Intel and AMD Trusted Enclaves, a Foundation For Network Security, Fall To Physical Attacks (arstechnica.com) 96
Researchers have unveiled two new hardware-based attacks, Battering RAM and Wiretap, that break Intel SGX and AMD SEV-SNP trusted enclaves by exploiting deterministic encryption and physical interposers. Ars Technica reports: In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center. In many cases, these protections -- which work by storing certain data and processes inside encrypted enclaves known as TEEs (Trusted Execution Enclaves) -- are essential for safeguarding secrets stored in the cloud by the likes of Signal Messenger and WhatsApp. All major cloud providers recommend that customers use it. Intel calls its protection SGX, and AMD has named it SEV-SNP.
Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.
Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.
Hardware vulnerable to physical attacks (Score:5, Insightful)
Xbox hardware security (Score:1)
Guarding Against Physical Attacks: The Xbox One Story [platformse...summit.com] was written in 2019.
I don't know if the Xbox has been compromised since then, but if it has been, it wasn't easy.
Re: (Score:2)
The XBox is impressive, but it uses a physical ring of defenses. CPU makers don't have that much room.
At most, they can put a capsule of a potent acid, so decapping causes it to physically dissolve the secure area.
Instead, maybe some work should be done on PUFs. This way, the chip doesn't have to contain any secure data. It just uses its unclonable encrypt/decrypt operation to deal with stuff. A name:value lookup for passwords could be infinite because it wouldn't need to be stored in an enclave.
Re: (Score:2)
Correction, can't find the link, but there was a special purpose chip that had a tiny vial in glass of acid to hinder decapping. I can't find the link, so I'll pin [citation needed] on my own post.
Re:Xbox hardware security (Score:4, Funny)
You mean those [wikipedia.org] red [fandom.com] rings [lifewire.com]?
Re: (Score:2)
If it isn't operable, it can't be hacked. /s
Re: (Score:1)
"Back in the day", commercial arcade game machines used anti-tamper mechanics like covering the entire motherboard with epoxy glue, sometimes an inch or more thick.
Re: (Score:2)
Epoxy potting? It is still done. Pretty much every Blu-Ray player has epoxy over the core security chips. Done right, it can actually be useful, as it adds weatherproofing. There is one company that does stuff like that with Raspberry Pis, to make hardened edge computing devices.
Re: (Score:2)
“In short: The memory limitations in the hidden ROM made the system vulnerable in principle. A terribly wrong design and three bugs in the implementation opened three independent backdoors.”
Re: (Score:2)
It actually is a story because of the specific hardware and the role it has (restricting what the user/owner of the machine can do). Users/owners tend to have physical access. Also, after an attack with physical access, one on the whole class of devices without that physical access is often not far behind.
Details matter.
Re: (Score:2)
Okay FP, but "Insightful"? You didn't say anything about the chain of security and the balance of motivation.
As regards your focus on physical security, it's actually one of the links in the chain that is relatively easy to reinforce and track. I think the weakest link usually turns out to be the people. (Interesting recent evidence from the human misuse of Enigma by many of the German soldiers in WW II. Any interest in the citation of the book? (I didn't think so.))
For number two I would actually rate comp
Re: (Score:2)
The good part of this: (Score:4, Insightful)
This will actually make it easier for security companies to analyze malware that uses SGX and SEV.
Frankly, I find these to be misfeatures as the people who actually want these are slinging DRM.
Re: (Score:2)
Frankly, I find these to be misfeatures as the people who actually want these are slinging DRM.
Or you know, protecting encryption keys from computer-nabbed-by-the-FBI style attacks.
Not that I perceive a large uhhh, demand for that... I can definitely think of at least 1 person sitting in jail who really wishes he had SGX on his machine.
Re: (Score:2)
Yep, because the FBI would never get access to the keys. What universe are you living in? Because it is not this one.
Re: (Score:2)
This is pretty simple.
There's a hole right now in how things like full-disk-encryption work.
The keys are stored long-term in the TPM, where they cannot be extracted from (they're encrypted there)
However, those keys must be put plain-for-everyone-to-see into system RAM to actually do the encrypting/decrypting.
Things like SGX close that hole. Period.
I'm living in a universe where I understand the technology I opine about, which is indeed a very fucking different one from the one you live in.
Re: (Score:2)
What are you talkig about? Are you using SOFTWARE encryption?
Re: (Score:2)
Re: (Score:2)
Seriously? I would really think not. Bitlocker and LUKS, for example, a lot faster with hardware-based encryption, which for AES every modern AMD64 CPU (and some others) have. I did not find any numbers for Bitlocker, probably because it is hard to switch off AES hardware under Windows. For LUKS it is about a factor of 10x faster.
