A team of cybersecurity researchers demonstrated a novel yet another technique to hijack Intel SGX, a hardware-isolated trusted space on modern Intel CPUs that encrypts extremely sensitive data to shield it from attackers even when a system gets compromised.
Dubbed Plundervolt and tracked as CVE-2019-11157, the attack relies on the fact that modern processors allow frequency and voltage to be adjusted when needed, which, according to researchers, can be modified in a controlled way to induce errors in the memory by flipping bits.
Bit flip is a phenomenon widely known for the Rowhammer attack wherein attackers hijack vulnerable memory cells by changing their value from 1 to a 0, or vice versa—all by tweaking the electrical charge of neighboring memory cells.
However, since the Software Guard Extensions (SGX) enclave memory is encrypted, the Plundervolt attack leverages the same idea of flipping bits by injecting faults in the CPU before they are written to the memory.
Plundervolt resembles more with speculative execution attacks like Foreshadow and Spectre, but while Foreshadow and Spectre attack the confidentiality of SGX enclave memory by allowing attackers to read data from the secured enclave, Plundervolt attacks the integrity of SGX to achieve the same.
To achieve this, Plundervolt depends upon a second known technique called CLKSCREW, a previously documented attack vector that exploits energy management of CPU to breach hardware security mechanisms and take control over a targeted system.
“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,” the researchers said.
As demonstrated by the researchers in the videos, by subtly increasing or decreasing the voltage delivered to a targeted CPU, an attacker can trigger computational faults in the encryption algorithms used by SGX enclaves, allowing attackers to easily decrypt SGX data.
“We demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts,” the researchers said.
“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”
Plundervolt attack, which affects all SGX-enabled Intel Core processors starting with the Skylake generation, was discovered and privately reported to Intel in June 2019 by a team of six European researchers from the University of Birmingham, Graz University of Technology, and KU Leuven.
In response to the researchers’ findings, Intel yesterday released microcode and BIOS updates to address Plundervolt by locking voltage to the default settings, along with 13 other high and medium severity vulnerabilities.
“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”
Here’s the list of CPU models affected by the Plundervolt attack:
- Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
- Intel Xeon Processor E3 v5 & v6
- Intel Xeon Processor E-2100 & E-2200 Families
- For the full list of affected products, you can head on to Intel’s security advisory INTEL-SA-00289.
Besides releasing a proof-of-concept (PoC) on GitHub, the team has also released a dedicated website with FAQs and detailed technical paper [PDF] titled, Plundervolt: Software-based Fault Injection Attacks against Intel SGX, that you can check to know in-depth details on the attack.
I don抰 even know how I ended up here, but I thought this post was great. I do not know who you are but certainly you are going to a famous blogger if you aren’t already 😉 Cheers!
A motivating discussion is worth comment. I do believe that you ought to publish more on this subject, it may not be a taboo subject but generally people don’t speak about these topics. To the next! Many thanks!!|
It’s difficult to find educated people on this subject, but you sound like you know what you’re talking about! Thanks|
No matter if some one searches for his required thing, therefore he/she wants to be available that in detail, so that thing
is maintained over here.
Quality articles is the main to be a focus for the people to pay a quick visit the web page,
that’s what this website is providing.
This website definitely has all the info I wanted about this subject and didn’t know
who to ask.
Usually I do not read post on blogs, however I would like
to say that this write-up very compelled me to try and do it!
Your writing taste has been amazed me. Thanks,
quite nice post.
It’s a shame you don’t have a donate button! I’d
certainly donate to this excellent blog! I guess for now i’ll settle for book-marking and adding your RSS feed to my
Google account. I look forward to brand new updates
and will talk about this site with my Facebook group. Talk soon!
A fascinating discussion is worth comment. There’s no doubt that that you need to publish more on this issue,
it might not be a taboo subject but generally folks don’t speak about these topics.
To the next! Many thanks!!
Wow, awesome blog layout! How long have you been blogging
for? you make blogging look easy. The overall look of
your website is wonderful, let alone the content!
Hey There. I found your blog the usage of msn. That is an extremely well written article.
I will make sure to bookmark it and return to read extra of your helpful
info. Thanks for the post. I will certainly comeback.
Quality articles is the key to attract the users to go to see
the website, that’s what this web page is providing.