Researchers have discovered a new attack impacting modern Intel CPUs, which could allow an attacker to extract highly-sensitive information – such as encryption keys – from affected processors by altering their voltage.
The attack, dubbed “Plundervolt,” centers around Intel Software Guard Extensions (SGX), a set of security-related instruction codes that are built into Intel CPUs. Intel SGX shields sensitive data – such as AES encryption keys – inside “enclaves,” which are physically separate from other CPU memory and are protected by software encryption.
However, researchers uncovered a way to target the safeguards used by PC operating systems (OS) to control processor voltage and frequency, tampering with then to alter the bits held inside Intel SGX and create exploitable glitches.
“With Plundervolt, we showed that these software interfaces can be exploited to undermine the system’s security,” said researchers with the University of Birmingham, imec-DistriNet, KU Leuven and Graz University of Technology on Tuesday. “We were able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations. This means that even Intel SGX’s memory encryption/ authentication technology cannot protect against Plundervolt.”
Intel issued microcode and BIOs updates on Tuesday, parallel to the attack’s disclosure, for the high-severity vulnerability (CVE-2019-11157).
“Intel recommends that users of [affected] Intel processors update to the latest BIOS version provided by the system manufacturer that addresses these issues,” according to Intel’s advisory. “An SGX TCB key recovery is planned for later in Q1 2020.”
The Attack
Attackers can launch the Plundervolt attack (the name stems from the word “plunder,” meaning to steal or remove something precious) by meddling with Intel CPU voltage and frequencies.
Systems only draw a certain amount of processor power, so that their battery life won’t drain and they won’t overheat. However, users can override these predefined processor frequency and voltage levels using a process commonly triggered by gamers looking to overclock (speed up) their CPUs; they can tweaking the “Model-Specific Registers,” which control chip voltage. Attackers with control over a victim’s operating system can use this same method to decrease voltage and launch the Plundervolt attack.
“Finding the right undervolting value… requires some experimentation by carefully reducing the core voltage in small decrements (e.g., by 1mV per step) until a fault occurs, but before the system crashes,” researchers said.
By altering the voltage, researchers were able to break the integrity of SGX in order to alter the bits held inside, creating holes which then open up the possibility of privilege-escalation and information-disclosure attacks.
The attack comes with some stipulations – while researchers noted that an attacker doesn’t need physical access to a victim’s computer to launch the attack, an attacker would need to be authenticated and would first need root access to an untrusted OS.
“In any case, note that attackers with physical access would also be in the threat model of SGX,” researchers said.
Plundervolt affects all SGX-enabled Intel Core processors from Skylake onward, meaning that Intel modern Core processors (6th-, 7th-, 8th-, 9th- and 10th-generation), as well as Intel Xeon Processor E3 v5 and v6, and Intel Xeon Processor E-2100 and E-2200 families are at risk.
Other Intel Attacks
A flurry of attacks continue to plague Intel chips – in 2018, three new speculative execution design flaws in Intel CPUs were disclosed, impacting Intel’s SGX technology, its OS and system management mode (SMM) and hypervisor software.
Other Spectre-class flaws have been discovered since Spectre and the related Meltdown vulnerability were found, including side-channel variants 1, 2, 3, 3a and 4.
However, “speculative execution attacks like Foreshadow or Spectre allow to read data from SGX enclave memory (i.e. attacks the confidentiality),” researchers explained. “Plundervolt achieves the complementary operation, namely changing values in SGX-protected memory (i.e. attacks the integrity).”
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.