Another SGX, kernel data-leak flaw unearthed by experts • The Register

Updated Boffins in Austria, Germany and the United Kingdom have identified another side-channel flaw, affecting Intel processors and possibly other chips, that can reveal cryptographic secrets held in memory.

In a paper published on Tuesday, computer scientists from Graz University of Technology, the University of Birmingham and the CISPA Helmholtz Center for Information Security describe the Platypus attack, whose name stands for Power Leakage Attacks: Targeting Your Protected User Secrets.

Naming vulnerabilities is a contentious issue in the security community, particularly when the branding seems overblown given the seriousness of the disclosed bug. So Platypus should go over well.

The paper describes a way to extract sensitive data from devices by measuring power fluctuations on Intel Sandy Bridge chips and later using software alone, without physically attaching measurement equipment to the machines. That means it can be used by malware already present on a computer, or by an unauthorized user, to break through security barriers and lift sensitive information such as kernel data structures and the contents of SGX enclaves.

The researchers behind the project are Moritz Lipp, Andreas Kogler, David Oswald, Michael Schwarz, Catherine Easdon, Claudio Canella and Daniel Gruss, some of whom were involved in the 2018 disclosure of Spectre and Meltdown.

Their attack takes advantage of unprivileged access to Intel's Running Average Power Limit (RAPL) software interface, introduced with the Intel Sandy Bridge architecture in 2011 and supported by Linux since 2013.

"We show that with sufficient statistical evaluation, we can observe variations in power consumption which distinguish different instructions and different Hamming weights of operands and memory loads," the paper explains. "This enables us to not only monitor the control flow of applications but also to infer data and extract cryptographic keys."

Computer security researchers have previously carried out similar attacks using external equipment, typically probes and an oscilloscope, to monitor power consumption and trace the instructions of cryptographic algorithms in order to extract secret keys. The authors of the latest paper point to an attack from 2016 that needed 17 days of measurements to recover AES-NI keys.

This time the boffins did somewhat better, recovering AES-NI keys from an SGX enclave and from the Linux kernel in about 26 hours (ideal conditions) to 277 hours (realistic conditions). Moreover, the latest attack did not require physical access to the computer because it relied on the RAPL software interface. The contents of SGX enclaves are supposed to be hidden from system administrators, users, the operating system and other software running on the box. They are designed to hold items such as media DRM decryption keys, cryptographic secrets and so on that even the owner and operator of the device, whether a cloud giant or a PC user, cannot access.

With privileged access, the Platypus team says it was able to recover private RSA keys from Mbed TLS in 100 minutes, infer the instructions executed inside an SGX enclave, and derandomize kernel address space layout randomization (KASLR) in 20 seconds by observing the difference in power consumption between valid and invalid kernel addresses.

One of the researchers, Michael Schwarz, has posted a video on YouTube demonstrating the technique.

Platypus is not a speculative execution flaw: it does not exploit the troublesome behaviour of processors that speculatively execute future instructions. Rather, it is simply a side channel through which information useful for compromising the security of the system is exposed.

The boffins say they tested their attacks on Intel chips, but point to similar power measurement tools on other microarchitectures, such as AMD's RAPL interface, which can be used to identify and follow the instructions executed on the cores of AMD Zen processors.

This may allow similar attacks on AMD processors, such as an attack on kernel space under AMD's SEV-SNP, as the paper explains, and other processor makers such as Ampere, Arm, Cavium, Hygon, IBM and Nvidia reportedly provide power measurement interfaces as well.

The researchers say they reported the issue to Arm and AMD. An AMD spokesperson did not immediately respond to a request for comment.

Intel released patches on Tuesday for two vulnerabilities related to this research (CVE-2020-8694 and CVE-2020-8695), which were responsibly disclosed to the company in advance.

"Today we published INTEL-SA-00389, which contains detailed guidance on how to protect against possible information leakage from Intel SGX via the Running Average Power Limit (RAPL) interface available on most modern processors," an Intel representative said in a statement provided to The Register. "We have coordinated with our industry partners and released firmware updates for these vulnerabilities as part of the normal Intel Platform Update (IPU) process."

Intel's firmware fix changes the interface so that it reports data generated by a predictive model rather than actual power consumption measurements. As a result, the differences in energy consumption that arise when instructions process particular data and operands can no longer be observed.

To restrict unprivileged access to the Intel RAPL MSRs (model-specific registers), an update to the Linux powercap driver has been developed. On macOS and Windows, access to Intel RAPL requires the installation of Intel Power Gadget, so neither of those operating systems needs a built-in Platypus mitigation.
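As an added example (not from the paper or The Register) of the check an administrator would run after the Linux powercap driver change, this POSIX shell script audits the sysfs layout /sys/class/powercap/intel-rapl*/energy_uj (assumed from the upstream driver) for energy counters still readable by unprivileged users, and offers a chmod stopgap for hosts that cannot take the patched kernel yet:

```shell
#!/bin/sh
# Audit the Linux powercap sysfs tree for RAPL energy counters that an
# unprivileged process could read (the software path Platypus relies on).
# Constructed example; it assumes the upstream layout <root>/intel-rapl:*/energy_uj
# plus sub-zones one level down, with the real root at /sys/class/powercap.
# Returns 0 when every counter is readable by root only, 1 when at least
# one counter is group- or world-readable.
rapl_audit() {
    root="${1:-/sys/class/powercap}"
    exposed=0
    for f in "$root"/intel-rapl*/energy_uj "$root"/intel-rapl*/*/energy_uj; do
        [ -e "$f" ] || continue          # skip unmatched glob patterns
        perm=$(ls -ld "$f" | cut -c1-10) # e.g. -r--r--r-- or -r--------
        case "$perm" in
            ????r*|???????r*)            # group or other has the read bit
                echo "EXPOSED $perm $f"; exposed=1 ;;
            *)  echo "ok      $perm $f" ;;
        esac
    done
    return "$exposed"
}

# Stopgap: strip group and world read bits from the counters. sysfs modes
# are reset at boot, so the powercap driver update remains the real fix.
rapl_harden() {
    root="${1:-/sys/class/powercap}"
    for f in "$root"/intel-rapl*/energy_uj "$root"/intel-rapl*/*/energy_uj; do
        [ -e "$f" ] && chmod go-r "$f"
    done
}
```

Run `rapl_audit` with no argument on a live host to check the real tree; pass a directory to audit a copy or a test layout.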

In short: install the latest firmware for your Intel machine to get Chipzilla's patches, update and reboot your Linux boxes, and limit the use of Power Gadget on other systems if Platypus bothers you. ®

Updated to add

In a message sent to The Register, AMD said it is working to address the security weaknesses arising from its RAPL implementation. "In alignment with industry partners, AMD has updated its RAPL interface to require privileged access," the spokesperson said. The change will be integrated into Linux distributions.
