Intel’s SGX coughs up crypto keys when scientists adjust CPU voltage

To counter the growing sophistication of computer attacks, Intel and other chip makers have built digital vaults into CPUs that segregate sensitive computations and secrets from the main engine the rest of the system uses. Now researchers have devised an attack that causes Software Guard Extensions, Intel's implementation of this secure CPU environment, to reveal cryptographic keys and potentially to cause exploitable memory errors.

Plundervolt, as the attack is dubbed, starts with the assumption that an attacker can run privileged software on the targeted computer. While that is a high bar, it is precisely the scenario SGX is designed to protect against. The chip maker bills SGX as a private region that uses hardware-based memory encryption to isolate sensitive computations and data from malicious processes running at high privilege levels. Intel even says that "Only Intel SGX offers such a detailed level of control and protection."

But it appears that subtle fluctuations in the voltage supplied to the CPU can disrupt normal operation inside SGX. By slightly raising or lowering the voltage supplied to a CPU, operations known as "overvolting" and "undervolting", a team of researchers has found how to induce faults inside SGX that leak cryptographic keys, break integrity guarantees and potentially cause memory errors that can be used in other kinds of attacks.

Surgical strikes

The breakthrough that led to these attacks was the researchers' use of earlier work on the undocumented model-specific registers in x86 processors to abuse the dynamic voltage scaling interface that controls how much voltage the CPU receives. Also remarkable is the precision with which the voltage can be controlled, in a way that induces specific kinds of faults rather than a crash.

In a paper published on Tuesday, the scientists wrote:

In this paper we present Plundervolt, a novel attack on Intel SGX that reliably corrupts enclave computations by abusing privileged dynamic-voltage-scaling interfaces. Our work builds on reverse-engineering efforts that revealed which Model-Specific Registers (MSRs) are used to control dynamic voltage scaling from software [64, 57, 49]. The respective MSRs exist on all Intel Core processors. Using this interface to very briefly reduce the CPU voltage during a computation in a victim's SGX enclave, we show that a privileged adversary can inject faults into protected enclave computations. Crucially, since the faults occur within the processor package, i.e. before the results are committed to memory, Intel SGX's memory integrity protection does not defend against our attacks. To the best of our knowledge, we are the first to practically demonstrate an attack that directly violates SGX's integrity guarantees. In summary, our main contributions are:

1) We present Plundervolt, a novel software-based fault attack on Intel Core x86 processors. For the first time, we bypass Intel SGX's integrity guarantees by directly injecting faults within the processor package.

2) We demonstrate the effectiveness of our attacks by injecting faults into Intel's RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational effort.

3) We explore the use of Plundervolt to induce memory safety vulnerabilities into bug-free enclave code. Through various case studies, we show how in-enclave pointers can be redirected into untrusted memory and how Plundervolt can cause heap overflows in widespread SGX runtimes.

4) Finally, we discuss countermeasures and why fully mitigating Plundervolt may be challenging in practice.
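The key-recovery step behind contribution 2 and the software-level check relevant to contribution 4, as an added worked example that is not code from the Plundervolt paper or from Intel: a Python 3.8+ script that builds a toy RSA-CRT key, simulates a single-bit fault in one half of the CRT signature in place of the undervolting glitch, recovers a prime factor (and from it the private exponent) from that one faulty signature with the classic Bellcore gcd trick, and shows a verify-before-release countermeasure that refuses to emit a signature which fails verification under the public key. The key size, the fault model (one bit flip in the p- or q-half, which is an assumption and not the paper's exact fault location) and the message are constructed here for the demo.

```python
"""Added example: why a single corrupted RSA-CRT signature leaks the whole
private key (Bellcore attack), plus the verify-before-release check.
Toy key sizes and a simulated bit-flip fault; not the paper's own code."""
from math import gcd
import random


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin primality test (probabilistic; fine for a demo key)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd prime with the top bit set, so n has exactly the intended size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits, rng, e=65537):
    """Toy RSA key with the CRT parameters a real implementation precomputes."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return {"n": p * q, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def sign_crt(m, key, fault=None):
    """RSA-CRT signing. fault='p' or 'q' flips one bit of that half-exponentiation,
    standing in for a glitch injected while the enclave is computing it."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault == "p":
        sp ^= 1
    elif fault == "q":
        sq ^= 1
    h = (key["qinv"] * (sp - sq)) % key["p"]   # Garner recombination
    return sq + key["q"] * h


def recover_factor(m, s_faulty, e, n):
    """Bellcore attack: a signature correct modulo one prime but wrong modulo
    the other gives s^e - m == 0 only modulo the intact prime, so the gcd
    with n is that prime. Returns n itself if the signature was not faulty."""
    return gcd((pow(s_faulty, e, n) - m) % n, n)


def sign_crt_checked(m, key, fault=None):
    """Verify-before-release: never hand out a signature that does not check
    under the public key. A faulty value is swallowed instead of leaked."""
    s = sign_crt(m, key, fault)
    return s if pow(s, key["e"], key["n"]) == m else None


def demo(seed=1, bits=256, fault="p"):
    """Run the whole attack on a freshly generated toy key; returns a summary."""
    rng = random.Random(seed)
    key = rsa_keygen(bits, rng)
    m = rng.randrange(2, key["n"] - 1)           # constructed message
    s_ok = sign_crt(m, key)
    s_bad = sign_crt(m, key, fault=fault)
    factor = recover_factor(m, s_bad, key["e"], key["n"])
    which = "q" if factor == key["q"] else "p" if factor == key["p"] else None
    d = None
    if which:  # one prime known: the full private exponent follows at once
        other = key["n"] // factor
        d = pow(key["e"], -1, (factor - 1) * (other - 1))
    return {
        "good_sig_verifies": pow(s_ok, key["e"], key["n"]) == m,
        "bad_sig_verifies": pow(s_bad, key["e"], key["n"]) == m,
        "leaked_prime": which,
        "private_exponent_recovered":
            d is not None and pow(pow(m, d, key["n"]), key["e"], key["n"]) == m,
        "checked_signer_refuses": sign_crt_checked(m, key, fault=fault) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The recovery needs only the public key, the message and one bad signature; no brute force is involved, which is what "negligible computational effort" means in practice. The check in `sign_crt_checked` is a software mitigation for this one attack pattern; it does nothing for faults that land elsewhere, such as the pointer arithmetic cases in contribution 3, which is part of why the authors say complete mitigation is hard.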

The researchers privately reported the vulnerability to Intel ahead of Tuesday's publication. In response, Intel has released microcode and BIOS updates that mitigate the attack by locking the voltage to the default settings. Users of Intel Core processors from Skylake onward, and of some Xeon E-based platforms, should install the INTEL-SA-00289 update as soon as it is available from their computer manufacturers. The vulnerability is tracked as CVE-2019-11157.
