Extracting Secrets from Encrypted Virtual Machines

by   Mathias Morbitzer, et al.

AMD SEV is a hardware extension for main memory encryption on multi-tenant systems. SEV uses an on-chip coprocessor, the AMD Secure Processor, to transparently encrypt virtual machine memory with individual, ephemeral keys never leaving the coprocessor. The goal is to protect the confidentiality of the tenants' memory from a malicious or compromised hypervisor and from memory attacks, for instance via cold boot or DMA. The SEVered attack has shown that it is nevertheless possible for a hypervisor to extract memory in plaintext from SEV-encrypted virtual machines without access to their encryption keys. However, the encryption impedes traditional virtual machine introspection techniques from locating secrets in memory prior to extraction. This can require the extraction of large amounts of memory to retrieve specific secrets and thus result in a time-consuming, obvious attack. We present an approach that allows a malicious hypervisor quick identification and theft of secrets, such as TLS, SSH or FDE keys, from encrypted virtual machines on current SEV hardware. We first observe activities of a virtual machine from within the hypervisor in order to infer the memory regions most likely to contain the secrets. Then, we systematically extract those memory regions and analyze their contents on-the-fly. This allows for the efficient retrieval of targeted secrets, strongly increasing the chances of a fast, robust and stealthy theft.


page 1

page 2

page 3

page 4


SEVered: Subverting AMD's Virtual Machine Encryption

AMD SEV is a hardware feature designed for the secure encryption of virt...

Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation

Memory was captured from a system infected by ransomware and its content...

Deriving ChaCha20 Key Streams From Targeted Memory Analysis

There can be performance and vulnerability concerns with block ciphers, ...

One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization

AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms f...

Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain

We demonstrate an attack on the secure bootchain of the Nintendo 3DS in ...

Exploiting Interfaces of Secure Encrypted Virtual Machines

Cloud computing is a convenient model for processing data remotely. Howe...

Virtual Coset Coding for Encrypted Non-Volatile Memories with Multi-Level Cells

PCM is a popular backing memory for DRAM main memory in tiered memory sy...

Please sign up or login with your details

Forgot password? Click here to reset