Intel SGX defeated yet again—this time thanks to on-chip power meter


Researchers have devised a new way to remotely steal cryptographic keys from Intel CPUs, even when the CPUs run Software Guard Extensions (SGX), the in-silicon protection that’s supposed to create a trusted enclave that’s impervious to such attacks.

PLATYPUS, as the researchers are calling the attack, uses a novel vector to open one of the most basic side channels, a form of exploit that uses physical characteristics to infer secrets stored inside a piece of hardware. Whereas most power side channels require physical access so attackers can measure the consumption of electricity, PLATYPUS can do so remotely by abusing the Running Average Power Limit. Abbreviated as RAPL, this Intel interface lets users monitor and control the energy flowing through CPUs and memory.

Leaking keys and a whole lot more

An international team of researchers on Tuesday is disclosing a way to use RAPL to observe enough clues about the instructions and data flowing through a CPU to infer values that it loads. Using PLATYPUS, the researchers can leak crypto keys from SGX enclaves and the operating system, break the exploit mitigation known as Address Space Layout Randomization, and establish a covert channel for secretly exfiltrating data. Chips starting with Intel’s Sandy Bridge architecture are vulnerable.

In an email, lead researcher Moritz Lipp of Graz University of Technology wrote:

Typically, attacks exploiting variances in the power consumption of devices required the adversary to have physical access to the device. The attacker would attach a power meter with probes to the device to measure its energy consumption. However, modern processors come with a power meter built-in and allow unprivileged users to read out its measurements from software. We now show that this interface can be exploited to recover cryptographic keys processed on the machine.

In response to the findings, Intel on Tuesday is making key changes to RAPL. The first one requires elevated privileges to access the interface in Linux, whereas before the open source OS provided access with no privileges (both Windows and OS X require that a special driver be installed).

Even when privileges or a dedicated driver are required, however, attackers could still use privileged code to carry out the exploits, an attack that would fit within the threat model of SGX, which is designed to be secure even when the OS is compromised.

To address this, Intel is also introducing a second fix at the microcode level that, when SGX is enabled, limits the energy consumption that’s reported. When developers use crypto algorithms that are constant-time—meaning the number of operations performed is independent of the input size—the fix prevents RAPL from being used to deduce instructions or data being processed by a CPU.
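The first mitigation above boils down to a permission change on the Linux powercap interface: the energy counters that used to be readable by any user are restricted to root. The following script, an added example that is not part of the article or the PLATYPUS authors' work, audits a host for that change by inspecting the mode bits of every RAPL energy_uj file it finds; the sysfs glob is the real path on Intel Linux systems, and the two sample modes are constructed to show the pre- and post-mitigation states when no such files exist.

```python
"""Audit Linux RAPL energy counters for unprivileged readability.

Added example, not from the article. Before the mitigation, the
powercap energy_uj attributes were readable by every user; the kernel
update restricts them to root. We classify each file by its mode bits.
"""
import glob
import os
import stat
from typing import Dict, List

# Real sysfs location of Intel RAPL zones and sub-zones on Linux; on
# other hosts the glob simply matches nothing.
RAPL_ENERGY_GLOB = "/sys/class/powercap/intel-rapl*/energy_uj"

# Constructed sample: one file with the old world-readable mode (0444)
# and one with the restricted mode (0400) the mitigation applies.
SAMPLE_MODES: Dict[str, int] = {
    "/sys/class/powercap/intel-rapl:0/energy_uj": 0o100444,    # constructed: pre-fix
    "/sys/class/powercap/intel-rapl:0:0/energy_uj": 0o100400,  # constructed: post-fix
}


def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set on st_mode."""
    return bool(mode & stat.S_IROTH)


def classify_modes(modes: Dict[str, int]) -> Dict[str, str]:
    """Map each path to 'exposed' (any user can read) or 'restricted'."""
    return {path: ("exposed" if is_world_readable(m) else "restricted")
            for path, m in modes.items()}


def exposed_paths(modes: Dict[str, int]) -> List[str]:
    """Sorted list of energy counters still readable without privileges."""
    return sorted(p for p, state in classify_modes(modes).items()
                  if state == "exposed")


def collect_sysfs_modes(pattern: str = RAPL_ENERGY_GLOB) -> Dict[str, int]:
    """Stat every matching sysfs file; returns {} when RAPL is absent."""
    modes: Dict[str, int] = {}
    for path in glob.glob(pattern):
        try:
            modes[path] = os.stat(path).st_mode
        except OSError:
            continue  # zone vanished or is unreadable even to stat
    return modes


if __name__ == "__main__":
    found = collect_sysfs_modes() or SAMPLE_MODES  # fall back to sample
    for path, state in classify_modes(found).items():
        print(f"{state:10} {path}")
```

On a patched kernel every real counter should report "restricted"; any "exposed" line means the unprivileged RAPL read path the article describes is still open on that host.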

Intel officials wrote in a statement: “Today, we published INTEL-SA-0389 providing details and mitigation guidance to protect against potential information leakage from Intel SGX using the Running Average Power Limit (RAPL) Interface which is provided by most modern processors. We coordinated with industry partners and released microcode updates for these vulnerabilities through our normal Intel Platform Update (IPU) process.”

The company said that, while there’s no indication the vulnerabilities have been exploited, it’s issuing new attestation keys for affected chip platforms. Intel has more mitigation guidance here.

A thorn in chipmakers’ side

Tuesday’s findings are only the latest to challenge the security of CPUs that form one of the most basic building blocks of all computing. Processor side channels are nothing new, but the attacks known as Spectre and Meltdown almost three years ago ushered in a new era of CPU attacks that could be exploited in more realistic scenarios. Since then, researchers have devised a steady trickle of exploits, including some that undermine the security assurance of Intel’s proprietary SGX technology.

Side channels are clues that stem from differences in timing, data caching, power consumption, or other manifestations that occur when different commands or operations are being carried out. Attackers exploit the differences to infer secret commands or data flowing through a piece of hardware. Among the most common forms of side channel is the amount of electricity required to complete a given task. More recently, that energy consumption has largely given way to speculative execution, the side channel used by Spectre and Meltdown.

The researchers behind PLATYPUS found that the RAPL interface reported power consumption with enough granularity to deduce vital secrets. Key among those secrets are crypto keys implemented by AES-NI, a set of instructions Intel says is more resistant to side-channel attacks. Another divulged secret includes RSA keys processed by SGX.

The researchers also used the interface to distinguish other secret information, including different Hamming weights—defined as the number of non-zero bits in a binary number. Inferred operations also occur “intra cache,” which provides a greater level of granularity than many side-channel attacks. The researchers were also able to use PLATYPUS to derandomize ASLR protections, a capability that attackers could combine with software exploits to make them much more potent.

Way more threatening

On a website explaining the attack, researchers wrote:

With classical power side-channel attacks, an attacker typically has physical access to a victim device. Using an oscilloscope, the attacker monitors the energy consumption of the device. With interfaces like Intel RAPL, physical access is not required anymore as the measurements can be accessed directly from software. Previous work already showed limited information leakage caused by the Intel RAPL interface. Mantel et al. showed that it is possible to distinguish if different cryptographic keys have been processed by the CPU. Paiva et al. established a covert channel by modulating the energy consumption of the DRAM.

Our research shows that the Intel RAPL interface can be exploited in way more threatening scenarios. We show that, in addition to distinguishing different keys, it is possible to reconstruct entire cryptographic keys. We demonstrate this by recovering AES keys from the side-channel resilient AES-NI implementation, as well as RSA keys from an Intel SGX enclave. In addition, we distinguish different Hamming weights of operands or memory loads, threatening constant-time implementations of cryptographic algorithms. To mitigate PLATYPUS, the unprivileged access to the energy consumption has been revoked with an update to the operating system. With Intel SGX, however, a compromised operating system is within the threat model, rendering this mitigation insufficient. Therefore, Intel released microcode updates that change the way the energy consumption is reported if Intel SGX is enabled on the system. Instead of actual energy measurements, it falls back to a model-based approach, such that the same instructions with different data or operands cannot be distinguished.

Intel and beyond

While PLATYPUS attacks Intel processors, the researchers said that onboard energy meters in competing chips can likely also be abused to carry out similar attacks. The interface in modern AMD CPUs, for instance, measures power at the individual core level. What’s more, for AMD Rome CPUs running on Linux kernel version 5.8 and above, it required no privileges for access. An update to the Xen virtual machine on Tuesday now requires privileges to access RAPL on both Intel and AMD CPUs.

PLATYPUS is short for Power Leakage Attacks: Targeting Your Protected User Secrets. The researchers chose the name because they said that platypuses “are fascinating animals” that “can detect electrical signals with their bill.”

The findings—from researchers at Graz University of Technology, CISPA Helmholtz Center for Information Security, and the University of Birmingham—are impressive and far-reaching. As such, Tuesday’s paper is required reading for any organization that relies on SGX to keep data or computing secure. For everyone else, there’s considerably less urgency, as long as all available patches are installed. Updates fixing the vulnerabilities—which are tracked as CVE-2020-8694 and CVE-2020-8695—are being released by Linux distributors and PC manufacturers. They should be installed as they become available.

https://arstechnica.com/?p=1721693