Dropping Voltage to CPUs Can Force Sensitive Data Disclosure
Intel issued a firmware update on Tuesday to mitigate an attack, dubbed Plundervolt, which uses voltage fluctuations to reveal secrets such as encryption keys.
The findings are the latest bad news for Intel as researchers have dug deep into its chip architecture, finding deeply embedded security problems, including the speculative execution issues known as Spectre, Meltdown and Foreshadow (see: Intel Has a New Speculative Execution Issue: Foreshadow).
Plundervolt comes from researchers at the University of Birmingham in the U.K., Graz University of Technology in Austria and KU Leuven in Belgium. They told Intel of the issue in June. Other researchers, however, were right behind them.
Intel’s advisory says it was advised of the same findings in August by a team from Technische Universität Darmstadt and the University of California and from a separate team at the University of Maryland and Tsinghua University.
Affects Skylake CPUs
Plundervolt is an attack against Intel’s Software Guard Extensions, which was introduced in 2013. SGX creates safe places in memory, called enclaves, where code can’t be either disclosed or modified even if an attacker has kernel-level access.
SGX enclaves are used, for example, to calculate encryption keys and store data. The researchers found, however, that by tampering with the voltage, the calculations within the enclave could be corrupted in a predictable way and, in other situations, made to leak data.
“In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code,” they write in a research paper, which was published by The Register.
They say all SGX-enabled Intel Core processors from the Skylake family onward are vulnerable.
Modern CPUs adjust their power usage depending on computational loads and rarely run at maximum speed. The Plundervolt attack pivots on an attacker being able to access the privileged dynamic voltage interfaces in order to modify the power supplied. They’re the same interfaces gamers use to overclock processors. But access to those interfaces does mean an attacker needs to have kernel-level access already.
“Using this interface to very briefly decrease the CPU voltage during a computation in a victim SGX enclave, we show that a privileged adversary is able to inject faults into protected enclave computations,” according to the researchers’ paper. “Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks. To the best of our knowledge, we are the first to practically showcase an attack that directly breaches SGX’s integrity guarantees.”
Such an attack has varying effects. In this video, the researchers show how “undervolting” can cause critical data to be written outside of the secure enclave in untrusted memory rather than within:
It’s also possible to create errors. Processors will do correct calculations, but only if they’re run within the proper power specifications. Dropping the power can cause calculation mistakes, as demonstrated in this video:
In another video, the researchers show how it’s possible to recover AES keys after intentionally causing calculation errors through undervolting. In their paper, they also write it’s possible to recover RSA keys from implementations running in SGX.
The researchers provided an analysis for Intel’s fix, which they recommended to the company. But they warned it doesn’t get rid of the underlying problem.
Intel’s fix includes a BIOS patch that disables the interface that allows for adjusting the voltage for actions such as overclocking. But the researchers warned that “other yet undiscovered avenues for fault injection through power and clock management features might exist (and would have to be disabled in a similar manner).”
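Because the mitigation ships as microcode, the first thing an administrator wants to confirm is which revision each core is actually running. The following is an added example, not code from the article or the researchers: a POSIX shell function that parses /proc/cpuinfo-formatted text, prints each logical CPU's loaded microcode revision and whether it advertises the sgx flag, and exits non-zero when an SGX-capable CPU runs a revision older than a minimum you supply. The minimum revision and the cpuinfo excerpt below are placeholders constructed for the demo; the check confirms only the loaded microcode, not whether the BIOS setting that disables the voltage interface has been applied.

```shell
#!/bin/sh
# Added example, not from the article. Reports per-CPU microcode revision and
# SGX capability from /proc/cpuinfo-formatted input on stdin; exits 1 if any
# SGX-capable CPU runs microcode older than the minimum given as $1 (hex string).
check_microcode() {
    awk -F':' -v min="$1" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        # portable hex-to-integer conversion (strtonum is gawk-only)
        function hexval(s,  i, v) {
            s = tolower(s); sub(/^0x/, "", s); v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        # emit one line per CPU block and count SGX-capable CPUs that are stale
        function flush() {
            if (cpu == "") return
            sgx = (index(" " flags " ", " sgx ") > 0) ? "yes" : "no"
            ok  = (hexval(ucode) >= hexval(min))
            printf "cpu%s microcode=%s sgx=%s %s\n", cpu, ucode, sgx, (ok ? "ok" : "OUTDATED")
            if (!ok && sgx == "yes") bad++
            cpu = ""; ucode = ""; flags = ""
        }
        /^processor/ { flush(); cpu = trim($2) }
        /^microcode/ { ucode = trim($2) }
        /^flags/     { flags = trim($2) }
        /^$/         { flush() }
        END          { flush(); exit (bad > 0) }
    '
}

# PLACEHOLDER: take the minimum revision for your CPU model from Intel's
# advisory or microcode release notes; the article does not list one.
MIN_MICROCODE_REV="0xd6"

# Constructed /proc/cpuinfo excerpt: cpu0 has stale microcode, cpu1 is current.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
microcode : 0xc6
flags : fpu vme sgx

processor : 1
vendor_id : GenuineIntel
microcode : 0xd6
flags : fpu vme sgx
'

# On a real host run: check_microcode "$MIN_MICROCODE_REV" < /proc/cpuinfo
printf '%s\n' "$SAMPLE_CPUINFO" | check_microcode "$MIN_MICROCODE_REV" \
    || echo "at least one SGX-capable CPU runs microcode older than $MIN_MICROCODE_REV"
```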
Even if the software interfaces are sealed off, there’s still a potential for a hardware-based attack, they write.
“Especially disturbing in this respect is that the SerialVID bus between the CPU and voltage regulator appear to be unauthenticated,” the paper says. “Hence adversaries might be able to physically connect to this bus and overwrite the requested voltage directly at the hardware level.”