
V0LTpwn: Attacking x86 Processor Integrity from Software - gandalfgeek
https://arxiv.org/abs/1912.04870
======
nneonneo
Intel SGX is really a big gift to security researchers, second only to
speculative execution and friends. Intel is selling it as a way to keep
secrets safe inside the processor against attackers with root/hypervisor
software access or even physical access. Of course, a bevy of attacks in the
recent months have demonstrated that this isn’t really achievable given the
extremely large attack surface.

SGX has opened Intel up to physical attacks on the chip in a way that really
hasn’t been interesting in the past. Previously attacking a CPU physically
wouldn’t give you any more capabilities than you already had (with unlimited
ability to tamper I/O and memory). Now, physically attacking the CPU can be
used to reveal SGX secrets or mess with SGX computations. Expect a lot more
attacks like this to come out in the future!

~~~
bluegreyred
> Intel is selling it as a way to keep secrets safe inside the processor
> against attackers with root/hypervisor software access or even physical
> access. Of course, a bevy of attacks in the recent months have demonstrated
> that this isn’t really achievable given the extremely large attack surface.

As a layman I have to wonder, should we expect similar attacks on Apple's
Secure Enclave in the future?

~~~
fpoling
It greatly helps Apple that T2 is a separate chip specially designed to do
one function well, that is to do crypto in a secure way even in the presence
of physical attacks. How to do that has been known for quite some time. For
example, modern SIM cards or cards for satellite TV are very secure and a
physical attack is possible if one is willing to spend like over 100K per
card.

What Intel is trying to do is to allow general-purpose secure computing with
minimal extra cost. This is relatively new and, as various bugs demonstrate,
may not even be achievable. I.e. it may be possible to create a provably
secure chip, but its cost will make it a niche product.

~~~
baybal2
> physical attack is possible if one is willing to spend like over 100K per
> card.

Firmware recovery from "hardened" microcontrollers costs $15-25k here, and
even that's most likely a "special foreigner price".

~~~
baby
It’s not about firmware recovery: it’s about tampering with it in a
non-intrusive way OR extracting keys from its secured non-volatile memory.

~~~
baybal2
Yes, MCUs with intentionally hardened flash blocks are what those firmware
recoverers specialize in. They do things like Gemalto SIM chips and credit
cards.

~~~
baby
The firmware should not be in internal flash though, where the keys are.

------
mehrdadn
I feel dumb for asking this, but is this really something that's not supposed
to be possible from software? My assumption was always that if you overclock,
undervolt, etc. then (a) you already have high-privileged code running, and
(b) anything can go wrong from crashes to physically breaking your CPU, so I'm
not really shocked (not sure if pun intended) to hear undervolting can damage
the software state. Should I be?

~~~
hannob
It's not a dumb question, not at all.

Processor vendors have been trying to tell us that they can protect parts of
the CPU from its user. Intel's version of that is called SGX.

There are very few good use cases for this. Also, it doesn't really work.

But there are a gazillion ways to attack it, so plenty of papers can be written
about it.

~~~
baby
To add to this ^ imagine that your enclave is computing a wrong result and
then signing this result along with an attestation that it ran the correct
code.

This could be fine if the computation first goes through a consensus mechanism
that tolerates faults, but could be devastating otherwise.

------
loser777
I might be misreading the paper, but it seems like this is due to an
unfaithful implementation of the hardware that allows undervolting to occur
with the right mix of instructions, P-states, and software, rather than a
fundamental design flaw? Basically the equivalent of shipping a chip with the
operating voltage set too aggressively so that the right sequence of
instructions trips it up.

------
non-entity
How do security researchers manage to find stuff like this? Do they just run
some sort of fuzzer until something interesting happens and then try to
reproduce it? Do they scan Intel manuals from top to bottom and are
intelligent enough to read vulnerabilities between the lines? I am incredibly
fascinated by this stuff, but reading things like:

> The hardware interfaces to adjust the voltage (Section 2.2) are
> undocumented. To use them, we had to rely on third-party reverse-engineered
> partial documentation and piece it together to develop a real-world setup
> running on our systems, which required substantial effort on our part.

is so strange to me. I have no idea how people manage to, or even decide to,
take on tasks like that. I have trouble finding that sort of stuff even when I
know exactly what I'm looking for.

~~~
saagarjha
Usually they read a lot, have a general idea of how things might be organized
and where vulnerabilities might lie, and then they try a bunch of things to
see what works.

~~~
baby
This. After having read a lot of papers you can find out how you can use that
knowledge to produce another one.

~~~
non-entity
Is there a good site or journal that specializes in these things, other than
occasionally getting aggregated on HN or Reddit? I'm always intrigued by
processor-level exploits, especially more obscure ones like this.

~~~
baby
Having spent the last month reading about it:

1. Google keywords like smart card, TPM, HSM, secure element, TEE, SGX,
secure enclave, TrustZone, etc.

2. Then add the keywords attack, threat model, etc.

3. Read all the papers.

------
grifball
> the only software-based fault exploit

Plundervolt came out around the same time and is similar; the authors may not
have known about each other.

~~~
crypt0x
Also came here wondering how it relates to this.

[https://plundervolt.com/](https://plundervolt.com/)
[https://media.ccc.de/v/36c3-10883-plundervolt_flipping_bits_...](https://media.ccc.de/v/36c3-10883-plundervolt_flipping_bits_from_software_without_rowhammer)

~~~
grifball
I only read a little bit of V0LTpwn, but Plundervolt is really cool. In one of
the attacks, a fault is caused in the RSA scheme initialization, leading to
reduced strength that can be broken. I guess a similar attack is possible with
AES, but I don't understand it as well.

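As an added illustration of why a single computation fault during RSA signing is so devastating (this is example code written for this page, not code from the V0LTpwn or Plundervolt authors, and it injects the fault in software rather than by undervolting): the toy key uses two constructed, far-too-small Mersenne primes, the message is a constructed byte string, and `fault_bit` is an arbitrary assumed fault position. It demonstrates the classic Bellcore/Lenstra attack on RSA-CRT, in which one faulted signature plus the public key yields a prime factor of N, and shows the usual countermeasure of verifying a signature before it leaves the signer.

```python
from math import gcd
import hashlib

# Constructed toy RSA key: two Mersenne primes, far too small for real use,
# chosen so the numbers stay readable. E is the usual public exponent.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Precomputed CRT parameters, as a real signing routine would store them.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def message_int(data: bytes) -> int:
    """Hash the payload and reduce it into Z_N (a stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def crt_sign(m: int, fault_bit=None) -> int:
    """RSA-CRT signature of m. If fault_bit is given, one bit of the mod-P
    half-result is flipped before recombination, modelling a computation
    fault such as one induced by undervolting the core mid-exponentiation."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit          # the fault hits only the P half
    h = (QINV * (sp - sq)) % P        # Garner recombination
    return sq + Q * h


def recover_factor(m: int, faulty_sig: int) -> int:
    """Lenstra's variant of the Bellcore attack. A fault confined to the P
    half leaves the signature correct mod Q, so faulty_sig^E - m is a multiple
    of Q but not of P; the gcd with N is therefore Q (or P for a Q-side fault).
    For an unfaulted signature the difference is 0 and the gcd is just N."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def sign_checked(m: int, fault_bit=None):
    """Standard countermeasure: verify with the public key before releasing
    the signature, so a faulted value never leaves the signer. Returns None
    when the check fails (a real implementation would also erase state)."""
    s = crt_sign(m, fault_bit)
    return s if pow(s, E, N) == m else None


if __name__ == "__main__":
    m = message_int(b"constructed enclave output to be attested")
    good = crt_sign(m)
    bad = crt_sign(m, fault_bit=17)
    print("good signature verifies:", pow(good, E, N) == m)
    print("faulty signature verifies:", pow(bad, E, N) == m)
    q_rec = recover_factor(m, bad)
    print("recovered Q:", q_rec == Q, "and N // Q == P:", N // q_rec == P)
    print("checked signer suppresses faulty output:", sign_checked(m, 17) is None)
```

The attacker never needs a correct signature or any knowledge of where the fault landed; one faulty output from a CRT signer is enough. The verify-before-release check in `sign_checked` is the standard mitigation, with the caveat that the check itself runs on the same faultable hardware.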
------
sqldba
It seems it requires root privileges to start with. Am I misunderstanding?

~~~
baq
SGX is supposed to be able to hide stuff from root.

