SDK, which is used by application developers to create SGX enclaves. The company has also published software mitigation techniques for developers and is working with partners to add compiler options to strengthen applications against such attacks.
"Depending on the execution properties of the Intel SGX enclave workload (for example, CPU-bound vs. I/O-bound, cache locality), the performance impact of mitigating all potential Load+Transmit, Load+Load+Transmit, and Load+Branch gadgets will vary depending on workload but may be significant in some cases," the company said in its LVI deep dive documentation.
"If the overhead imposed by mitigating all loads is unacceptable and their particular threat model allows for it, then independent software vendors (ISVs) may also opt to only apply partial mitigations."
While Intel has not released specific performance impact numbers for these mitigations, in tests performed by the team of researchers observed SGX computations slowed down between 2 and 19 times when mitigations were applied.
It's worth keeping in mind that this is a new attack technique, so researchers are just beginning to investigate it. In the two years after Spectre and Meltdown were disclosed, many variations of those vulnerabilities came to light, some of which defeated the initial mitigations.
There's no reason to think LVI will be any different, especially since it has the potential to affect more than just SGX and is much harder and computationally expensive to mitigate than Spectre and Meltdown.