SEVurity: No Security Without Integrity: Breaking Integrity-Free Memory Encryption with Minimal Assumptions

One reason for not adopting cloud services is the required trust in the cloud provider: as they control the hypervisor, any data processed in the system is accessible to them. Full memory encryption for virtual machines (VMs) protects against curious cloud providers as well as otherwise compromised hypervisors. AMD Secure Encrypted Virtualization (SEV) is the most prevalent hardware-based full memory encryption for VMs. Its newest extension, SEV-ES, also protects the entire VM state during context switches, aiming to ensure that the host neither learns anything about the data that is processed inside the VM, nor is able to modify its execution state. Several previous works have analyzed the security of SEV and have shown that, by controlling I/O, it is possible to exfiltrate data or even gain control over the VM's execution. In this work, we introduce two new methods that allow us to inject arbitrary code into SEV-ES secured virtual machines. Due to the lack of proper integrity protection, it is sufficient to reuse existing ciphertext to build a high-speed encryption oracle. As a result, our attack no longer depends on control over the I/O, which is needed by prior attacks. As I/O manipulation is highly detectable, our attacks are stealthier. In addition, we reverse-engineer the previously unknown, improved Xor-Encrypt-Xor (XEX) based encryption mode that AMD is using on updated processors and show, for the first time, how it can be overcome by our new attacks.
