A group of security researchers (Kit Murdock, David Oswald, Flavio D Garcia (The University of Birmingham), Jo Van Bulck, Frank Piessens (
Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.
Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.
The Plundervolt issue, tracked as CVE-2019-11157, is related to the fact that modern processors allow frequency and voltage to be adjusted when needed. An attacker could modify the voltage in a controlled way to induce errors in the memory by flipping bits and trigger the condition for the Rowhammer attack.
The Plundervolt attack leverages bit flipping by injecting faults in the CPU before they are written to the memory.
“We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt.” reads the paper published the experts.
“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,”
The experts published PoC videos that show how to carry out the attack by increasing or decreasing the voltage delivered to a targeted CPU. This technique allows an attacker to trigger computational faults in the encryption algorithms used by SGX enclaves, making it possible to decrypt SGX data.
The experts also released a proof-of-concept (PoC) on GitHub.
“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”
The Plundervolt attack works against all SGX-enabled Intel Core processors starting with the Skylake generation. Intel acknowledged the issue and released microcode and BIOS updates to address the Plundervolt flaw and tens of other high and medium severity vulnerabilities. The mitigation consists of locking voltage to the default settings.
“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.” reads the post published by Intel.
“We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”
Below the list of CPU models affected by the Plundervolt issue:
(SecurityAffairs – Plundervolt, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.