A team of cybersecurity researchers demonstrated a novel yet another technique to hijack Intel SGX, a hardware-isolated trusted space on modern Intel CPUs that encrypts extremely sensitive data to shield it from attackers even when a system gets compromised.
Dubbed Plundervolt and tracked as CVE-2019-11157, the attack relies on the fact that modern processors allow frequency and voltage to be adjusted when needed, which, according to researchers, can be modified in a controlled way to induce errors in the memory by flipping bits.
Bit flip is a phenomenon widely known for the Rowhammer attack wherein attackers hijack vulnerable memory cells by changing their value from 1 to a 0, or vice versa—all by tweaking the electrical charge of neighboring memory cells.
However, since the Software Guard Extensions (SGX) enclave memory is encrypted, the Plundervolt attack leverages the same idea of flipping bits by injecting faults in the CPU before they are written to the memory.
Plundervolt resembles more with speculative execution attacks like Foreshadow and Spectre, but while Foreshadow and Spectre attack the confidentiality of SGX enclave memory by allowing attackers to read data from the secured enclave, Plundervolt attacks the integrity of SGX to achieve the same.
To achieve this, Plundervolt depends upon a second known technique called CLKSCREW, a previously documented attack vector that exploits energy management of CPU to breach hardware security mechanisms and take control over a targeted system.
“We show that a privileged adversary is able to inject faults into protected enclave computations. Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks,” the researchers said.
As demonstrated by the researchers in the videos, by subtly increasing or decreasing the voltage delivered to a targeted CPU, an attacker can trigger computational faults in the encryption algorithms used by SGX enclaves, allowing attackers to easily decrypt SGX data.
“We demonstrate the effectiveness of our attacks by injecting faults into Intel’s RSA-CRT and AES-NI implementations running in an SGX enclave, and we reconstruct full cryptographic keys with negligible computational efforts,” the researchers said.
“Given a pair of correct and faulty ciphertext on the same plaintext, this attack is able to recover the full 128-bit AES key with a computational complexity of only 232+256 encryptions on average. We have run this attack in practice, and it only took a couple of minutes to extract the full AES key from the enclave, including both fault injection and key computation phases.”
Plundervolt attack, which affects all SGX-enabled Intel Core processors starting with the Skylake generation, was discovered and privately reported to Intel in June 2019 by a team of six European researchers from the University of Birmingham, Graz University of Technology, and KU Leuven.
In response to the researchers’ findings, Intel yesterday released microcode and BIOS updates to address Plundervolt by locking voltage to the default settings, along with 13 other high and medium severity vulnerabilities.
“Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings,” Intel’s blog post published today reads. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”
Besides releasing a proof-of-concept (PoC) on GitHub, the team has also released a dedicated website with FAQs and detailed technical paper [PDF] titled, Plundervolt: Software-based Fault Injection Attacks against Intel SGX, that you can check to know in-depth details on the attack.