New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs (zdnet.com) 74
An anonymous reader quotes a report from ZDNet: Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed]. Proof-of-concept code for reproducing attacks will be released on GitHub.
Intel's poor management: ANOTHER example! (Score:2)
(My opinions and observations.)
Re: (Score:2)
Re: (Score:2)
Won't work (Score:2)
beat the computer operator with the $5 wrench when they show up until he/she gives you what you need.
The problem here is that we're speaking about security/encryption hardware.
Only the secure chip/secure enclave/TPM actually knows what the keys are and it never exits the hardware.
The operator doesn't have any clue of what the protected keys is, they never got to see it to begin with.
...metaphore : Chip card (Score:2)
Basically think of it as a "chip" bank card.
You can ask the operator about the *PIN* of the card.
But no matter how much *5$ wrench* you're applying to him/her, it's impossible for them to give the actual private cryptographic key hosted in the card's chip, they never had access to it to begin with.
Secure processor and the like are basically chip cards embed into the mother board or into the CPU.
Re: (Score:2)
feed a man for a day vs. teach to fish. (Score:2)
But the point is you don't want the crypto key on the ATM card, you want the money
Getting the money, is the metaphorical "Give a man a fish, you feed him for the day".
You apply some $5 wrench-ing, you git a little bit of money, and they you fast from here, and hope that nobody will track you down and that you didn't get recorded on camera while wrench application happened. If you managed to get away, you get to spend whatever you have left in the pocket.
You need to resume the wrench application on a new person if you want more money.
Or to go back to the subject of TFA: if you run away wi
TL;DR: money quantity (Score:2)
you don't want the crypto key on the ATM card, you want the money. The $5 wrench will get you that...
The $5 wrench will only get you the little bit of money that the currently wrenched user gets out of this peculiar ATM.
The crypto key will get you a clone card that will give you all the money from all the ATM until the card owner's account runs dry or until the owner notices.
If you want a long trickle of money instead of single moderate quantity, you go for the later,.
Software controlled (Score:2)
If you can control the voltage, temperature, or clock speed the CPU is running at,
Which nowaday are controlled by software. You could do these from the other side of the planet just by issuing the correct commands.
you can induce all kinds of errors and bugs
and the thing is, inducing bugs and errors is a much more affordable way to crack open a "secure processor/enclave/TPM/whatever" to steal the private keys (and it's discreet. To anyone else beside the hacker, it looks like an occasionnal glitch) compared to what "physical access" would require (steal the chip, desolder it, delid it, and play with an electron microscope. Which a
Re: (Score:2)
None of these attacks are remote exploits. And security experts will always tell you that if someone has physical access to your machine, there is no security.
False.
Have you got any more misinformation to "share"?
Re: (Score:3)
Not crypto chips (Score:2)
If you give someone root access to your machine you are screwed anyway - your every keystroke and file access is available.
You only have full access to *THE OS* running on the machine.
That's still good for a lot of things (e.g.: you mention keystrokes) - though you're seldom going to *see* any keystroke on a server.
But that's not goot for stuff which is locked inside *dedicated hardware*.
Crypto chips / secure processor / secure enclaves / TPM /all that shit...
You can't read-write from it, even if you're root on the OS.
The private key is never supposed to leave the dedicate hardware. It's never visible to the OS.
Think glorified
Re: (Score:2)
Maybe not root access, and certainly not physical access. If you can run arbitrary code on the machine (e.g. Javascript in the browser) you have a chance of exploiting this.
The attack uses two previously remotely exploitable techniques. One involves rapidly accessing certain patterns of memory in order to corrupt it, and the other involves making the CPU change frequency and core voltage by repeatedly hitting it with light and then heavy loads. The former has been demonstrated in Javascript already, I'm not
Re: (Score:2)
If you give someone root access to your machine you are screwed anyway - your every keystroke and file access is available.
That's what privilege escalation exploits are for. They are not uncommon.
Re: (Score:2)
As I read this (and reread it, then read it a third time), it seems that if I drop the voltage to the CPU, this obscure little portion of the processor will have it's contents corrupted... And?
So what?
Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave.
Can they alter bits in a known, controlled manner to reliably force their desired data into the SGX "enclave"? No.
They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software.
Really? Recover encryption keys? I'd like to see that is real life, not some theoretical example. Show me using this "Plundervolt" hack they can go in, read the contents of the SGX "enclave" and re
Re: (Score:2)
Not true.
https://plundervolt.com/ [plundervolt.com]
Does an attacker need physical access to my computer for this?
