Plundervolt

From Embedded Lab Vienna for IoT & Security
Jump to: navigation, search

Summary

Plundervolt is a Fault Injection Attack which attacks Intel Core x86 processors, by generating faults through voltage glitching (specifically undervolting).

Description

Plundervolt, also known as CVE-2019-11157, is a vulnerability that relies on the fact that if you run an Intel Core x86 processors, on a voltage that’s a little bit lower than it usually expects, e.g., 0.9V instead of 1.0V, it may carry on working almost as normal, but get some calculations very slightly wrong.[1][2]

Plundervolt attacks the Intel Software Guard eXtensions (SGX). Intel SGX is a security feature implemented in almost all modern Intel CPUs. The SGX enclaves operate on small sections of the main memory of the CPU. It is usually isolated at a hardware level (separation of SGX memory and CPU memory) and at a software level (encrypted SGX data).[1][2][3]

This security feature allows developers to isolate various applications inside of secure "enclaves" from the other apps running on the OS. This way, sensitive information is kept save inside a safe enclave in the CPU.[1][2][3]

Plundervolt was first discovered in 2019 by a team of six academics from the following universities:

  • University of Birmingham (UK)
  • KU Leuven (Belgium)
  • the Graz University of Technology (Austria)

The researchers found out that if previous fault injection attack concepts are combined together a new attack can be found: Plundervolt. The first concept was the Rowhammer attack. This attack shows that that tinkering with a memory cell's electrical charge, can cause it to flip its bit value from 1 to 0, and vice versa. The second concept was CLKSCREW, which showed the usage of the CPU's energy management system called Dynamic Voltage and Frequency Scaling (DVFS) to take over a system.[1][2][3]

Plundervolt combines the principles behind these two attacks. The CPU's energy management interface is used and to alter the electrical voltage and frequency of te SGX memory cells. This causes unwanted alterations to SGX data.[1][2]

The researchers tried undervolting various x86 instructions. They observed that multiplications (e.g., imul) and other complex instructions such as the AES New Instructions (AESNI) extensions can be most easily faulted. Plundervolt can practically fault in-enclave computations. The research team showed different attacks against widely used cryptographic algorithms, such as:[1][2]

  • Factoring RSA Keys With One Fault
  • Breaking AES-NI
  • SGX-provided crypto functions (MAC used in AES-GCM, ECC signatures and key exchange)
  • SGX-provided instructions for key derivation and attestation

But Plundervolt doesn’t only affect cryptographic code, it also affects standard code:[1][2]

  • Faulting Pointer Arithmetic
  • Faulting Memory Allocations

Attack Vectors

Breaking AES-NI

The attack vector for breaking the AES-NI encryption instruction (v)aesenc shows that this instruction is vulnerable on the i7-8650U-A processor with –195 mV undervolting and on the i3-7100U-A processor with –232-mV undervolting. The faults were always a single bit flip on the leftmost two bytes of the round function’s output. Such single bit-flip faults are ideally suited for differential fault analysis. The researchers repeated this attack a few times. They got a fault in round 8. The bold text indicates the fault propagation from round to round. In round 8, there is a single fault. In round 9, the fault has affected more bytes. By round 10, every byte is affected. They then apply the differential fault analysis technique which, given a pair of correct and faulty ciphertexts on the same plaintext, recovers the full 128-bit AES key with a computational complexity of only 232 + 256 encryptions on average.[1][2]

plaintext: 5ABB97CCFE5081A4598A90E1CEF1BC39
CT1: DE49E9284A625F72DB87B4A559E814C4       <- faulty
CT2: BDFADCE3333976AD53BB1D718DFC4D5A       <- correct

input to round 10:
1: CD58F457 A9F61565 2880132E 14C32401
2: AEEBC19C D0AD3CBA A0BCBAFA C0D77D9F

input to round 9:
1: 6F6356F9 26F8071F 9D90C6B2 E6884534
2: 6F6356C7 26F8D01F 9DF7C6B2 A4884534

input to round 8:
1C274B5B 2DFD8544 1D8AEAC0 643E70A1
1C274B5B 2DFD8544 1D8AEAC0 646670A1

Faulting Memory Allocations

The second attack vector is size computations for dynamic memory allocations. These allocations are very common and rely on multiplications. For example, a large array of struct elements might be allocated using the following (where red indicates the data type of the variable, teal is a code comment, and green represents a keyword). However, we showed that Plundervolt breaks the processor’s architectural guarantees, as imul (signed multiply) can be faulted to produce erroneous results that are smaller than the expected value. When a multiplication fault occurs during calculation of the size variable, a smaller buffer than expected will be allocated. Because Plundervolt corrupts multiplications silently, without failing the malloc() call, the subsequent code has no means of determining the actual size of the allocated buffer. The allocated buffer will assume a larger buffer for write and read operations and hence read or write out of bounds, corrupting the trusted enclave heap.[1][2]

// Compute size
size_t size = count * sizeof(elem_t);

// Allocate array
elem_t *array = malloc(size);

// ... use array ...

Mitigation and Countermeasures

Plundervolt is a serious issue. Countermeasures and counterattacks, as published by the researchers, for Plundervolt would be:[1][2]

  • Hardening the trusted in-enclave code, by detecting faulty computation results.[1][2]
  • For cryptographic algorithms, the use of (generic) temporal redundancy (compute-twice-and-compare) is proposed as well as the usage of more algorithm-specific approaches. For instance, in the RSA-CRT case, the signature could be verified. In the AES-NI case, the encryption can be verified with a subsequent decryption, and so on.[1][2]
  • For noncryptographic code the situation is complicated—the exact results of a fault injection will vary. Mitigations like address space layout randomization (which changes the location of the program in memory each time it runs) make exploits harder but still do not remove the root cause.[1][2]

Intel has already patched the vulnerability. The patch is a BIOS update that turns off access to the processor instruction used to produce undervoltages, thus stopping any software, including code inside the kernel, from fiddling with your CPU voltage while the system is running.[1][2]

Courses

References

  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 1.10 1.11 1.12 1.13 K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens and D. Gruss, "Plundervolt: How a Little Bit of Undervolting Can Create a Lot of Trouble," in IEEE Security & Privacy, vol. 18, no. 5, pp. 28-37, Sept.-Oct. 2020, doi: 10.1109/MSEC.2020.2990495.
  2. 2.00 2.01 2.02 2.03 2.04 2.05 2.06 2.07 2.08 2.09 2.10 2.11 2.12 2.13 K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss and F. Piessens, "Plundervolt: Software-based Fault Injection Attacks against Intel SGX," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1466-1482, doi: 10.1109/SP40000.2020.00057.
  3. 3.0 3.1 3.2 https://nakedsecurity.sophos.com/2019/12/16/plundervolt-stealing-secrets-by-starving-your-computer-of-voltage/