New Platypus attack can steal data from Intel CPUs
A team of academics has disclosed today a new attack method that can extract data from Intel CPUs.
Named Platypus, an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets,” the attack targets the RAPL interface of Intel processors.
RAPL, which stands for Running Average Power Limit, is a component that allows firmware or software applications to monitor power consumption in the CPU and DRAM.
RAPL, which effectively lets firmware and software apps read how much electrical power a CPU is pulling in to perform its tasks, is a system that has been used for years to track and debug application and hardware performance.
Researcher steal encryption keys via Intel RAPL
In a research paper published today, academics from the Graz University of Technology, the University of Birmingham, and the CISPA Helmholtz Center for Information Security have revealed how a Platypus attack can be used to determine what data is being processed inside a CPU by looking at values reported via the RAPL interface.
“Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values,” researchers said.
These “loaded values” refer to data loaded in the CPU. These can be encryption keys, passwords, sensitive documents, or any other type of information.
Accessing this kind of data is normally protected by a slew of security systems, such as kernel address space layout randomization (KASLR) or hardware-isolated trusted execution environments (TEEs), like Intel SGX.
However, researchers say that Platypus allows an attacker to bypass all these security systems by looking at variations in power consumption values.
In tests, researchers said they bypassed KASLR by observing RAPL power consumption values for only 20 seconds, and then they retrieved data from the Linux kernel. In another test, they also retrieved data that was being processed inside Intel SGX secure enclaves.
A Platypus attack that retrieved RSA private keys from an SGX enclave required the attacker to monitor RAPL data for 100 minutes, while an attack that retrieved AES-NI encryption keys from an SGX enclave and from the Linux kernel memory space took 26 hours.
Linux more vulnerable than the rest
According to the research team, Platypus attacks work on Linux systems the best. This is because the Linux kernel ships with the powercap framework, a universal driver for interacting with RAPL interfaces and other power capping APIs, allowing easy reads of power consumption values.
Attacks on Windows and macOS are also possible, but in these cases, the Intel Power Gadget app must be installed on the attacked devices to allow the attackers to interact with the RAPL interface.
Platypus attacks aimed at Intel SGX enclaves work regardless of the underlying OS as the attackers are going after the (separate) SGX enclave and not the underlying OS and its (separate) CPU memory.
A first of its kind remote attack
The Platypus attack, named so after the platypus animal’s ability to sense electrical current with its bill, is a first of its kind attack.
While other research teams have managed to observe CPU power read-outs by connecting oscilloscopes to a CPU, Platypus attacks can be carried out remotely.
For example, the attack’s code can be packed inside malicious apps (malware) that are installed or planted on a targeted device. This allows the attack to carry out without a threat actor needing physical access to the attacked system.
Platypus also differs from PlunderVolt, another attack against the power voltage interface of Intel CPUs. However, the two attacks are different, Moritz Lipp, one of the researchers who worked on both Platypus and PlunderVolt, told ZDNet.
The difference is that PlunderVolt is an active attack that modifies power values, while Platypus is a passive attack that infers data just by looking at the power consumption data.
Patches available starting today
Researchers say that Platypus works against Intel server, desktop, and laptop CPUs. Intel has also confirmed that some mobile and embedded CPUs are also impacted.
The chipmaker has released today microcode (CPU firmware) updates to block Platypus attacks, which the company has made available to industry partners to include in their products’ next security updates.
The Linux kernel has also shipped an update. The update restricts access to the RAPL interface only to apps with elevated privileges, making attacks harder to pull off from inside low-level apps.
Updates for the Platypus attacks will contain references for CVE-2020-8694 (Linux+Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux+AMD), the three identifiers for the issues exploited during a Platypus attack.
No need to panic
But amidst an onslaught of recent Intel CPU bugs, there is no need to panic. Intel also said that it was not aware of any attacks exploiting this bug in the wild, outside the academic research field.
Most of the CPUs affected by the Platypus attack are recent CPU models that are still supported by both Intel and device makers, which will most likely distribute Intel’s microcode updates to users in future updates.
A list of affected CPUs is available in Intel’s security advisory here.
Other CPU makers likely impacted as well
Besides Intel, almost all other chipmakers also include a RAPL interface with their products. The research team says that these products are also likely impacted; however, they have not tested all devices available on the market today due to prohibitive research time and budget costs.
“We already ran some experiments on AMD where we observed leakage through the energy consumption as well (it’s in the Appendix of the paper),” Lipp told ZDNet. For its part, AMD has also released updates for its Linux driver as well.
“We [also] discussed ARM-based devices as well but did not had the time to thoroughly evaluate them.”
Other processor vendors that shipped RAPL-like power capping systems included NVIDIA, Marvell, and Ampere.
Update: Article updated with AMD CVE, which became public after this article’s publication.