Researchers in Austria have discovered a vulnerability in Intel processors that uses a power meter built into the chips.
The team at Graz University of Technology exploited the unprivileged access to the meter, exposing the processor’s power consumption to infer data and extract cryptographic keys.
With classical power side channel attacks, an adversary typically attaches an oscilloscope to monitor the energy consumption of a device. With the Intel Sandy Bridge CPUs in 2015, Intel introduced the Running Average Power Limit (RAPL) interface that allows monitoring and controlling the power consumption of the CPU and DRAM in software. Unfortunately, the current implementation of the Linux driver gives every unprivileged user access to its measurements, and the team developed a tool called Platypus to demonstrate the risks.
Luckily, the update interval of the RAPL interface is low compared to real oscilloscopes. The RAPL interface has a bandwidth of 20 kHz, whereas oscilloscopes are in the range of multiple GHz. Moreover, the values are filtered using a running average, making it harder to infer any useful data.
The team used the Platypus tool to look at the variations in the power consumption to distinguish different instructions and different weights of operands and memory loads, allowing inference of loaded values. The tool can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys and establish an independent covert channel into the chip.
The key to this exploit is Intel’s Software Guard eXtensions (SGX) which creates isolated environments in the computer’s memory, called enclaves. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).
The researchers combined the Platypus power analysis tool with precise execution control of SGX-Step. This overcame the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, the team recovered RSA keys processed by mbed TLS from an SGX enclave.
On Linux, the powercap framework provides unprivileged access to the Intel RAPL counters. With a recent security update, this access is revoked, and an unprivileged attacker can not retrieve power measurements anymore.
However, this update does not protect against a privileged side channel attack using a compromised operating system targeting Intel SGX. To mitigate attacks in this scenario, Intel released microcode updates to affected processors in servers, PCs and laptops. These updates change the way the energy consumption is reported if Intel SGX is enabled on the system. Instead of actual energy measurements, it falls back to a model-based approach, such that same instructions with different data or operands can not be distinguished. This means if the enclave follows the Intel guide lines and uses constant-time cryptographic implementations, an adversary should not be able to recover any secrets of the enclave.
Related articles on power side channel attacks
Other articles on eeNews Europe