Seems your knowledge is a tiny bit outdated.
Re: (Score:2)
Seriously? I would really think not. Bitlocker and LUKS, for example, a lot faster with hardware-based encryption
We've talke past each other.
I assumed you were talking about drive-controller located encryption.
You seem to be referring now to AES-NI, which requires the keys to be in RAM.
I.e., for the purpose of our discussion- the AES instructions are absolutely still software encryption.
Re: (Score:2)
Or you know, protecting encryption keys from computer-nabbed-by-the-FBI style attacks.
If you are worried about the FBI accessing your computer then there are larger issues at play that have nothing to do with computing security. Particularly, you are doing something illegal.
I can definitely think of at least 1 person sitting in jail who really wishes he had SGX on his machine.
Who? I ask because you SGX is only effective for an active process that is executing. Also, as another poster pointed out, just because one avenue is closed doesn't mean another will not be taken.
Re: (Score:3)
Re: (Score:2)
"you are doing something illegal" or of the wrong political party
You seemed to have missed the sentence directly before this where I wrote "If you are worried about the FBI accessing your computer then there are larger issues at play that have nothing to do with computing security."
Re: (Score:2)
It can be extended to all computer security.
If you need a password on your computer, there are larger issues at play that have nothing to do with computing security.
Seriously, drink more coffee, try to get those fucking cylinders firing between your ears, and try again.
Re: (Score:2)
If you are worried about the FBI accessing your computer then there are larger issues at play that have nothing to do with computing security. Particularly, you are doing something illegal.
Don't be this stupid.
"Only criminals need protection from the Government" is a fucking stupid position to have. Do you really need me to explain and demonstrate why?
Who? I ask because you SGX is only effective for an active process that is executing. Also, as another poster pointed out, just because one avenue is closed doesn't mean another will not be taken.
SGX is effective for anything stored in RAM.
This includes encryption keys that were never in the clear until they were put there- think full-disk-encryption keys.
That's who. [fbi.gov]
Ever watch the documentary? They had like 6 agents when they took him down just to stop him from putting his computer to sleep, which would have wiped the ephemeral keys
Re: (Score:2)
Ross William Ulbricht hired a hitman to kill someone. Not exactly a shining star for your point.
Re: (Score:2)
If you're trying to turn this into a moral argument, then you've already lost it.
There were 2 aspects of my argument.
1) If you think it's a moral argument, you're stupid. Let me know if you need me to demonstrate why.
2) It is absolutely a thing that the Government takes advantage of.
You've mixed those two together. The fact that who they did it to was a piece of shit does not invalidate the fact that the Government also goes after political enemies.
Re: (Score:2)
If you're trying to turn this into a moral argument, then you've already lost it.
LOL! Nothing like declaring yourself the winner.
The fact that who they did it to was a piece of shit does not invalidate the fact that the Government also goes after political enemies.
You're not wrong but SGX will not stop them. It may slow them down but it will not stop them. This is why I wrote that "[i]f you are worried about the FBI accessing your computer then there are larger issues at play that have nothing to do with computing security."
Re: (Score:2)
LOL! Nothing like declaring yourself the winner.
You declared me the winner too, would you like to know how?
You're not wrong but SGX will not stop them. It may slow them down but it will not stop them. This is why I wrote that "[i]f you are worried about the FBI accessing your computer then there are larger issues at play that have nothing to do with computing security."
It will absolutely stop them until they've got a reasonable side channel to pull the keys.
No one on this planet is breaking AES-256 in stride.
As you said, I'm not wrong. And that's because I'm not.
You judge the future abuses of a Government by what it does to the most evil people in society today.
Re: (Score:2)
It will absolutely stop them until...
https://imgs.xkcd.com/comics/s... [xkcd.com]
Re: (Score:2)
Maybe if they start shipping us down to Guantanamo.
For right now, anyway, if they seize your shit in an attempt at some kind of parallel construction, encryption protects you.
It's true that it will also protect bad guys.
That doesn't justify weakening security or adding back doors. You British or some shit?
Re: (Score:2)
Yes. This is exclusively about Digital Restriction Management. No surprise Microsoft is behind this crap.
Re: (Score:2)
Microsoft isn't behind SGX and it isn't even particularly useful for DRM. It's mostly used for isolating stuff on virtualised servers, hence not being present on Core CPUs, only Xeon.
