One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization

AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms for virtual machines in untrusted environments through memory and register encryption. To separate security-sensitive operations from software executing on the main x86 cores, SEV leverages the AMD Secure Processor (AMD-SP). This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD-SP. We present a voltage glitching attack that allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3). The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory. Furthermore, using our approach, we can extract the endorsement keys of SEV-enabled CPUs, which allows us to fake attestation reports or to pose as a valid target for VM migration without requiring physical access to the target host. Moreover, we reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware versions of the TCB components relevant to SEV. Building on the ability to extract the endorsement keys, we show how to derive valid VCEKs for arbitrary firmware versions. With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rogue administrators, on currently available CPUs.
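The following added example is not code from the paper and does not reproduce AMD's actual VCEK derivation; it is a simplified model written for this page to show why binding an endorsement key to a TCB version only helps while the chip-unique secret stays inside the AMD-SP. The key derivation (NIST SP 800-108 counter mode with HMAC-SHA256), the 8-byte TCB layout, the report format, the symmetric "signature" standing in for the firmware's ECDSA signature, and the key-distribution oracle that stands in for AMD's certificate service are all assumptions of this example, as are the constructed chip secret and version numbers.

```python
"""Model of a versioned chip endorsement key (VCEK).

Assumptions for this example (not AMD's real algorithm or data):
  * KDF: NIST SP 800-108 counter mode, PRF = HMAC-SHA256.
  * TCB_VERSION: 8 bytes, boot loader, TEE, 4 reserved, SNP firmware, microcode.
  * Signature: HMAC under the VCEK, standing in for ECDSA.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple


def kdf_counter_mode(key: bytes, label: bytes, context: bytes, out_len: int = 32) -> bytes:
    """K(i) = PRF(key, [i]_4 || label || 0x00 || context || [L]_4), concatenated to out_len bytes."""
    fixed = label + b"\x00" + context + struct.pack(">I", out_len * 8)
    output = b""
    i = 1
    while len(output) < out_len:
        output += hmac.new(key, struct.pack(">I", i) + fixed, hashlib.sha256).digest()
        i += 1
    return output[:out_len]


def encode_tcb_version(boot_loader: int, tee: int, snp: int, microcode: int) -> bytes:
    """Pack the component versions into the assumed 8-byte TCB value."""
    for v in (boot_loader, tee, snp, microcode):
        if not 0 <= v <= 0xFF:
            raise ValueError("component version must fit in one byte")
    return bytes([boot_loader, tee, 0, 0, 0, 0, snp, microcode])


def derive_vcek(chip_secret: bytes, tcb_version: bytes) -> bytes:
    """The VCEK is bound to (chip, TCB): any change of a component version gives an unrelated key."""
    return kdf_counter_mode(chip_secret, b"VCEK", tcb_version)


def sign_report(vcek: bytes, report: bytes) -> bytes:
    """Stand-in for the attestation signature the firmware produces with the VCEK."""
    return hmac.new(vcek, report, hashlib.sha256).digest()


def build_report(tcb_version: bytes, measurement: bytes, report_data: bytes) -> bytes:
    # 10-byte tag, then the 8-byte TCB the report claims, then measurement and user data
    return b"SNP_REPORT" + tcb_version + measurement + report_data


class KeyDistributionOracle:
    """Stand-in for the vendor service that hands out the verification key for (chip, TCB).
    In reality that is a certificate for the VCEK public key; in this symmetric model the
    oracle returns the VCEK itself and therefore must hold the chip secrets."""

    def __init__(self, chip_secrets: Dict[bytes, bytes]):
        self._secrets = chip_secrets

    def verification_key(self, chip_id: bytes, tcb_version: bytes) -> bytes:
        return derive_vcek(self._secrets[chip_id], tcb_version)


def verify_report(kds: KeyDistributionOracle, chip_id: bytes, report: bytes,
                  signature: bytes, minimum_snp_version: int) -> bool:
    """Relying party: verify under the key for the TCB the report claims, then apply the policy."""
    tcb_version = report[10:18]
    key = kds.verification_key(chip_id, tcb_version)
    if not hmac.compare_digest(sign_report(key, report), signature):
        return False
    return tcb_version[6] >= minimum_snp_version


# Constructed sample values, not real chip data.
CHIP_ID = b"chip-0001"
CHIP_SECRET = hashlib.sha256(b"example chip-unique secret").digest()
KDS = KeyDistributionOracle({CHIP_ID: CHIP_SECRET})
MEASUREMENT = hashlib.sha384(b"guest image").digest()
REPORT_DATA = b"\x00" * 64
TCB_RUNNING = encode_tcb_version(boot_loader=2, tee=0, snp=6, microcode=0x44)  # what is installed
TCB_CLAIMED = encode_tcb_version(boot_loader=2, tee=0, snp=9, microcode=0x44)  # newer, not installed


def honest_attestation() -> Tuple[bytes, bytes]:
    """The AMD-SP only ever uses the VCEK for the TCB it runs; the chip secret never leaves it."""
    vcek = derive_vcek(CHIP_SECRET, TCB_RUNNING)
    report = build_report(TCB_RUNNING, MEASUREMENT, REPORT_DATA)
    return report, sign_report(vcek, report)


def forged_attestation(extracted_chip_secret: bytes, claimed_tcb: bytes) -> Tuple[bytes, bytes]:
    """With the chip secret extracted, the attacker derives the VCEK for any TCB and signs a report claiming it."""
    vcek = derive_vcek(extracted_chip_secret, claimed_tcb)
    report = build_report(claimed_tcb, MEASUREMENT, REPORT_DATA)
    return report, sign_report(vcek, report)


if __name__ == "__main__":
    rep, sig = honest_attestation()
    print("honest report vs. policy snp>=9:", verify_report(KDS, CHIP_ID, rep, sig, 9))
    rep, sig = forged_attestation(CHIP_SECRET, TCB_CLAIMED)
    print("forged report vs. policy snp>=9:", verify_report(KDS, CHIP_ID, rep, sig, 9))
```

The honest firmware fails a policy that demands SNP firmware version 9 because it can only sign with the key for version 6; the attacker holding the extracted chip secret derives the version-9 key and passes the same policy without having updated anything. The versioning therefore only proves which key signed, not which firmware is running, once the root secret has left the AMD-SP.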
