Plundervolt

From Embedded Lab Vienna for IoT & Security

Summary

Plundervolt is a fault injection attack on Intel Core x86 processors that induces faults by manipulating the core voltage from software.

By lowering the core voltage below its specified operating range, a privileged attacker makes the CPU compute wrong results for selected instructions. This compromises both cryptographic operations and ordinary computations, including those running inside Intel SGX enclaves, which are designed to stay protected even from a malicious operating system. The attack is specific to the voltage control interface of Intel processors and poses a significant threat to systems that rely on SGX for confidentiality and integrity.[1][2]

Description

Plundervolt, tracked as CVE-2019-11157, is a fault injection attack (not a side channel: it corrupts a computation instead of observing it) that misuses an undocumented model-specific register (MSR) for voltage regulation. Writing to this register from privileged software undervolts the Intel Core x86 processor and introduces faults into otherwise correct code. The primary targets are multiplications, which underpin operations such as the size computations for memory allocations and the arithmetic inside encryption routines.[1][2]

Plundervolt targets Intel Software Guard eXtensions (SGX), a feature of modern Intel CPUs. SGX enclaves execute in regions of main memory that the CPU isolates in hardware from all other software, including the operating system and hypervisor, so that sensitive code and data can be processed even on a machine whose system software is compromised. Because SGX explicitly counts a malicious OS as in scope, an attacker with the kernel privileges needed to write the voltage MSR is inside the threat model SGX claims to defend against.[1][2][3]

Methodologically, Plundervolt builds on the Rowhammer and CLKSCREW attacks. Through the CPU's energy management interface it lowers the core voltage below the level at which the logic operates reliably, so that instructions executed by the core, including those executed inside an SGX enclave, produce wrong results. Note that enclave memory itself is not touched: SGX encrypts and integrity-protects enclave pages, but the computation inside the enclave runs on the same undervolted core as everything else, and the enclave then writes the faulted values back to its own protected memory as if they were correct.[1][2]

Plundervolt was first discovered in 2019 by a team of six academics from the following universities:

  • University of Birmingham (UK)
  • KU Leuven (Belgium)
  • Graz University of Technology (Austria)

The researchers observed that combining ideas from two earlier fault injection attacks yields a new one. The first is Rowhammer, which showed that software alone can induce hardware faults: repeatedly accessing DRAM rows disturbs the electrical charge of neighbouring memory cells enough to flip their bit values from 1 to 0 and vice versa. The second is CLKSCREW, which showed that the CPU's energy management system, Dynamic Voltage and Frequency Scaling (DVFS), can be driven from software to inject faults into code protected by ARM TrustZone.[1][2][3]

Plundervolt applies the second idea to Intel's voltage control interface: the privileged attacker writes to the voltage MSR to undervolt the core, and the resulting computation faults corrupt the data that the SGX enclave produces, even though the enclave's own memory is never accessed directly.[1][2]

The researchers tried undervolting various x86 instructions. They found that multiplications (e.g., imul) and complex instructions such as the AES New Instructions (AES-NI) extension are the easiest to fault, and that the same faults reproduce inside an enclave, so Plundervolt can practically corrupt in-enclave computations. The research team showed attacks against widely used cryptographic algorithms:[1][2]

  • Factoring RSA Keys With One Fault
  • Breaking AES-NI
  • SGX-provided crypto functions (MAC used in AES-GCM, ECC signatures and key exchange)
  • SGX-provided instructions for key derivation and attestation

Plundervolt extends its impact beyond cryptographic code, affecting standard code as well. It introduces faults in pointer arithmetic and memory allocations, emphasizing its broad-reaching consequences for various applications.[1][2]

Attack Vectors

Breaking AES-NI

The attack vector against the AES-NI round instruction (v)aesenc: the researchers found the instruction faultable on the i7-8650U-A processor at -195 mV and on the i3-7100U-A processor at -232 mV of undervolting. The observed faults were always single bit flips in the leftmost two bytes of the round function's output. Such single bit-flip faults are ideally suited for differential fault analysis (DFA). Repeating the attack a few times yielded a fault in round 8. In the dump below (1 = faulty run, 2 = correct run), the bytes that differ between the two runs show how the fault propagates: at the input to round 8 a single byte differs; by the input to round 9 the difference has spread to four bytes; by the input to round 10 every byte is affected. Given a pair of correct and faulty ciphertexts for the same plaintext, DFA then recovers the full 128-bit AES key with a computational complexity of only 2^32 + 256 encryptions on average.[1][2]

plaintext: 5ABB97CCFE5081A4598A90E1CEF1BC39
CT1: DE49E9284A625F72DB87B4A559E814C4       <- faulty
CT2: BDFADCE3333976AD53BB1D718DFC4D5A       <- correct

input to round 10:
1: CD58F457 A9F61565 2880132E 14C32401
2: AEEBC19C D0AD3CBA A0BCBAFA C0D77D9F

input to round 9:
1: 6F6356F9 26F8071F 9D90C6B2 E6884534
2: 6F6356C7 26F8D01F 9DF7C6B2 A4884534

input to round 8:
1: 1C274B5B 2DFD8544 1D8AEAC0 643E70A1
2: 1C274B5B 2DFD8544 1D8AEAC0 646670A1
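
The propagation described above can be checked mechanically rather than by eye. The following C program is an added example (it is not code from the paper or from this page's authors): it decodes the round-state dumps listed above, counts the differing bytes per round, and checks the precondition of the single-fault DFA the page refers to, namely that exactly one byte of the round-8 input is corrupted and that the differential has reached all 16 ciphertext bytes. The hex strings are copied from the dump above with spaces removed; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the round-state dumps from this page with spaces removed.
 * Index 0 is the faulty run (line "1" / CT1), index 1 the correct run (line "2" / CT2). */
static const char *ROUND8_IN[2]  = { "1C274B5B2DFD85441D8AEAC0643E70A1", "1C274B5B2DFD85441D8AEAC0646670A1" };
static const char *ROUND9_IN[2]  = { "6F6356F926F8071F9D90C6B2E6884534", "6F6356C726F8D01F9DF7C6B2A4884534" };
static const char *ROUND10_IN[2] = { "CD58F457A9F615652880132E14C32401", "AEEBC19CD0AD3CBAA0BCBAFAC0D77D9F" };
static const char *CIPHERTEXT[2] = { "DE49E9284A625F72DB87B4A559E814C4", "BDFADCE3333976AD53BB1D718DFC4D5A" };

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode 32 hex digits into a 16-byte AES state. Returns 0 on success, -1 on malformed input. */
int hex_to_state(const char *hex, uint8_t out[16]) {
    if (strlen(hex) != 32) return -1;
    for (int i = 0; i < 16; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return 0;
}

/* Number of bytes in which two states differ (nonzero bytes of their XOR differential).
 * If mask is non-NULL, bit i of *mask is set when byte i differs. Returns -1 on bad input. */
int state_diff_bytes(const char *a_hex, const char *b_hex, uint16_t *mask) {
    uint8_t a[16], b[16];
    if (hex_to_state(a_hex, a) != 0 || hex_to_state(b_hex, b) != 0) return -1;
    int n = 0;
    uint16_t m = 0;
    for (int i = 0; i < 16; i++) {
        if (a[i] != b[i]) { n++; m |= (uint16_t)(1u << i); }
    }
    if (mask) *mask = m;
    return n;
}

/* Precondition of the single-fault DFA: exactly one byte of the round-8 input is corrupted
 * and the differential has reached all 16 ciphertext bytes.
 * Returns the index (0..15) of the faulty byte, or -1 if the pair is not usable. */
int dfa_single_fault_byte(void) {
    uint16_t m8 = 0;
    if (state_diff_bytes(ROUND8_IN[0], ROUND8_IN[1], &m8) != 1) return -1;
    if (state_diff_bytes(CIPHERTEXT[0], CIPHERTEXT[1], NULL) != 16) return -1;
    for (int i = 0; i < 16; i++)
        if (m8 & (1u << i)) return i;
    return -1;
}

int main(void) {
    printf("round 8 input : %d byte(s) differ\n", state_diff_bytes(ROUND8_IN[0], ROUND8_IN[1], NULL));
    printf("round 9 input : %d byte(s) differ\n", state_diff_bytes(ROUND9_IN[0], ROUND9_IN[1], NULL));
    printf("round 10 input: %d byte(s) differ\n", state_diff_bytes(ROUND10_IN[0], ROUND10_IN[1], NULL));
    printf("ciphertext    : %d byte(s) differ\n", state_diff_bytes(CIPHERTEXT[0], CIPHERTEXT[1], NULL));
    int idx = dfa_single_fault_byte();
    if (idx < 0) printf("pair not usable for single-fault DFA\n");
    else printf("single fault at round-8 byte %d: DFA applicable\n", idx);
    return 0;
}
```

The counts 1, 4 and 16 are the signature an analyst looks for before spending the 2^32 work: one faulty byte in one column, one full column (four bytes) after the round's MixColumns, and full diffusion after the last round. A pair in which two bytes of the round-8 input differ would need a different DFA variant, which is why the check returns -1 in that case.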

Faulting Memory Allocations

The second attack vector is size computations for dynamic memory allocations, which are very common and rely on multiplications. For example, a large array of struct elements might be allocated as in the snippet below. Plundervolt breaks the processor's architectural guarantees here: imul (signed multiply) can be faulted to produce a result smaller than the correct product. When such a fault hits the calculation of the size variable, a smaller buffer than intended is allocated. Because the multiplication is corrupted silently and the malloc() call itself succeeds, the subsequent code has no way to learn the real size of the buffer; it assumes the larger size for its reads and writes and therefore accesses memory out of bounds, corrupting the trusted enclave heap.[1][2]

// Compute size
size_t size = count * sizeof(elem_t);

// Allocate array
elem_t *array = malloc(size);

// ... use array ...

Mitigation and Countermeasures

Plundervolt is a serious threat, and the researchers published the following countermeasures:[1][2]

  • Hardening the trusted in-enclave code by detecting faulty computation results.[1][2]
  • For cryptographic algorithms, advocating the use of (generic) temporal redundancy (compute-twice-and-compare) and algorithm-specific approaches. For instance, in the RSA-CRT case, signature verification is proposed. In the AES-NI case, encryption can be verified with subsequent decryption, and so on.[1][2]
  • For non-cryptographic code, mitigations are harder, because the effect of a fault depends on what the code does with the corrupted value. Techniques such as address space layout randomization raise the bar but do not remove the root cause.[1][2]
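
The following C program is an added example (not code from the paper or from this page) that ties the allocation attack vector above to the first two countermeasures in this list. It models the faulted imul as a software-controlled bit flip, which is an assumption standing in for real undervolting, and contrasts the unhardened size computation from the snippet above with a hardened version that applies compute-twice-and-compare and an algorithm-specific inverse check (dividing the product back). The names elem_t, arm_fault, imul_model, size_unhardened, size_hardened and alloc_elems are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { uint64_t id; char name[24]; } elem_t;   /* sizeof(elem_t) == 32 */

/* Software stand-in for the hardware fault (an assumption of this example, not real
 * undervolting): while armed, the next product gets one bit flipped, then it disarms.
 * volatile also keeps the compiler from merging the two multiplications in size_hardened(). */
static volatile int g_fault_armed = 0;
static volatile unsigned g_fault_bit = 8;

void arm_fault(unsigned bit) { g_fault_bit = bit; g_fault_armed = 1; }

static size_t imul_model(size_t a, size_t b) {
    size_t product = a * b;                      /* the imul the attacker undervolts */
    if (g_fault_armed) {
        g_fault_armed = 0;
        product ^= (size_t)1 << g_fault_bit;     /* silent corruption, no error reported */
    }
    return product;
}

/* As on the page: one multiplication decides the allocation size. */
size_t size_unhardened(size_t count) {
    return imul_model(count, sizeof(elem_t));
}

/* Hardened: temporal redundancy (compute twice and compare) plus an inverse-operation
 * check (divide back) that also rejects size_t overflow. Returns 0 on any inconsistency. */
size_t size_hardened(size_t count) {
    size_t s1 = imul_model(count, sizeof(elem_t));
    size_t s2 = imul_model(count, sizeof(elem_t));
    if (s1 != s2) return 0;                                   /* transient fault hit one copy */
    if (count != 0 && s1 / count != sizeof(elem_t)) return 0; /* wrong product, or overflow */
    return s1;
}

/* Allocate count elements using the given size policy. *size_out receives the size the
 * policy produced so a caller can see what would have been handed to malloc. */
elem_t *alloc_elems(size_t count, size_t (*size_policy)(size_t), size_t *size_out) {
    size_t size = size_policy(count);
    if (size_out) *size_out = size;
    if (size == 0) return NULL;                  /* hardened policy signalled a fault */
    return malloc(size);
}

int main(void) {
    size_t want = 1000 * sizeof(elem_t), got;

    arm_fault(8);
    elem_t *a = alloc_elems(1000, size_unhardened, &got);
    printf("unhardened: wanted %zu bytes, malloc got %zu -> %s\n", want, got,
           got < want ? "short buffer, later writes run off its end" : "ok");
    free(a);

    arm_fault(8);
    elem_t *b = alloc_elems(1000, size_hardened, &got);
    printf("hardened  : size policy returned %zu -> %s\n", got,
           b ? "allocated" : "fault detected, allocation refused");
    free(b);
    return 0;
}
```

Three practical caveats. First, in real enclave code the compiler will fold two identical multiplications into one unless the operands are volatile or the copies are separated by a barrier, which silently removes the redundancy; check the generated assembly. Second, the division check catches a fault that reproduces identically in both copies, which compute-twice alone would miss, but the division is itself an instruction that could be faulted, so the two checks complement rather than replace each other. Third, this policy treats a size of zero as failure, so a legitimate zero-element allocation has to be handled before calling it.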

Intel responded (advisory INTEL-SA-00289) with a microcode and BIOS update that lets the firmware lock the voltage control MSR, so that no software, kernel code included, can change the CPU voltage at runtime; on a platform where the lock is applied, the Plundervolt attack is no longer possible. The update also raises the SGX TCB version, so remote attestation can tell apart platforms that have not applied it. Two practical caveats: the lock must actually be enabled in the firmware, and it also disables legitimate software undervolting tools, since they use the same register.[1][2]

References

  1. K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, F. Piessens and D. Gruss, "Plundervolt: How a Little Bit of Undervolting Can Create a Lot of Trouble," IEEE Security & Privacy, vol. 18, no. 5, pp. 28-37, Sept.-Oct. 2020, doi: 10.1109/MSEC.2020.2990495.
  2. K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss and F. Piessens, "Plundervolt: Software-based Fault Injection Attacks against Intel SGX," 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1466-1482, doi: 10.1109/SP40000.2020.00057.
  3. https://nakedsecurity.sophos.com/2019/12/16/plundervolt-stealing-secrets-by-starving-your-computer-of-voltage/