Re: (Score:2)
MS is behind the Pluton security processor on AMD. But it looks like this stuff has gotten even more complex and non-transparent and there are now several TEEs on some CPUs. Thanks for pointing that out.
Re: (Score:2)
Ya, root-of-trust- SO BAD! CAN'T HAVE THAT!
You need to accept that what is good for the goose is good for the gander.
Which are you?
Pluton is just a TPM. It isn't some kind of dark and evil thing. You have control over the trust root. It just enforces that it can't be fucked with by anyone but you.
Re: (Score:2)
Re: (Score:2)
DRM? Those are for securing VMs, not DRM.
That is a use case for servers. However, DRM is the primary use case for clients. Guess where it was deployed and utilized first? (Hint: not servers)
Re: (Score:2)
Not only are you just full of shit, I think you also might be legitimately stupid.
Re: (Score:2)
Re: (Score:2)
It's just too bad that he's wrong.
* The first Intel chips to support SGX were released on August 5, 2015.
* The first Ultra HD Blu-ray Discs (which need it) were officially released on February 14, 2016.
* Windows 10's Virtualization-Based Security (VBS) does not use Intel SGX.
You two are going to be good friends at being wrong.
Re: (Score:2)
QEMU added support for SGX emulation (as a test) in 2014.
WolfSSL added support in 2016.
I love that you picked out some Windows 10 feature that no professional knows or gives a fuck about.
I'll go as far as to argue that if you know what "Windows 10's VBS" is, then SGX wasn't for you, and your only interface with it probably was via DRM.
Re: (Score:2)
It's too bad that I'm not.
Not by your perspective but by your perspective "your regular OS" is Linux.
I love that you picked out some Windows 10 feature that no professional knows or gives a fuck about.
It depends on your perspective. You obviously haven't supported a Windows business environment.
Re: (Score:2)
It depends on your perspective. You obviously haven't supported a Windows business environment.
Correct. I have people under me who handle that part of my responsibilities.
SGX does not factor into your Windows business environment. Period, unless you're arguing that the ability to watch Blu-Rays is a business environment concern.
Nobody isn't arguing that SGX will be used by people concerned about DRM.
What's good for the goose is good for the gander.
There's no way to improve our security without also being able to improve theirs.
That is not a rational argument for throwing away improvement in sec
Re: (Score:2)
Incorrect. It was deployed first on your regular OS to securely store user keys.
If that is true then which part of Windows used it and when was it released? I would point out that 4K UHD blu-ray discs started being released in Q4 of 2015.
Re: (Score:2)
Userspace tools predate even final release of the hardware (2014), and started appearing as soon as there was kernel support.
Like 10 people on this planet watch Blu-ray discs on a fucking PC.
I can't remember the last time I owned a computer with an optical drive.
Re: (Score:2)
Oh come on. I use Linux exclusively but even I'm not arrogant enough to call it people's "regular OS".
Re: (Score:2)
You literally just said it was your regular OS.
If you deal with servers, you almost exclusively deal in Linux.
Now gauge the marketing material. [intel.com]
Are they selling to my grandma, or are they selling to me?
Re: (Score:2)
Why not?
https://en.wikipedia.org/wiki/... [wikipedia.org]
If you deal with servers, you almost exclusively deal in Linux.
That's fine but if you go back and read what I wrote then you'll see I wasn't talking about servers.
"That is a use case for servers. However, DRM is the primary use case for clients. Guess where it was deployed and utilized first? (Hint: not servers)"
Re: (Score:2)
That's fine but if you go back and read what I wrote then you'll see I wasn't talking about servers.
That's not a distinction you get to make if we're talking about linux.
Guess where it was deployed and utilized first? (Hint: not servers)
It was deployed on Linux. That means servers. And desktops, such as your own.
Tell me what you see in common with those CPUs. [intel.com]
When you're done, estimate the amount of Windows installations on those kinds of CPUs.
Re: (Score:2)
That's fine but if you go back and read what I wrote then you'll see I wasn't talking about servers.
That's not a distinction you get to make if we're talking about linux.
I wasn't talking about Linux, you were.
Guess where it was deployed and utilized first? (Hint: not servers)
It was deployed on Linux. That means servers. And desktops, such as your own.
I was actually a bit curious about this claim and I can't seem to locate any information to confirm that SGX use on Linux.
Linux Kernel support came in April 25th 2016: https://lkml.iu.edu/hypermail/... [iu.edu]
GCC didn't even have support for SGX until nearly 2017: https://www.phoronix.com/news/... [phoronix.com]
QEmu SGX support seems to have been added in 2021 if what I saw in repo history is accurate.
I did find OpenSGX "An Open Platform for SGX Research" a research tool for emulating an SGX
Re: (Score:2)
Incorrect. It was deployed first on your regular OS to securely store user keys.
Nope. Windows 10's Credential Guard uses Virtualization-Based Security (VBS) which does not use Intel SGX.
Oh and then there's this:
* The first Intel chips to support SGX were released on August 5, 2015.
* The first Ultra HD Blu-ray Discs (which need it) were officially released on February 14, 2016.
Not only are you just full of shit, I think you also might be legitimately stupid.
LOL!
Re: (Score:2)
I'm sorry you use an inferior operating system.
This is what people who aren't using trash-tier OS' were using SGX for. [wolfssl.com]
Re: (Score:2)
wtf is this shit about Windows 10?
That's what most people would call their "regular OS" in 2015.
I'm sorry you use an inferior operating system.
I've been a Linux user since Win98 decided it wasn't going play nice with Linux about 25 years ago. That said, I don't consider Linux to be what people consider "your regular OS" because I know almost everyone is still hooked to Microsoft.
Re: (Score:2)
That's what most people would call their "regular OS" in 2015.
Most people have no idea what AVX512 is, and would never run an application that uses it, either.
I've been a Linux user since Win98 decided it wasn't going play nice with Linux about 25 years ago. That said, I don't consider Linux to be what people consider "your regular OS" because I know almost everyone is still hooked to Microsoft.
You're a linux user, and you think SGX is for DRM?
That's really sad. It used to be that linux was where the smart people ended up. I suppose the tinfoilers were always a component, but it feels like they're growing.
Re: (Score:2)
You're a linux user, and you think SGX is for DRM?
Yes because hiding something from the kernel instead of asking the kernel to keep it safe tells me that you do not trust the kernel. If you do not truth the kernel then you are either doing DRM, executing malware, or are using ultraparanoid computing. Intel's interest in security has been lackluster at best (have you seen how many of their extensions have been disabled?) which tells me it's primary purpose was DRM.
Re: (Score:2)
Yes because hiding something from the kernel instead of asking the kernel to keep it safe tells me that you do not trust the kernel.
Uh, why would you?
If you do not truth the kernel then you are either doing DRM, executing malware, or are using ultraparanoid computing.
Lots of computing needs to be ultraparanoid.
If it's not, then you should not be dealing with PII.
Intel's interest in security has been lackluster at best (have you seen how many of their extensions have been disabled?) which tells me it's primary purpose was DRM.
Ya, lots of DRM concerns on Xeons. [intel.com]
No, you're a fucking nut.
Re: (Score:2)
Uh, why would you?
Because that's the normal security model.
Lots of computing needs to be ultraparanoid.
If it's not, then you should not be dealing with PII.
At this point, I don't know of any company using enclaved processes to secure PII. "Should"/"should not" is an argument but "does"/"does not" reflects reality.
Ya, lots of DRM concerns on Xeons.
Do not distort my position: "That is a use case for servers. However, DRM is the primary use case for clients." [slashdot.org]
Re: (Score:2)
Re: (Score:2)
What an ignorant claim. https://www.techpowerup.com/29... [techpowerup.com]
If an attacker has physical access to my DIMMS (Score:2)
Re: (Score:3)
Right, for most of us this probably isn't particularly relevant. But, if you're employed by a cloud vendor possessing contracts with a national government... then maybe you do need to think about this.
Re: If an attacker has physical access to my DIMMS (Score:2)
If you are a government actor depending on a cloud vendor you have bigger problems.
Re: (Score:2)
That's a dumb take. The US has been writing cloud computing contracts for TOP SECRET content for years, to say nothing of public web sites. Australia and New Zealand have specific infosec guidance (their Information Security Manuals) that not only recommend particular controls when using cloud vendors, but that encourage use of cloud vendors, CDNs, and similar services to improve availability of government-provided information and services.
Everyone should have contingency plans and fallback capabilities,
Re: If an attacker has physical access to my DIMM (Score:2)
Processing secure data is simply not one of those cases.
Re: (Score:2)
... if you trust pseudonymous Internet randos over the US intelligence community and DoD, at least.
https://www.nextgov.com/modern... [nextgov.com]
https://www.cnbc.com/2022/12/0... [cnbc.com]
These clouds have multiple layers of security, several of which reduce the likelihood that someone will install an interposer in a server undetected. (Or, in the case of the Wiretap photo, job up a logic analyzer to a compromised server.) Cloud vendors are also likely to have moved quicker to DDR5, which isn't vulnerable to either of these attac
Re: (Score:2)
none of this is "top secret"
private cloud infrastructure is not public cloud infrastructure.
