
One more reason for Apple to dump Intel processors: Another SGX, kernel data-leak flaw unearthed by experts


steven36


Obscure interface lets you monitor chip activity with code as if you were physically plugged into it

 


 

 

Updated Boffins based in Austria, Germany, and the UK have identified yet another data-leaking side-channel flaw affecting Intel processors, and potentially other chips, that exposes cryptographic secrets in memory.

 

In a paper disclosed on Tuesday, computer scientists with Graz University of Technology, University of Birmingham, and CISPA Helmholtz Center for Information Security, describe an attack dubbed "Platypus," which stands for "Power Leakage Attacks: Targeting Your Protected User Secrets."

 

Vulnerability naming is something of an issue in the security community, particularly in cases where the name appears to exaggerate the severity of the disclosure. "Platypus" thus should be well-received.

 

The paper describes a way to extract confidential data from devices by measuring power consumption fluctuations in Intel chips from Sandy Bridge onward using just software and without the need to physically wire instruments to machines. This means it can be used by malware already on a computer, or a rogue user, to break through protection barriers and observe sensitive information, such as secret kernel data structures and the contents of SGX enclaves.

 

The researchers responsible include Moritz Lipp, Andreas Kogler, David Oswald, Michael Schwarz, Catherine Easdon, Claudio Canella, and Daniel Gruss, some of whom were involved in the 2018 Spectre and Meltdown disclosures.

 

Their attack exploits the unrestricted availability of the Intel Running Average Power Limit (RAPL) software interface, which was introduced in Intel's Sandy Bridge Architecture (2011) and gained Linux support in 2013.

 

"We show that with sufficient statistical evaluation, we can observe variations in power consumption, which distinguish different instructions and different Hamming weights of operands and memory loads," the paper explains. "This enables us to not only monitor the control flow of applications but also to infer data and extract cryptographic keys."

 

A number of computer security experts have managed to conduct similar attacks using external hardware, specifically some electronics and an oscilloscope, to monitor power fluctuations and observe instructions in cryptographic algorithms to extract secret keys. The latest paper's authors point to an attack disclosed in 2016 that required 17 days of measurements to obtain AES-NI keys.

 

This time, the boffins have done a bit better, obtaining AES-NI keys from an SGX enclave and the Linux kernel in somewhere between 26 hours (ideal conditions) and 277 hours (real-world conditions). Also, this latest attack did not require physical access to the computer because it relied on the software-based RAPL interface. The contents of SGX enclaves are supposed to be hidden from even a system's administrators, users, operating system, and other software running on the box. They are designed to hold things like DRM decryption code for media, cryptographic secrets, and so on, that not even the owner and operator of the hardware – which could be a cloud giant or a PC user – can access.

 

With privileged access, the Platypus team claim they can recover RSA private keys from an Mbed TLS implementation within 100 minutes by inferring the instructions executed inside an SGX enclave, and can derandomize kernel address space layout randomization (KASLR) in 20 seconds by observing power consumption variance between valid and invalid kernel addresses.

 

One of the researchers involved, Michael Schwarz, has uploaded a YouTube video demonstrating the technique:

 

Platypus is not a speculative execution flaw – it doesn't exploit the problematic behavior of speculating future instruction paths. Rather, it's a simple side-channel that leaks information useful for compromising system confidentiality.

 

The boffins say they tested their attack on Intel chips but they point to the presence of similar power measurement tools for other microarchitectures, like AMD's RAPL interface which allows instructions executed on AMD Zen CPU cores to be identified and monitored.

 

"This could allow similar attacks on AMD CPUs, e.g., against AMD’s SEV-SNP, where a privileged kernel-space attacker is conceivable," the paper explains, and points to other CPU vendors like Ampere, Arm, Cavium, Hygon, IBM, and Nvidia that offer power measurement interfaces.

 

The researchers say they've disclosed the issue to both Arm and AMD. A spokesperson for AMD didn't immediately respond to a request for comment.

 

Intel on Tuesday published patches for the two CVE-listed vulnerabilities associated with this research (CVE-2020-8694 and CVE-2020-8695), which were responsibly disclosed in advance to the company.

 

"Today, we published INTEL-SA-0389 providing details and mitigation guidance to protect against potential information leakage from Intel SGX using the Running Average Power Limit (RAPL) Interface which is provided by most modern processors," an Intel spokesperson said in a statement provided to The Register. "We coordinated with industry partners and released microcode updates for these vulnerabilities through our normal Intel Platform Update (IPU) process."

 

Intel's patch alters its software so that instead of providing actual power consumption measurements, it offers data generated from a predictive model. As a result, the power consumption differences that occur when instructions handle data and operands can no longer be discerned.

 

An update to the Linux powercap driver has been devised to limit unprivileged access to the Intel RAPL MSRs (machine specific registers). On macOS and Windows, access to the Intel RAPL requires the installation of the Intel Power Gadget, so neither of those two operating systems has to mount a native defense against Platypus.

 

In short, install the latest firmware for your Intel-powered computer to get Chipzilla's fixes, and update and reboot your Linux machines, or limit use of Power Gadget on other systems, if Platypus is a concern for you. ®

Updated to add

In a statement to The Register, AMD said it is working to address security weaknesses introduced by its implementation of RAPL. “In line with industry partners, AMD has updated the RAPL interface to require privileged access,” a spokesperson said. “The change is in the process of being integrated into Linux distributions.”

 

Source

New side-channel attacks allow access to sensitive data on Intel CPUs

 


 

An international team of security researchers is presenting new side-channel attacks (CVE-2020-8694 and CVE-2020-8695), which use fluctuations in software power consumption to access sensitive data on Intel CPUs.

 

Intel and power side-channel attacks

Power side-channel attacks are attacks that exploit fluctuations in power consumption to extract sensitive data such as cryptographic keys. Because power measurements by malware were previously very inaccurate, such attacks required physical access to the target device and special measurement tools such as an oscilloscope.

 

New research, led by the Institute of Applied Information Processing and Communications (IAIK) together with the University of Birmingham and the Helmholtz Center for Information Security (CISPA), shows a method that allows power side-channel attacks that can access sensitive data with unprecedented accuracy – even without physical access.

 

The team have demonstrated their method can affect devices including desktop PCs, laptops and cloud computing servers from Intel and AMD.

 

“PLATYPUS attacks show that power side channels – which were previously only relevant to small embedded devices like payment cards – are a relevant threat to processors in our laptops and servers. Our work connects the dots between two research areas and highlights that power side channel leakage has much wider relevance than previously thought,” said Dr David Oswald, senior lecturer in cybersecurity at the University of Birmingham.

RAPL interface and SGX enclaves as key

The researchers used two key approaches. In the first, they used the RAPL interface (Running Average Power Limit), which is built into Intel and AMD CPUs. This interface monitors the energy consumption in the devices and ensures that they don’t overheat or consume too much power. RAPL has been configured so that power consumption can be logged even without administrative rights. This means that the measured values can be read out without any authorizations.

 

In the second approach, the group misuses Intel’s security function Software Guard Extensions (SGX). This functionality moves data and critical programs to an isolated environment (called an enclave) where they are secure – even if the normal operating system is already compromised by malware.

Combination leads to (un)desired result

The researchers combined these two techniques in their methods of attack. Using a compromised operating system targeting Intel SGX, they made the processor execute certain instructions tens of thousands of times within an SGX enclave. The power consumption of each of these commands was measured via the RAPL interface. The fluctuations in the measured values finally allow data and cryptographic keys to be reconstructed.

 

In further scenarios, the researchers also show that even attackers without administrative rights can attack the operating system and steal secret data from it.

New security updates resolve the threat

The TU Graz computer scientists Moritz Lipp, Andreas Kogler and Daniel Gruss together with their ex-colleague Michael Schwarz (researching at CISPA in Saarbrücken since summer 2020) and with David Oswald from the University of Birmingham informed Intel about their discoveries in November 2019. The company has now developed solutions that users should definitely adopt.

 

A security update for operating systems permits access to the RAPL measurement functions only with administrator rights. And further updates for the affected processors themselves ensure that the power consumption is returned in such a way that the subtle differences in the power consumption of programs are no longer visible.

 

Source
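
One way to verify the operating-system mitigation both articles describe (the Linux powercap update that restricts RAPL readings to administrators), as an added example that is not part of the original posts or of any vendor's code. It assumes the standard Linux powercap sysfs layout (`/sys/class/powercap/<zone>/energy_uj`), which the articles do not name, and treats any group or world read bit on a counter as exposure; the sample tree it falls back to is constructed.

```python
import os
import stat
import tempfile

# Standard Linux powercap sysfs location; an assumption, not a path from the articles.
POWERCAP_ROOT = "/sys/class/powercap"

def audit_energy_counters(root=POWERCAP_ROOT):
    """Return (path, octal mode, exposed) for each RAPL energy counter under root."""
    findings = []
    if not os.path.isdir(root):
        return findings  # powercap not present: no counters exposed through sysfs
    for zone in sorted(os.listdir(root)):
        counter = os.path.join(root, zone, "energy_uj")
        try:
            mode = stat.S_IMODE(os.stat(counter).st_mode)
        except OSError:
            continue  # e.g. the control-type entry, which has no energy counter
        # Exposed: a non-owner read bit is set, so unprivileged users can sample it.
        exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append((counter, oct(mode), exposed))
    return findings

def build_sample_tree():
    """Constructed sample: one world-readable zone (0444), one root-only zone (0400)."""
    root = tempfile.mkdtemp(prefix="powercap-sample-")
    for zone, mode in (("intel-rapl:0", 0o444), ("intel-rapl:1", 0o400)):
        os.makedirs(os.path.join(root, zone))
        path = os.path.join(root, zone, "energy_uj")
        with open(path, "w") as fh:
            fh.write("123456789\n")  # placeholder counter value
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "intel-rapl"))  # control type, no counter file
    return root

if __name__ == "__main__":
    # Audit the live system when powercap exists, otherwise the constructed sample.
    target = POWERCAP_ROOT if os.path.isdir(POWERCAP_ROOT) else build_sample_tree()
    for path, mode, exposed in audit_energy_counters(target):
        print(f"{'EXPOSED' if exposed else 'ok':8} {mode:>6} {path}")
```

Any line reported as EXPOSED means the kernel on that host still lets unprivileged users read the energy counter and has not picked up the powercap update.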
