Why it matters: Researchers at the Technical University of Berlin have shown that AMD's Secure Encrypted Virtualization (SEV) technology can be bypassed by manipulating the input voltages, thereby compromising the technology, similar to previous attacks against its Intel counterpart.
SEV relies on the Secure Processor (SP), a humble arm Cortex-A5, to create a trust base in AMD EPYC CPUs (Naples, Rome and Milan – Zen 1 to 3).
The research paper – with the amusing but eloquent title "One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization" – describes how an attacker could compromise the SP in order to retrieve encryption keys or execute arbitrary code.
“By manipulating the input voltage of AMD systems on a chip (SoCs), we induce an error in the bootloader of the read-only memory (ROM) of the AMD-SP, which gives us full control over this root-of-trust . "
Conventional wisdom often follows the mantra that any system that an attacker has physical access to may as well be compromised. However, since SEV is supposed to protect virtual machines from the hypervisor itself (and also from each other), it should offer a level of security against these situations – for example by protecting VMs from a fraudulent administrator in a cloud environment.
The position required to carry out such an attack is quite demanding; Access to a cloud computing company in a role that enables server access at the hardware level, with the wisdom to do so without arousing suspicion. The equipment required is much less ambitious, however, requiring only a microcontroller and flash programmer, which can be purchased between the two for well under $ 50.
Intel's comparable Software Guard Extensions technology has previously been shown to be susceptible to voltage fault attacks (as well as many others). Plundervolt used built-in voltage scaling interfaces that are commonly used in undervolting, and when those were locked down, researchers found that external voltage manipulation could produce similar results. This method, called VoltPillager, ultimately inspired the researchers at TU Berlin to test AMD's SEV in this way.
Intel decided not to contain VoltPillager because hardware-level attacks would be beyond the scope of the SGX threat model, causing researchers to question the security that entrusts sensitive computations to a third-party cloud.
Now that its main competitor has proven to be similarly vulnerable for all three EPYC generations – albeit codenamed the dramatic vulnerability that is still pending – those questions are only sharper.