Re: (Score:2)
Sorry, it's not dumb since it has already caused problems.
Re: (Score:2)
It's an even dumber take to insist that things can only be done if they are done perfectly.
Re: (Score:2)
Re: (Score:2)
It can affect us directly. The Secure Enclave on a phone can be all that keeps data away from the hands of bad guys on a stolen phone. The TPM might be the only thing that keeps company data out of the hands of nation-state tier level thieves. Yes, it sounds like overkill, but might as well do it right, because you never know.
Re: If an attacker has physical access to my DIMMS (Score:2)
The motherboard is the second level of defense. The case is the third. The rack is the fourth, the cage is the fifth. The armed guard is the sixth.
Physical attacks are readily mitigated by those with the will.
Re: (Score:2)
Battering RAM (Score:3)
Dredge in flour, then beaten eggs, then dried bread crumbs, preferably Panko. Deep-fry until golden brown.
Code signing is not security (Score:3)
Just because you have a "security enclave" doesn't mean it has anything to do with security for user data. In virtually all cases we've seen in reality so far, this kind of technology is used for securing business models against the interests of the users. Effectively they facilitate attacks against the user rather than hinder them. The most prominent example, of course, is DRM.
So please skip the nonsense. In the rare event you actually need some sort of hardware security, get a hardware security module.
Re: (Score:2)
Indeed. Also note that actually reasonably secure systems (Linux, if managed competently, for example or the xBSDs) do not even use this "security" hardware because it is not needed. This "secure" hardware is not an asset, it is a problem.
Re: (Score:2)
PHYSICAL access (Score:4, Interesting)
>"In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center."
These are PHYSICAL attacks that require getting physically to the server (keys/locks/cameras/security guards/alarms), taking the server power down (service loss/downtime alerts/network monitoring), removing it from the rack, opening it, installing special/rare/custom/foreign hardware, closing it back up, installing it back on the rack, applying power, and booting it back up again. How is that happening in data centers for "cloud computing"? How is this actually relevant for any realistic security model?
The ONLY realistic value in this information is when trying to protect CLIENT machines FROM THE CLIENT'S OWNERS. You know, where the owner of the equipment has access and wants more access to their own stuff. Yes, as others have pointed out, probably from hacking DRM. Oh, the world is ending...
Re: (Score:2)
It could happen rather easily: e.g. the government could compel a datacenter to provide access to a rack server of its customer. Or a datacenter worker could be bribed to do it. Power outage can be explained by a power distribution malfunction.
E.g. Signal uses Azure and SGX is a component of their security, for dealing with things like contact discovery. But surely nobody would be interested in compromising Signal..
You're probably need to be quite a high-value target be attacked this way.
Why not have fully encrypted RAM? (Score:2)
Why has no-one made a computer (or if they have, why is it not more widely known or used) that works like, say, the Xbox One and Xbox Series where the CPU has a unique (and unreadable by any software) key burnt into it at manufacture time and any access to RAM is encrypted using that key and some hardware encryption.
Done right, it would be impossible for any attacks that rely on reading or writing the contents of RAM other than through the CPU memory controller (and the encryption hardware) to even work.
May
Re:Why not have fully encrypted RAM? (Score:4, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
This article is about defeating part of it.
Re: (Score:2)
One more reason for my next CPU to be AMD and not Intel.
Re: (Score:2)
It makes me sad though. Intel used to make great stuff.
Oh, but I think Intel does have its own memory encryption system. I'm just blanking on the name.
Oh lord who cares (Score:2)
Yeah, I got bad news, if someone is able to get access to your hardware for long enough to install an interposer AND get it to work (the signal integrity engineering at modern RAM speeds borders on magic, and an interposer throws God* only knows how many nanohenries of mutual inductance wrenches into the machinery), they've got time to do a LOT of things.
*and by God I mean the milli
I hope they publish all keys (Score:2)
This crap has to stop. Security-by-obscurity has no place in competent engineering.
Love the clickbait summary... (Score:2)
Firstly, requiring physical access is a massive barrier. You'd have to have a massively lucrative target to even risk trying to find what machine in a data center to (reading an article)...
Put in a device that sits between the memory and the CPU. Yea, nobody is going to notice somebody replacing all the memory in a machine with some random parts. Oh, of course that doesn't mess with the signaling at all and the BIOS will post perfectly with some janky ribbon cable setup.
And then, just sent the data via cell