SEVurity: No Security Without Integrity : Breaking Integrity-Free Memory Encryption with Minimal Assumptions

Wilke, Luca; Wichelmann, Jan; Morbitzer, Mathias; Eisenbarth, Thomas

doi:10.1109/sp40000.2020.00080

Cited by 30 publications

(29 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have already presented security issues in AMD SEV and SEV-ES under the threat model of a malicious HV. The discovered vulnerabilities rely on the missing protection of Second Level Address Translation [30,47] and missing memory integrity protection from software attacks [25,43,61]. Both issues are addressed in the designs of AMD SEV-SNP and Intel TDX.…”

Section: Related Workmentioning

confidence: 99%

“…These solutions enhance the security of VMs, as the VM no longer depends on the HV's security or on the integrity of the cloud provider. While recent research has uncovered security issues specific to the design of the SEV technologies [21,22,25,30,42,43,46,47,60,61], little research has been done in analyzing the VM's software under this new threat model [52]. Specifically, only limited effort has been spent on analyzing security risks due to drivers which communicate with devices controlled by the now untrusted HV.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

VIA: Analyzing Device Interfaces of Protected Virtual Machines

Hetzelt¹,

Radev²,

Buhren³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Both AMD and Intel have presented technologies for confidential computing in cloud environments. The proposed solutions -AMD SEV (-ES, -SNP) and Intel TDX -protect Virtual Machines (VMs) against attacks from higher privileged layers through memory encryption and integrity protection. This model of computation draws a new trust boundary between virtual devices and the VM, which in so far lacks thorough examination. In this paper, we therefore present an analysis of the virtual device interface and discuss several attack vectors against a protected VM. Further, we develop and evaluate VIA, an automated analysis tool to detect cases of improper sanitization of input recieved via the virtual device interface. VIA improves upon existing approaches for the automated analysis of device interfaces in the following aspects: (i) support for virtualization relevant buses, (ii) efficient Direct Memory Access (DMA) support and (iii) performance. VIA builds upon the Linux Kernel Library and clang's libfuzzer to fuzz the communication between the driver and the device via MMIO, PIO, and DMA. An evaluation of VIA shows that it performs 570 executions per second on average and improves performance compared to existing approaches by an average factor of 2706. Using VIA, we analyzed 22 drivers in Linux 5.10.0-rc6, thereby uncovering 50 bugs and initiating multiple patches to the virtual device driver interface of Linux. To prove our findings' criticality under the threat model of AMD SEV and Intel TDX, we showcase three exemplary attacks based on the bugs found. The attacks enable a malicious hypervisor to corrupt the memory and gain code execution in protected VMs with SEV-ES and are theoretically applicable to SEV-SNP and TDX. CCS CONCEPTS• Security and privacy → Virtualization and security.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

VIA: Analyzing Device Interfaces of Protected Virtual Machines

Hetzelt¹,

Radev²,

Buhren³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…The whitepaper [27] does not explain the mode of operation in detail, but only states that AES with an 128-bit key and a physical address-based tweak is used. In [18,44] it is shown that early versions use the Xor-Encrypt (XE) or Xor-Encrypt-Xor (XEX) encryption mode with static, low entropy tweak values, while later versions use stronger, randomized tweak values. In addition, none of the encryption modes offer integrity protection.…”

Section: A Amd Sevmentioning

confidence: 99%

“…The general idea is very similar to the approach presented in [44], where the authors leverage control over the first and last bytes of 16-byte blocks to stitch together a sequence of "payload" instructions and direct jumps, which they subsequently use to build an encryption oracle within the VM. However, we cannot change a block's content here, as this would be detected during attestation.…”

Section: B Constructing Malicious Code Gadgetsmentioning

confidence: 99%

“…A fundamental challenge for TEEs is having to guarantee their promises against attackers with system level privileges, resulting in a large variety of attacks [15,16,32,37,42,44]. In this work, we extend the arsenal of attacks against TEEs and in particular against AMD SEV, with an attack targeting and circumventing its very core of trust, the remote attestation.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation

Wilke,

Wichelmann,

Sieck

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

The ongoing trend of moving data and computation to the cloud is met with concerns regarding privacy and protection of intellectual property. Cloud Service Providers (CSP) must be fully trusted to not tamper with or disclose processed data, hampering adoption of cloud services for many sensitive or critical applications. As a result, CSPs and CPU manufacturers are rushing to find solutions for secure and trustworthy outsourced computation in the Cloud. While enclaves, like Intel SGX, are strongly limited in terms of throughput and size, AMD's Secure Encrypted Virtualization (SEV) offers hardware support for transparently protecting code and data of entire VMs, thus removing the performance, memory and software adaption barriers of enclaves. Through attestation of boot code integrity and means for securely transferring secrets into an encrypted VM, CSPs are effectively removed from the list of trusted entities. There have been several attacks on the security of SEV, by abusing I/O channels to encrypt and decrypt data, or by moving encrypted code blocks at runtime. Yet, none of these attacks have targeted the attestation protocol, the core of the secure computing environment created by SEV. We show that the current attestation mechanism of Zen 1 and Zen 2 architectures has a significant flaw, allowing us to manipulate the loaded code without affecting the attestation outcome. An attacker may abuse this weakness to inject arbitrary code at startup-and thus take control over the entire VM execution, without any indication to the VM's owner. Our attack primitives allow the attacker to do extensive modifications to the bootloader and the operating system, like injecting spy code or extracting secret data. We present a full end-to-end attack, from the initial exploit to leaking the key of the encrypted disk image during boot, giving the attacker unthrottled access to all of the VM's persistent data.

show abstract

PwrLeak: Exploiting Power Reporting Interface for Side-Channel Attacks on AMD SEV

Wang

Zhang

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

SEVurity: No Security Without Integrity : Breaking Integrity-Free Memory Encryption with Minimal Assumptions

Cited by 30 publications

References 18 publications

VIA: Analyzing Device Interfaces of Protected Virtual Machines

VIA: Analyzing Device Interfaces of Protected Virtual Machines

undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation

PwrLeak: Exploiting Power Reporting Interface for Side-Channel Attacks on AMD SEV

Contact Info

Product

Resources

About