
Plundervolt: Software-Based Fault Injection Attacks Against Intel SGX [pdf] - xucheng
https://plundervolt.com/doc/plundervolt.pdf
======
ulrikrasmussen
At this point, I really don't understand how people can still believe that SGX
is ever going to work. The threat model is so incredibly hostile that it is
basically impossible to create something that isn't vulnerable through some
kind of side channel or physical manipulation such as this. When it is
compromised at just one site, then the whole security model topples. In the
end, you will only be able to "securely" deploy it in environments where you
trust the parties to not tinker too much with it. But in that case, why not
just go for something a lot simpler when you already rely on trust?

~~~
panpanna
The idea behind SGX is that you don't need to trust your cloud provider.

There are already simpler solutions for local execution.

------
missosoup
These kinds of brownout/undervolt attacks have been used in console cracking
for decades.

Surely someone involved would have known about that. I wonder what chain of
events led to the creation of a secure enclave with such well understood
flaws.

~~~
bradstewart
While the premise is similar, this is much different from the decades old
brownout attacks. The researchers are causing the undervolt with software, not
by manipulating the supply lines to the chip.

~~~
missosoup
Yes but not really? Intel just made it easier than oldschool hardware attacks:

> adversary abuses an undocumented Intel Core voltage scaling interface

Instead of having to buy hardware to mess with the power rail in a controlled
manner, you can now just do it with a code snippet!

~~~
bradstewart
And you can do it remotely. But they certainly made it easier because this is
(presumably) behind the brownout detectors and other circuitry usually
attached to the supply lines to combat this sort of stuff.

------
tasty_freeze
I understand how screwing with the voltage can cause execution errors. If a
random flop somewhere in the design flips state (or fails to when it should)
the resulting behavior could be anything, including hanging the chip.

How does such a random event get turned into an exploit?

~~~
panpanna
There are a bunch of different methods, but the old school method was mainly to
make a control point make an incorrect decision.

------
baybal2
Don't you think Intel's "fix" of disabling DVFS amounts to a post-release
product downgrade?

~~~
the_pwner224
All their security fixes are. My 2-year-old laptop feels noticeably slower in
day-to-day usage now. I haven't tested it, but I would bet a small sum of
money that it would go back to its original 2-year-ago performance with
mitigations=off specified to Linux.

If I can't undervolt anymore, then my laptop will be unable to run the CPU at
100% without thermal throttling. Not Intel's fault that Dell used a shitty
cooling system and a too-high default voltage, but it's yet another penalty
that I have to take because Intel failed.

~~~
undersuit
Intel is playing a dangerous game if you ask me. AMD lost a class action
lawsuit because someone was disappointed in the performance of an AMD chip
even though all the performance metrics were available for them to
research[1]. Intel is still selling hyper-threaded processors. You cannot buy
an Intel laptop that isn't pre-configured to be vulnerable to Zombieload[2],
unless you find one of the 4 obscure Intel chips like the Core i5-8500 _B_
Processor in a laptop.

[1] [https://www.theverge.com/circuitbreaker/2019/8/28/20837336/a...](https://www.theverge.com/circuitbreaker/2019/8/28/20837336/amd-12-million-false-advertising-class-action-lawsuit-bulldozer-chips)

[2] [https://zombieloadattack.com/](https://zombieloadattack.com/)

------
segfaultbuserr
Most comments simply missed the point.

Power analysis attacks and power glitch attacks are well-known in cryptography
and electronics. The classic technique is to monitor the Vcc voltage and
current on an oscilloscope and try deducing the internal operation of the chip
and extract the secret, or to inject a glitch on the Vcc rail to induce a
fault. A classic side-channel attack, but these attacks required complete
physical control over the hardware, and you need to put a dozen probes on
the motherboard in a lab with an elaborate setup, so it was typically not a
concern unless it's a crypto key or something (_if so, it would be done on a
separate security chip with physical defense internally_).

But this attack showed that, since every CPU and SoC now has builtin dynamic
voltage scaling and power management, by using these features, you can use the
CPU to launch a power analysis attack against itself, and you don't even need
to touch even a single trace on the PCB, the attack can be launched remotely,
and all you need is root access!

This is frightening. Who knows what is going to be next.

------
xioxox
Terrible for those of us who use undervolting to keep our laptops as cool as
possible. I hope they allow it to be enabled in the BIOS settings.

~~~
strstr
"After carefully reviewing the CPU voltage setting modification, Intel is
mitigating the issue in two parts, a BIOS patch to disable the overclocking
mailbox interface configuration. Secondly, a microcode update will be released
that reflects the mailbox enablement status as part of SGX TCB [Trusted
Computing Base] attestation. The Intel Attestation Service (IAS) and the
Platform Certificate Retrieval Service will be updated with new keys in due
course. The IAS users will receive a 'CONFIGURATION NEEDED' message from
platforms that do not disable the overclocking mailbox interface."

Seems like you should be able to just avoid applying the bios patch. That
said, you won't be able to keep your BIOS up to date.

~~~
chithanh
But then again, the researchers state: "In the paper, we show that Plundervolt
may affect SGX's attestation functionality" so they are apparently able to
fake at least part of the attestation.

Also it will be interesting to see whether directly talking to the voltage
regulation controller on the mobo will circumvent the microcode protection.

~~~
segfaultbuserr
> _whether directly talking to the voltage regulation controller on the mobo_

Is it even possible to do that without physical access?

Can you confirm that? Do modern motherboards expose an interface that allows
direct control over the voltage regulation in software without physical
access?! If so, it's terrifying...

~~~
chithanh
I am talking about working around attestation for someone who operates the
computer and wants to subvert SGX enclaves. Whether you need physical access or
not is thus inconsequential.

------
jotm
Intel just keeps getting kicked in the nuts, huh

There is no way to get _the most_ performance out of your Intel chip without
undervolting - especially on mobile, they run really hot under constant load
and often throttle. Manufacturers using barely capable heatsinks doesn't help.

Time to switch to AMD when the new Zen mobile chips arrive.

~~~
bayindirh
Honestly, I was considering returning to AMD while getting a new system. This
is the final nudge for switching back.

Thanks Intel, you really tried and succeeded.

------
baybal2
There is no such thing as a "trusted" computing.

The very same DVFS is also possible to exploit for side channel attacks. Say,
one branch makes the processor kick into a higher gear, and over millions of
branches, you can reliably deduce the branch result for an operation behind the
MCU barrier.

------
someguyorother
I wonder, with formal verification being a thing, could you formally verify
that a chip would be resistant to all types of power attacks according to the
current laws of physics?

Such a proof can never be final, because the laws of physics aren't either.
But just because it's not perfect doesn't mean it wouldn't be good.

~~~
q3k
An Intel CPU is a pretty large design. I'm not sure it's feasible to run all
formal verification benchmarks on a full RTL design of the entire chip,
including caches, memory controllers, etc.

Not to mention - these sorts of fault injection attacks are way past issues in
high-level RTL, and instead are in the post-synthesis, analog/metastable
domain specific to a given target process. Simulating those effects sounds
prohibitively expensive, and I'm not sure there is any existing formal
verification suite that can even do that.

Unless someone modeled at a higher level that modifying an MSR can cause
undervolting, and then this undervolting can in turn cause bitflips to occur,
this wouldn't have been caught. And if they did model it, they would have
probably thought of this attack anyway :).

~~~
kyboren
> An Intel CPU is a pretty large design. I'm not sure it's feasible to run all
> formal verification benchmarks on a full RTL design of the entire chip,
> including caches, memory controllers, etc.

Agreed. It's still possible to verify smaller components of the design,
though.

> [...] These sorts of fault injection attacks are way past issues in high-
> level RTL. [...] Simulating those effects sounds prohibitively expensive,
> and I'm not sure there is any existing formal verification suite that can
> even do that.

It's possible to have a "high-level RTL" design that inherently resists some
types of fault injection attacks. TMR is a trivial example:
[https://en.wikipedia.org/wiki/Triple_modular_redundancy](https://en.wikipedia.org/wiki/Triple_modular_redundancy)

In fact, there is a wide body of literature studying the application of formal
verification to side-channel and fault-injection analysis. Some systems can
even synthesize a fault-injection resistant design. Unfortunately it is not
realistic to be resistant to "all types of [fault injection] attacks according
to the current laws of physics". We _can_, however, make different models of
fault attacks and then prove (or synthesize) that some design is resistant to
attacks in that model.

If you're interested, look for publications in CHES, TCAD, FMCAD, DAC, DATE,
etc. with keywords like "DFA", "DFIA", "SAT", "fault injection", etc.
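
Added illustration of the point above about proving resistance only within a
stated fault model (this is example code written for this page, not from the
Plundervolt paper, the thread, or any Intel design): a bitwise
triple-modular-redundancy voter around a placeholder computation, checked
exhaustively against a "one faulty replica, any bit pattern" model, plus one
case that falls outside that model. `compute()`, `majority()`,
`tmr_compute()`, the 8-bit width and the fault lists are all constructed for
the example; a real glitch is not simulated, only its assumed effect on a
replica's output.

```python
# Added example: TMR voting checked against a simple fault model.
# Nothing here models real silicon; the faults are injected as XOR masks on
# a replica's result, which is the abstraction fault-model papers use.
from typing import List, Tuple

WIDTH = 8                      # constructed: small enough for exhaustive checking
MASK = (1 << WIDTH) - 1


def compute(x: int) -> int:
    """Stand-in for the protected logic (constructed, arbitrary affine map)."""
    return (x * 0x5B + 0x13) & MASK


def majority(a: int, b: int, c: int) -> int:
    """Bitwise majority vote: output bit is 1 iff at least two inputs have it set."""
    return (a & b) | (a & c) | (b & c)


def disagreement(a: int, b: int, c: int) -> bool:
    """Detector: True if any replica disagrees, i.e. something went wrong."""
    return not (a == b == c)


def tmr_compute(x: int, faults: List[Tuple[int, int]] = ()) -> Tuple[int, bool]:
    """Run compute() on three replicas, apply the modelled faults, then vote.

    `faults` is a list of (replica_index, xor_mask) pairs: the bits of
    xor_mask are flipped in that replica's output. Returns (voted, alarm).
    """
    replicas = [compute(x) for _ in range(3)]
    for idx, mask in faults:
        replicas[idx] ^= mask
    return majority(*replicas), disagreement(*replicas)


def verify_single_fault_model() -> bool:
    """Exhaustive check of the model 'at most one replica is corrupted'.

    For every input, every replica and every nonzero flip pattern, the vote
    must equal the fault-free result and the alarm must fire. This is a
    proof only within that model, which is the caveat in the comment above.
    """
    for x in range(1 << WIDTH):
        expected = compute(x)
        for idx in range(3):
            for flip in range(1, 1 << WIDTH):
                voted, alarm = tmr_compute(x, [(idx, flip)])
                if voted != expected or not alarm:
                    return False
    return True


def outside_model_example() -> Tuple[bool, bool]:
    """Two replicas hit with the same flip: outside the single-fault model.

    Returns (vote_was_correct, alarm). The vote is wrong, although the
    third replica still makes the detector fire.
    """
    x = 0x42                                   # constructed input
    expected = compute(x)
    voted, alarm = tmr_compute(x, [(0, 0x08), (1, 0x08)])
    return voted == expected, alarm


if __name__ == "__main__":
    print("single-fault model holds:", verify_single_fault_model())
    print("two correlated faults (correct?, alarm?):", outside_model_example())
```

The exhaustive loop is the toy version of what a SAT- or model-checking-based
DFA/DFIA tool does at RTL: enumerate the fault model and show the voter's
output never deviates. Widening the model (two correlated faults, faults in
the voter itself) is exactly where this design stops being provably safe.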

------
eyegor
Important caveats, for the lazy:

- SGX is disabled by default, it has to be enabled for this exploit to be
relevant

- POC requires privileged execution, at which point you can safely assume all
is already lost

Anyone who has spent time around digital logic circuits will know that messing
with voltages will cause errors. If the power lines are too low some
transistors will not be able to switch their load. Or too high and you will
cause parasitic losses or capacitance in unexpected places. This is actually a
really nice attack to show off to people with an interest in
computer/electrical engineering because it demonstrates how a basic design
constraint can cascade in unexpected ways.

~~~
xucheng
> SGX is disabled by default, it has to be enabled for this exploit to be
> relevant

This is an attack on SGX. If you are not using it, it is irrelevant regardless
of whether it is enabled.

> POC requires privileged execution, at which point you can safely assume all
> is already lost

For SGX, this is different. The threat model behind SGX is that anything
outside SGX (including OS, BIOS, motherboard, etc.) is untrusted. The whole
motivation behind SGX is to create a trusted environment in an untrusted host.

------
rasz
Isn't Netflix using SGX for DRM?

~~~
bayindirh
Not on the client side, at least. My desktop doesn't have SGX capabilities,
yet I watch Netflix.

~~~
lossolo
They use it on client side for higher resolutions, you will not be able to
watch 4k content on laptop/PC without Intel SGX.

~~~
bayindirh
Actually my plan is not UHD since my displays don't go up to 11. Do they warn
me if they block UHD streaming due to hardware deficiencies (i.e. SGX not
available)?

~~~
lossolo
Possibility to choose 4k quality will not be available on that kind of
platform (Widevine L3).

------
ddtaylor
Does anyone have a ELI5 explanation?

~~~
xucheng
Intel SGX is a secure enclave embedded in Intel CPUs, which aims to provide a
secure and trusted computation environment, for example for storing and
processing cryptographic secret keys. It is similar to the enclave in Apple A
chips used in Touch ID/Face ID. Currently, there is no wide adoption of SGX in
production environments, mainly due to attacks like this.

In this attack, the researchers found that by adjusting the voltage and clock
frequencies of the CPU, they are able to generate errors inside the SGX enclave
and recover the secret keys inside.

~~~
Legogris
IME lack of adoption is more due to lack of tooling and integration with
popular languages and libraries.

Also, the domains that have the most to benefit from SGX (heavily regulated
ones like healthcare) tend to be very slow adopters of new technology.

I guess there is definitely some level of concern for side-channel attacks,
given Intel's track record, but I don't think that's what's been holding back
adoption.

~~~
throwaway2048
It also requires a very expensive license from Intel, and to allow them
partial control of your code via code signing.

~~~
thu2111
No it doesn't. Getting a whitelisted code signing key just requires you to
agree that you won't distribute malware. You pay nothing for it and Intel
don't see the code you sign. Please don't make things up because they "sound
right".

~~~
dboreham
Are there non-Intel remote attestation servers now?

~~~
thu2111
Only Intel know what chips they've manufactured and what microcode patch
levels are currently considered secure, so that wouldn't make much conceptual
sense. But the new DCAP feature lets you run some of the RA infrastructure
yourself, yes.

