Researchers have devised a new way to remotely steal cryptographic keys from Intel CPUs, even when the CPUs are running software monitoring extensions, the in-silicon protection that should create a trusted enclave impervious to such attacks.
PLATYPUS, as the researchers call the attack, uses a new vector to open one of the most basic side channels, a form of exploit that uses physical characteristics to deduce secrets stored in a piece of hardware. While most power channels require physical access for attackers to measure electricity consumption, PLATYPUS can do this remotely by exploiting the Running Average Power Limit. This Intel interface, abbreviated as RAPL, allows users to monitor and control the energy flowing through CPUs and memory.
Leaky keys and much more
An international team of researchers unveiled Tuesday a way to use RAPL to observe enough clues about the instructions and data flowing through a CPU to infer values being loaded. Using PLATYPUS, the researchers can leak crypto keys from SGX enclaves and the operating system, break the exploit mitigation known as Address Space Layout Randomization, and establish a secret channel for secretly exfiltrating data. Chips starting with Intel’s Sandy Bridge architecture are vulnerable.
In an email, lead researcher Moritz Lipp of the Graz University of Technology wrote:
Attacks that exploit variations in device power consumption typically require the adversary to have physical access to the device. The attacker would attach a power meter with probes to the device to measure energy consumption. However, modern processors come with a built-in power meter and allow unauthorized users to read the readings from the software. We now show that this interface can be used to recover cryptographic keys processed on the machine.
In response to the findings, Intel is making significant changes to RAPL on Tuesday. The former requires elevated privileges to access the interface in Linux, whereas previously the open source operating system provided access without privileges (both Windows and OS X require a special driver to be installed).
Even when privileges or a special driver are required, attackers can still use privileged code to execute the exploits, an attack that would fit SGX’s threat model, which is designed to be safe even when the operating system is compromised.
To address this, Intel is also introducing a second microcode-level fix that, when SGX is enabled, reduces reported power consumption. When developers use crypto algorithms that are time-constant, meaning the number of operations performed is independent of input size, the solution prevents RAPL from being used to derive instructions or data to be processed by a CPU.
Intel officials wrote in a statement: “Today we have published INTEL-SA-0389 detailing and guidance on mitigating potential information leaks from Intel SGX using the Running Average Power Limit (RAPL) interface provided by most modern processors. We coordinated with industry partners and released microcode updates for these vulnerabilities through our normal Intel Platform Update (IPU) process.”
The company said that while there is no evidence the vulnerabilities have been exploited, it is issuing new attestation keys for affected chip platforms. Intel has more mitigation guidance here.
Chipmakers an eyesore
Tuesday’s findings are just the latest to challenge the security of CPUs, which are one of the most basic building blocks of all computers. Processor side channels are nothing new, but the attacks known as Specter and Meltdown nearly three years ago ushered in a new era of CPU attacks that could be exploited in more realistic scenarios. Since then, researchers have come up with a steady stream of exploits, including some that undermine the security guarantee of Intel’s proprietary SGX technology.
Side channels are clues resulting from differences in timing, data caching, power consumption, or other manifestations that occur when different commands or operations are executed. Attackers exploit the differences to deduce secret commands or data flowing through a piece of hardware. One of the most common forms of side channel is the amount of electricity required to complete a given task. More recently, that energy consumption has largely given way to speculative execution, the side channel used by Specter and Meltdown.
The researchers behind PLATYPUS found that the RAPL interface reported power consumption with enough granularity to deduce vital secrets. Key among those secrets are cryptokeys implemented by AES-NI, a set of instructions that Intel says is more resistant to side-channel attacks. Another revealed secret involves RSA keys processed by SGX.
The researchers also used the interface to discern other secret information, including different Hamming weights, defined as the number of non-zero bits in a binary number. Derivative operations also occur “intra-cache”, providing a greater degree of granularity than many side-channel attacks. The researchers were also able to use PLATYPUS to derandomize ASLR protections, a capability that attackers could combine with software exploits to make them much more powerful.
Much more menacing
On a website explaining the attack, investigators wrote:
In classic power side-channel attacks, an attacker usually has physical access to a victim device. Using an oscilloscope, the attacker monitors the device’s energy consumption. With interfaces such as Intel RAPL, physical access is not required no longer because the measurements are directly accessible from software. Previous work has already shown limited information leakage caused by the Intel RAPL interface. Mantel et al. showed that it is possible to distinguish whether different cryptographic keys have been processed by the CPU. Paiva et al. established a secret channel by modulating the power consumption of the DRAM.
Our research shows that the Intel RAPL interface can be exploited in much more threatening scenarios. We show that, in addition to distinguishing different keys, it is also possible reconstruct full cryptographic keys. We demonstrate this Restore AES keys of the side channel resilient AES-NI implementation, as well as RSA keys from an Intel SGX enclave. In addition, we distinguish different Hamming weights of operands or memory loads, threatening implementations of constant-time cryptographic algorithms. To mitigate PLATYPUS, unauthorized access to power consumption has been revoked with an OS update. However, with Intel SGX, a compromised operating system falls within the threat model, making this mitigation insufficient. Therefore, Intel has released microcode updates that change the way power consumption is reported when Intel SGX is enabled on the system. Instead of actual energy measurements, it relies on a model-based approach, so that the same instructions with different data or operands cannot be distinguished from each other.
Intel and beyond
While PLATYPUS attacks Intel processors, the researchers said built-in power meters in competing chips could also likely be exploited to launch similar attacks. For example, the interface in modern AMD CPUs measures power at the individual core level. In addition, AMD Rome CPUs running Linux kernel version 5.8 and above did not require access rights. An update to the Xen virtual machine on Tuesday now requires privileges to access RAPL on both Intel and AMD CPUs.
PLATYPUS is short for Power Leakage Attacks: Targeting Your Protected User Secrets. The researchers chose the name because they said platypuses are “fascinating animals” that can “detect electrical signals with their beak.”
The findings – from researchers at Graz University of Technology, CISPA Helmholtz Center for Information Security and the University of Birmingham – are impressive and far-reaching. As such, Tuesday’s paper is required reading for any organization that relies on SGX to keep data or computers secure. For everyone else, there is significantly less urgency, as long as all available patches are installed. Updates that fix the vulnerabilities – which are tracked as CVE-2020-8694 and CVE-2020-8695 – are being released by Linux distributors and PC manufacturers. They should be installed as soon as they are available.