Researchers from the Technische Universität Berlin have demonstrated that AMD’s Secure Encrypted Virtualisation (SEV) technology can be defeated by manipulating input voltages, compromising the technology in a similar way to previous attacks against its Intel counterpart.
SEV relies on the Secure Processor (SP), a humble Arm Cortex-A5, to provide a root of trust in AMD EPYC CPUs (Naples, Rome and Milan — Zen 1 through 3).
The research paper — toting the amusing-yet-wordy title of “One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization” — describes how an attacker could compromise the SP to retrieve encryption keys or execute arbitrary code.
“By manipulating the input voltage to AMD systems on a chip (SoCs), we induce an error in the read-only memory (ROM) bootloader of the AMD-SP, allowing us to gain full control over this root-of-trust.”
Conventional wisdom often follows the mantra that any system that an attacker has physical access to may as well be already compromised. But as SEV is supposed to shield virtual machines from the hypervisor itself (as well as from one another), it should provide a layer of security against those situations — for example, guarding VMs from a rogue admin in a cloud environment.
The position required to execute such an attack is rather exacting; access to a cloud computing company in a role that allows server access at the hardware level, with the smarts to pull it off without arousing suspicion. However, the gear required is much less ambitious, merely needing a microcontroller and a flash programmer that can be acquired for firmly under $50 between the two.
Intel’s comparable Software Guard Extensions technology has been previously demonstrated to be vulnerable to voltage-fault attacks (as well as many others). Plundervolt used built-in voltage scaling interfaces commonly used in undervolting, and when those were locked down researchers found that external voltage manipulation could achieve similar results. That method, dubbed VoltPillager, ended up inspiring the TU Berlin researchers to test AMD’s SEV in this manner.
Intel decided not to try and mitigate VoltPillager, stating that hardware-level attacks were beyond the scope of the SGX threat model, leading the researchers to call into question the safety entrusting sensitive computation to a third-party cloud.
Now that their primary competitor has been found similarly susceptible across all three EPYC generations — albeit with its dramatic vulnerability codename still pending — those questions are only more pointed.