PlunderVolt attack hijacks Intel SGX Enclaves by tweaking CPU Voltage

Pierluigi Paganini December 11, 2019

A team of researchers devised a new attack technique, dubbed PlunderVolt, to hijack Intel SGX enclave by tweaking CPU voltage.

A group of security researchers (Kit Murdock, David Oswald, Flavio D Garcia (The University of Birmingham), Jo Van Bulck, Frank Piessens (imec-DistriNet, KU Leuven), Daniel Gruss (Graz University of Technology)) demonstrated a new attack technique, dubbed PlunderVolt, to hijack the Intel SGX enclave by tweaking .

Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.

Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.

The Plundervolt issue, tracked as CVE-2019-11157, is related to the fact that modern processors allow frequency and voltage to be adjusted when needed. An attacker could modify the voltage in a controlled way to induce errors in the memory by flipping bits and trigger the condition for the Rowhammer attack.

PlunderVolt

Rowhammer is classified as a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows, this means that theoretically, an attacker can change any value of the bit in the memory.

The Plundervolt attack leverages bit flipping by injecting faults in the CPU before they are written to the memory.

Plundervolt leverages a technique called CLKSCREW that exploits energy management of CPU to breach hardware security and take control over a targeted system.

“We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt.” reads the paper published the experts.

“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,”

The experts published PoC videos that show how to carry out the attack by increasing or decreasing the voltage delivered to a targeted CPU. This technique allows an attacker to trigger computational faults in the encryption algorithms used by SGX enclaves, making it possible to decrypt SGX data.

The experts also released a proof-of-concept (PoC) on GitHub.

“For the first time, we bypass Intel SGX’s integrity guarantees by directly injecting faults within the processor package.” continues the paper. “We demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts,” the researchers said.

“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”

The Plundervolt attack works against all SGX-enabled Intel Core processors starting with the Skylake generation. Intel acknowledged the issue and released microcode and BIOS updates to address the Plundervolt flaw and tens of other high and medium severity vulnerabilities. The mitigation consists of locking voltage to the default settings.

“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.” reads the post published by Intel.

“We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Below the list of CPU models affected by the Plundervolt issue:

  • Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
  • Intel Xeon Processor E3 v5 & v6
  • Intel Xeon Processor E-2100 & E-2200 Families
  • For the full list of affected products, you can head on to Intel’s security advisory INTEL-SA-00289.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Plundervolt, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment