Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Data Storage Intel Hardware Technology

New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs (zdnet.com) 74

An anonymous reader quotes a report from ZDNet: Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor's voltage and frequency -- the same interface that allows gamers to overclock their CPUs. Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave. They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software. Intel desktop, server, and mobile CPUs are impacted. A full list of vulnerable CPUs is available here. Intel has also released microcode (CPU firmware) and BIOS updates today that address the Plundervolt attack [by allowing users to disable the energy management interface at the source of the attack, if not needed]. Proof-of-concept code for reproducing attacks will be released on GitHub.
This discussion has been archived. No new comments can be posted.

New Plundervolt Attack Impacts Intel Desktop, Server, and Mobile CPUs

Comments Filter:
  • Wow! ANOTHER example of poor management at Intel. My comment yesterday about poor management at Intel: What CAUSED Intel's insufficient management? [slashdot.org]

    (My opinions and observations.)
    • by Dunbal ( 464142 ) *
      None of these attacks are remote exploits. And security experts will always tell you that if someone has physical access to your machine, there is no security.
      • None of these attacks are remote exploits. And security experts will always tell you that if someone has physical access to your machine, there is no security.

        False.

        Does an attacker need physical access to my computer for this? [plundervolt.com]

        No. The undervolting interface is accessible from software, so if a remote attacker can become root in the untrusted OS, she can also mount the Plundervolt attack. In any case, note that attackers with physical access would also be in the threat model of SGX (e.g. to protect against malicious cloud providers).

        Have you got any more misinformation to "share"?

        • He's half right. This is not a remote exploit, instead of "physical access" he should have said "root access", that's all. If you give someone root access to your machine you are screwed anyway - your every keystroke and file access is available.
          • If you give someone root access to your machine you are screwed anyway - your every keystroke and file access is available.

            You only have full access to *THE OS* running on the machine.
            That's still good for a lot of things (e.g.: you mention keystrokes) - though you're seldom going to *see* any keystroke on a server.
            But that's not goot for stuff which is locked inside *dedicated hardware*.

            Crypto chips / secure processor / secure enclaves / TPM /all that shit...

            You can't read-write from it, even if you're root on the OS.
            The private key is never supposed to leave the dedicate hardware. It's never visible to the OS.

            Think glorified

          • by AmiMoJo ( 196126 )

            Maybe not root access, and certainly not physical access. If you can run arbitrary code on the machine (e.g. Javascript in the browser) you have a chance of exploiting this.

            The attack uses two previously remotely exploitable techniques. One involves rapidly accessing certain patterns of memory in order to corrupt it, and the other involves making the CPU change frequency and core voltage by repeatedly hitting it with light and then heavy loads. The former has been demonstrated in Javascript already, I'm not

          • If you give someone root access to your machine you are screwed anyway - your every keystroke and file access is available.

            That's what privilege escalation exploits are for. They are not uncommon.

      • by kenh ( 9056 )

        As I read this (and reread it, then read it a third time), it seems that if I drop the voltage to the CPU, this obscure little portion of the processor will have it's contents corrupted... And?

        So what?

        Academics say they discovered that by tinkering with the amount of voltage and frequency a CPU receives, they can alter bits inside SGX to cause errors that can be exploited at a later point after the data has left the security of the SGX enclave.

        Can they alter bits in a known, controlled manner to reliably force their desired data into the SGX "enclave"? No.

        They say Plundervolt can be used to recover encryption keys or introduce bugs in previously secure software.

        Really? Recover encryption keys? I'd like to see that is real life, not some theoretical example. Show me using this "Plundervolt" hack they can go in, read the contents of the SGX "enclave" and re

      • Not true.

        https://plundervolt.com/ [plundervolt.com]

        Does an attacker need physical access to my computer for this?

        No. The undervolting interface is accessible from software, so if a remote attacker can become root in the untrusted OS, she can also mount the Plundervolt attack. In any case, note that attackers with physical access would also be in the threat model of SGX (e.g. to protect against malicious cloud providers).

        • Woops drinkypoo beat me to it. Oh well!

        • by guruevi ( 827432 )

          Getting root on a system with direct access to control the CPUs voltages, you can do pretty much anything, including gdb to read out any process. If you've been given that sort of access, you probably got an entire physical CPU assigned to your VM. If not, your hypervisor should intercept the calls to reduce power and balance that with the needs of other VM's.

    • All I can say is that's an impressive comment chain.
  • by DontBeAMoran ( 4843879 ) on Tuesday December 10, 2019 @06:40PM (#59506164)

    Either Apple needs to switch to AMD CPUs, or switch to their own ARM CPUs.

    • by fleabay ( 876971 )
      What's the point of that comment? There is no need to single out Apple as needing to change.
      • The point is that Apple needs to wake up and drop Intel as the supplier of CPUs for their Macs, or switch to the rumoured in-house ARM CPUs made for Macs.

        I don't care what Microsoft does, although they appear to be switching to ARM too, at least in some of their latest units.

        • It cracks me up you dweebs always think AMD chips are more secure. Until recently nobody gave a shit about AMD chips enough to try these types of exploits, and they are still not major targets because they have no numbers in the data centers.

          I tell you what, go peruse AMD's errata and tell me how amazing they are...Then factor in how much less time and money they spend in validation.

          I agree Macs should switch to ARM, though. I fucking hate Apple and really think that would be the final nail in the coffin fo

          • by Anonymous Coward

            Nobody is saying Intel CPUs are 0% secure and AMD are 100% secure. But AMD CPUs are more secure than Intel CPUs because they have less flaws and they also have less serious/critical flaws overall.

          • Intel essentially bribed (or created, depending on whom you ask) an Israeli "security firm" to gin up similar exploits targeting AMD CPUs:

            https://www.theinquirer.net/in... [theinquirer.net]

            Though others have speculated that Intel had nothing to do with CTS Labs (alleging it was a stock manipulation scheme), it really does seem like Intel may have just been doing it as a PR move to make their own vulnerabilities look less-bad in comparison (notably Meltdown). AMD has since patched all the "vulnerabilities".

      • Because currently they have a single source agreement with Intel. Other SI's can more easily switch cpu vendor. Apple has a contract.

    • more pci-e lower price the mac pro is DOA with intel and it's high price.

      An AMD threadripper an smoke that thing at more then half the cost. With 64 true cpu pci-e lanes.

    • There are no performance competitive ARM CPUs....
    • by kenh ( 9056 )

      If Apple were to switch to AMD CPUs, would Intel really care? I mean, it represents a nice chunk of change I'm sure, but it's not like losing an OEM with about 15% of the market will cause Intel to do anything in response.

      Losing Apple would cut Intel CPU sales by less than 15% - they could make that up by upping the price on their next few processor generations by 15%.

      Link: https://www.statista.com/stati... [statista.com]

      And of course every product that Apple cut over to AMD would likely require extensive re-engineering f

    • Either Apple needs to switch to AMD CPUs, or switch to their own ARM CPUs.

      Who gives a fuck what Apple does?
      How is this even relevant?

    • Your comment is like if there was a story came up that a delivery vehicle in use by most carriers (USPS, UPS, FedEx, and Amazon) had some kind of exploit that people could use to find out where and when other peoples' stuff is being delivered and you said "Enough is enough, FedEx needs to switch to a different vehicle." You're not wrong, but it's kind of weird that you singled out one specific company for a general issue affecting many companies.
      • I singled out Apple because privacy and security is one of the things they keep talking about and have been for the last few years.

        Who gives a fuck what Dell or HP does? Fucking nobody, that's who. For these corporate-level types, data breaches are only the cost of doing business.

  • by KermodeBear ( 738243 ) on Tuesday December 10, 2019 @06:44PM (#59506176) Homepage

    Many of these attacks at the CPU level seem to affect Intel but not AMD. Is this just a matter of reporting / perception, are researchers not targeting AMD, or does Intel have a systemic problem with their design process?

    • by andydread ( 758754 ) on Tuesday December 10, 2019 @07:58PM (#59506334)
      yeah it's actually most of them only affect Intel CPU. the few that affects other CPUs such as spectre affected ALL out of order CPUs including Arm and Power.
      • yeah it's actually most of them only affect Intel CPU. the few that affects other CPUs such as spectre affected ALL out of order CPUs including Arm and Power.

        POWER7-9 were also vulnerable to MELTDOWN, though of course IBM has mitigations.

    • intel sat on there ass with raid keys and other rips offs for years when they Where better then AMD till zen.

    • by AHuxley ( 892839 )
      NSA Inside.
    • by tlhIngan ( 30335 )

      Many of these attacks at the CPU level seem to affect Intel but not AMD. Is this just a matter of reporting / perception, are researchers not targeting AMD, or does Intel have a systemic problem with their design process?

      It's probably because of how pervasive Intel is. You have to remember that AMD is rather niche, only becoming more popular very recently (past couple of years). Prior to this, AMD was pretty much a budget desktop option that people knew was there but wasn't concerned with.

      It takes a while t

      • Someone does not remember history. Prior to 2006 (Conroe), AMD had the fastest desktop and server x86 CPUs in the world, and did so for a period of several years. AMD started bleeding marketshare badly in 2011.

        • Comment removed based on user account deletion
          • Comment removed based on user account deletion
          • AMD has always been niche, and for the last ten years it's been the "budget" option. Before that it was the Discover card of CPUs

            That was only during the K6 era, when they had an incompatible FPU. The rest of the time it was more like AmEx.

          • 20%+ of the world x86 market share is not niche. Not even close. AMD could have sold more had they not been capacity-constrained in the pre-GF days and had Intel not used underhanded tactics to prevent more OEMs from adopting their chips.

    • by AmiMoJo ( 196126 )

      It's Intel's focus on speed over security that is the problem, and with the latest AMD parts they have now lost the speed advantage too.

      In this case they are trying to make transitions between states happen too quickly. Frequency ramps up or down and core voltage changes with it. Great for extending battery life while keeping burst performance good, but unfortunately they are doing it too aggressively and the result is corrupted data in the CPU's supposedly secure enclave.

  • with all these patches applied to make it as secure as it was supposed to be. =/
    My Z80 didn't have all these security issues.

    • by Dunbal ( 464142 ) *
      Yeah but your Z80 was marginally faster than your adding machine. Today's computers are faster than supercomputers were back then. Even after all the "security patches".
      • Your Z80 was marginally faster than your adding machine.

        I'd like to see an adding machine run Super Mario Land or Metroid II.

  • "a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs"

    well, it's not that 'highly-secured', is it?

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...