CISPA

CacheWarp: Software-based Fault Injection using Selective State Reset

Version 2 2024-01-26, 13:19
Version 1 2024-01-26, 09:00
conference contribution
posted on 2024-01-26, 13:19 authored by Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Andreas Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz
AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity. In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

Usenix Security Symposium (USENIX-Security)

Journal

USENIX Security

BibTeX

@conference{Zhang:Gerlach:Weber:Hetterich:Lü:Kogler:Schwarz:2024,
  title = "CacheWarp: Software-based Fault Injection using Selective State Reset",
  author = "Zhang, Ruiyi and Gerlach, Lukas and Weber, Daniel and Hetterich, Lorenz and Lü, Youheng and Kogler, Andreas and Schwarz, Michael",
  year = 2024,
  month = 8,
  journal = "USENIX Security"
}
