A group of security researchers (Kit Murdock, David Oswald, Flavio D Garcia (The University of Birmingham), Jo Van Bulck, Frank Piessens (
Intel Software Guard eXtensions (SGX) is a technology for application developers that allows protecting select code and data from disclosure or modification. The Intel SGX allows application code executing within an Intel SGX enclave, which are protected areas of execution in memory.
Enclaves are designed to be protected from processes running at higher privilege levels, including the operating system, kernel, BIOS, SMM, hypervisor.
The Plundervolt issue, tracked as CVE-2019-11157, is related to the fact that modern processors allow frequency and voltage to be adjusted when needed. An attacker could modify the voltage in a controlled way to induce errors in the memory by flipping bits and trigger the condition for the Rowhammer attack.
The Plundervolt attack leverages bit flipping by injecting faults in the CPU before they are written to the memory.
“We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt.” reads the paper published the experts.
“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,”
The experts published PoC videos that show how to carry out the attack by increasing or decreasing the voltage delivered to a targeted CPU. This technique allows an attacker to trigger computational faults in the encryption algorithms used by SGX enclaves, making it possible to decrypt SGX data.
The experts also released a proof-of-concept (PoC) on GitHub.
“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”
The Plundervolt attack works against all SGX-enabled Intel Core processors starting with the Skylake generation. Intel acknowledged the issue and released microcode and BIOS updates to address the Plundervolt flaw and tens of other high and medium severity vulnerabilities. The mitigation consists of locking voltage to the default settings.
“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.” reads the post published by Intel.
“We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”
Below the list of CPU models affected by the Plundervolt issue:
(SecurityAffairs – Plundervolt, hacking)