Intel CPU ‘Plundervolt’ Flaw Spills Secrets Through Voltage Manipulation
Yet another security vulnerability has been detailed affecting Intel CPUs by three different European universities. This vulnerability is possible through the operating system's ability to control voltages and processor frequency and allows the manipulation of data within Intel's SGX.
Plundervolt - Tweakers & Overclockers Beware
The newest vulnerability has been dubbed 'Plundervolt' and is identified from the ability to tweak voltage and frequency of Intel CPUs to uncover secure data within Intel's Software Guard Extensions or SGX. The frequency differences cause an alteration of Intel's SGX functioning that may be exploited to uncover user information such as encryption keys. This vulnerability also allows an attacker to reintroduce previous bugs squashed from secure software.
Intel SGX - Sabotaged by Overclocking & Energy Management
Intel SGX, found in all Intel microprocessors since 2015, was intended to be a secure region onboard the CPU that isolates information in 'enclaves' where the CPU has the ability to access sensitive information without running the risk of data exposure to other programs running on the CPU simultaneously, but the functioning of SGX has been compromised through manipulation of hardware functions. SGX enclaves are given dedicated regions of cache within the CPU and are separate from the other functions of the CPU. The same exists at the software level with all SGX data being encrypted.
The ability to compromise SGX was discovered through combining multiple alternate ideologies of previous security vulnerabilities found within Intel CPUs such as Rowhammer, the ability to flip a memory cell's value through electrical charge manipulation, and CLKSCREW, a flaw enabling Dynamic Voltage and Frequency Scaling, or DVFS, to take full control over the CPU.
Plundervolt is a combination of the two. Intel's energy management engine may be used to manipulate voltage and frequency within the SGX enclaves, therefore causing various changes to data inside the SGX enclave. The alterations that occur by doing such are not severe, but they are enough to produce faults or errors within SGX operations. Plundervolt breaks the algorithms designed to protect encrypted data, and with this, data stored within the SGX enclave has the potential to be recovered.
Undervolting an Intel CPU at this time causes an issue of bit flipping within CPU instructions at the hardware level and, as an example, induces additional multiplications or AES rounds (AES-NI). The same goes for overclocking. Increasing voltage and clock rate leads to bit flipping, and on top of that, the result of doing so is much quicker to expose the data within an SGX enclave than comparable attacks such as Spectre, Meltdown, Zombieload, RIDL, and the extensive remainder of vulnerabilities that rely on other methods to retrieve information from other regions of the CPU.
Attacks Are Limited - Only Locally Viable (For Now)
Plundervolt does appear to be one of the more severe vulnerabilities discovered within Intel CPUs, though there is a glimmer of hope, especially for overclockers. The Plundervolt vulnerability may only be exploited locally, at least for now. For Plundervolt to be executed remotely, a program must be run with administrative privileges, and to do this remotely would be quite difficult, though not impossible. Another upside is Plundervolt does not work through virtualization as the host operating system takes control of all energy management over the virtual machines running onboard the CPU.
Affected CPUs & Mitigations
Intel has prepared a method of mitigation in the form of a BIOS and microcode update through Intel's security advisory INTEL-SA-00289. This update allows administrators to disable the dynamic voltage and frequency control interfaces of their systems.
Intel CPUs affected by Plundervolt are as follows:
- 6th Generation Core
- 7th Generation Core
- 8th Generation Core
- 9th Generation Core
- 10th Generation Core
- Xeon E3 V5
- Xeon E3 V6
- Xeon E-2100
- Xeon E-2200