Send email Copy Email Address

Annabelle Theobald

CISPA researchers discover new security vulnerability in AMD SEV technology

So-called Secure Encrypted Virtualization (SEV) was developed by AMD with the primary goal of making its cloud services more secure. But even the latest versions of the security feature, SEV-ES (Encrypted State) and SEV-SNP (Secure Nested Paging), were vulnerable to a software-based attack until recently. This was discovered by CISPA researcher Ruiyi Zhang, who works in the team of CISPA- Faculty Dr. Michael Schwarz. He constructed a type of attack called CacheWarp, which in the worst case enables attackers to gain comprehensive access rights to data and even the possibility to manipulate it - something that was not possible with previous attack techniques. Zhang was supported by his research team at CISPA and Andreas Kogler from Graz University of Technology. According to AMD, the vulnerability has now been fixed with an update.

The use of large cloud platforms is booming. "Cloud services offer companies the flexibility to purchase computing power and storage space whenever they need it," explains Ruiyi Zhang. The security of these services is crucial but has been compromised in the past by the discovery of vulnerabilities and the potential for attacks. "Cloud services are based on so-called virtualization, which can save hardware components and, as a result, staff," Zhang says. According to the researcher, virtualization means the creation of several virtual machines on a single physical computer. Virtual machines are basically software-based computers equipped with everything a regular computer has: its own memory, a CPU, and an operating system. Virtualization can thus turn one computer with the necessary computing power into many.

Security feature with vulnerabilities

The distribution of resources and the corresponding separation of processes is handled by the so-called hypervisor. This software distributes resources such as memory and computing power and isolates the operating systems. The hypervisor thus acts as a kind of host for the virtual machines. To prevent it from becoming a point of attack, the processor manufacturer AMD introduced the first generation of Secure Encrypted Virtualization (SEV). The idea behind SEV: For each running virtual machine, the memory is encrypted with a separate key, which is supposed to make overlapping data access and access by an untrustworthy hypervisor or one that has been taken over by attackers impossible. "Several security vulnerabilities were quickly identified. In addition, SEV and SEV-ES initially used encryption without an identity check, which allowed for data manipulation. Also, not all parts of the memory were encrypted," explains Michael Schwarz. The CISPA faculty is an expert for security vulnerabilities in CPUs and was involved in the discovery of several of such vulnerabilities, including Spectre, Meltdown and ZombieLoad. AMD reacted to the problems by further developing SEV into the features SEV-ES (Encrypted State) and, most recently, SEV-SNP (Secure Nested Paging). According to AMD, SEV-SNP provides a strong memory integrity, which should prevent hypervisor attacks.

A few lines of code

About half a minute, access to a server room and a few lines of code is all that Zhang would need to gain access to all the virtual machines and to view and modify everything he wants with administrator rights. Finding out how exactly this is possible took several months of work. "According to our knowledge, CacheWarp is the only software-based attack so far that can defeat SEV-SNP like that," Zhang explains.

A computer travels through time

"First, we need to be able to log into a system. For this purpose, we employ a method that we called TimeWarp," Schwarz says. According to the researcher, this method utilizes the fact that in certain scenarios, computers memorize which code they need to execute next. "We can reset what the computer has memorized as the next step. This makes the computer execute code that it executed before because it reads an outdated so-called return address from memory. The computer thus travels back in time. However, the old code is executed with new data, which leads to unexpected effects. If you use this method cleverly, you can change the program logic," Schwarz explains. Zhang adds: "TimeWarp thus allows us to change the program logic in a virtual machine such that we can log in without knowing the password."

0 represents success

Combined with the second method, so-called Dropforge, it is also possible to manipulate the cache and reset changes made on data. "Even if it doesn’t seem intuitive, this even allows you to be granted administrator rights. This is achieved by exploiting details of the program logic," Schwarz says. In computer science, a "0" often represents success, whereas other values represent potential error codes. According to Schwarz, "0" is also the default value for data if no different value is stored. "When the system tests whether the respective user is an administrator or not, the query will return "0" if you are an administrator. If you are not an administrator, a different value will be returned. With "Dropforge", this return value can be reset. No matter if you are an administrator or not, the memory will contain the initial value of "0". The system then assumes that you are an administrator," Schwarz explains. "With this combination, we have unlimited access to the virtual machine," Zhang adds.

Trust is good

In their paper "CacheWarp: Software-based Fault Injection Selective State Reset", the researchers not only describe the attack methods but also suggest a compiler-based solution to mitigate the attacks. In addition, they want to provide an open source testing tool for the vulnerability. "We don't want to rely on the statement that something is secure. We want to be able to verify it," Schwarz explains. Since discovering CacheWarp, the researchers have been in communication with AMD: The manufacturer has indicated to them that the vulnerability has been fixed by now.

The research team led by Michael Schwarz has created its own website for more information on CacheWarp.

Paper: “CacheWarp: Software-based Fault Injection using Selective State Reset” by Ruiyi Zhang (CISPA), Lukas Gerlach (CISPA), Daniel Weber (CISPA), Lorenz Hetterich CISPA, Youheng Lü (Independent), Andreas Kogler (Graz University of Technology), Michael Schwarz (CISPA)

Full Paper