A team of cybersecurity researchers has demonstrated a technique to hijack Intel SGX, a hardware-isolated trusted space on modern Intel CPUs that encrypts extremely sensitive data to protect it from attackers even when the rest of the system is compromised.
The attack, which has been dubbed Plundervolt and is tracked as CVE-2019-11157, depends on the fact that modern processors allow their frequency and voltage to be adjusted when required. The researchers say this can be manipulated in a controlled way to induce errors in memory by flipping bits.
Bit flipping is a phenomenon known from the Rowhammer attack, in which attackers hijack vulnerable memory cells by changing their value from 1 to 0, or vice versa, by tweaking the electrical charge of neighboring memory cells.
Since Software Guard Extensions (SGX) enclave memory is encrypted, the Plundervolt attack applies the same idea of flipping bits by injecting faults inside the CPU before values are written to memory.
Plundervolt resembles speculative execution attacks like Foreshadow and Spectre, but those attacks target the confidentiality of SGX enclave memory by allowing attackers to read data from the secured enclave, whereas Plundervolt attacks the integrity of SGX to reach the same goal.
Plundervolt builds on another technique called CLKSCREW, an attack vector that exploits the energy management of a CPU to breach hardware security mechanisms and take control of a targeted system.
The researchers said: “We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks.”
The researchers’ demonstration is shown below.
By subtly increasing or decreasing the voltage delivered to a targeted CPU, an attacker can trigger computational faults in the encryption algorithms used by SGX enclaves, allowing attackers to easily decrypt SGX data.
The effectiveness of the attack was demonstrated by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave; the researchers reconstructed full cryptographic keys with negligible computational effort.
Given a pair of correct and faulty ciphertexts for the same plaintext, the attack is able to recover the full 128-bit AES key with a computational complexity of only 2^32 + 256 encryptions on average. When the researchers performed the attack, it took only a couple of minutes to extract the full AES key from the enclave, including both the fault injection and the key computation phases.
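The reason a single faulted RSA-CRT signature is so damaging is that the faulty output itself leaks the private key, which is why fault-hardened crypto code never releases a result it has not checked. The toy Python example below (added here; it is not code from the researchers or from Intel) simulates one flipped bit in the mod-p half of an RSA-CRT signature, as an undervolting glitch would produce, and shows the classic countermeasure: re-verify the signature with the public key before returning it. The key is constructed with deliberately small primes so the demo runs instantly.

```python
# Constructed toy RSA-CRT key: tiny primes for speed, NOT a secure key.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
QINV = pow(Q, -1, P)                    # Garner's recombination constant


class FaultDetected(Exception):
    """Raised when the computed signature fails its public-key self-check."""


def rsa_crt_sign(m: int, fault_sp: bool = False) -> int:
    """Plain RSA-CRT signing. With fault_sp=True, one bit of the mod-p
    intermediate is flipped to simulate a hardware fault in that half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_sp:
        sp ^= 1                         # simulated single-bit fault
    h = (QINV * (sp - sq)) % P
    return sq + h * Q                   # Garner recombination, result in [0, N)


def hardened_sign(m: int, fault_sp: bool = False) -> int:
    """Countermeasure: verify the signature with the public key (E, N) before
    releasing it. A faulted half fails the check and the result is withheld,
    so an attacker never obtains the faulty value they would need."""
    s = rsa_crt_sign(m, fault_sp)
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed self-check; result withheld")
    return s


def try_sign(m: int, fault_sp: bool = False):
    """Convenience wrapper: returns the signature, or None if a fault was caught."""
    try:
        return hardened_sign(m, fault_sp)
    except FaultDetected:
        return None


if __name__ == "__main__":
    msg = 123456789
    print("correct signature:", try_sign(msg))
    print("faulted signature :", try_sign(msg, fault_sp=True))   # None
```

The same principle (compute, then check against an independent reference before output) is what redundant-encryption checks do for AES, and it is the software-level defense that applies regardless of whether the fault comes from voltage, clock or a laser.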
The Plundervolt attack, which affects all SGX-enabled Intel Core processors starting with the Skylake generation, was discovered and privately reported to Intel in June 2019 by a team of six European researchers from the University of Birmingham, Graz University of Technology, and KU Leuven.
In response to the researchers’ findings, Intel yesterday released microcode and BIOS updates that address Plundervolt by locking voltage to the default settings, along with fixes for 13 other high- and medium-severity vulnerabilities.
In a blog post, Intel stated that it is not aware of any of these issues being used in the wild, but it still recommends installing the security updates as soon as possible.
The CPU models affected by the Plundervolt attack are:
- Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
- Intel Xeon Processor E3 v5 & v6
- Intel Xeon Processor E-2100 & E-2200 Families
The complete list of affected products can be found in Intel’s security advisory INTEL-SA-00289.
The research team released a proof-of-concept (PoC) on GitHub, along with a dedicated website with FAQs and a detailed technical paper titled “Plundervolt: Software-based Fault Injection Attacks against Intel SGX”. Those who want more details about the attack can consult them.