No. The undervolting interface is accessible from software, so if a remote attacker can become root in the untrusted OS, she can also mount the Plundervolt attack. In any case, note that attackers with physical access would also be in the threat model of SGX (e.g. to protect against malicious cloud providers).
Re: (Score:2)
Woops drinkypoo beat me to it. Oh well!
Re: (Score:2)
Getting root on a system with direct access to control the CPUs voltages, you can do pretty much anything, including gdb to read out any process. If you've been given that sort of access, you probably got an entire physical CPU assigned to your VM. If not, your hypervisor should intercept the calls to reduce power and balance that with the needs of other VM's.
Re: (Score:2)
SGX was supposed to prevent that scenario from being problematic. It failed.
Re: (Score:2)
Enough is enough (Score:3)
Either Apple needs to switch to AMD CPUs, or switch to their own ARM CPUs.
Re: (Score:2)
Re: (Score:2)
The point is that Apple needs to wake up and drop Intel as the supplier of CPUs for their Macs, or switch to the rumoured in-house ARM CPUs made for Macs.
I don't care what Microsoft does, although they appear to be switching to ARM too, at least in some of their latest units.
Re: (Score:2)
It cracks me up you dweebs always think AMD chips are more secure. Until recently nobody gave a shit about AMD chips enough to try these types of exploits, and they are still not major targets because they have no numbers in the data centers.
I tell you what, go peruse AMD's errata and tell me how amazing they are...Then factor in how much less time and money they spend in validation.
I agree Macs should switch to ARM, though. I fucking hate Apple and really think that would be the final nail in the coffin fo
Re: (Score:1)
Nobody is saying Intel CPUs are 0% secure and AMD are 100% secure. But AMD CPUs are more secure than Intel CPUs because they have less flaws and they also have less serious/critical flaws overall.
Re: (Score:2)
BS, researchers have been testing all the same exploits on AMD CPUs that they find in Intel CPUs. See above post about CTS Labs/Ryzenfall as well.
Re: (Score:2)
First of all, a lot of exploits can be modified to run on AMD chips, second, for a lot of this, AMD has a different architecture, or in case of the virtual machine extensions, no compatible architecture at all. Hence why you won't see AMD in the corporate datacenter, because VMWare and co isn't optimized to run on them, if you can get them to reliably work in the first place.
So it is probable that you'll find similar exploits, but because they're only in gaming rigs, who cares.
Re: (Score:2)
Only in gaming rigs? How wrong can you be?
Re: (Score:2)
Intel essentially bribed (or created, depending on whom you ask) an Israeli "security firm" to gin up similar exploits targeting AMD CPUs:
https://www.theinquirer.net/in... [theinquirer.net]
Though others have speculated that Intel had nothing to do with CTS Labs (alleging it was a stock manipulation scheme), it really does seem like Intel may have just been doing it as a PR move to make their own vulnerabilities look less-bad in comparison (notably Meltdown). AMD has since patched all the "vulnerabilities".
Re: (Score:2)
Because currently they have a single source agreement with Intel. Other SI's can more easily switch cpu vendor. Apple has a contract.
more pci-e lower price the mac pro is DOA (Score:2)
more pci-e lower price the mac pro is DOA with intel and it's high price.
An AMD threadripper an smoke that thing at more then half the cost. With 64 true cpu pci-e lanes.
Re: Enough is enough (Score:2)
Re: (Score:2)
These days, Apple talks mostly about data security and all-day battery life, not performance.
Re: (Score:2)
If Apple were to switch to AMD CPUs, would Intel really care? I mean, it represents a nice chunk of change I'm sure, but it's not like losing an OEM with about 15% of the market will cause Intel to do anything in response.
Losing Apple would cut Intel CPU sales by less than 15% - they could make that up by upping the price on their next few processor generations by 15%.
Link: https://www.statista.com/stati... [statista.com]
And of course every product that Apple cut over to AMD would likely require extensive re-engineering f
Re: (Score:1)
Either Apple needs to switch to AMD CPUs, or switch to their own ARM CPUs.
Who gives a fuck what Apple does?
How is this even relevant?
Re: (Score:3)
Re: (Score:2)
I singled out Apple because privacy and security is one of the things they keep talking about and have been for the last few years.
Who gives a fuck what Dell or HP does? Fucking nobody, that's who. For these corporate-level types, data breaches are only the cost of doing business.
