VoltPillager attack compromises Intel SGX

A group of researchers from the University of Birmingham have demonstrated the VoltPillager attack, which can violate the confidentiality and integrity of data in Intel SGX enclaves. To implement this, the researchers learned to manipulate the processor core voltage.

Let me remind you that with the release of the Skylake architecture, Intel introduced a technology called SGX (Software Guard Extensions).

SGX is a set of CPU instructions through which an application can create protected regions (enclaves) in its own address space, inside which confidential data and code can be kept under hardware-backed protection.

SGX enclaves are usually isolated at the hardware level (SGX memory is separated from the rest of the CPU memory) and at the software level (SGX data is encrypted). The developers themselves describe this technology as a kind of “inverse sandbox”.

A year ago, several members of the University of Birmingham research team participated in the development of a similar attack, Plundervolt (CVE-2019-11157).

“Plundervolt abuses the interface through which the operating system can control the voltage and frequency of the processor. The same interface is used by gamers when overclocking,” say the researchers.

In fact, a year ago the researchers showed that by adjusting the voltage and frequency of the processor they could flip bits inside SGX computations, producing faults that can be exploited once the affected data has left the protected enclave. As a result, the Plundervolt attack could be used to recover encryption keys or to introduce exploitable bugs into previously trusted software.

Following the disclosure of Plundervolt in December 2019, Intel has addressed the vulnerability by disabling the ability to reduce CPU voltage through microcode and BIOS updates.

Now the researchers say that they have managed to carry out a very similar hardware attack on SGX while spending only $36 on equipment. The team plans to give a detailed presentation of VoltPillager next year at the USENIX Security 2021 conference, and has so far published a paper describing the research.

VoltPillager works even on systems that have received the CVE-2019-11157 vulnerability patch. The essence of the attack is to inject messages into the Serial Voltage Identification (SVID) bus, between the CPU and the voltage regulator, in order to control the voltage in the CPU core.

Fortunately, VoltPillager is not a remote attack. To carry it out, an attacker needs physical access to the server, must open the case and must connect special equipment. However, the researchers point out that the whole purpose of SGX is to protect confidential data, including from untrustworthy administrators. For example, if the servers are located in someone else’s data center or at a cloud provider, local personnel who can gain physical access to the machine could compromise the Intel processor and its SGX protection.

“This attack is especially relevant due to the fact that you can often encounter claims that SGX protects against malicious insiders or cloud providers. We demonstrate that this is not so. That is, physical attacks on SGX are possible and very cheap (about $30). In addition, unlike previous attacks on SGX, the problems we found are not easy to fix (for example, using only microcode),” write the experts.

The team’s paper states that, as a defense against VoltPillager, cryptographic authentication could be applied to SVID messages, or the CPU could monitor the SVID bus for malicious packets. However, the researchers believe that neither of these measures would be fully effective, and that only changes to the hardware itself can significantly change the situation.

However, it seems that Intel representatives are not too worried about the researchers’ findings, and patches should not be expected. The researchers notified Intel of their discovery back in March this year, but the company replied that “opening the case and tampering with internal hardware to compromise SGX is not part of the SGX risk model. The patches for vulnerability CVE-2019-11157 (Plundervolt) are not designed to protect against hardware attacks.”

Intel representatives gave a similar comment this week to The Register:

“Attack techniques that require physically opening the case, including removing screws or damaging plastic fasteners, in order to gain access to the internal hardware of a device, are usually not considered a vulnerability. We traditionally recommend that users keep systems up to date and physically control devices,” said Intel representatives.

Let me also remind you that Intel processors need hardware fixes because of the new LVI attack.

By Vladimir Krasnogolovy
