Jump to content

‘Plundervolt’ attack breaches chip security with a shock to the system


NelsonG

Recommended Posts

Today’s devices have been secured against innumerable software attacks, but a new exploit called Plundervolt uses distinctly physical means to compromise a chip’s security. By fiddling with the actual amount of electricity being fed to the chip, an attacker can trick it into giving up its innermost secrets.

It should be noted at the outset that while this is not a flaw on the scale of Meltdown or Spectre, it is a powerful and unique one and may lead to changes in how chips are designed.

There are two important things to know in order to understand how Plundervolt works.

The first is simply that chips these days have very precise and complex rules as to how much power they draw at any given time. They don’t just run at full power 24/7; that would drain your battery and produce a lot of heat. So part of designing an efficient chip is making sure that for a given task, the processor is given exactly the amount of power it needs — no more, no less.

The second is that Intel’s chips, like many others now, have what’s called a secure enclave, a special quarantined area of the chip where important things like cryptographic processes take place. The enclave (here called SGX) is inaccessible to normal processes, so even if the computer is thoroughly hacked, the attacker can’t access the data inside.

The creators of Plundervolt were intrigued by recent work by curious security researchers who had, through reverse engineering, discovered the hidden channels by which Intel chips manage their own power.

Hidden, but not inaccessible, it turns out. If you have control over the operating system, which many attacks exist to provide, you can get at these “Model-Specific Registers,” which control chip voltage, and can tweak them to your heart’s content.

Modern processors are so carefully tuned, however, that such tweak will generally just cause the chip to malfunction. The trick is to tweak it just enough to cause the exact kind of malfunction you expect. And because the entire process takes place within the chip itself, protections against outside influence are ineffective.

plundervolt.pngThe Plundervolt attack does just this, using the hidden registers to very slightly change the voltage going to the chip at the exact moment that the secure enclave is executing an important task. By doing so they can induce predictable faults inside SGX, and by means of these carefully controlled failures cause it and related processes to expose privileged information. It can even be performed remotely, though of course full access to the OS is a prerequisite.

In a way it’s a very primitive attack, essentially giving the chip a whack at the right time to make it spit out something good, like it’s a gumball machine. But of course it’s actually quite sophisticated, since the whack is an electrical manipulation on the scale of millivolts, which needs to be applied at exactly the right microsecond.

The researchers explain that this can be mitigated by Intel, but only through updates at the BIOS and microcode level — the kind of thing that many users will never bother to go through with. Fortunately for important systems there will be a way to verify that the exploit has been patched when establishing a trusted connection with another device.

Intel, for its part, downplayed the seriousness of the attack. “We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including “VoltJockey” and “Plundervolt,” it wrote in a blog post acknowledging the existence of the exploit. “We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible.”

Plundervolt is one of a variety of attacks that have emerged recently taking advantage of the ways that computing hardware has evolved over the last few years. Increased efficiency usually means increased complexity, which means increased surface area for non-traditional attacks like this.

The researchers who discovered and documented Plundervolt hail from the UK’s University of Birmingham, Graz University of Technology in Austria, and KU Leuven in Belgium. They are presenting their paper at IEEE S&P 2020.

Techcrunch?d=2mJPEYqXBVI Techcrunch?d=7Q72WNTAKBA Techcrunch?d=yIl2AUoC8zA Techcrunch?i=I6tFHfZ87H4:P7XK84WUkn0:-BT Techcrunch?i=I6tFHfZ87H4:P7XK84WUkn0:D7D Techcrunch?d=qj6IDK7rITs
I6tFHfZ87H4

View the full article

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Our picks

    • Wait, Burning Man is going online-only? What does that even look like?
      You could have been forgiven for missing the announcement that actual physical Burning Man has been canceled for this year, if not next. Firstly, the nonprofit Burning Man organization, known affectionately to insiders as the Borg, posted it after 5 p.m. PT Friday. That, even in the COVID-19 era, is the traditional time to push out news when you don't want much media attention. 
      But secondly, you may have missed its cancellation because the Borg is being careful not to use the C-word. The announcement was neutrally titled "The Burning Man Multiverse in 2020." Even as it offers refunds to early ticket buyers, considers layoffs and other belt-tightening measures, and can't even commit to a physical event in 2021, the Borg is making lemonade by focusing on an online-only version of Black Rock City this coming August.    Read more...
      More about Burning Man, Tech, Web Culture, and Live EventsView the full article
      • 0 replies
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
    • Post in What Are You Listening To?
      Post in What Are You Listening To?
×
×
  • Create New...