An international team of white hat researchers has successfully corrupted the integrity of Intel Software Guard Extensions (SGX) on Intel Core processors with a software-based fault injection attack aptly dubbed “Plundervolt.” Using Plundervolt, attackers can recover keys from cryptographic algorithms (including the AES-NI instruction set extension) and induce memory safety vulnerabilities into bug-free enclave code.
As the researchers explain, Intel SGX is a set of security-related instruction codes that are integrated into modern Intel CPUs. Essentially, SGX shields sensitive operations inside so-called enclaves. In theory, the contents of these enclaves are protected and cannot be accessed or modified from outside the enclave. This includes an attacker who has root privileges in the normal (untrusted) operating system.
“[However], modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption,” the researchers state on the Plundervolt website. “To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed. But more than that, they offer the user the opportunity to modify the frequency and voltage through privileged software interfaces.”
Plundervolt, say the researchers, demonstrates how these vulnerable software interfaces can be maliciously exploited to undermine system security.
“Plundervolt carefully controls the processor’s supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX’s memory encryption/authentication technology cannot protect against Plundervolt,” the researchers write in an in-depth paper detailing the exploit. “In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code.”
It should be noted that a malicious attacker does not require physical access to execute Plundervolt.
“The undervolting interface is accessible from software, so if a remote attacker can become root in the untrusted OS, [the attacker] can also mount the Plundervolt attack,” the researchers add. “In any case, attackers with physical access would also be in the threat model of SGX (e.g. to protect against malicious cloud providers).”
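As an added illustration of the second effect quoted from the paper above (faults turning bug-free enclave code into a memory-safety problem), the following Python is not code from the paper or this article: it models one faulted multiply inside a table lookup and shows the kind of redundancy check a defender can add. The fault model (a single flipped product bit), the table layout and the check itself are this example's own assumptions.

```python
# Added illustration, not code from the Plundervolt paper or this article: one faulted
# arithmetic instruction makes bug-free enclave code read the wrong memory, while a
# redundancy check refuses the faulted result. Fault model and table are assumptions.

class FaultDetected(Exception):
    """Raised when redundant verification of a computation disagrees."""

# Constructed stand-in for a voltage-induced fault: index of the product bit to flip.
FAULT = {"bit": None}

def imul(a, b):
    """Multiplication as the enclave sees it: correct normally, corrupted under fault."""
    product = a * b
    if FAULT["bit"] is not None:
        product ^= 1 << FAULT["bit"]
    return product

def naive_lookup(table, width, row, col):
    """Bug-free 2-D lookup: the index is always in range when the multiply is correct."""
    return table[imul(row, width) + col]

def checked_lookup(table, width, row, col):
    """Same lookup, but the offset is verified by an independent inverse computation
    and bounds-checked at the point of use before it touches memory."""
    offset = imul(row, width) + col
    # Inverse check: a correct offset decomposes back into exactly (row, col).
    if divmod(offset, width) != (row, col):
        raise FaultDetected(f"offset {offset} inconsistent with ({row}, {col})")
    # Bounds check at use: never trust an index derived from earlier arithmetic.
    if not 0 <= offset < len(table):
        raise FaultDetected(f"offset {offset} outside table of {len(table)} entries")
    return table[offset]

def run_under_fault(bit, row=2, col=1, width=4):
    """Look up (row, col) with product bit `bit` faulted; returns what each variant did."""
    table = [f"entry{i}" for i in range(4 * width)]  # 4 rows x 4 columns, constructed
    FAULT["bit"] = bit
    try:
        try:
            naive = naive_lookup(table, width, row, col)
        except IndexError:  # Python raises; C enclave code would read past the table
            naive = "out-of-bounds read"
        try:
            checked = checked_lookup(table, width, row, col)
        except FaultDetected as e:
            checked = f"refused ({e})"
    finally:
        FAULT["bit"] = None
    return naive, checked
```

`run_under_fault(2)` is the dangerous case: the naive lookup returns a plausible but wrong entry with no error at all, while the checked version refuses. The verification runs on the same hardware the attacker is faulting, so it raises the bar for the attacker rather than removing the risk, which is why the hardware-level mitigation discussed below still matters.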
Protecting against Plundervolt-like techniques
Plundervolt is a technique that enables an attacker to manipulate the voltage of Intel chips and extract information by exploiting Intel’s Software Guard Extensions (SGX) feature. Plundervolt highlights the real-world challenges of designing processors that satisfy both performance and security demands. This is because the complexity of modern CPUs creates an incalculable number of potential vulnerabilities that can be taken advantage of by an attacker.
To protect CPUs against techniques like Plundervolt, we recommend implementing a secure co-processor that is siloed away from the primary, general performance processor. A purpose-built security co-processor can be hardened against a wide range of attack vectors, including side-channel attacks and voltage manipulation. This paradigm allows the primary processor to be designed uncompromisingly for performance — with sensitive operations safeguarded in a dedicated security co-processor.