INTEL CPUs are once again in the limelight when it comes to security vulnerabilities. Recently international security researchers, including a team of experts from the University of Birmingham, discovered a new security vulnerability in Intel processors that makes it possible to access sensitive data using power side-channel attacks.
The new exploit uses fluctuations in software power consumption to access sensitive data, such as cryptographic keys. This type of attack is dubbed as PLATYPUS.
Platypus is an acronym for “Power Leakage Attacks: Targeting Your Protected User Secrets”, whereas RAPL stands for Running Average Power Limit. Platypus targets the RAPL interface of Intel processors, and RAPL on the other hand allows the firmware or software applications to monitor and check the exact power consumption figure in the CPU as well as the DRAM.
The attacker can remotely steal cryptographic keys from Intel CPUs, even when the CPUs run software guard extensions/SGX, the built-in silicon protection.
As also reported by Phoronix, Intel has just released a new CPU microcode update, version 20201110. This update applies to a number of Intel’s CPUs, all the way spanning from 6th Gen Core series processors to 11th Gen CPUs. This new update patches almost 40 security holes, including this PLATYPUS vulnerability.
The Researchers at the Institute of Applied Information Processing and Communications at Graz University of Technology have been working intensively with similar power-based side channels for almost 20 years. Together with colleagues from the University of Birmingham and the Helmholtz Center for Information Security (CISPA), the researchers have now discovered a new vulnerability.
At https://platypusattack.com, they describe a method dubbed as PLATYPUS that allows power side-channel attacks even without physical access. Affected devices include desktop PCs, laptops and cloud computing servers from Intel and AMD.
“Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values,” researchers said.
The above ‘loaded values’ actually refer to the data loaded in the CPU such as encryption keys, passwords, sensitive documents, or any other type of information (as applicable).
Accessing such kind of data is usually protected by a slew of security measures, such as kernel address space layout randomization (KASLR) or hardware-isolated trusted execution environments (TEEs), similar to Intel’s SGX.
However, the researchers say that Platypus allows an attacker to bypass all these security systems. It does this by looking at variations in the power consumption values. Using PLATYPUS, the researchers can leak crypto keys from SGX enclaves and the operating system, break the exploit mitigation known as Address Space Layout Randomization, and establish a covert channel for secretly exfiltrating data. Chips starting with Intel’s Sandy Bridge CPU architecture and beyond are vulnerable.
To quote lead researcher Moritz Lipp of Graz University of Technology:
“Typically, attacks exploiting variances in the power consumption of devices required the adversary to have physical access to the device. The attacker would attach a power meter with probes to the device to measure its energy consumption. However, modern processors come with a power meter built-in and allow unprivileged users to read out its measurements from software. We now show that this interface can be exploited to recover cryptographic keys processed on the machine.”
However, most importantly according to the research team, Platypus attacks work on Linux systems the best, but attacks on Windows and macOS are also possible. LINUX seems to be more vulnerable because the ‘Linux kernel’ ships with the powercap framework, which is a universal driver for interacting with RAPL interfaces and other power capping APIs. This easily allows for reading the power consumption values.
For the attack on Windows and macOS, in these cases, the Intel Power Gadget app must be installed on the attacked device, which will then allow attackers to interact with the RAPL interface.
The researchers used two key approaches. First, they used the RAPL interface (Running Average Power Limit), which is built into Intel and AMD CPUs. In the second approach, the group misuses Intel’s security function Software Guard Extensions (SGX).
The researchers then combined these two techniques and, using a compromised operating system targeting Intel SGX, made the processor execute certain instructions tens of thousands of times within an SGX enclave, an isolated environment where data and critical programs are secure.
They then measured the power consumption of each of these commands using the RAPL interface, and the fluctuations in the measured values made it possible for them to reconstruct data and cryptographic keys.
Dr David Oswald, senior lecturer in Cyber Security at the University of Birmingham, said that “PLATYPUS attacks show that power side channels – which were previously only relevant to small embedded devices like payment cards – are a relevant threat to processors in our laptops and servers”.
“Our work connects the dots between two research areas and highlights that power side channel leakage has much wider relevance than previously thought,” he added.
These types of attacks were often difficult to execute as they required accurate power measurements which were difficult to execute using malware. That is why attackers were known to require physical access to the target device, as well as specific measurement tools – such as an oscilloscope.
In response to the findings, Intel on Tuesday is making key changes to RAPL. Intel is also introducing a second fix at the microcode level that, when SGX is enabled, limits energy consumption that’s reported.
Intel officials wrote in a statement: “Today, we published INTEL-SA-0389 providing details and mitigation guidance to protect against potential information leakage from Intel SGX using the Running Average Power Limit (RAPL) Interface which is provided by most modern processors. We coordinated with industry partners and released microcode updates for these vulnerabilities through our normal Intel Platform Update (IPU) process.”
The company said that, while there’s no indication the vulnerabilities have been exploited, it’s issuing new attestation keys for affected chip platforms. Platypus attacks aimed at Intel SGX enclaves work regardless of the underlying OS as the attackers are going after the (separate) SGX enclave, and not the underlying OS and its (separate) CPU memory.
As a side note, in case you didn’t know platypus is an animal, which has the ability to sense electrical current with its bill.
Researchers say that Platypus works against Intel’s servers, desktops, and laptop CPUs. Intel has confirmed that some mobile and embedded CPUs are also impacted. The chipmaker has released microcode (CPU firmware) updates to block Platypus attacks, which the company has made available to industry partners to include in their products’ next security updates.
The Linux kernel has also shipped an update. It’s likely that Microsoft and other OS vendors will also include automated updates having this new microcode.
Lastly, the microcode update also fixes few issues not related to security, such as Intel Ice Lake CPUs crashing or hanging due to VT-d and USB Type-C issues, along with a Xeon Cascade Lake fix for interrupts when a core exits the C6 state.
Processor side channels are nothing new, but the attacks known as Spectre and Meltdown almost three years ago ushered in a new era of CPU attacks that could be exploited in more realistic scenarios. Since then, researchers have devised a steady trickle of exploits, including some that undermine the security assurance of Intel’s proprietary SGX technology.
Side channels are clues that stem from differences in timing, data caching, power consumption, or other manifestations that occur when different commands or operations are being carried out. Attackers exploit the differences to infer secret commands or data flowing through a piece of hardware.
Among the most common form of side channel is the amount of electricity required to complete a given task. More recently, that energy consumption has largely given way to speculative execution, the side channel used by Spectre and Meltdown.
If you are interested, the full PDF research paper detailing this Platypus attack can be accessed from here.
Stay tuned for more!