Intel SGX users need CPU microcode patch to block PLATYPUS secrets-leaking attack

Researchers have devised a new method that allows potential attackers to leak sensitive information such as encryption keys from the Linux kernel’s memory and Intel SGX enclaves. The attack, dubbed PLATYPUS, abuses a legitimate CPU interface for monitoring and controlling power consumption.

“Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values,” the team of researchers from the Graz University of Technology, the University of Birmingham in the UK, and CISPA Helmholtz Center for Information Security said on a website dedicated to the attack. “PLATYPUS can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys from Intel SGX enclaves and the Linux kernel, and establish a timing-independent covert channel.”

Power consumption as side channel

Over the past several years researchers have identified several features in modern CPUs that can be used as a side channel to extract sensitive information from computers. Side-channel attacks involve analyzing differences in how computer systems and their components behave when performing various operations on different types of data. For example, differences in the timings of cryptographic operations can be used to reconstruct secret keys bit by bit. Similarly, keystrokes can be reconstructed by analyzing the sounds between key presses.

Side-channel attacks can be slow because they require many observations and their success depends on the amount of input/output noise in the measurements. One side-channel method is called differential power analysis and involves analyzing the variations in a system’s power consumption when performing operations. This type of attack usually requires physical access to the target system, but that’s not the case for PLATYPUS because it relies on Intel’s Running Average Power Limit (RAPL) interface, which is accessible through OS drivers.

RAPL is the equivalent of a built-in power meter and is present in Intel CPUs starting with the Sandy Bridge (second generation) microarchitecture. It also exists in AMD CPUs since the Zen microarchitecture, and CPUs from ARM and NVIDIA also have on-board energy meters. While PLATYPUS was developed for and confirmed on Intel CPUs, processors from other manufacturers might also be vulnerable to some variation of this attack method.

The attack was particularly bad on Linux systems, because the powercap framework of the Linux kernel allowed unprivileged access to the RAPL interface, which means any malicious application could potentially abuse it. In response to PLATYPUS, which is tracked as CVE-2020-8694 and CVE-2020-8695, the Linux kernel developers released a security update that revokes unprivileged access to energy consumption data.

On Windows and macOS, reading measurements from RAPL requires users to install the Intel Power Gadget so the risk of leaking data from the kernel memory space by unprivileged applications is mitigated by default. However, there is one scenario where PLATYPUS has a devastating impact, even when privileged access is required to execute it: the Intel SGX secure enclave.

Impact on Intel SGX

Intel SGX is a memory isolation technology present in modern Intel CPUs that implements a trusted execution environment (TEE) that’s supposed to keep certain data secure even in the case of a complete OS compromise. Intel SGX is meant to protect cryptographic keys at all times because operations using those keys are performed in the secure environment that is completely separate from the OS and has its own isolated memory space. In other words, an attacker who obtains access to the OS kernel’s memory does not also gain access to the SGX memory.

“In our work, we combine PLATYPUS with precise execution control of SGX-Step,” the researchers said. “As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by Mbed TLS from an SGX enclave.”

The Linux kernel patches and the attack’s limitations on Windows and macOS do not block privileged access to RAPL. So, to address the attack scenario against SGX, Intel released microcode updates for the affected CPUs that need to be installed on systems and servers that rely on this technology. Intel’s patch changes the way energy consumption is reported if Intel SGX is enabled.
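For administrators who want to confirm that the two fixes described above are in place on a Linux host, the following audit script is an added example (not code from the article or the PLATYPUS researchers). It assumes the standard powercap sysfs layout (`/sys/class/powercap/intel-rapl:*/energy_uj`), a `find` that supports `-perm /MODE`, and that the patched kernel makes `energy_uj` readable by root only; the microcode version it prints must be compared by hand against Intel's advisory table for the affected CPU model.

```shell
#!/bin/sh
# Audit whether a Linux host still exposes RAPL energy counters to unprivileged
# users. Before the kernel fix for CVE-2020-8694, powercap published energy_uj
# world-readable (0444); the fix restricts it to root (0400). Any energy_uj that
# is still readable by group or other means the unprivileged-access fix is absent.

POWERCAP_DIR="${POWERCAP_DIR:-/sys/class/powercap}"
MICROCODE_FILE="${MICROCODE_FILE:-/sys/devices/system/cpu/cpu0/microcode/version}"

# rapl_check_exposed DIR
#   Lists every energy_uj under DIR that is readable by group or other.
#   Returns 0 if none is exposed (or DIR does not exist), 1 otherwise.
rapl_check_exposed() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no powercap directory at $dir (no RAPL domains, or driver not loaded)"
        return 0
    fi
    # -L follows the intel-rapl:* symlinks that /sys/class/powercap contains;
    # -perm /044 matches a readable bit for group OR other.
    exposed=$(find -L "$dir" -name energy_uj -perm /044 2>/dev/null)
    if [ -z "$exposed" ]; then
        echo "ok: all RAPL energy counters under $dir are root-only"
        return 0
    fi
    echo "WARNING: RAPL energy counters readable by unprivileged users (kernel fix missing):"
    printf '  %s\n' $exposed
    return 1
}

# rapl_report_microcode FILE
#   Prints the loaded microcode revision so it can be compared against Intel's
#   fixed revision for this CPU model (the SGX fix for CVE-2020-8695 is microcode,
#   not a kernel change). Returns 0 if the file is readable, 1 otherwise.
rapl_report_microcode() {
    [ -r "$1" ] || { echo "microcode version not readable at $1"; return 1; }
    echo "loaded microcode revision: $(cat "$1") (compare with Intel's advisory for your CPU)"
}

# Run against the live system; the exit status of the first check is the verdict.
rapl_check_exposed "$POWERCAP_DIR"; live_status=$?
rapl_report_microcode "$MICROCODE_FILE" || true
```

Set `POWERCAP_DIR` to audit a different sysfs root (for example a mounted host `/sys` from inside a container).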

“Instead of actual energy measurements, it falls back to a model-based approach, such that same instructions with different data or operands cannot be distinguished,” the researchers said. “Thus, if the enclave follows the Intel guidelines and uses constant-time cryptographic implementations, an adversary should not be able to recover any secrets of the enclave.”

Recovering RSA private keys with the PLATYPUS attack from an Mbed TLS implementation running in Intel SGX can take up to 100 minutes, while recovering keys from an AES-NI implementation in an SGX enclave can take between 26 and 277 hours. Kernel address space layout randomization (KASLR), a kernel feature meant to make the exploitation of memory flaws harder, can be broken within 20 seconds with PLATYPUS.

On Wednesday, AMD also confirmed that it’s making changes to its RAPL interface driver to require privileged access, and the change is in the process of being integrated into Linux distributions. The company is tracking this issue as CVE-2020-12912.

More technical information about the attack and its implementation is available in a research paper.