V0LTpwn: Attacking x86 Processor Integrity from Software

by Zijo Kenjar, et al.

Fault-injection attacks have been proven in the past to be a reliable way of bypassing hardware-based security measures, such as cryptographic hashes, privilege and access permission enforcement, and trusted execution environments. However, traditional fault-injection attacks require physical presence, and hence, were often considered out of scope in many real-world adversary settings. In this paper we show this assumption may no longer be justified. We present V0LTpwn, a novel hardware-oriented but software-controlled attack that affects the integrity of computation in virtually any execution mode on modern x86 processors. To the best of our knowledge, this represents the first attack on x86 integrity from software. The key idea behind our attack is to undervolt a physical core to force non-recoverable hardware faults. Under a V0LTpwn attack, CPU instructions will continue to execute with erroneous results and without crashes, allowing for exploitation. In contrast to recently presented side-channel attacks that leverage vulnerable speculative execution, V0LTpwn is not limited to information disclosure, but allows adversaries to affect execution, and hence, effectively breaks the integrity goals of modern x86 platforms. In our detailed evaluation we successfully launch software-based attacks against Intel SGX enclaves from a privileged process to demonstrate that a V0LTpwn attack can successfully change the results of computations within enclave execution across multiple CPU revisions.


