Academics from three universities across Europe have disclosed today a new attack that undermines the integrity of computations performed inside Intel SGX, the hardware-isolated "enclave" area of Intel CPUs.
The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs.
Academics say they discovered that by lowering the voltage supplied to the CPU core while it runs at a fixed frequency, they can cause instructions executing inside an SGX enclave to compute wrong results. Those faulty results can be exploited later, after the data has left the protection of the enclave.
They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software.
Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available at the bottom of this article.
Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack.
How the Plundervolt attack works
The Plundervolt attack specifically targets Intel Software Guard eXtensions (SGX).
Intel SGX is a powerful security feature found in many recent Intel CPUs. It lets developers isolate parts of an application in secure "enclaves" where sensitive data is handled by the CPU alone, protected even from the operating system and other apps running on the same machine.
SGX enclaves live in a reserved region of main memory that the CPU isolates at the hardware level: code outside the enclave, including the OS and hypervisor, cannot read or write enclave pages, and enclave data is encrypted whenever it leaves the CPU package for DRAM.
Earlier this year, a team of six academics from the University of Birmingham (UK), KU Leuven (Belgium), and the Graz University of Technology (Austria) realized that they could combine the ideas behind two earlier attacks to corrupt data inside Intel SGX.
The first was Rowhammer, which showed that repeatedly accessing DRAM rows disturbs the electrical charge in neighbouring memory cells enough to flip bits from 1 to 0, and vice versa.
The second was CLKSCREW, which showed how a CPU's energy management system, Dynamic Voltage and Frequency Scaling (DVFS), could be abused from software to inject faults into an ARM TrustZone environment and extract secrets or run unsigned code.
Plundervolt combines the principles behind these two attacks. It uses the CPU's voltage-control interface to push the core voltage below its safe operating point while enclave code executes, so that instructions inside the enclave produce wrong results. Unlike Rowhammer, the faults hit the computation itself rather than memory cells.
These faults are small and do not read enclave memory directly. Instead, they corrupt the operations the enclave performs and the data they produce. In other words, Plundervolt does not bypass SGX's isolation; it sabotages the correctness of what the enclave computes, and the faulty output is what the attacker exploits.
For example, an attacker can fault an AES operation running inside the enclave and then apply differential fault analysis to the faulty ciphertext that comes out, recovering the key that was used to encrypt the data in the first place.
"The undervolting induces bit flips in CPU instructions themselves, such as multiplications or AES rounds (AES-NI)," David Oswald, an academic at the University of Birmingham, told ZDNet last week.
"Because SGX only encrypts the data when read from/written to memory (but not inside the CPU), SGX's memory protection does not prevent these errors (since the faulty values themselves are written to memory)," he added.
Plundervolt attacks also go beyond weakening cryptography. A faulted multiplication used in pointer arithmetic or a length calculation can turn otherwise memory-safe enclave code into code that reads or writes out of bounds, exposing enclave memory to the attacker who controls the untrusted host.
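To make the two effects above concrete (a faulted instruction whose wrong result leaves the enclave, and a memory-safety bug introduced into otherwise correct code), here is an added example that is not from the Plundervolt paper or from Intel. It models the fault in software: `glitchy_mul` stands in for an undervolted `imul` and flips one bit of the product, the `arena` layout is constructed for the demo, and the "enclave" functions copy a record to a caller outside the enclave. The naive version validates the index and then trusts the multiply, so a faulted offset of 0 * 16 = 128 makes it copy out the secret record instead. The hardened version recomputes the offset a second way and bounds the result rather than only the input, which is a standard software countermeasure against fault injection.

```c
/* Added example (not from the Plundervolt paper or Intel): a software model of
 * a faulted multiply inside pointer arithmetic, next to a hardened variant.
 * Assumptions: the fault flips one bit of a multiply's product, the enclave's
 * data layout is the constructed `arena` below, and the caller sits outside
 * the enclave and receives whatever the enclave copies out. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RECORD_SIZE 16u
#define NUM_RECORDS 8u
#define RECORDS_BYTES (NUM_RECORDS * RECORD_SIZE)

/* Constructed "enclave memory": 8 public records followed by one secret record. */
static uint8_t arena[RECORDS_BYTES + RECORD_SIZE];
static const uint8_t secret[RECORD_SIZE] = "enclave-secret!";

static void ensure_init(void) {
    static int done = 0;
    if (done) return;
    for (size_t i = 0; i < RECORDS_BYTES; i++) arena[i] = (uint8_t)(i / RECORD_SIZE);
    memcpy(arena + RECORDS_BYTES, secret, RECORD_SIZE);
    done = 1;
}

/* Fault model: the next multiply returns its product with `bit` flipped,
 * standing in for an undervolting-induced glitch in the imul instruction.
 * (Only bits that keep the offset inside `arena` are meaningful for the demo.) */
static int fault_armed = 0;
static unsigned fault_bit = 0;
void arm_fault(unsigned bit) { fault_armed = 1; fault_bit = bit; }

static size_t glitchy_mul(size_t a, size_t b) {
    size_t r = a * b;
    if (fault_armed) { r ^= (size_t)1 << fault_bit; fault_armed = 0; }
    return r;
}

/* Naive enclave function: checks idx, then trusts the multiply.
 * Returns 0 on success, -1 if idx is out of range. */
int read_record_naive(unsigned idx, uint8_t out[RECORD_SIZE]) {
    ensure_init();
    if (idx >= NUM_RECORDS) return -1;
    size_t off = glitchy_mul(idx, RECORD_SIZE);   /* faulted: 0 * 16 becomes 128 */
    memcpy(out, arena + off, RECORD_SIZE);         /* offset 128 is the secret record */
    return 0;
}

/* Hardened variant: recompute the offset independently and bound the result,
 * not just the input. Returns 0 on success, -1 (bad idx) or -2 (fault detected). */
int read_record_hardened(unsigned idx, uint8_t out[RECORD_SIZE]) {
    ensure_init();
    if (idx >= NUM_RECORDS) return -1;
    size_t off  = glitchy_mul(idx, RECORD_SIZE);
    size_t off2 = (size_t)idx << 4;              /* second computation: 16 == 1 << 4 */
    if (off != off2 || off >= RECORDS_BYTES || off % RECORD_SIZE != 0) return -2;
    memcpy(out, arena + off, RECORD_SIZE);
    return 0;
}

int main(void) {
    uint8_t out[RECORD_SIZE];
    arm_fault(7);
    read_record_naive(0, out);
    printf("naive, faulted multiply leaked: %.*s\n", (int)RECORD_SIZE, out);
    arm_fault(7);
    printf("hardened, faulted multiply: rc=%d\n", read_record_hardened(0, out));
    return 0;
}
```

The redundant check only helps if the attacker cannot reproduce the same fault in both computations; in practice, glitches from undervolting are probabilistic, so the compare raises the bar rather than closing the hole. A compiler may also rewrite `idx * 16` as a shift, so on real hardware the instruction that actually executes must be inspected, not the source.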
But tinkering with a CPU's voltage can easily cause problems, from crashing the operating system to, in extreme cases, permanently damaging the CPU.
However, Oswald told ZDNet that Plundervolt attacks aren't particularly intrusive, and are usually safe.
"We operate the CPU at the boundary where such flips just occasionally occur so that the system itself does not crash," he said.
Besides not crashing systems, there's another detail that makes Plundervolt a dangerous attack. It's fast -- or at least faster than most other attacks on Intel CPUs, like Spectre, Meltdown, Zombieload, RIDL, and others.
"Typically we get bitflips in multiplications or AES very quickly. For example, extracting an AES key takes a few minutes, including the computation required to get the key from the faulty ciphertext," Oswald said.
Plundervolt is not a remote attack
Plundervolt must run from software with kernel (ring 0) privileges on the target host, because the voltage-control interface is a model-specific register that only the kernel can write. This is not an impossible scenario, but an attacker would first need social engineering and a privilege-escalation exploit to get there. Note, however, that a malicious OS is exactly what SGX is designed to resist, so a root-level attacker is inside SGX's own threat model.
Additionally, Plundervolt does not work from inside virtualized environments such as virtual machines and cloud instances, because the hypervisor normally does not expose the voltage-control register to guest operating systems.
What's impacted and where to get fixes
Nonetheless, Plundervolt is a serious issue. The research team said it notified Intel in June 2019, and the vendor has since prepared patches.
Microcode and BIOS updates were released today as part of Intel security advisory INTEL-SA-00289. The updates give administrators a BIOS option to disable the voltage-control interface on systems that don't need it, or where Plundervolt (CVE-2019-11157) is considered a real risk. The microcode side of the fix also feeds into SGX attestation, so a remote party relying on an enclave can check whether the platform has the mitigation in place.
According to Intel, the following CPU series are vulnerable to Plundervolt attacks:
Plundervolt is not something most end users need to worry about. It is of little interest to malware authors because it is hard to automate at scale. It is, however, an attack vector that could be weaponized in targeted attacks against specially selected victims. Whether Plundervolt is a serious threat depends on each user's threat model.
A research paper describing the Plundervolt attack can be downloaded from this website. The paper is entitled "Plundervolt: Software-based Fault Injection Attacks against Intel SGX."
Proof-of-concept code for reproducing attacks will be released later today on GitHub.
The vulnerability tracked as CVE-2019-11157 is also known as VoltJockey and V0LTpwn, the names given to it by two other academic teams that independently discovered the same attack.