VoltPillager: New Hardware-Based Voltage Manipulation Attack Against Intel SGX
A group of researchers from the University of Birmingham has devised a new attack that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves through controlling the CPU core voltage.
The attack relies on VoltPillager, “a low-cost tool for injecting messages on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard,” and can be used to fault security-critical operations.
The open-source hardware device can inject Serial Voltage Identification (SVID) packets, thus allowing the researchers to fully control the CPU core voltage and perform fault-injection attacks.
In a newly published paper, six researchers from the School of Computer Science at the University of Birmingham in the UK demonstrate that their attack is more powerful than software-based under-volting attacks targeting SGX, such as CVE-2019-11157, also known as Plundervolt.
The researchers, who present proof-of-concept key-recovery attacks targeting the cryptographic algorithms inside the SGX, note that VoltPillager could be abused by untrusted cloud providers that have physical access to hardware.
During their investigation, the researchers discovered that a Voltage Regulator (VR) on the motherboard regulates the voltage of the CPU based on information received from the SVID, and that SVID packets are not cryptographically authenticated.
Next, they built a microcontroller-based board that, when connected to the SVID bus, can be used to inject commands and control the CPU voltage. The device is based on the widely available Teensy 4.0 microcontroller board.
This, the researchers say, allowed them to mount the first hardware-based attacks that breach SGX’s integrity and to recover end-to-end secret keys. The attack model assumes that the adversary has full control over the BIOS and operating system.
Moreover, the researchers have demonstrated that the countermeasures that Intel implemented for CVE-2019-11157 fail to prevent fault-injection attacks if the adversary has physical access, and they’ve presented novel fault effects of hardware-based under-volting.
“We have proven that this attack vector is practical by recovering RSA keys from an enclaved application, and have shown that other fundamental operations such as multiplication and memory/cache writes can be faulted as well. These lead to novel memory safety vulnerabilities within SGX, which are not detected by SGX’s memory protection mechanisms,” the researchers note.
The findings were disclosed to Intel on March 13, 2020, but the company does not plan on addressing the concerns, noting that the SGX threat model does not include hardware compromise and that the patches released for Plundervolt were not meant to protect against hardware-based attacks.
Due to the results of their investigation and the fact that Intel does not plan to address the attack, the researchers question SGX’s ability to keep information confidential in the context of a malicious cloud services provider that has physical access to hardware.
“The results in this paper, together with the manufacturer’s decision to not mitigate this type of attack, prompt us to reconsider whether the widely believed enclaved execution promise of outsourcing sensitive computations to an untrusted, remote plat-form is still viable,” the researchers conclude.