Hardware-based fault injection attacks against Intel SGXSecurity Affairs

Boffins has developed a new attack, called VoltPillager, which can breach the privacy and integrity of Intel SGX-enclaves by controlling the CPU core voltage.

A team of six researchers from the University of Birmingham has developed a new attack technique called VoltPillager that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves by controlling the voltage of the processor core.

The attack uses a low-cost instrument to inject SVID (Serial Voltage Identification) packets into the serial voltage identification bus between the CPU and the voltage regulator on the motherboard.

The injection packages allowed the researchers to fully control the CPU core voltage and carry out injection attacks.

We built the VoltPillager, an inexpensive tool to provide the bus with messages detecting the serial voltage between the CPU and the mainboard’s voltage regulator. This enables us to precisely control the core voltage of the processor. We use this powerful tool to launch attacks against the confidentiality and integrity of Intel SGX-enclaves.

The researchers found that the standard motherboard has a separate voltage regulating (VR) chip that generates and controls the processor voltage. Specialists have developed the VoltPillager tool to connect to the interface of the unprotected VR chip and monitor this voltage.

Experts were able to carry out attacks using an injection method that violates the confidentiality and integrity of the Intel SGX enclaves, and to provide evidence of major recovery attacks against cryptographic algorithms running within SGX.

The VoltPillager microcontroller card, developed by researchers based on the Teensy 4.0 microcontroller card, is an inexpensive device that can be collected for 30 dollars.

An attack developed by the researchers requires full control of the BIOS and the operating system.

The experts noted that the patches for the CVE-2019-11157 (Plundervolt) vulnerability do not protect the VoltPillager because they simply disable the undervoltage program interface while the hardware interface remains active.

We have proven that this attack vector is viable by restoring RSA keys from a locked application, and we have shown that other basic operations such as multiplication and memory/cache writing can also be distorted. This leads to new memory vulnerabilities within SGX that are not recognized by SGX’s memory security mechanisms.

Experts presented their research results on Intel on March 13, 2020, but the company does not plan to solve the problem because the SGX threat model does not include hardware attacks.

…opening the hull and manipulating internal systems to compromise SGX goes beyond the SGX threat model. The patches for CVE-2019-11157 (Plundervolt) are not designed to protect against hardware attacks as part of the threat model, Intel said.

The results presented in this article, as well as the supplier’s decision not to mitigate such attacks, lead us to the question whether the promise to outsource the processing of sensitive data to a remote and unreliable plateau, which is still widely used in enclaves, is feasible, the researchers conclude.

Pierluigi Paganini

(Security issues – Hacking, VoltPillager)

 

Part

 

Related Tags: