A group of researchers from the University of Birmingham has demonstrated VoltPillager, an attack that compromises the confidentiality and integrity of data in Intel SGX enclaves. To carry it out, the researchers take control of the processor core voltage, this time from outside the processor rather than through software.
Let me remind you that with the Skylake architecture Intel introduced SGX (Software Guard Extensions). SGX is a set of CPU instructions with which an application can create protected regions (enclaves) inside its own address space and keep confidential data and code there. Enclave memory is isolated by the CPU itself: it is access-controlled so that no code outside the enclave, including the operating system and hypervisor, can read it, and it is encrypted by hardware when it leaves the processor for DRAM. The developers describe this technology as a kind of "reverse sandbox" (inverse sandbox): it protects the application from the rest of the system rather than the other way round.
A year ago, several members of the same Birmingham team took part in developing a related attack, Plundervolt (CVE-2019-11157). Let me remind you that Plundervolt abuses a privileged software interface through which the operating system can adjust the processor's voltage and frequency. The same interface is used by enthusiasts for overclocking and undervolting.
In effect, a year ago the researchers showed that by lowering the core voltage at the right moment they could make instructions executing inside an SGX enclave compute wrong results, and that these faults remain exploitable once the corrupted result leaves the enclave. In practice, the Plundervolt attack could be used to recover cryptographic keys or to turn previously correct enclave code into exploitable buggy code.
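The mechanism in the preceding paragraph, a single faulty computation whose result is only seen once it has left the enclave, is easiest to see on RSA-CRT signing, where one wrong half of the computation hands an attacker a prime factor of the modulus (the classic Bellcore fault attack). The Python below is an illustration added to this page; it is not code from the VoltPillager or Plundervolt researchers, and the page does not say that VoltPillager targets RSA-CRT specifically. The toy key (p=61, q=53), the message values and the `fault_bit` parameter that stands in for a voltage-induced bit flip are all constructed here.

```python
from math import gcd

# Constructed textbook-sized RSA key (p=61, q=53). Far too small to be secure;
# chosen so that every intermediate value can be checked by hand.
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, 2753


def crt_sign(m, p, q, d, fault_bit=None):
    """RSA-CRT signing with Garner recombination.

    If fault_bit is given, that bit of the mod-p half-result is flipped before
    recombination. This stands in for the kind of single computational fault
    that undervolting induces inside an enclave; it is an assumption made for
    this illustration, not a model of the real hardware.
    """
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)                 # signature modulo p
    sq = pow(m, dq, q)                 # signature modulo q
    if fault_bit is not None:
        sp ^= 1 << fault_bit           # corrupt only the p-half
    q_inv = pow(q, -1, p)
    h = (q_inv * (sp - sq)) % p
    return sq + q * h


def verify(m, s, e, n):
    """Standard RSA verification: s^e == m (mod n)."""
    return pow(s, e, n) == m % n


def bellcore_factor(m, faulty_sig, e, n):
    """Recover a factor of n from one faulty CRT signature on a known m.

    When only the mod-p half was wrong, s'^e == m (mod q) still holds while
    s'^e != m (mod p), so gcd(s'^e - m, n) is exactly q.
    """
    return gcd((pow(faulty_sig, e, n) - m) % n, n)


def sign_with_check(m, p, q, d, e, fault_bit=None):
    """Software countermeasure: verify the signature before it leaves the
    enclave and withhold it if verification fails, so a faulted value never
    reaches the attacker. Added here as the standard check for this class of
    fault; the defenses the researchers discuss on this page are hardware-level.
    """
    s = crt_sign(m, p, q, d, fault_bit)
    return s if verify(m, s, e, p * q) else None


if __name__ == "__main__":
    m = 65                             # constructed message representative, < N
    good = crt_sign(m, P, Q, D)
    bad = crt_sign(m, P, Q, D, fault_bit=0)
    print("correct signature verifies:", verify(m, good, E, N))
    print("faulty signature verifies:", verify(m, bad, E, N))
    print("factor recovered from the faulty signature:", bellcore_factor(m, bad, E, N))
    print("checked signing releases the faulty signature:",
          sign_with_check(m, P, Q, D, E, fault_bit=0))
```

The gcd step works for any single-bit fault in the mod-p half because 2^k is never a multiple of p and x -> x^e is a bijection modulo p when gcd(e, p-1) = 1, so the faulted half can never collide with the correct one. Note that the attacker needs only the faulty signature and the message; the correct signature is not required.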
Following the disclosure of Plundervolt in December 2019, Intel addressed the vulnerability with microcode and BIOS updates that let the firmware lock the voltage control interface, removing the ability of software to undervolt the CPU.
Now the researchers say they have carried out a very similar attack on SGX in hardware, spending only about $36 on the attack equipment. The team will present VoltPillager in detail next year at the USENIX Security 2021 conference; for now they have published a paper describing the research.
VoltPillager works even on systems that have received the patch for CVE-2019-11157. The attack injects commands onto the Serial Voltage Identification (SVID) bus that runs between the CPU and the voltage regulator on the motherboard, so the attacker sets the CPU core voltage directly. The microcode and BIOS fix only locks the software interface inside the processor and never sees these commands, which is why it does not help.
Fortunately, VoltPillager is not a remote attack. It requires physical access to the server: opening the case and attaching dedicated hardware to the board. However, the researchers point out that the whole purpose of SGX is to protect confidential data, including from untrusted administrators. If the servers are located in someone else's data center or at a cloud provider, on-site personnel with physical access to the machine can compromise the Intel processor and, with it, its SGX protection.
"This attack is especially relevant because one often hears claims that SGX protects against malicious insiders or cloud providers," the experts write. "We demonstrate that this is not the case: physical attacks on SGX are possible and very cheap (about $30). In addition, unlike previous attacks on SGX, the problems we found are not easy to fix (say, with microcode)."
The team's paper discusses possible defenses against VoltPillager, for example cryptographic authentication of SVID commands, or having the CPU monitor the SVID bus for malicious packets. However, the researchers note that neither measure can be retrofitted to existing processors; only changes to the hardware would substantially change the situation.
But Intel does not appear to be overly concerned by the researchers' findings, and no patches should be expected. The researchers notified Intel of their discovery back in March this year, but the company replied that "opening the case and tampering with internal hardware to compromise SGX is not part of the SGX threat model. The patches for the CVE-2019-11157 (Plundervolt) vulnerability are not designed to protect against hardware attacks."
Intel representatives gave much the same comment this week to journalists at The Register:
"Attack techniques that require physically opening the case, including removing screws or breaking plastic fasteners, in order to gain access to the internal hardware of a device are generally not considered a vulnerability. As always, we recommend that users keep their systems up to date and maintain physical possession of their devices."