CacheWarp: Software-based Fault Injection using Selective State Reset

Ruiyi Zhang; Lukas Gerlach; Daniel Weber; Lorenz Hetterich; Youheng Lü; Andreas Kogler; Michael Schwarz

CacheWarp: Software-based Fault Injection using Selective State Reset

Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz

Institute of Information Security (7050)

Publikation: Beitrag in Buch/Bericht/Konferenzband › Beitrag in einem Konferenzband › Begutachtung

Abstract

AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.

In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

Originalsprache	englisch
Titel	Proceedings of the 33nd USENIX Security Symposium
Herausgeber (Verlag)	USENIX Association
Publikationsstatus	Elektronische Veröffentlichung vor Drucklegung. - 30 Sept. 2023
Veranstaltung	33rd USENIX Security Symposium: USENIX Security 2024 - Philadelphia Marriott Downtown, Philadelphia, USA / Vereinigte Staaten Dauer: 14 Aug. 2024 → 16 Aug. 2024 https://www.usenix.org/conference/usenixsecurity24

Konferenz

Konferenz	33rd USENIX Security Symposium: USENIX Security 2024
Kurztitel	USENIX
Land/Gebiet	USA / Vereinigte Staaten
Ort	Philadelphia
Zeitraum	14/08/24 → 16/08/24
Internetadresse	https://www.usenix.org/conference/usenixsecurity24

Zugriff auf Dokument

CacheWarp: Software-based Fault Injection using Selective State ResetAkzeptiertes Autorenmanuskript, 266 KB

Andere Dateien und Links

https://cachewarpattack.com/

EU - FSSec - Grundlagen für nachhaltige Sicherheit
Gruss, D. (Teilnehmer (Co-Investigator))
1/03/23 → 29/02/28
Projekt: Forschungsprojekt

Dieses zitieren

@inproceedings{5507d10494c04b3885669555be819c8c,

title = "CacheWarp: Software-based Fault Injection using Selective State Reset",

abstract = "AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.",

author = "Ruiyi Zhang and Lukas Gerlach and Daniel Weber and Lorenz Hetterich and Youheng L{\"u} and Andreas Kogler and Michael Schwarz",

year = "2023",

month = sep,

day = "30",

language = "English",

booktitle = "Proceedings of the 33nd USENIX Security Symposium",

publisher = "USENIX Association",

address = "United States",

note = "33rd USENIX Security Symposium: USENIX Security 2024, USENIX ; Conference date: 14-08-2024 Through 16-08-2024",

url = "https://www.usenix.org/conference/usenixsecurity24",

}

TY - GEN

T1 - CacheWarp: Software-based Fault Injection using Selective State Reset

AU - Zhang, Ruiyi

AU - Gerlach, Lukas

AU - Weber, Daniel

AU - Hetterich, Lorenz

AU - Lü, Youheng

AU - Kogler, Andreas

AU - Schwarz, Michael

PY - 2023/9/30

Y1 - 2023/9/30

N2 - AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

AB - AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

UR - https://cachewarpattack.com/

M3 - Conference paper

BT - Proceedings of the 33nd USENIX Security Symposium

PB - USENIX Association

T2 - 33rd USENIX Security Symposium: USENIX Security 2024

Y2 - 14 August 2024 through 16 August 2024

ER -

CacheWarp: Software-based Fault Injection using Selective State Reset

Abstract

Konferenz

Zugriff auf Dokument

Andere Dateien und Links

Projekte

EU - FSSec - Grundlagen für nachhaltige Sicherheit

Dieses zitieren