Remote hackers can modify CPU voltage to steal secrets from Intel SGX enclaves
- 11 December, 2019 08:44
An undocumented feature in Intel CPUs allows attackers to manipulate the voltage of Intel CPUs to trigger computational faults in a controlled manner.
This can be used to defeat the security guarantees of the Intel SGX trusted execution environment, which is meant to protect cryptographic secrets and to isolate sensitive code execution in memory.
The Intel Software Guard Extensions (SGX) is a technology present in modern Intel CPUs that allow users to set up so-called enclaves where the CPU encrypts part of the memory and doesn’t allow any programs except those running inside the enclave to access it.
Like most trusted execution environments, Intel SGX is a solution designed to protect data while in use in a program’s memory even if attackers gain privileged access to the operating system, or the hypervisor in the case of virtualised environments.
It is particularly useful for protecting cryptographic operations and keys on public cloud infrastructure. For example, it’s one of the core components powering Microsoft Azure’s Confidential Computing offerings.
A team of academic researchers from the University of Birmingham in the UK, Graz University of Technology in Austria and KU Leuven in Belgium, developed a new fault injection attack dubbed Plundervolt that can compromise Intel SGX secrets, as well as potentially to trigger memory safety errors in programs that don’t have such bugs in their code.
Fault injection via CPU voltage scaling
Fault injection attacks are not new. They involve manipulating the normal operating conditions of a system to discover unexpected errors.
In the field of cryptanalysis, such attacks have been used as a side channel to infer information about the internal state of cryptographic systems and to recover cryptographic keys by manipulating the CPU’s supply voltage, internal clock and other environmental conditions. The technique is known as differential fault analysis.
Plundervolt is similar in that regard, but instead of using physical manipulation, it exploits a dynamic voltage scaling feature that Intel CPUs already have and that can be triggered from software through a special Model Specific Register (MSR).
This undocumented software interface is present because modern CPUs automatically adjust their operating frequency, and therefore supply voltage, depending on workload to limit power consumption and heating.
“Using this interface to very briefly decrease the CPU voltage during a computation in a victim SGX enclave, we show that a privileged adversary is able to inject faults into protected enclave computations,” the researchers wrote in their paper, which was shared with CSO.
“Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks. To the best of our knowledge, we are the first to practically showcase an attack that directly breaches SGX’s integrity guarantees.”
Plundervolt affects all SGX-enabled Intel Core processors starting with the Skylake generation. Previous generations of Intel Core processors also have the under-voltage interface, but it does not pose a threat outside of the SGX context.
To access the voltage scaling MSR, attackers need root privilege on the operating system. However, SGX was built specifically to guarantee the confidentiality and integrity of enclave code execution and memory even in the case of such compromises.
Since physical access is not required to manipulate the voltage, the attacks can be executed remotely if the attacker gains privileged code execution on a system.
“Software-based fault attacks shift the threat model from a local attacker (with physical access to the target device) to a potentially remote attacker with only local code execution,” the researchers said.
“Initially, these attacks were interesting in scenarios where the attacker is unprivileged or even sandboxed. However, with secure execution technologies, such as Intel SGX, ARM TrustZone and AMD SEV, privileged attackers must also be considered as they are part of the corresponding threat models.”
The researchers demonstrated that they can use this attack to extract full keys from Intel’s RSA-CRT and AES-NI -- hardware-accelerated AES -- implementations when running in SGX enclaves. Moreover, this was achieved in a couple minutes with negligible computational effort.
Memory safety errors
The extraction of cryptographic keys from Intel SGX has been achieved before, for example through the Foreshadow CPU side-channel vulnerability. However, Plundervolt can also be used to violate the memory integrity guarantees of the SGX enclaves by artificially introducing memory safety vulnerabilities into seemingly bug-free code.
In other words, even if developers do everything right and ensure their code does not have any vulnerabilities, attackers can use this technique to inject such errors in the code while it’s being executed inside an enclave.
“To the best of our knowledge, we are the first to explore the memory safety implications of faulty multiplications in compiler-generated code,” the researchers said.
“Compared to prior work that demonstrated frequency scaling fault injection attacks against ARM TrustZone cryptographic implementations, we show that undervolting is not exclusively a concern for cryptographic algorithms.”
Mitigation and response
The researchers proposed several possible countermeasures in their paper, both at the hardware and microcode level and the software level through the use of fault-resistant cryptographic primitives, as well as application and compiler hardening. However, many of them have various downsides, including a potential performance impact.
The vulnerability was first reported to Intel in June, but it was also independently discovered by other teams of academic researchers who reported it in August.
The company rates the issue as high severity -- 7.9 on the CVSS scale -- and tracks it as CVE-2019-11157. It has worked with partners to release BIOS updates to address it.
According to the researchers, Intel’s patch consists of disabling access to the particular voltage scaling interface -- MSR -- identified in the paper. However, they note that additional avenues for fault injection might exist through other power or clock management features that have yet to be identified.
"All of the issues publicly announced today have been addressed with the latest versions of Intel's microcode, which is available either through a Red Hat Security Advisory (RHSA) that was released today or directly from Intel,” Christopher Robinson, program manager for product security assurance at Red Hat tells CSO.
“Red Hat does not currently implement SGX, so our customers are not impacted by any of the SGX-related attacks. Like any vulnerability, Red Hat Product Security advises system administrators to evaluate the particular risks and exposures within their own environments, and they are strongly encouraged to deploy the latest security updates to correct known vulnerabilities as soon as possible.”
Microsoft did not immediately respond to a request for comment.