Plundervolt: Flipping Bits from Software without Rowhammer

Formal Metadata

Title: Plundervolt: Flipping Bits from Software without Rowhammer
Number of Parts: 254
License: CC Attribution 4.0 International. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
We present the next step after Rowhammer, a new software-based fault attack primitive: Plundervolt (CVE-2019-11157). Many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. We show that these privileged interfaces can be reliably exploited to undermine the system's security. In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code. Fault attacks pose a substantial threat to the security of our modern systems, allowing an attacker to break cryptographic algorithms or to obtain root privileges on a system. Fortunately, fault attacks have always required local physical access to the system. This changed with the Rowhammer attack (BlackHat USA 2015, CCC 2015), which for the first time enabled an attacker to mount a software-based fault attack. However, as countermeasures against Rowhammer are developed and deployed, fault attacks require local physical access again. In this CCC talk, we present the next step, a long-awaited alternative to Rowhammer, a second software-based fault attack primitive: Plundervolt. Dynamic frequency and voltage scaling features have been introduced to manage ever-growing heat and power consumption in modern processors. Design restrictions ensure frequency and voltage are adjusted as a pair, based on the current load, because for each frequency there is only a certain voltage range where the processor can operate correctly. For this purpose, many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. In this talk, we show that these privileged interfaces can be reliably exploited to undermine the system's security.
We present the Plundervolt attack, in which a privileged software adversary abuses an undocumented Intel Core voltage scaling interface to corrupt the integrity of Intel SGX enclave computations. Plundervolt carefully controls the processor's supply voltage during an enclave computation, inducing predictable faults within the processor package. Consequently, even Intel SGX's memory encryption/authentication technology cannot protect against Plundervolt. In multiple case studies, we show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code. We finally discuss why mitigating Plundervolt is not trivial, requiring trusted computing base recovery through microcode updates or hardware changes. We responsibly disclosed our findings to Intel on June 7, 2019. Intel assigned CVE-2019-11157 to track this vulnerability and to refer to mitigations. The scientific paper on Plundervolt will appear at the IEEE Security & Privacy Symposium 2020. The work is the result of a collaboration of Kit Murdock (The University of Birmingham, UK), David Oswald (The University of Birmingham, UK), Flavio D. Garcia (The University of Birmingham, UK), Jo Van Bulck (imec-DistriNet, KU Leuven, Belgium), Daniel Gruss (Graz University of Technology, Austria), and Frank Piessens (imec-DistriNet, KU Leuven, Belgium).
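The RSA case study from the abstract, the gcd-based factor recovery that the talk sketches for a faulted CRT signature (the Lenstra/Bellcore attack), and the verify-before-release check that blocks it, as an added example that is not code from the talk, the paper or Intel: a toy CRT-RSA signer in which one half-exponentiation can be corrupted, standing in for the faulted multiplication. The tiny primes, the `fault_mask` parameter and all helper names are constructed for illustration only.

```python
from math import gcd
import hashlib

E = 65537  # public exponent


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_usable_prime(start: int) -> int:
    """Smallest prime p >= start with gcd(E, p - 1) == 1, so that d exists."""
    p = start
    while not (is_prime(p) and gcd(E, p - 1) == 1):
        p += 1
    return p


# Constructed toy key: far too small for real use, just large enough that a
# corrupted CRT half cannot coincide with the correct one modulo the other prime.
P = next_usable_prime(1_000_000)
Q = next_usable_prime(2_000_000)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python >= 3.8)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # Garner coefficient q^-1 mod p


def hash_to_int(msg: bytes) -> int:
    """Message representative: SHA-256 reduced mod N (toy padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def crt_sign(m: int, fault_mask: int = 0) -> int:
    """CRT-RSA signature s = m^d mod N built from two half-exponentiations.
    fault_mask XORs bits into the mod-p half, modelling one corrupted
    multiplication in that half only; the mod-q half stays correct."""
    s_p = pow(m, DP, P) ^ fault_mask
    s_q = pow(m, DQ, Q)
    h = (QINV * (s_p - s_q)) % P
    return (s_q + h * Q) % N        # Garner recombination


def recover_factor_from_pair(s_good: int, s_bad: int) -> int:
    """The step the talk describes: both signatures agree mod q, so their
    difference is a multiple of q and gcd(s - s', N) reveals q."""
    return gcd(abs(s_good - s_bad), N)


def recover_factor_from_faulty(s_bad: int, m: int) -> int:
    """Lenstra's variant: one faulty signature suffices, because
    s'^e == m (mod q) still holds while it fails mod p."""
    return gcd((pow(s_bad, E, N) - m) % N, N)


def sign_with_check(m: int, fault_mask: int = 0):
    """Countermeasure: verify with the public key before releasing the
    signature. A faulty result is withheld (None) instead of leaked."""
    s = crt_sign(m, fault_mask)
    if pow(s, E, N) != m:
        return None
    return s


if __name__ == "__main__":
    m = hash_to_int(b"constructed test message")
    good, bad = crt_sign(m), crt_sign(m, fault_mask=1 << 5)
    print("q recovered from pair:", recover_factor_from_pair(good, bad) == Q)
    print("q recovered from one faulty signature:", recover_factor_from_faulty(bad, m) == Q)
    print("checked signer withholds faulty signature:", sign_with_check(m, 1 << 5) is None)
```

The public-key re-check costs one exponentiation with the small exponent e, which is why it is the standard software countermeasure for CRT-RSA fault attacks; it withholds the faulty signature rather than preventing the fault itself.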
Transcript: English (auto-generated)
The next talk is called "Flipping Bits from Software without Rowhammer". A small reminder: Rowhammer is, and still is, a software-based fault attack. It was published in 2015. Countermeasures were developed, and we are still in the process of deploying those everywhere. And now our two speakers are going to talk about a new software-based fault attack to execute commands inside the SGX environment. Our speakers are Professor Daniel Gruss from the University of Graz and Kit Murdock, researching at the University of Birmingham.

The content of this talk is actually in her first published paper, published at IEEE... I don't know... accepted at IEEE Security and Privacy next year. In case you do not come from the academic world: this is always a big deal, and if this is your first paper, even more so. Please welcome both of them, and enjoy the talk.
Hello. Let's get started. This is my favourite recent attack. It's called CLKscrew, and the reason that it's my favourite is that it created a new class of fault attacks. Fault attacks, as I know them: you take these oscilloscopes, check the voltage line, and then you drop the voltage. Now you see why this one is cool: you don't need any equipment at all.

Adrian Tang created this wonderful attack that uses DVFS. What's DVFS? I don't know... "don't violate format specifications"? I asked my boyfriend this morning what he thought DVFS stood for, and he said "Darth Vader fights Skywalker". And I'm also wearing his t-shirt specially for him as well. Maybe this is more technical: "dazzling vault for security", like SGX. No, it's not that either. Mine, the one I came up with this morning, was "drink vodka, feel silly". It's not that either. It stands for dynamic voltage and frequency scaling, and what that means, really simply, is changing the voltage and changing the frequency of your CPU.

Why do you want to do this? Why would anyone want to do this? Well, gamers want fast computers. I am sure there are a few people out here who will want a really fast computer. Cloud servers want high assurance and low running costs. And what do you do if your hardware gets hot? You're going to need to modify them. And actually finding a voltage and frequency that work together is pretty difficult, and so what all the manufacturers have done to make this easier is they've created a way to do this from software. They created memory-mapped registers; you modify these from software and it has an impact on the hardware, and that's what this wonderful CLKscrew attack did.

But they found something else out, which is... you may have heard of TrustZone. TrustZone is an enclave in ARM chips that should be able to protect your data. But if you can modify the frequency and voltage of the whole core, then you can modify it for both TrustZone and normal code. And this is their attack, in software: they modified the frequency to take it outside of the normal operating range and they induced faults. And so in an ARM chip running on a mobile phone, they managed to get out an AES key from within TrustZone. They should not be able to do that. They were able to trick TrustZone into loading a self-signed app. You should not be able to do that. And that made this ARM attack really interesting. This year another attack came out called VoltJockey, and this also attacked ARM chips, but instead of looking at frequency on ARM chips, they were looking at voltage on ARM chips.
We were thinking: what about Intel? Okay, so Intel. Actually, I know something about Intel, because I had this nice laptop from HP. I really liked it, but it had this problem that it was getting too hot all the time, and I couldn't even work without it shutting down all the time because of the heat problem. So what I did was I undervolted the CPU, and actually this worked for me for several years. I used this undervolted for several years. You can also see this: I just took this from somewhere on the internet. They compared with undervolting and without undervolting, and you can see that the benchmark score improves by undervolting because you don't run into the thermal throttling that often.

So there are different tools to do that. On Linux you... or in Windows you could use RMClock. There's also ThrottleStop. On Linux, there's the linux-intel-undervolt GitHub repository, and there's one more actually: Adrian Tang, who, I don't know if you know, I'm a bit of a fan of. He was the lead author on CLKscrew. He wrote his PhD thesis, and in the appendix he talked about undervolting on Intel machines and how you do it. And I wish I'd read that before I started the paper; that would have saved me an awful lot of time. But thank you to the people on the internet for making my life a lot easier, because what we discovered was there is this magic model-specific register, and it's called 0x150. And this enables you to change the voltage. The people on the internet did the work for me, so I know how it works. You first of all tell it the plane index, what it is you want to raise or lower the voltage of. We discovered that the core and the cache are on the same plane, so you have to modify them both, or it has no effect; they're together. I guess in the future they'll be separate. And then you modify the offset to say I want to raise it by this much or lower it by this much. So I thought, let's have a go, let's write a little bit of code. Here is the code.
The smart people amongst you may have noticed something. I suspect even... even with my appalling C, even I would recognize that that loop should never exit. I'm just multiplying the same thing again and again and again and again and again, and expecting it to exit. That shouldn't happen. Well, let's look at what happened. So I'm going to show you what I did. Oh, there we go. So the first thing I'm going to do is set the frequency to be one thing, because I'm gonna play with voltage, and if I'm gonna play with voltage I want the frequency to be fixed. So it's quite easy using cpupower: you set the maximum and the minimum to be one gigahertz, and now my machine is running at exactly one gigahertz.

Now we'll look at the bit of code that you need to undervolt. Again, I didn't do the work; thank you to the people on the internet for doing this. You put the MSR into the kernel, and let's have a look at the code. Does that look right? Oh, it does; looks much better up there. Yes, it's that one line of code. That is the one line of code you need to open it, and then we're gonna write to it. And again, why is it doing that? We have a touch-sensitive screen here. I'm going to touch it again. That's the line of code that's going to open it, and that's how you write to it. And again, the people on the internet did the work for me and told me how I had to write that.

So what we're gonna do here is I'm just gonna undervolt, and I'm gonna undervolt, multiplying 0xdeadbeef by this really big number. I'm starting at minus 252 millivolts and we're just gonna see if I ever get out of this loop. But surely the system would just crash, right? You'd hope so, wouldn't you? Let's see. There we go. We've got a fault. I was a bit gobsmacked when that happened, because the system didn't crash, so that doesn't look too good.

So the question now is... you show some voltage here, some undervolting. Yeah. What undervolting is actually required to get a bit flip? Well, we did a lot of tests. We didn't just multiply by 0xdeadbeef, we also multiplied by random numbers. So here I'm going to just generate two random numbers, one going up to 0xffffff and one going up to 0xfff, and I'm just gonna try different... again, I'm gonna try undervolting to see if I get different bit flips. And again, I got the same bit flip. So I'm getting the same one single bit flip there. Okay, so maybe it's only ever gonna be one bit flip. Ah, I got a different bit flip. And again, a different bit flip. And you'll notice that they always appear to be bits together, next to one another.

So to answer Daniel's question: I crashed my machine a lot in the process of doing this, but I wanted to know what were good values to undervolt at, and here they are. We tried, for all the frequencies, what was the base voltage and then what was the point at which we got the first fault. And once we'd done that, it made everything really easy: we just made sure we didn't go under that and end up with a kernel panic or the machine crashing.
So this is already great, and I think this looks like it is exploitable. And the first thing that you need when you are working on a vulnerability is the name and the logo, and maybe a website, everything like that. And really, people on the internet agree with me, like this tweet. Yes, so we need a name and a logo. We don't need to... go on then, go on then, what's your idea? So I thought this is like Rowhammer: we are flipping bits, but with voltage. So I call it Volthammer, and I already have a logo for it. We're not giving it a logo. No, I think we need a logo, because people can relate more to the images there, to the logo that we have. Reading a word is much more complicated than seeing a logo somewhere. It's better for communication; you make it easier to talk about your vulnerability.

Yeah, and the name, same thing. How would you like to call it? Like "undervolting on Intel to induce flips in multiplications to then run an exploit"? No, that's not a good vulnerability name. And speaking of the name: if we choose a fancy name, we might even make it into TV shows, like Rowhammer. "The hacker used a DRAM Rowhammer exploit to gain kernel privileges." "Hey Chuck." "Yeah, I've got something for you." So this was in Designated Survivor in March 2018, and this guy just got shot. So hopefully we won't get shot.

But actually we have also been working... so my group has been working on Rowhammer, and presented this in 2015 here at CCC in Hamburg back then. It was Rowhammer.js, and we called it "root privileges for web apps", because we showed that you can do this from JavaScript in a browser. It looks pretty much like this: we hammer the memory a bit and then we see bit flips in the memory.
So how does this work? Because maybe, for another fault attack, a software-based fault attack... the only other software-based fault attack that we know. So these are related to DVFS, and this is a different effect. So what we do here is we look at the DRAM, and the DRAM is organized in multiple rows, and we will access these rows. These rows consist of so-called cells, which are a capacitor and a transistor each, and they store one bit of information each. And the row buffer... the row size usually is something like eight kilobytes, and then when you read something you copy it to the row buffer. So it works pretty much like this: you read from a row, you copy it to the row buffer. The problem now is these capacitors leak over time, so you need to refresh them frequently, and they also have a maximum refresh interval defined in a standard to guarantee data integrity. Now the problem is that cells leak faster upon proximate accesses, and that means if you access two locations in proximity to a third location, then the third location might flip a bit without accessing it. And this has been exploited in different exploits.

So the usual strategies... maybe we can use some of them. So the usual strategies here are: searching for a page with a bit flip. So you search for it, then you find some... ah, there's a flip here. Then you release the page with the flip. In the next step, now this memory is free, and now you allocate a lot of target pages, for instance page tables, and then you hope that the target page is placed there. If it's a page table, for instance like this, and you induce a bit flip: before, it was pointing to a user page; then it was pointing to no page at all, because we maybe unmapped it. And the page that we induce the bit flip in now is actually the one storing all the PTEs here. So the one in the middle, stored down there, and this one now has a bit flip, and then our pointer to our own user page changes due to the bit flip and points to, hopefully, another page table, because we filled the memory with page tables.

Another direction that we could go here is flipping bits in code. For instance, if you think about a password comparison, you might have a jump-equal check here, and the jump-equal check, if you flip one bit, transforms into a different instruction. And fortunately... oh, this already looks interesting. Ah, perfect: changing the password check into a password-incorrect check. I will always be root. And yeah, that's basically it. So these are two directions that we might look at for Rowhammer. That's also maybe a question for Rowhammer: why would we even care about other fault attacks? Because Rowhammer works on DDR3, it works on DDR4, it works on ECC memory. Does it... how does it deal with SGX?
Yeah, yeah, SGX. Yes, so maybe we should first explain what SGX is. SGX is a so-called TEE, trusted execution environment, on Intel processors, and Intel designed it this way: that you have an untrusted part, and this runs on top of an operating system, inside an application. And inside the application you can now create an enclave, and the enclave runs in a trusted part which is supported by the hardware. The hardware is the trust anchor for this trusted enclave. And the enclave now... from the untrusted part you can call into the enclave via a call gate, pretty much like a system call, and in there you execute a trusted function, then you return to this untrusted part and then you can continue doing other stuff. And the operating system has no direct access to this trusted part. This is also protected against all kinds of other attacks, for instance physical attacks.

If you look at the memory that it uses: maybe I have 16 gigabytes of RAM, then there is a small region for the EPC, the enclave page cache, the memory that enclaves use, and it's encrypted and integrity protected and I can't tamper with it. So for instance, if I want to mount a cold boot attack, pull out the DRAM, put it in another machine and read out what content it has, I can't do that because it's encrypted and I don't have the key; the key is in the processor. Quite bad. So what happens if we have bit flips in the EPC? Good question. We tried that. The integrity check fails; it locks up the memory controller, which means no further memory accesses whatsoever run through this system. Everything stays where it is and the system halts, basically. It's no exploit, it's just denial of service. Ah.

So maybe SGX can save us. So what I want to know is: Rowhammer clearly failed because of the integrity check. Is my attack, where I can flip bits, is this gonna work inside SGX? I don't think so, because they have the integrity protection, right? So what I'm gonna do is run the same thing: on the right-hand side is user space and on the left-hand side is the enclave. As you can see, I'm running at minus 261 millivolts, no error; minus 262, no error; minus two... fingers crossed we don't get a kernel panic. Do you see that thing at the bottom? That's a bit flip inside the enclave. Oh. Yeah, that's bad. Thank you. Yeah. And it's the same bit flip that I was getting in user space. That is also really interesting.

I have an idea. So it's surprising that it works, right? But I have an idea. This is basically doing the same thing as CLKscrew, but on SGX, right? Yeah. And I thought maybe you didn't like the previous logo, maybe it was just too much. So I came up with something more... and yet he's come up with... yes, SGXscrew. How do you like it? No. We don't even have an attack. We can't have a logo before we have an attack.
The logo is important, right? I mean, how would you present this on a website without a logo? Well, first of all, I need an attack. What am I going to attack with this? I have an idea what we could attack. So for instance, we could attack crypto: RSA. RSA is a crypto algorithm. It's a public-key crypto algorithm, and you can encrypt or sign messages; you can send this over an untrusted channel and then you can also verify. So this is actually a typo, which should be "decrypt" there: encrypt or verify messages with a public key, or decrypt or sign messages with a private key.

So how does this work? Yeah, basically it's based on exponentiation modulo a number, and this number is computed from two prime numbers. So for the signature part, which is similar to the decryption, basically you take the hash of the message and then take it to the power of d modulo N, the public modulus, and then you have the signature. And everyone can later on verify this, because the exponent part is public, and N is also public, so we can later on do this. Now there is one optimization which is quite nice, which is the Chinese remainder theorem. This part is really expensive; it takes a long time. So it's a lot faster if you split this in multiple parts. For instance, if you split it in two parts, you do two of those exponentiations, but with different numbers, with smaller numbers, and then it's cheaper; it takes fewer rounds. And if you do that, you of course have to adapt the formula up here to compute the signature, because you now put it together out of the two pieces of the signature that you compute.

Okay, so this looks quite complicated, but the point is we want to mount a fault attack on this. So what happens if we fault this? Let's assume we have two signatures which are not identical, right, s and s', and we basically only need to know that in one of them a fault occurred. So the first is something, the other is something else; we don't care. But what you see here is that both are multiplied by q plus s2, and if you subtract one from the other, what do you get? You get something multiplied with q. There is something else that is multiplied with q, which is p, and N is public. So what we can do now is we can compute the greatest common divisor of this and N, and get q.

Okay, so I'm interested to see... I didn't understand a word of that, but I'm interested to see if I can use this to mount an attack. So how am I going to do this? Well,
I'll write a little RSA decrypt program, and what I'll do is I'll use the same bit of multiplication that I've been using before, and when I get a bit flip, then I'll do the decryption. All this is happening inside SGX, inside the enclave. So let's have a look at this.
First of all, I'll show you the code that I wrote. Again, copied from the internet. Thank you. So there it is: I'm gonna trigger the fault, I'm gonna wait for the trigger of the fault, then I'm gonna do a decryption. Well, let's have a quick look at the code, which should be exactly the same as it was right at the very beginning when we started this. Yeah, there's my deadbeef,
written slightly differently, but there's my deadbeef. So now this is ever so slightly messy on the screen, but I hope you're gonna see this. So minus 239, fine, still fine.
Still fine. I'll just pause there. You can see at the bottom I've written "meh, all fine", if you're wondering. So what we're looking at here is a correct decryption, and you can see inside the enclave I'm initializing P and I'm initializing Q, and those are part of the private key; I shouldn't be able to get those. So 239 isn't really working. Let's try going up to minus 240.
Ooh, ooh, ooh: RSA error, RSA error. Okay, so this should work for the attack then, so let's have a look again. I copied somebody's attack on the internet, where they very kindly... it's called the Lenstra attack.
And again, I got an output. I don't know what it is, because I didn't understand any of that crypto stuff, but let me have a look in the source code and see if that exists anywhere in the source code inside the enclave. It does. I found P, and if I found P, I can find Q. So just to summarize what I've done:
from a bit flip I have got the private key out of the SGX enclave, and I shouldn't be able to do that. Yes, yes, and I think I have an idea. So you didn't like... I know where this is going. Yes, I didn't like the previous
name, so I came up with something more cute and relatable, maybe. So I thought, this is an attack on RSA, so I called it MUFASA: My Undervolting Fault Attack on RSA. That's not even a logo. That's just a picture of a lion.
It's not Star Wars now, I don't know. Okay, so Daniel, I really think you will like any of the names I suggest. Probably not. But I really enjoyed breaking RSA. So what I want to know is: what else can I break? Well, there's something else I can break if you don't like the RSA part. We can also take other crypto.
I mean, there's AES for instance. AES is a symmetric key crypto algorithm. Again, you encrypt messages, you transfer them over a public channel, this time with both sides having the key. And you can also use that for storage.
AES internally uses a four times four state matrix of four times four bytes, and it runs through ten rounds which are: the S-box, which basically replaces a byte by another byte; some shifting of rows in this matrix; some mixing of the columns; and then the round key is added, which is computed from the
AES key that you provide to the algorithm. And if we look at the last three rounds, because we want to again mount a fault attack, and there are different differential fault attacks on AES: if you look at the last rounds, because the way this algorithm works is it propagates changes, differences, through this algorithm. If you look at the state matrix, which only has a difference in the top left corner,
then this is how the state will propagate through the ninth and tenth round, and you can put up formulas to compute possible values for the state up there if
you have encryptions which only have a difference there, in exactly that single state byte. Hmm, now how does this work in practice? Well, today everyone is using AES-NI because that's super fast.
That's again an instruction set extension by Intel, and it's super fast. Well, okay, I want to have a go, right? So let me have a look if I can break some of these AES-NI instructions. So I'm gonna come at this slightly differently. Last time I waited for a multiplication fault. I'm gonna do something slightly different. What I'm gonna do is put in a loop two AES encryptions, and I wrote this using Intel's code.
I should say, we wrote this using Intel's example code. This should never fault, and we know what we're looking for. What we're looking for is a fault in the eighth round. So, let's see if we get faults with this. So the first thing is I'm gonna start at minus two hundred and sixty-two millivolts.
What's interesting is that you have to undervolt more when it's cold, so you can tell at what time of day I ran these. I got a fault, I got a fault. Oh, unfortunately, where did that... that's actually in the fourth round.
Can't do anything with that. Again, in the fifth round, can't do anything with that. Fifth round again. Oh, oh, we got one! We got one in the eighth round, and so it means I can take these two ciphertexts and I can use the differential fault attack. I actually ran this twice in order to get two pairs of faulty output,
because it made it so much easier. And again, thank you to somebody on the internet for having written a differential fault analysis attack for me. You don't need to, but it just makes it easy for the presentation. So I'm now going to compare... let me just pause there a second. I
used somebody else's differential fault attack, and for the first pair it gave me 500 possible keys, and for the second it gave me 200 possible keys. I'm overlapping them, and there was only one key that matched both, and that's the key that came out. And let's just again check inside the source code: does that key exist? What is the key?
And yeah, that is the key. So again, that's not a very good key though. No, I think if you think about randomness, it's as good as any other. Anyway, what have I done? I have flipped a bit
inside SGX to create a fault in the AES-NI instruction set. That has enabled me to get the AES key out of SGX. I shouldn't be able to do that. So now that we have multiple attacks, we should think about a logo and a name, right?
Good, because the other one wasn't very good. No, seriously, we will write this up, send this to a conference, and people will like it, right? And I already have a name and a logo for it. Come on then. CryptoVaultScrewHammer, it's like...
we attack crypto in a vault, SGX, and it's like the CLKscrew and like Rowhammer. And like... I don't think that's very catchy. But let me tell you, it's not just crypto. So we're faulting multiplications, so surely there's another use for this other than crypto, and this is where something really interesting happens.
For those of you who are really good at C, you can come and explain this to me later. This is a really simple bit of C. All I'm doing is getting an offset of an array and taking the address of that and putting it into a pointer. Why is this interesting?
Mmm, it's interesting because I want to know what the compiler does with that. So I'm gonna wave my magic wand, and what the compiler is gonna do is it's gonna make this. Why is that interesting? Simple pointer arithmetic? Hmm? Well, we know that we can fault multiplications, so we're no longer looking at crypto. We're now looking at just memory.
So, let's see if I can use this as an attack. So, let me try and explain what's going on here. On the right hand side you can see the undervolting. I'm going to create an enclave, and I've put it in debug mode so that I can see what's going on. You can see the size of the enclave, because we've got the base and the limits of it, and
if we look at that in a diagram, what that's saying is: here, if I can write anything at the top above that, that will no longer be encrypted, that will be unencrypted. Okay, let's carry on with that. So let's just write that one statement again
and again, that pointer arithmetic, again and again and again, whilst I'm undervolting, and see what happens. Oh, suddenly it changed, and if you look at where it's mapped it to, it's mapped that pointer to memory that is no longer inside SGX. It's put it into
untrusted memory. So we're just doing the same statement again and again whilst undervolting. Bish! We've written something that was in the enclave out of the enclave. And I'm just going to display the page of memory that we've got there to show you what it was. And there's the one line. It's deadbeef. And again, I'm just going to look in my
source code to see what it was. Yeah, it's, you know, endian this, blah blah blah. I have now not even used crypto. I have purely used pointer arithmetic to take something that was stored inside Intel's SGX and
removed it into user space where anyone can read it. So yes, I get your point. It's more than just crypto, right? Yeah, it's way beyond that. So we leaked RSA keys, we leaked AES keys. Yeah, and not just that though, we did memory corruption. Okay, so yeah, okay, CryptoVault...
Okay, point taken, it's not the ideal name, but maybe you could come up with something. We need a name, and the pressure's on me then, right? Here we go. So it's got to be due to undervolting, because we're undervolting. Maybe we can get a pun on volt and vault in there somewhere.
We're stealing something, aren't we? We're corrupting something, maybe. Maybe we're plundering something. Yeah, I know. Yeah, let's call it Plundervolt. Oh no. No, no, that's not it. That's not a good name. No, we need something. This is really not a good name. People will... wait, wait, wait, wait, you can read this if you like, Daniel.
Okay, I think I get it. I think I get it. No, no, I haven't finished.
Yeah, this is really also a very nice comment. Yes, the quality of the videos, I think you did a very good job there. Thank you. Also the website, really good. So just to summarize what we've done with Plundervolt:
It's a new type of attack. It breaks the integrity of SGX. Within SGX we're doing stuff we shouldn't be able to, like AES keys. We leak AES keys. Yeah, and
we are retrieving the RSA signature key. Yeah, and yes, we induced memory corruption in bug-free code, and we made the enclave write secrets to untrusted memory. This is the paper that's been accepted next year. It is my first paper. So thank you very much. Kit, that's me.
Thank you David Oswald, Flavio Garcia, Jo Van Bulck, and of course the infamous
and Frank Piessens. So all that really remains for me to do is to say thank you very much. Wait a second, wait a second, there's one more thing. I think you overlooked one of the tweets. I added it here. You didn't see this slide yet. I haven't seen this one. I really like it. It's a slightly ponderous pun on Thunderbolt.
Pirate-themed logo. A pirate-themed logo, I really like it. And if it's a pirate-themed logo, don't you think there should be a pirate-themed song? Daniel, have you written a pirate-themed song?
Go on then, play it. Let's hear the pirate theme song. Oh
Just take a minute. Thanks to
Thanks to Mano de Viva and also to my group at TU Graz for volunteering for the choir. And then, I mean, this is now the last slide: thank you for your attention, thank you for being here, and we would like to answer questions in the Q&A.
Thank you for a great talk. Thank you some more for the song. All right, if you have questions, please line up on the microphones in the room. First question goes to the Signal Angel: any question from the internet? No, not for now.
All right, then microphone number four, your question please. Hi, thanks for the great talk. So why does this happen now? I mean, thanks for the explanation for Rowhammer, but it wasn't clear what's going on there. So if you look at circuits, for the signal to be
ready at the output, electrons have to travel a bit. If you increase the voltage, things will go faster, so you will have the output signal ready at an earlier point in time.
Now the frequency that you choose for your processor should be related to that. So if you choose the frequency too high, the outputs will not be ready at this circuit, and this is exactly what happens if you reduce the voltage: the outputs are not ready yet for the next clock cycle. And interestingly, we couldn't fault really short instructions.
So anything like an add or an xor was basically impossible to fault, so they had to be complex instructions that probably weren't finishing by the time the next clock tick arrived. Yeah, thank you. Thanks for the answer. Microphone number four again. Hello, it's a very interesting theoretical approach, I think, but you were capable to break these
crypto mechanisms, for example, because you could do zillions of iterations and you are sure to trigger the fault. But in practice, say if someone is having a secure conversation, is it practical, even close to possible, to break it with that?
It totally depends on your threat model. So what can you do with the enclave? We are assuming that we are running with root privileges here, and the root-privileged attacker can certainly run the enclave with certain inputs again and again. If the enclave doesn't have any protection against replay, then certainly we can mount an attack like that. Yes.
Thank you. Signal Angel, your question. Somebody asked if the attack only applies to Intel, or to AMD or other architectures, was the question. I suspect right now there are people trying this attack on AMD, in the same way that when CLKscrew came out
there were an awful lot of people starting to do stuff on Intel as well. We saw the CLKscrew attack on ARM with frequency, then we saw ARM with voltage, now we've seen Intel with voltage, and someone else has done similar: V0LTpwn has done something very similar to us. And I suspect AMD is the next one. I guess because it's not out there as much, we've tried to do them in the order of, you know, scaring people,
scaring as many people as possible as quickly as possible. Thank you for the explanation. Microphone number four. Thanks for the presentation. Can you get similar results by
hardware? I mean by tweaking the voltage that you provide to the CPU. Well, I refer you to my earlier answer. I know for a fact that there are people doing this right now with physical hardware, seeing what they can do. Yes, and I think it will not be long before that paper comes out.
Thank you. Thanks. Microphone number one, your question. Sorry, microphone number four again. Sorry. Hi, thanks for the talk. Two small questions. One: why doesn't anything break inside SGX
when you do these tricks? And second one: why, when you write outside the enclave's memory, is the value not encrypted? So the enclave is an encrypted area of memory. So when it points to unencrypted memory, it's just going to write it to the unencrypted memory.
Does that make sense? From the enclave's perspective, none of the memory is encrypted. This is just transparent to the enclave. So if the enclave writes to another memory location, yes, it just won't be encrypted. Yeah. Yeah, and what's happening is we're getting flips in the registers,
which is why I think we're not getting an integrity check, because the enclave is completely unaware that anything's even gone wrong. It's got a value in its memory and it's gonna use it. Yeah, the integrity check is only on the memory that you load from RAM. Okay, microphone number seven. Yeah, thank you.
Interesting work. I was wondering, you showed us the example of the code that wrote outside the enclave memory using simple pointer arithmetic. Have you been able to talk to Intel about why this memory access actually happens? I mean, you showed us the output of the program, it crashes,
but nevertheless it writes the result to the resulting memory address. So there must be something wrong, like the attack that happened two years ago at the Congress, about... yeah, you know all that stuff. So
generally enclaves can read and write any memory location in their host application. We have also published papers that basically argue that this might not be a good design decision. But that's the current design, and the reason is that this makes interaction with the enclave very easy.
You can just place your payload somewhere in the memory, hand the pointer to the enclave, and the enclave can use the data from there, maybe copy it into the enclave memory if necessary, or directly work on the data. So that's why this memory access to the normal memory region is not illegal.
And if you want to know more, you can come and find Daniel afterwards. Okay, thanks for the answer. Signal Angel, the question from the internet. Yes, and the question came up of how stable the system you're attacking with the hammering is while you're performing the attack.
It's really stable once I'd been through three months of crashing the computer. I got to a point where I had a really, really good frequency/voltage combination, and we did discover on all Intel chips it was different. So even what looked like... we bought an almost identical little NUC, we put one with exactly the same spec, and it had a different sort of
frequency/voltage model. But once we'd done this sort of benchmarking, you could pretty much do any attack without it crashing at all. Yeah, but without this benchmarking, it's true, it would be a nightmare. Yeah, I wish I'd done that at the beginning. It would have saved me so much time.
Thanks again for answering. Microphone number four, your question. Can Intel fix this with a microcode update? So there are different approaches to this. Of course the quick fix is to remove the access to the MSR, which is of course inconvenient because you can't undervolt your system anymore.
So maybe you want to choose whether you want to use SGX or want to have a gaming computer where you undervolt the system or control the voltage from software. But is this a real fix? I don't know. I think there are more vectors, right? Yeah. Well, I'll be interested to see what they're going to do with the next generation of chips. No.
All right, microphone number seven, what's your question? Yes, similarly to the other question: is there a way you can prevent such attacks when writing code that runs in the secure enclave? Well, no, that's the interesting thing. It's really hard to do, because we weren't writing code with bugs.
We were just writing normal pointer arithmetic, normal crypto. If anywhere in your code you're using a multiplication, it can be attacked. Yeah, but of course you could use fault-resistant implementations inside the enclave. Whether that is a practical solution is... yeah, you write duplicated code and do comparisons, things like that. But if, yeah.
Okay, microphone number three, what's your question? Hi, I can't imagine Intel being very happy about this, and recently they were under fire for how they were handling coordinated disclosure. So can you summarize your experience? They were really nice. They were really nice. We disclosed really early, like
before we had all of the attacks. We just had a PoC at that point. Yeah. They've been really nice, they wanted to know what we were doing, they wanted to see all our attacks. I found them lovely. Yes. Am I allowed to say that? I
mean, they also have an interest in making these processes smooth so that vulnerability researchers also report to them, because if everyone says all this was awful, then they will also not get a lot of reports. But if they do their job well, and they did in our case, then of course it's nice.
Okay, microphone number... We even got a bug bounty. We did get a bug bounty. I didn't want to mention that, 'cause I haven't told my university yet. Thank you for the funny talk. If I understood you right, it means to really be able to exploit this you need to do some benchmarking on the machine that you want
to exploit. Do you see a way to convert this to a remote exploit? I mean, to me it seems you need physical access right now, because you need to reboot the machine. If you've done benchmarking on an identical machine, I don't think you would have to have physical access,
but you would have to make sure that it's really an identical machine. Yeah, but in the cloud you will find a lot of identical machines. Okay, microphone number four again.
Also, as we said, the temperature plays an important role. You will also in the cloud find a lot of machines at similar temperatures. And there's a lot of this stuff we didn't show you. We did start measuring the total amount of clock ticks it took to do maybe 10 RSA encryptions, and then we did start doing very specific timing attacks.
But obviously it's much easier to just do 10,000 of them and hope that one faults. All right, it seems there are no further questions. Thank you very much for your talk, for your Eastern, for answering all the questions.