CacheWarp: Software-based Fault Injection using Selective State Reset

Ruiyi Zhang; Lukas Gerlach; Daniel Weber; Lorenz Hetterich; Youheng Lü; Andreas Kogler; Michael Schwarz

CacheWarp: Software-based Fault Injection using Selective State Reset

Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz

Institute of Applied Information Processing and Communications (7050)

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.

In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

Original language	English
Title of host publication	Proceedings of the 33nd USENIX Security Symposium
Publisher	USENIX Association
Publication status	Accepted/In press - 30 Sept 2023
Event	33rd USENIX Security Symposium: USENIX Security 2024 - Philadelphia Marriott Downtown, Philadelphia, United States Duration: 14 Aug 2024 → 16 Aug 2024 https://www.usenix.org/conference/usenixsecurity24

Conference

Conference	33rd USENIX Security Symposium: USENIX Security 2024
Abbreviated title	USENIX
Country/Territory	United States
City	Philadelphia
Period	14/08/24 → 16/08/24
Internet address	https://www.usenix.org/conference/usenixsecurity24

Access to Document

CacheWarp: Software-based Fault Injection using Selective State ResetAccepted author manuscript, 266 KB

Cite this

@inproceedings{5507d10494c04b3885669555be819c8c,

title = "CacheWarp: Software-based Fault Injection using Selective State Reset",

abstract = "AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.",

author = "Ruiyi Zhang and Lukas Gerlach and Daniel Weber and Lorenz Hetterich and Youheng L{\"u} and Andreas Kogler and Michael Schwarz",

year = "2023",

month = sep,

day = "30",

language = "English",

booktitle = "Proceedings of the 33nd USENIX Security Symposium",

publisher = "USENIX Association",

address = "United States",

note = "33rd USENIX Security Symposium: USENIX Security 2024, USENIX ; Conference date: 14-08-2024 Through 16-08-2024",

url = "https://www.usenix.org/conference/usenixsecurity24",

}

TY - GEN

T1 - CacheWarp: Software-based Fault Injection using Selective State Reset

AU - Zhang, Ruiyi

AU - Gerlach, Lukas

AU - Weber, Daniel

AU - Hetterich, Lorenz

AU - Lü, Youheng

AU - Kogler, Andreas

AU - Schwarz, Michael

PY - 2023/9/30

Y1 - 2023/9/30

N2 - AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

AB - AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity.In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

UR - https://cachewarpattack.com/

M3 - Conference paper

BT - Proceedings of the 33nd USENIX Security Symposium

PB - USENIX Association

T2 - 33rd USENIX Security Symposium: USENIX Security 2024

Y2 - 14 August 2024 through 16 August 2024

ER -

CacheWarp: Software-based Fault Injection using Selective State Reset

Abstract

Conference

Access to Document

Other files and links

Fingerprint

EU - FSSec - Foundations for Sustainable Security

Cite this

CacheWarp: Software-based Fault Injection using Selective State Reset

Abstract

Conference

Access to Document

Other files and links

Fingerprint

Projects

EU - FSSec - Foundations for Sustainable Security

Cite this