AMD Secure Encrypted Virtualization Undone by Electrical Attack • The Register
AMD’s Secure Encrypted Virtualization (SEV) scheme is not as secure as the name suggests.
Boffins at the Technische Universität Berlin have devised an attack that defeats the primary purpose of this secure enclave technology: protecting virtual machine data from malicious administrators in cloud environments.
In a paper titled “One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization”, Robert Buhren, Hans Niklas Jacob, Thilo Krachenfels and Jean-Pierre Seifert of the Security in Telecommunications group at TU Berlin describe how they mounted a voltage fault-injection attack.
This shock to the system allowed them to recover secret encryption keys and execute arbitrary code on all AMD chips that carry a Secure Processor (SP).
“By manipulating the input voltage to AMD systems on a chip (SoCs), we induce an error in the read-only memory (ROM) bootloader of the AMD-SP that allows us to gain full control over this root of trust,” the researchers explain in their paper.
The attack was inspired by a separate cunning plan, dubbed VoltPillager, that was used to defeat Intel’s Software Guard Extensions (SGX), a similar secure enclave system for the x86 microarchitecture.
As with the SGX attack, the SEV attack relies on inexpensive, off-the-shelf components: a Teensy microcontroller board for around $30 and a flash programmer for $12. The non-hardware prerequisites are more of an obstacle: they include insider access at a cloud computing company, the ability to attach wires to the server’s motherboard without arousing suspicion, and some technical skill.
The Register asked AMD for comment. A spokesperson pointed to the physical-access requirement to stress that this is not a remote attack scenario, but otherwise had nothing to say.
SEV relies on the Secure Processor, a microcontroller that provides the root of trust in AMD Naples (Zen 1), Rome (Zen 2) and Milan (Zen 3) chips and manages the lifecycle of VMs. It is supposed to protect VM data from the hypervisor and from other VMs.
But by lowering the supply voltage while the AMD-SP’s ROM bootloader runs, the researchers were able to extract the chip endorsement keys (CEKs), which can then be used to mount fully remote attacks.
The boffins also managed to defeat a new key versioning scheme introduced last year by the SEV Secure Nested Paging (SEV-SNP) extension [PDF]. By using the voltage glitch to extract the seed values for the versioned chip endorsement key (VCEK), they were able to derive valid VCEKs for every possible combination of firmware versions. This is the first publicly disclosed attack on the SEV-SNP extension, they claim.
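To make the versioning point concrete, here is an added toy model; it is neither AMD’s key derivation nor code from the paper. It treats a VCEK-like key as an HMAC-SHA256 derivation from a per-chip seed and a handful of TCB version fields, and stands in for the attestation signature with a MAC under that key. The field names, version ranges, KDF structure and MAC-based “signature” are all assumptions made for the demo. What it shows is the defender’s problem: whoever holds the seed can enumerate the key for every version combination, so a verifier that trusts the key for the current TCB cannot distinguish a seed-derived forgery from the genuine key, which is why versioning alone cannot contain a seed leak and the fault itself has to be detected.

```python
import hashlib
import hmac
import itertools

# Constructed TCB version fields. These are stand-ins for the firmware
# version numbers that feed a real versioned-key derivation; the names
# and the range 0..MAX_VERSION are assumptions for this demo.
TCB_FIELDS = ("bootloader", "tee", "snp", "microcode")
MAX_VERSION = 3


def derive_vcek(seed: bytes, tcb: dict) -> bytes:
    """Toy versioned key (hypothetical KDF, not AMD's): chain HMAC-SHA256
    over the TCB fields, starting from the per-chip seed. Each version field
    is mixed in separately, so two different TCBs yield different keys, but
    every key is reachable from the seed."""
    key = seed
    for field in TCB_FIELDS:
        key = hmac.new(key, f"{field}={tcb[field]}".encode(), hashlib.sha256).digest()
    return key


def all_vceks_from_seed(seed: bytes, max_version: int = MAX_VERSION) -> dict:
    """What a seed holder can compute offline: the key for every TCB combo."""
    return {
        combo: derive_vcek(seed, dict(zip(TCB_FIELDS, combo)))
        for combo in itertools.product(range(max_version + 1), repeat=len(TCB_FIELDS))
    }


def sign_report(vcek: bytes, report: bytes) -> bytes:
    """Stand-in for the attestation signature: a MAC under the VCEK."""
    return hmac.new(vcek, report, hashlib.sha256).digest()


def verify_report(vcek_for_claimed_tcb: bytes, report: bytes, tag: bytes) -> bool:
    """Verifier side: check the tag against the key it trusts for the
    TCB the report claims. It has no way to learn how that key was obtained."""
    return hmac.compare_digest(sign_report(vcek_for_claimed_tcb, report), tag)


def demo() -> dict:
    # Constructed seed; a real seed would be a per-chip secret inside the SP.
    seed = hashlib.sha256(b"constructed demo seed, not a real chip secret").digest()
    current_tcb = {"bootloader": 3, "tee": 3, "snp": 3, "microcode": 3}

    # Legitimate firmware at the current TCB would hold this key...
    genuine = derive_vcek(seed, current_tcb)
    # ...and anyone with the seed reproduces it, plus every other version's key.
    table = all_vceks_from_seed(seed)
    forged = table[(3, 3, 3, 3)]

    # Constructed report: the forged key signs a claim of the newest TCB.
    report = b"constructed attestation report claiming TCB 3.3.3.3"
    tag = sign_report(forged, report)

    return {
        "keys_enumerated": len(table),              # (MAX_VERSION + 1) ** len(TCB_FIELDS)
        "forged_matches_genuine": forged == genuine,
        "verifier_accepts_forged": verify_report(genuine, report, tag),
        "older_key_differs": table[(2, 3, 3, 3)] != genuine,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for anyone relying on attestation is that the verifier’s check succeeds precisely because the forged key is bit-for-bit the genuine one; versioning distinguishes firmware levels, not seed holders. Rotating firmware versions therefore does nothing once the seed is out, and the defence has to sit below the key hierarchy, in detecting or tolerating the glitch.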
The paper suggests two possible mitigation paths. One is to modify the software or hardware to detect voltage modulation and refuse to execute in the presence of faults.
The other involves adding dedicated circuitry to defend against voltage glitches. The researchers note that this is already routine for smart cards, and point to a recent Nvidia patent for an inter-domain voltage fault detection circuit that can be implemented in an SoC. ®