Intel might want to reconsider the G part of SGX – because it's been plunderstruck
I was caught in the middle of a memory attack, and I knew there was no turning back
Intel on Tuesday plans to release 11 security advisories, including a microcode firmware update to patch a vulnerability in its Software Guard Extensions (SGX) on recent Core microprocessors that allows a privileged attacker to corrupt SGX enclave computations.
The SGX flaw has been dubbed Plundervolt by the computer scientists who found it – Kit Murdock, David Oswald, and Flavio Garcia from the UK's University of Birmingham, Daniel Gruss from Austria's Graz University of Technology, and Jo Van Bulck and Frank Piessens from Belgium's KU Leuven.
In their research paper [PDF], "Plundervolt: Software-based Fault Injection Attacks against Intel SGX", the boffins explain how they were able "to reliably corrupt enclave computations by abusing privileged dynamic voltage scaling interfaces".
Using undocumented interfaces for manipulating chip voltage, they demonstrated they could recover cryptographic keys based on RSA-CRT and AES-NI crypto libraries and create memory safety errors like out-of-bounds array accesses and heap corruption.
Their technique requires privileged access to the operating system and BIOS to pull off, though Intel's SGX is supposed to protect applications and data from malicious administrators, such as a rogue employee at a cloud service provider. The technique can also be carried out by a remote, logged-in adversary, without the need for physical access to the target machine.
Intel chips, from Skylake onward, have a voltage regulator on a separate chip on the main circuit board. The researchers found that they could lower the voltage supplied by writing the concealed Model Specific Register (MSR)
0x150 using the
msr Linux kernel module. With sufficient but not excessive transient voltage reduction, the processor can be made to produce incorrect results for certain instructions.
The attacks bears some similarity to Rowhammer, which lets an attacker flip bits in memory. Plundervolt lets an attacker flip bits in the CPU, before they're written to memory, thereby avoiding SGX's memory protection measures. It also shares some similarities to CLKScrew and VoltJockey, which target ARM processors and the ARM Trustzone respectively via power management manipulation.
True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variantREAD MORE
The researchers notified Intel of their findings on June 7, 2019. Intel in its advisory thanks these SGX explorers and two other sets of computer scientists – from Technische Universität Darmstadt and the University of California, and from the University of Maryland and Tsinghua University – who appear to have identified the voltage vulnerability independently in August.
Intel confirmed the flaw and assigned CVE-2019-11157 and an Intel Security Advisory designation, INTEL-SA-00289. The company told the boffins it plans to deal with the issue by releasing "a BIOS patch to disable the overclocking mailbox interface configuration" and "a microcode update will be released that reflects the mailbox enablement status as part of SGX TCB [Trusted Computing Base] attestation."
Intel Core processors (the 6th through the 10th generation), Xeon E3 v5 & v6 and Xeon E-2100 and E-2200 families are affected and should be updated, Chipzilla recommends.
SGX is also vulnerable to an attack called Membuster, described in a research paper released last week. Intel considers Membuster to be outside the scope of its threat model. ®