Systemic Design Problems or Something Else? (Score:5, Insightful)
Many of these attacks at the CPU level seem to affect Intel but not AMD. Is this just a matter of reporting / perception, are researchers not targeting AMD, or does Intel have a systemic problem with their design process?
Re: (Score:1)
AMD has security issues also, they've "burned" us too.
They aren't the saviors
Re:Systemic Design Problems or Something Else? (Score:5, Informative)
AMD has security issues also, they've "burned" us too.
There are fewer AMD-only vulns, and most of the attacks that work against both AMD and Intel are much more serious on Intel, both in scope and in cost of mitigation.
Re: (Score:2)
a sandwich with a bit of shit in it is still a shit sandwich. we're being asked to buy and enjoy shit sandwiches by both AMD and Intel
Re: (Score:2)
Z80
Re: (Score:2)
we're being asked to buy and enjoy shit sandwiches by both AMD and Intel
No we're not, you can freely choose not to buy either one. Also, the analogy is failing... The case with Intel is that as new vulnerabilities are being discovered all the time, the chances that there are ones that haven't been discovered and/or disclosed by white hats but are being exploited by black hats is a lot higher.
Re: (Score:2)
If you knew anything about Spectre - the one vulnerability with variants that credibly threatened modern AMD systems - you'd realize that you're equating "shit sandwich" with "CPUs that have branch predictors and speculative execution".
Do you want branch predictors? Then you get Spectre. There's no way around it. If you want a "more secure" CPU, you want something in-order with no branch predictors/speculative execution.
https://en.wikipedia.org/wiki/... [wikipedia.org]
AMD has done the best that they realistically can to
Re: (Score:2)
Virtual +1 informative.
Re: (Score:2)
Absolutely false, you can have branch prediction without the vulnerabilities. There are several ways around it. You spew ignorance.
Re: (Score:2)
Name them. Spectre fundamentally targets speculative execution due to branch misprediction. Or did you not read the linked article?
Re: (Score:2)
Re: Systemic Design Problems or Something Else? (Score:2)
Re:Systemic Design Problems or Something Else? (Score:4, Informative)
Re: (Score:3)
yeah it's actually most of them only affect Intel CPU. the few that affects other CPUs such as spectre affected ALL out of order CPUs including Arm and Power.
POWER7-9 were also vulnerable to MELTDOWN, though of course IBM has mitigations.
intel sat on there ass with raid keys and other ri (Score:2)
intel sat on there ass with raid keys and other rips offs for years when they Where better then AMD till zen.
Re: (Score:1)
Re: (Score:2)
It's probably because of how pervasive Intel is. You have to remember that AMD is rather niche, only becoming more popular very recently (past couple of years). Prior to this, AMD was pretty much a budget desktop option that people knew was there but wasn't concerned with.
It takes a while t
Re: (Score:2)
Someone does not remember history. Prior to 2006 (Conroe), AMD had the fastest desktop and server x86 CPUs in the world, and did so for a period of several years. AMD started bleeding marketshare badly in 2011.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
AMD has always been niche, and for the last ten years it's been the "budget" option. Before that it was the Discover card of CPUs
That was only during the K6 era, when they had an incompatible FPU. The rest of the time it was more like AmEx.
Re: (Score:2)
20%+ of the world x86 market share is not niche. Not even close. AMD could have sold more had they not been capacity-constrained in the pre-GF days and had Intel not used underhanded tactics to prevent more OEMs from adopting their chips.
Re: (Score:2)
Re: (Score:2)
Like I said - it was a time period between about 2004 and spring 2006. They rose very quickly. They even had a Superbowl ad at one point.
Re: (Score:1)
It's Intel's focus on speed over security that is the problem, and with the latest AMD parts they have now lost the speed advantage too.
In this case they are trying to make transitions between states happen too quickly. Frequency ramps up or down and core voltage changes with it. Great for extending battery life while keeping burst performance good, but unfortunately they are doing it too aggressively and the result is corrupted data in the CPU's supposedly secure enclave.
My 3GHz cpu now runs like a Z80 (Score:2)
with all these patches applied to make it as secure as it was supposed to be. =/
My Z80 didn't have all these security issues.
Re: (Score:3)
Re: (Score:2)
I'd like to see an adding machine run Super Mario Land or Metroid II.
highly secured (Score:2)
"a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs"
well, it's not that 'highly-secured', is it?
Re: (Score:2)
I guess it depends on who's definition of "highly-secured" you use.