CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP

Stefan Gast*, Hannes Weissteiner, Robin Leander Schröder, Daniel Gruss

*Korrespondierende/r Autor/-in für diese Arbeit

Publikation: Beitrag in Buch/Bericht/KonferenzbandBeitrag in einem KonferenzbandBegutachtung

Abstract

Confidential virtual machines (VMs) promise higher security by running the VM inside a trusted execution environment (TEE). Recent AMD server processors support confidential VMs with the SEV-SNP processor extension. SEV-SNP provides guarantees for integrity and confidentiality for confidential VMs despite running them in a shared hosting environment.

In this paper, we introduce CounterSEVeillance, a new side-channel attack leaking secret-dependent control flow and operand properties from performance counter data. Our attack is the first to exploit performance counter side-channel leakage with single-instruction resolution from SEV-SNP VMs and works on fully patched systems. We systematically analyze performance counter events in SEV-SNP VMs and find that 228 are exposed to a potentially malicious hypervisor. CounterSEVeillance builds on this analysis and records performance counter traces with an instruction-level resolution by single-stepping the victim VM using APIC interrupts in combination with page faults. We match CounterSEVeillance traces against binaries, precisely recovering the outcome of any secret-dependent conditional branch and inferring operand properties. We present four attack case studies, in which we exemplarily showcase concrete exploitable leakage with 6 of the exposed performance counters. First, we use CounterSEVeillance to extract a full RSA-4096 key from a single Mbed TLS signature process in less than 8 minutes. Second, we present the first side-channel attack on TOTP verification running in an AMD SEV-SNP VM, recovering a 6-digit TOTP with only 31.1 guesses on average. Third, we show that CounterSEVeillance can leak the secret key from which the TOTPs are derived from the underlying base32 decoder. Fourth and finally, we show that CounterSEVeillance can also be used to construct a plaintext-checking oracle in a divide-and-surrender-style attack. We conclude that moving an entire VM into a setting with a privileged adversary increases the attack surface, given the vast amounts of code not vetted for this specific security setting.
Originalspracheenglisch
TitelNetwork and Distributed System Security (NDSS) Symposium 2025
Seitenumfang16
PublikationsstatusAngenommen/In Druck - Feb. 2025
VeranstaltungNetwork and Distributed System Security Symposium 2025: NDSS 2025 - San Diego, USA / Vereinigte Staaten
Dauer: 23 Feb. 202528 Feb. 2025
https://www.ndss-symposium.org/ndss2025/

Konferenz

KonferenzNetwork and Distributed System Security Symposium 2025
KurztitelNDSS 2025
Land/GebietUSA / Vereinigte Staaten
OrtSan Diego
Zeitraum23/02/2528/02/25
Internetadresse

ASJC Scopus subject areas

  • Informatik (sonstige)

Fields of Expertise

  • Information, Communication & Computing

Fingerprint

Untersuchen Sie die Forschungsthemen von „CounterSEVeillance: Performance-Counter Attacks on AMD SEV-SNP“. Zusammen bilden sie einen einzigartigen Fingerprint.

Dieses zitieren