
One more reason for Apple to dump Intel processors: Another SGX, kernel data-leak flaw unearthed by experts

Obscure interface lets you monitor chip activity with code as if you were physically plugged into it

Updated Boffins based in Austria, Germany, and the UK have identified yet another data-leaking side-channel flaw affecting Intel processors, and potentially other chips, that exposes cryptographic secrets in memory.

In a paper disclosed on Tuesday, computer scientists with Graz University of Technology, University of Birmingham, and CISPA Helmholtz Center for Information Security, describe an attack dubbed "Platypus," which stands for "Power Leakage Attacks: Targeting Your Protected User Secrets."

Vulnerability naming is something of an issue in the security community, particularly in cases where the name appears to exaggerate the severity of the disclosure. "Platypus" thus should be well-received.

The paper describes a way to extract confidential data from devices by measuring power consumption fluctuations in Intel chips from Sandy Bridge onward using just software and without the need to physically wire instruments to machines. This means it can be used by malware already on a computer, or a rogue user, to break through protection barriers and observe sensitive information, such as secret kernel data structures and the contents of SGX enclaves.



The researchers responsible include Moritz Lipp, Andreas Kogler, David Oswald, Michael Schwarz, Catherine Easdon, Claudio Canella, and Daniel Gruss, some of whom were involved in the 2018 Spectre and Meltdown disclosures.

Their attack exploits the unrestricted availability of the Intel Running Average Power Limit (RAPL) software interface, which was introduced with Intel's Sandy Bridge architecture (2011) and gained Linux support in 2013. On Linux the interface's energy counters were, until the fix described below, readable by unprivileged users.

"We show that with sufficient statistical evaluation, we can observe variations in power consumption, which distinguish different instructions and different Hamming weights of operands and memory loads," the paper explains. "This enables us to not only monitor the control flow of applications but also to infer data and extract cryptographic keys."
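The "sufficient statistical evaluation" the paper refers to is the standard power-analysis trick: a single noisy energy reading says little, but correlating many readings against what each key hypothesis predicts makes the right key stand out. The simulation below is an added illustration, not the Platypus authors' code or measurement pipeline. It assumes a synthetic leakage model (energy reading proportional to the Hamming weight of an operand, plus Gaussian noise; the noise level and trace count are made-up parameters) and recovers one key byte of an AES-style input-XOR-key step by correlation power analysis.

```python
import random
from statistics import mean

# Hamming weight of every byte value: the quantity the leakage model ties to energy use.
HW = [bin(v).count("1") for v in range(256)]


def leak(value, rng, noise_sd=2.0):
    """Synthetic per-operation energy reading: Hamming weight of the operand plus Gaussian noise.
    The noise level is an assumption chosen for illustration, not a measured RAPL figure."""
    return HW[value] + rng.gauss(0.0, noise_sd)


def collect_traces(secret_key, n_traces, rng):
    """Constructed measurement set: the victim XORs a known input byte with a secret key byte
    (the first step of an AES round) and the attacker records one noisy reading per operation."""
    traces = []
    for _ in range(n_traces):
        plaintext = rng.randrange(256)
        traces.append((plaintext, leak(plaintext ^ secret_key, rng)))
    return traces


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences (0.0 if either is constant)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    if var_x == 0.0 or var_y == 0.0:
        return 0.0
    return cov / (var_x * var_y) ** 0.5


def rank_key_guesses(traces):
    """Correlation power analysis: for each of the 256 key hypotheses, predict the Hamming weight
    of the intermediate value and correlate it with the readings. The correct key correlates best;
    wrong keys predict the wrong Hamming weights and correlate less (the complement key anti-correlates)."""
    inputs = [p for p, _ in traces]
    readings = [m for _, m in traces]
    scores = []
    for guess in range(256):
        predicted = [HW[p ^ guess] for p in inputs]
        scores.append((pearson(predicted, readings), guess))
    scores.sort(reverse=True)
    return scores


def simulate_attack(secret_key, n_traces, seed):
    """Run the whole simulation with a fixed seed; return (recovered_key, best_corr, runner_up_corr)."""
    rng = random.Random(seed)
    ranked = rank_key_guesses(collect_traces(secret_key, n_traces, rng))
    return ranked[0][1], ranked[0][0], ranked[1][0]


if __name__ == "__main__":
    key, best, second = simulate_attack(0x3C, 3000, 7)
    print(f"recovered key byte 0x{key:02x}, correlation {best:.3f} (runner-up {second:.3f})")
```

With the Hamming-weight variance of a random byte being 2 and the assumed noise variance 4, the correct hypothesis correlates at roughly 0.58 while the closest wrong hypothesis (one key bit off) sits near 0.43, so a few thousand traces separate them comfortably; with far fewer traces the ranking becomes unreliable, which is the real-world trade-off behind the hour counts the researchers report.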

A number of computer security experts have managed to conduct similar attacks using external hardware, specifically some electronics and an oscilloscope, to monitor power fluctuations and observe instructions in cryptographic algorithms to extract secret keys. The latest paper's authors point to an attack disclosed in 2016 that required 17 days of measurements to obtain AES-NI keys.

This time, the boffins have done a bit better, obtaining AES-NI keys from an SGX enclave and the Linux kernel in somewhere between 26 hours (ideal conditions) and 277 hours (real-world conditions). Also, this latest attack did not require physical access to the computer because it relied on the software-based RAPL interface. The contents of SGX enclaves are supposed to be hidden from even a system's administrators, users, operating system, and other software running on the box. They are designed to hold things like DRM decryption code for media, cryptographic secrets, and so on, that not even the owner and operator of the hardware – which could be a cloud giant or a PC user – can access.

With privileged access, the Platypus team claim they can recover RSA private keys from an Mbed TLS implementation within 100 minutes by inferring the instructions executed inside an SGX enclave, and can derandomize kernel address space layout randomization (KASLR) in 20 seconds by observing power consumption variance between valid and invalid kernel addresses.

One of the researchers involved, Michael Schwarz, has uploaded a YouTube video demonstrating the technique.

Platypus is not a speculative execution flaw – it doesn't exploit the problematic behavior of speculating future instruction paths. Rather, it's a plain power side channel that leaks information useful for compromising system confidentiality.

The boffins say they tested their attack on Intel chips, but they point to the presence of similar power measurement tools for other microarchitectures, like AMD's RAPL interface, which allows instructions executed on AMD Zen CPU cores to be identified and monitored.



"This could allow similar attacks on AMD CPUs, e.g., against AMD’s SEV-SNP, where a privileged kernel-space attacker is conceivable," the paper explains, and points to other CPU vendors like Ampere, Arm, Cavium, Hygon, IBM, and Nvidia that offer power measurement interfaces.

The researchers say they've disclosed the issue to both Arm and AMD. A spokesperson for AMD didn't immediately respond to a request for comment.

Intel on Tuesday published patches for the two CVE-listed vulnerabilities associated with this research, which were responsibly disclosed in advance to the company: CVE-2020-8694, covering insufficient access control in the Linux kernel's RAPL driver, and CVE-2020-8695, covering the observable discrepancy in the RAPL interface itself that is addressed by microcode.

"Today, we published INTEL-SA-00389 providing details and mitigation guidance to protect against potential information leakage from Intel SGX using the Running Average Power Limit (RAPL) Interface which is provided by most modern processors," an Intel spokesperson said in a statement provided to The Register. "We coordinated with industry partners and released microcode updates for these vulnerabilities through our normal Intel Platform Update (IPU) process."

Intel's microcode update changes the RAPL interface so that, on systems where SGX is enabled, it reports energy values generated from a predictive model instead of actual power consumption measurements. As a result, the power consumption differences that occur when instructions handle different data and operands can no longer be discerned.

An update to the Linux powercap driver has been devised to limit unprivileged access to the Intel RAPL MSRs (model-specific registers) and to the energy counters the driver exposes through sysfs. On macOS and Windows, access to Intel RAPL requires the installation of the Intel Power Gadget, so neither of those two operating systems has to mount a native defense against Platypus.
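A quick way to tell whether a Linux box is still exposing the unprivileged route is to look at the permission bits on the powercap driver's energy counters. The script below is an added check, not part of the article, the paper, or Intel's advisory. It assumes the usual sysfs layout (zone symlinks under /sys/class/powercap, each containing an energy_uj file), and, so that it also runs offline, builds a constructed fake zone tree to compare the pre-fix world-readable mode (0444) with the patched driver's root-only mode (0400).

```python
import os
import stat
import tempfile

# Where the Linux powercap driver exposes RAPL energy counters. Each zone appears as a symlink here;
# before the fix, the energy_uj file inside each zone was world-readable.
SYSFS_POWERCAP = "/sys/class/powercap"


def energy_counter_files(root):
    """Yield every energy_uj counter beneath root (symlinks are not followed, so sysfs cannot loop)."""
    for dirpath, _dirs, files in os.walk(root):
        if "energy_uj" in files:
            yield os.path.join(dirpath, "energy_uj")


def world_readable_counters(roots):
    """Return the energy counters whose mode lets any unprivileged local user read them."""
    exposed = set()
    for root in roots:
        for path in energy_counter_files(root):
            if os.stat(path).st_mode & stat.S_IROTH:
                exposed.add(path)
    return sorted(exposed)


def system_rapl_roots():
    """Resolve each powercap zone symlink to its real directory; empty on non-Linux or non-RAPL hosts."""
    if not os.path.isdir(SYSFS_POWERCAP):
        return []
    return [os.path.realpath(os.path.join(SYSFS_POWERCAP, name)) for name in os.listdir(SYSFS_POWERCAP)]


def build_fake_zone(base, mode):
    """Constructed stand-in for a package zone with one core sub-zone, used when no real sysfs is present."""
    for sub in ("intel-rapl:0", os.path.join("intel-rapl:0", "intel-rapl:0:0")):
        zone = os.path.join(base, sub)
        os.makedirs(zone, exist_ok=True)
        counter = os.path.join(zone, "energy_uj")
        with open(counter, "w") as fh:
            fh.write("123456789\n")  # microjoules; arbitrary constructed value
        os.chmod(counter, mode)
    return os.path.join(base, "intel-rapl:0")


def exposed_count_for_mode(mode):
    """Build a fake zone with the given counter file mode and count how many counters the check flags."""
    with tempfile.TemporaryDirectory() as tmp:
        return len(world_readable_counters([build_fake_zone(tmp, mode)]))


if __name__ == "__main__":
    real = world_readable_counters(system_rapl_roots())
    if real:
        print("RAPL energy counters readable by unprivileged users (Platypus-style leak possible):")
        for path in real:
            print("  ", path)
    else:
        print("no world-readable RAPL energy counters found on this host")
    # Offline demonstration: pre-fix permissions (0444) versus the patched driver's root-only 0400.
    print("fake tree, mode 0444:", exposed_count_for_mode(0o444), "exposed")
    print("fake tree, mode 0400:", exposed_count_for_mode(0o400), "exposed")
```

An empty result from the live check only covers the sysfs route: the raw MSR path via /dev/cpu/*/msr has always needed root, which is why the microcode-side fix still matters for the privileged-attacker SGX case the paper also describes.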

In short, install the latest firmware for your Intel-powered computer to get Chipzilla's fixes, and update and reboot your Linux machines, or limit use of Power Gadget on other systems, if Platypus is a concern for you. ®

Updated to add

In a statement to The Register, AMD said it is working to address security weaknesses introduced by its implementation of RAPL. “In line with industry partners, AMD has updated the RAPL interface to require privileged access,” a spokesperson said. “The change is in the process of being integrated into Linux distributions.”
