A research team from the University of Birmingham has developed a new attack that breaks the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves by controlling the voltage of the processor core.
The attack relies on VoltPillager, a low-cost tool that injects Serial Voltage Identification (SVID) messages on the bus between the processor and the motherboard's voltage regulator, and can be used to interfere with security-critical operations.
The open-source hardware device can inject SVID packets, giving the researchers full control over the CPU core voltage and enabling fault-injection attacks.
In a recently published paper, six researchers from the School of Computer Science at the University of Birmingham in the UK show that their attack is more powerful than software-based attacks on SGX such as CVE-2019-11157, also known as Plundervolt.
The researchers, who present proof-of-concept key-recovery attacks against cryptographic algorithms running inside SGX, point out that VoltPillager could be used by an untrusted cloud computing provider with physical access to the hardware.
In the study, the researchers found that the voltage regulator (VR) on the motherboard sets the processor voltage based on SVID messages, and that SVID packets carry no cryptographic authentication.
They then built a microcontroller-based board that, when connected to the SVID bus, can be used to inject commands and control the processor voltage. The device is built around the widely available Teensy 4.0 microcontroller board.
According to the researchers, this allowed them to carry out the first physical attacks that breach the integrity of SGX and recover secret keys end to end. The attack model assumes an adversary with full control over the BIOS and the operating system.
The researchers also showed that the countermeasures Intel implemented for CVE-2019-11157 cannot prevent injection attacks when the adversary has physical access to the hardware, and presented new fault effects caused by undervolting at the hardware level.
"We have demonstrated that this attack vector is practical by recovering RSA keys from an enclaved application, and we have shown that other fundamental operations such as multiplication and memory/cache writes can also be faulted. This leads to new memory-safety vulnerabilities within SGX that are not detected by SGX's memory protection mechanisms," the researchers noted.
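The quoted finding is that a fault in a single multiplication during RSA signing inside the enclave is enough to leak the private key. The standard defensive response, shown here as an added illustration that is not code from the researchers, Intel, or the VoltPillager project, is to verify every signature with the public key before it leaves the signing routine and to refuse to release a result that fails the check. The key uses constructed toy primes and the "glitch" is simulated by corrupting one half of a CRT computation, which stands in for a fault induced by undervolting.

```python
"""Sign-then-verify check against fault-induced RSA key leakage.

Illustrative code only: toy-sized key, simulated fault. The point is that a
faulty CRT signature must never be released, because one faulty signature is
enough for the well-known factorisation attack on RSA-CRT.
"""
import hashlib


def generate_toy_key():
    """Constructed toy RSA key (primes far too small for real use)."""
    p, q = 1000003, 1000033          # constructed small primes
    n = p * q
    e = 65537
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # Python 3.8+ modular inverse
    return n, e, d, p, q


def message_to_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign_crt(m: int, d: int, p: int, q: int, fault: bool = False) -> int:
    """RSA signing with the Chinese Remainder Theorem.

    `fault=True` simulates a glitched multiplication in the mod-q half of the
    computation (the kind of transient error the attack induces by lowering
    the core voltage).
    """
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault:
        sq = (sq + 1) % q            # corrupt one half: simulated hardware fault
    qinv = pow(q, -1, p)
    h = (qinv * (sp - sq)) % p       # Garner recombination
    return sq + h * q


def sign_checked(m: int, d: int, e: int, p: int, q: int, n: int,
                 fault: bool = False):
    """Return the signature only if it verifies under the public key.

    A faulty signature is discarded (None) instead of being handed to the
    caller, so a fault in the private-key computation never leaves the
    signing routine in a form an attacker could analyse.
    """
    s = sign_crt(m, d, p, q, fault)
    if pow(s, e, n) != m:
        return None                  # fault detected: refuse to release
    return s


if __name__ == "__main__":
    n, e, d, p, q = generate_toy_key()
    m = message_to_int(b"constructed sample message", n)
    print("normal signing:", sign_checked(m, d, e, p, q, n) is not None)
    print("faulted signing released:",
          sign_checked(m, d, e, p, q, n, fault=True) is not None)
```

The verification step costs one public-key exponentiation per signature, which is cheap next to the private-key operation; the same check applies to any deterministic signature computed from secret material. It does not stop the fault itself, which the page's researchers show can also hit plain multiplications and memory writes, but it closes the specific path by which a single faulted RSA signature reveals the private key.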
The findings were reported to Intel on March 13, 2020, but the company does not intend to address the issue, because the SGX threat model does not include hardware compromise and the patches released for Plundervolt are not meant to protect against hardware attacks.
Given these findings and Intel's decision not to act against the attack, the researchers question whether SGX can maintain the confidentiality of data in the context of a malicious cloud service provider with physical access to the hardware.
"The results presented in this paper, together with the vendor's decision not to mitigate such attacks, lead us to question whether the promise of outsourcing the processing of sensitive data to a remote, untrusted platform, a promise still widely made for enclaves, is viable," the researchers conclude.
Ionut Arghire is the international correspondent for SecurityWeek.