Plundervolt

From Embedded Lab Vienna for IoT & Security
Revision as of 22:17, 21 December 2021 by SVrdoljak (talk | contribs)

Summary

Plundervolt is a fault injection attack against Intel Core x86 processors that generates faults through voltage glitching (specifically undervolting).

Description

Plundervolt, also known as CVE-2019-11157, is a vulnerability that relies on the fact that if you run an Intel Core x86 processor at a voltage that is a little bit lower than it usually expects, e.g., 0.9V instead of 1.0V, it may carry on working almost as normal but get some calculations very slightly wrong.[1][2]

Plundervolt attacks the Intel Software Guard eXtensions (SGX). Intel SGX is a security feature implemented in almost all modern Intel CPUs. SGX enclaves operate on small sections of the main memory of the CPU. This enclave memory is usually isolated at the hardware level (separation of SGX memory and CPU memory) and at the software level (encrypted SGX data).[1][2][3]

This security feature allows developers to isolate various applications inside secure "enclaves" from the other apps running on the OS. This way, sensitive information is kept safe inside an enclave in the CPU.[1][2][3]

Plundervolt was first discovered in 2019 by a team of six academics from the following universities:

  • University of Birmingham (UK)
  • KU Leuven (Belgium)
  • the Graz University of Technology (Austria)

The researchers found that combining concepts from previous fault injection attacks yields a new attack: Plundervolt. The first concept was the Rowhammer attack, which shows that tinkering with a memory cell's electrical charge can cause it to flip its bit value from 1 to 0, and vice versa. The second concept was CLKSCREW, which showed how the CPU's energy management system, called Dynamic Voltage and Frequency Scaling (DVFS), can be used to take over a system.[1][2][3]

Plundervolt combines the principles behind these two attacks. The CPU's energy management interface is used to alter the electrical voltage and frequency of the SGX memory cells. This causes unwanted alterations to SGX data.[1][2]

The researchers tried undervolting various x86 instructions. They observed that multiplications (e.g., imul) and other complex instructions such as the AES New Instructions (AESNI) extensions can be most easily faulted. Plundervolt can practically fault in-enclave computations. The research team showed different attacks against widely used cryptographic algorithms, such as:[1][2]

  • Factoring RSA Keys With One Fault
  • Breaking AES-NI
  • SGX-provided crypto functions (MAC used in AES-GCM, ECC signatures and key exchange)
  • SGX-provided instructions for key derivation and attestation

Plundervolt does not only affect cryptographic code; it also affects standard code:[1][2]

  • Faulting Pointer Arithmetic
  • Faulting Memory Allocations
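
The risk behind "Factoring RSA Keys With One Fault", and the verify-before-release check that withholds a faulted result, as an added example that is not from the original page or the Plundervolt authors' code. It assumes a textbook RSA-CRT signer; the toy key built from two Mersenne primes, the bit-flip fault model (`fault_mask`) and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key (two Mersenne primes, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def sign_crt(m, fault_mask=0):
    """RSA-CRT signature of m. fault_mask XORs bits into the mod-p half,
    modelling one miscalculated multiplication (assumed fault model)."""
    sp = pow(m, DP, P) ^ fault_mask
    sq = pow(m, DQ, Q)
    h = (QINV * (sp - sq)) % P          # Garner recombination
    return sq + Q * h


def leaked_factor(m, s):
    """What one released signature reveals about n: gcd(s^e - m, n).
    Returns n itself (nothing learned) when the signature is correct."""
    return gcd((pow(s, E, N) - m) % N, N)


def sign_checked(m, fault_mask=0):
    """Hardened signer: verify with the public key before release."""
    s = sign_crt(m, fault_mask)
    if pow(s, E, N) != m % N:
        raise ValueError("signature self-check failed; result withheld")
    return s


if __name__ == "__main__":
    msg = 0x5ABB97CC                     # constructed message value
    print("correct signature leaks factor:", leaked_factor(msg, sign_crt(msg)) != N)
    print("faulted signature leaks factor:", leaked_factor(msg, sign_crt(msg, 1 << 7)) == Q)
    try:
        sign_checked(msg, fault_mask=1 << 7)
    except ValueError as exc:
        print("hardened signer:", exc)
```

The self-check costs one public-key exponentiation per signature and turns a silent wrong result into an error the enclave can handle without returning the value.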

Attack Vectors

Breaking AES-NI

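Example of a faulted AES-NI encryption: the same plaintext is encrypted twice, giving one faulty (CT1) and one correct (CT2) ciphertext, followed by the intermediate state at the input to rounds 10, 9 and 8 for both runs. At the input to round 8 the two states differ in a single byte (3E vs. 66).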

plaintext: 5ABB97CCFE5081A4598A90E1CEF1BC39
CT1: DE49E9284A625F72DB87B4A559E814C4       <- faulty
CT2: BDFADCE3333976AD53BB1D718DFC4D5A       <- correct

input to round 10:
1: CD58F457 A9F61565 2880132E 14C32401
2: AEEBC19C D0AD3CBA A0BCBAFA C0D77D9F

input to round 9:
1: 6F6356F9 26F8071F 9D90C6B2 E6884534
2: 6F6356C7 26F8D01F 9DF7C6B2 A4884534

input to round 8:
1C274B5B 2DFD8544 1D8AEAC0 643E70A1
1C274B5B 2DFD8544 1D8AEAC0 646670A1

Faulting Memory Allocations


Mitigation and Countermeasures


Courses

References

  1. K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens and D. Gruss, "Plundervolt: How a Little Bit of Undervolting Can Create a Lot of Trouble," in IEEE Security & Privacy, vol. 18, no. 5, pp. 28-37, Sept.-Oct. 2020, doi: 10.1109/MSEC.2020.2990495.
  2. K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss and F. Piessens, "Plundervolt: Software-based Fault Injection Attacks against Intel SGX," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1466-1482, doi: 10.1109/SP40000.2020.00057.
  3. https://nakedsecurity.sophos.com/2019/12/16/plundervolt-stealing-secrets-by-starving-your-computer-of-voltage/