A group of researchers from the University of Birmingham have demonstrated the VoltPillager attack, which can violate the confidentiality and integrity of data in Intel SGX enclaves. To implement this, the researchers learned to manipulate the processor core voltage.Let me remind you that with the release of the Skylake architecture, Intel introduced a technology called SGX (Software Guard Extensions).
SGX is a set of CPU instructions through which applications can create protected zones (enclaves) in the application’s address space, within which various confidential data can be stored under reliable protection.
SGX enclaves are usually isolated at the hardware level (SGX memory is separated from the rest of the CPU memory) and at the software level (SGX data is encrypted). The developers themselves describe this technology as a kind of “inverse sandbox”.
A year ago, several members of the University of Birmingham research team participated in the development of a similar attack, Plundervolt (CVE-2019-11157).
In fact, a year ago, researchers proved that by adjusting the voltage and frequency of the processor, they can change the bits inside the SGX, which will lead to errors that can be used later after the data has left the safe enclave. As a result, the Plundervolt attack could be used to recover encryption keys or introduce bugs into previously trusted software.
Following the disclosure of Plundervolt in December 2019, Intel has addressed the vulnerability by disabling the ability to reduce CPU voltage through microcode and BIOS updates.
Now the researchers say that they managed to implement a very similar hardware attack on SGX, while spending only $ 36 on hacking equipment. Scientists plan to hold a detailed presentation of VoltPillager next year, at the Usenix Security 2021 conference, and so far they have published a scientific report on their research.
VoltPillager works even on systems that have received the CVE-2019-11157 vulnerability patch. The essence of the attack is to inject messages into the Serial Voltage Identification (SVID) bus, between the CPU and the voltage regulator, in order to control the voltage in the CPU core.
Fortunately, VoltPillager is not a remote attack. To implement it, you need physical access to the server, opening the case and connecting special equipment. However, the researchers explain that the point of SGX is precisely to protect confidential data, including data from unscrupulous administrators. For example, if the servers are located in someone else’s data center or cloud provider, and local personnel can gain physical access to the machine, compromise the Intel processor and its SGX protection.
The team’s report states that as a defense against VoltPillager, user can apply cryptographic authentication for SVIDs or use CPU monitoring of malicious packets for SVIDs. However, the researchers believe that none of these methods will give good results, and only hardware changes can significantly change the situation.
However, it seems that Intel representatives are not too worried about the reports of scientists, and patches should not be expected. Thus, the researchers warned Intel about their discovery back in March this year, but the company replied that “opening the case and tampering with internal hardware to compromise SGX is not part of the SGX risk model. The patches for vulnerability CVE-2019-11157 (Plundervolt) are not designed to protect against hardware attacks.”
Intel representatives gave a similar comment this week to The Register:
Let me also remind you that Intel processors need hardware fixes due to new LVI attack.