Difference between revisions of "Plundervolt"
Line 5: | Line 5: | ||
== Description == | == Description == | ||
Plundervolt, also known as CVE-2019-11157, is a vulnerability that relies on the fact that if you run an Intel Core x86 processors, on a voltage that’s a little bit lower than it usually expects, e.g., 0.9V instead of 1.0V, it may carry on working almost as normal, but get some calculations very slightly wrong. | Plundervolt, also known as CVE-2019-11157, is a vulnerability that relies on the fact that if you run an Intel Core x86 processors, on a voltage that’s a little bit lower than it usually expects, e.g., 0.9V instead of 1.0V, it may carry on working almost as normal, but get some calculations very slightly wrong.<ref name="PLV"/> | ||
Plundervolt combines the principles behind these two attacks. The CPU's energy management interface is used and to alter the electrical voltage and frequency of te SGX memory cells. This causes unwanted alterations to SGX data. | Plundervolt combines the principles behind these two attacks. The CPU's energy management interface is used and to alter the electrical voltage and frequency of te SGX memory cells. This causes unwanted alterations to SGX data.<ref name="PLV"/> | ||
The researchers tried undervolting various x86 instructions. They observed that multiplications (e.g., imul) and other complex instructions such as the AES New Instructions (AESNI) extensions can be most easily faulted. Plundervolt can practically fault in-enclave computations. The research team showed different attacks against widely used cryptographic algorithms, such as: | The researchers tried undervolting various x86 instructions. They observed that multiplications (e.g., imul) and other complex instructions such as the AES New Instructions (AESNI) extensions can be most easily faulted. Plundervolt can practically fault in-enclave computations. The research team showed different attacks against widely used cryptographic algorithms, such as:<ref name="PLV"/> | ||
* Factoring RSA Keys With One Fault | * Factoring RSA Keys With One Fault | ||
Line 18: | Line 18: | ||
* SGX-provided instructions for key derivation and attestation | * SGX-provided instructions for key derivation and attestation | ||
But Plundervolt doesn’t only affect cryptographic code, it also affects standard code: | But Plundervolt doesn’t only affect cryptographic code, it also affects standard code:<ref name="PLV"/> | ||
* Faulting Pointer Arithmetic | * Faulting Pointer Arithmetic | ||
Line 51: | Line 51: | ||
== References == | == References == | ||
<references> | |||
<ref name="PLV">K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens and D. Gruss, "Plundervolt: How a Little Bit of Undervolting Can Create a Lot of Trouble," in IEEE Security & Privacy, vol. 18, no. 5, pp. 28-37, Sept.-Oct. 2020, doi: 10.1109/MSEC.2020.2990495.</ref> | |||
<ref name="FI2">https://payatu.com/blog/asmita-jha/fault-injection-basics</ref> | |||
</references> | |||
[[Category:Documentation]] | [[Category:Documentation]] |
Revision as of 22:02, 21 December 2021
Summary
Plundervolt is a Fault Injection Attack
Description
Plundervolt, also known as CVE-2019-11157, is a vulnerability that relies on the fact that if you run an Intel Core x86 processors, on a voltage that’s a little bit lower than it usually expects, e.g., 0.9V instead of 1.0V, it may carry on working almost as normal, but get some calculations very slightly wrong.[1]
Plundervolt combines the principles behind these two attacks. The CPU's energy management interface is used and to alter the electrical voltage and frequency of te SGX memory cells. This causes unwanted alterations to SGX data.[1]
The researchers tried undervolting various x86 instructions. They observed that multiplications (e.g., imul) and other complex instructions such as the AES New Instructions (AESNI) extensions can be most easily faulted. Plundervolt can practically fault in-enclave computations. The research team showed different attacks against widely used cryptographic algorithms, such as:[1]
- Factoring RSA Keys With One Fault
- Breaking AES-NI
- SGX-provided crypto functions (MAC used in AES-GCM, ECC signatures and key exchange)
- SGX-provided instructions for key derivation and attestation
But Plundervolt doesn’t only affect cryptographic code, it also affects standard code:[1]
- Faulting Pointer Arithmetic
- Faulting Memory Allocations
Attack Vectors
Breaking AES-NI
Enter these commands in the shell
echo foo echo bar
Faulting Memory Allocations
Make sure to read
- War and Peace
- Lord of the Rings
- The Baroque Cycle
Mitigation and Countermeasures
Device to be used with this documentation Maybe another device to be used with this documentation
Courses
References
Cite error: <ref>
tag with name "FI2" defined in <references>
is not used in prior text.