VoltPillager Attack Can Manipulate Intel CPUs’ Secure SGX Enclaves

Recently, researchers presented their study about the PLATYPUS attack that could steal data from the Intel CPUs. Now, another team of researchers has come up with VoltPillager attack that controls CPU core voltage to breach CPU security.

VoltPillager Attack Aims At Intel CPUs

Researchers from the University of Birmingham, UK, have devised a hardware-based attack that threatens the security of Intel CPUs. Dubbed VoltPillager, the attack merely utilizes a $30 tool to compromise the security and integrity of Intel SGX enclaves.

Briefly, the attack strategy relies on controlling the CPU core voltage. For this, they have developed a tool through which they inject commands to the Serial Voltage Identification (SVID) bus between the CPU and the voltage regulator on the motherboard.

Due to the lack of authentication for SVID packets, they could successfully run their own codes inside the SGX enclave. Eventually, they succeeded in recovering the cryptographic keys from the secure enclaves.

Moreover, they also discovered faults that contributed to compromising the security and integrity of SGX enclaves.

The following video demonstrates a possible attack scenario.

No ‘Straightforward’ Mitigation Possible

In 2019, a similar attack strategy surfaced online dubbed Plundervolt (CVE-2019-11157) that achieved similar results via software. A patch already exists for his bug. However, it won’t apply to VoltPillager given that it doesn’t rely on software

Regarding the mitigation of this hardware-based attack model, the researchers explained that it “is not straightforward’.

Our results may require a rethink of the widely assumed SGX adversarial model, where a cloud provider hosting SGX machines is assumed to be untrusted but has physical access to the hardware.

The only limitation with VoltPillager is that it required physical access to the target system. Hence, it’s exploitation in the wild is unlikely given that it cannot be performed remotely.

While the team reported the matter to Intel, they denied a fix since the attack revolves around hardware tampering which they consider out of scope.

The team has set up a website disclosing the VoltPillager attack alongside sharing the technical details in a research paper and on GitHub. They will also present these findings at the Usenix Security 2021.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients