ÆPIC Leak affects recent Intel CPUs based on Ice Lake, Alder Lake, and Ice Lake SP, and it does not require hyperthreading to be enabled.
“A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to address this potential vulnerability.” reads the advisory published by Intel.
“Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.”
The flaw was discovered by researchers from the Sapienza University of Rome, the Graz University of Technology, Amazon Web Services, and the CISPA Helmholtz Center for Information Security.
Unlike Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data is disclosed directly, without relying on a side-channel attack.
“ÆPIC Leak is like an uninitialized memory read in the CPU itself.” reads the description published by the researchers. “A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.”
“The scan of the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not properly initialized. As a result, architecturally reading these registers returns stale data from the microarchitecture.” reads the research paper. “As the I/O address space is only accessible to privileged software, ÆPIC Leak targets Intel’s TEE, SGX. ÆPIC Leak can leak data from SGX enclaves that run on the same physical core. While ÆPIC Leak would represent an immense threat in virtualized environments, hypervisors typically do not expose the local APIC registers to virtual machines, eliminating the threat in cloud-based scenarios.”
The experts tested ÆPIC Leak against 100 different random AES keys, attempting to leak each key with a single run of the attack. Full key recovery took 1.35 s on average (n = 100, σ = 15.70%) with a success rate of 94%.
The flaw enables an attacker able to execute privileged native code on the target machine to extract private keys and, worse, to defeat attestation, a cornerstone of the security primitives SGX uses to ensure the integrity of code and data.
“We show attacks that allow leaking data held in memory and registers. We demonstrate how ÆPIC Leak completely breaks the guarantees provided by SGX, deterministically leaking AES secret keys, RSA private keys, and extracting the SGX sealing key for remote attestation.” concludes the paper.
The researchers also propose several firmware and software mitigations that would either keep sensitive data out of ÆPIC Leak's reach or prevent the leak entirely.
Intel has already released firmware updates to address the flaw.
The experts published a video demo to show how an attacker can disclose data from a protected SGX enclave.
The news comes as another team of researchers demonstrated what they describe as the first side-channel attack on scheduler queues (CVE-2021-46778), affecting AMD Zen 1, Zen 2, and Zen 3 microarchitectures, which could be abused by an adversary to recover RSA keys.
The attack, codenamed SQUIP (short for Scheduler Queue Usage via Interference Probing), entails measuring the contention level on scheduler queues to potentially glean sensitive information.
No security updates have been released to address the attack, but the chipmaker has recommended that “software developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate.”
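To make AMD's recommendation concrete, the following is an added example (written for this page, not code from the SQUIP paper, AMD, or any affected library). It contrasts a square-and-multiply modular exponentiation that issues a multiplication only when the secret exponent bit is 1 (the kind of secret-dependent control flow the guidance warns about, since the attacker observes how busy the multiplier's scheduler queue is) with a Montgomery ladder that performs the same multiplier work on every iteration and selects operands with a mask instead of a branch. The `g_muls` counter is demo instrumentation standing in for the contention signal; it is not a reproduction of the attack. The code assumes a 64-bit gcc/clang toolchain for `unsigned __int128`.

```c
#include <stdint.h>
#include <stdio.h>

/* Demo instrumentation: counts multiplier invocations so the reader can see
 * whether the amount of multiplier work depends on the secret exponent. */
static uint64_t g_muls;

/* 64-bit modular multiplication via a 128-bit intermediate (gcc/clang). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    g_muls++;
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Leaky variant: the multiply by `base` is only issued when the exponent bit
 * is 1, so multiplier usage per iteration reveals the bit. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1 % mod;
    base %= mod;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, mod);
        if ((exp >> i) & 1)                 /* secret-dependent branch */
            result = mulmod(result, base, mod);
    }
    return result;
}

/* Branch-free conditional swap: swaps *a and *b iff bit == 1, via a mask. */
static void ct_swap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* all ones iff bit == 1 */
    uint64_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: invariant r1 == r0 * base. Every iteration performs
 * exactly one squaring and one multiplication regardless of the exponent
 * bit; the bit only steers operands through ct_swap, never through a branch. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t r0 = 1 % mod;
    uint64_t r1 = base % mod;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, mod);
        r0 = mulmod(r0, r0, mod);
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

/* Runs fn and returns how many multiplier invocations it needed. */
uint64_t count_muls(uint64_t (*fn)(uint64_t, uint64_t, uint64_t),
                    uint64_t base, uint64_t exp, uint64_t mod) {
    g_muls = 0;
    (void)fn(base, exp, mod);
    return g_muls;
}

int main(void) {
    /* Constructed inputs: a small textbook case and a 64-bit prime modulus
     * (2^64 - 59) checked with Fermat's little theorem. */
    const uint64_t p = 0xFFFFFFFFFFFFFFC5ULL;
    printf("4^13 mod 497: leaky=%llu ladder=%llu\n",
           (unsigned long long)modexp_leaky(4, 13, 497),
           (unsigned long long)modexp_ladder(4, 13, 497));
    printf("3^(p-1) mod p: leaky=%llu ladder=%llu\n",
           (unsigned long long)modexp_leaky(3, p - 1, p),
           (unsigned long long)modexp_ladder(3, p - 1, p));
    /* Multiplier work: leaky = 64 + popcount(exp), ladder = 128 always. */
    printf("muls for exp=13:     leaky=%llu ladder=%llu\n",
           (unsigned long long)count_muls(modexp_leaky, 4, 13, 497),
           (unsigned long long)count_muls(modexp_ladder, 4, 13, 497));
    printf("muls for exp=0xFFFF: leaky=%llu ladder=%llu\n",
           (unsigned long long)count_muls(modexp_leaky, 4, 0xFFFF, 497),
           (unsigned long long)count_muls(modexp_ladder, 4, 0xFFFF, 497));
    return 0;
}
```

The leaky version's multiplier count equals 64 squarings plus the Hamming weight of the exponent, so an observer who can measure multiplier contention learns the key bits; the ladder always costs 128 multiplications. Note that mask-based selection is only constant time as long as the compiler does not turn it back into a branch, so a real implementation should be checked at the assembly level with the optimisation flags actually used in production.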