Security experts from Austria, Germany and Great Britain have unmasked a new gateway for attacks on processors, especially from Intel: The “Running Average Power Limit” (RAPL) function, with which the power consumption of a CPU can be read out and influenced during operation. With RAPL, secret keys for cryptographic algorithms such as AES can also be unmasked with some effort – even if they are in a supposedly secure Trusted Execution Environment (TEE), which Intel’s Software Guard Extensions (SGX) set up. The security hole was given the name Platypus (platypus), which stands for “Power Leakage Attacks: Targeting Your Protected User Secrets”.

RAPL -Interface The RAPL interface is actually intended for monitoring and controlling server processors, especially in (cloud) data centers. Linux provides a “Power Capping Framework” for this. For example, if part of the cooling system or the power supply fails, the maximum power consumption of servers can be limited in order to avoid overheating or crashes. However, RAPL also reveals, among other things, how much power the CPU is currently consuming.

Distribution of the energy demand for the Processing of the imul command with two operands, one with the value 8 and one with changing Hamming weight (from 0x to 0xFF).

(Image: TU Graz / CISPA / Uni Birmingham)

The power consumption of an arithmetic unit changes depending on the type of calculation it is currently performing. Side-channel attacks that exploit this connection to draw conclusions about the processed data have been known for decades. This is why security chips have special functions for cash cards, smart cards and pay TV key cards that protect against such attacks.

Power leakage Attack Most “power leakage” attacks require the attacker to have physical access to the target system in order to be able to connect a power meter or an oscilloscope. The Platypus attack now also works remotely, the digital RAPL interface can even be queried from the operating system without admin rights.

So far, however, experts were of the opinion that the RAPL data is not precise enough to be able to recognize a single RSA key, for example. According to the Platypus discoverers, RAPL enables something like 10. 000 measurements per second, which is very little compared to the up to almost 5 billion clock cycles, each of which has up to 28 cores of an Intel -Processor cycles per second. But if the RAPL measurement can run long enough, secret values ​​can be determined bit for bit through statistical analyzes of the power measurements (Differential Power Analysis / DPA and Correlation Power Analysis / CPA).

Platypus attack: Reading out AES keys from an Intel SGX enclave via the RAPL interface of the Intel CPU.

The security researchers Moritz Lipp, Andreas Kogler, Catherine Easdon, Claudio Canella and Daniel Gruss von from Graz University of Technology, David Oswald from Birmingham University and Michael Schwarz from CISPA used numerous tricks to refine the RAPL measured values ​​sufficiently to be able to draw conclusions about dates and instructions. For example, they worked out methods to be able to superimpose repeated measurements precisely enough at time intervals.

In addition, they eliminated inaccuracies because Intel’s RAPL interface only shares data for all CPU cores delivers and not for each individual. They also included information on the respective core voltage.

Attacks on KASLR, TLS and SGX To make malware attacks more difficult, the Linux kernel scrambles RAM addresses; this is called Kernel Address Space Layout Randomization (KASLR). A Platypus attack should already be valid within 10 seconds of Differentiate between invalid memory addresses.

Took significantly longer with 100 minutes the unmasking of an RSA key in the encryption library mbed TLS. And to get hold of a key processed with AES-NI commands from an SGX enclave, the attack had to be at least 26 Run for hours. However, if many I / O operations disrupted the RAPL signal, the attack lasted for over 270 Hours, i.e. more than 10 days.

Platypus attack on the Kernel Address Space Layout Randomization (KASLR) of the Linux kernel.

This already suggests that Platypus will probably not last for far scattered attacks will be used; it is mainly important for cloud servers and less for desktop PCs and notebooks.

Intel is already making patches available in the form of microcode updates, which can be either get to the affected systems via BIOS update or operating system updates. These are all with Intel processors of the Core i and Xeon series since the Sandy Bridge 2011 introduced generation Sandy Bridge, so from Core i – 2000, Pentium G, Celeron G, Xeon E5 – 2000 and E3 – 1200.

According to the researchers, other processors are also affected in principle, they were able to carry out similar measurements on various AMD Ryzen systems – there were but admin rights required for RAPL access.

Microcode updates announced Intel explains the Platypus attack in the Intel Security Advisory Intel-SA – 00389. As a remedy against Platypus attacks, microcode updates ensure that the measurements are less precise when a CPU core processes SGX commands. In addition, updates to the Linux kernel prevent unprivileged users from accessing certain RAPL data. The CVE numbers are CVE – 2020 – 8694 and CVE – 2011 – 8695.

The Platypus co-discoverers Moritz Lipp, Daniel Gruss and Michael Schwarz were among others Already involved in uncovering the Specter and Meltdown CPU vulnerabilities. Daniel Gruss also worked on the investigation of the Plundervolt security hole, which manipulates internal CPU registers to control the power supply as a side channel.

(ciw)