VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves

Boffins devised a new attack, dubbed VoltPillager, that can break the confidentiality and integrity of Intel SGX enclaves by controlling the CPU core voltage.

A group of six researchers from the University of Birmingham has devised a new attack technique, dubbed VoltPillager, that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) enclaves by controlling the CPU core voltage.

The attack leverage a low-cost tool that is used to inject Serial Voltage Identification (SVID) packets on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard.

The injected packets allowed the researchers to fully control the CPU core voltage and perform fault-injection attacks.

“we have built VoltPillager, a low-cost tool for injecting messages on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard. This allows us to precisely control the CPU core voltage.” reads the paper published by the researchers. “We leverage this powerful tool to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves.”

The researchers discovered that on a standard motherboard there is a separate Voltage Regulator (VR) chip that generates and controls the CPU voltage. The experts devised VoltPillager tool to connect to the interface of the VR chip, which is not protected, and control that voltage.

The experts were able to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves, and present proof-of-concept key-recovery attacks against cryptographic algorithms running inside SGX.

The microcontroller-based board VoltPillager devised by the researchers is based on the Teensy 4.0 microcontroller board, it is a low-cost device that can be built for $30.

The attack devised by the researchers requires full control over the BIOS and operating system.

Experts pointed out that the patches for the CVE-2019-11157 vulnerability (Plundervolt) don’t protect against VoltPillager because they simply disable the software undervolting interface, but the hardware interface remains active.

“We have proven that this attack vector is practical by recovering RSA keys from an enclaved application, and have shown that other fundamental operations such as multiplication and memory/cache writes can be faulted as well.” continues the paper. “These lead to novel memory safety vulnerabilities within SGX, which are not detected by SGX’s memory protection mechanisms,”

Experts presented the results of their study to Intel on March 13, 2020, but the company doesn’t plan to fix the problem because the SGX threat model does not include hardware hardware-based attacks.

“… opening the case and tampering of internal hardware to compromise SGX is out of scope for SGX threat model. Patches for CVE-2019-11157 (Plundervolt) were not designed to protect against hardware-based attacks as per the threat model,” states the Intel’s reply.

“The results in this paper, together with the manufacturer’s decision to not mitigate this type of attack, prompt us to reconsider whether the widely believed enclaved execution promise of outsourcing sensitive computations to an untrusted, remote plat-form is still viable,” the researchers conclude.

Pierluigi Paganini

(SecurityAffairs – hacking, VoltPillager)

The post VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves appeared first on Security Affairs.