CISPA

CacheWarp: Software-based Fault Injection using Selective State Reset

conference contribution
posted on 2024-03-05, 12:22 authored by Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz
AMD SEV is a trusted-execution environment (TEE), providing confidentiality and integrity for virtual machines (VMs). With AMD SEV, it is possible to securely run VMs on an untrusted hypervisor. While previous attacks demonstrated architectural shortcomings of earlier SEV versions, AMD claims that SEV-SNP prevents all attacks on the integrity. In this paper, we introduce CacheWarp, a new software-based fault attack on AMD SEV-ES and SEV-SNP, exploiting the possibility to architecturally revert modified cache lines of guest VMs to their previous (stale) state. Unlike previous attacks on the integrity, CacheWarp is not mitigated on the newest SEV-SNP implementation, and it does not rely on specifics of the guest VM. CacheWarp only has to interrupt the VM at an attacker-chosen point to invalidate modified cache lines without them being written back to memory. Consequently, the VM continues with architecturally stale data. In 3 case studies, we demonstrate an attack on RSA in the Intel IPP crypto library, recovering the entire private key, logging into an OpenSSH server without authentication, and escalating privileges to root via the sudo binary. While we implement a software-based mitigation proof-of-concept, we argue that mitigations are difficult, as the root cause is in the hardware.

Preferred Citation

Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler, Michael Schwarz. CacheWarp: Software-based Fault Injection using Selective State Reset. 2023.

Primary Research Area

  • Threat Detection and Defenses

Legacy Posted Date

2023-11-14

Open Access Type

  • Repository

BibTeX

@inproceedings{cispa_all_4051,
  author = {Ruiyi Zhang AND Lukas Gerlach AND Daniel Weber AND Lorenz Hetterich AND Youheng Lü AND Andreas Kogler AND Michael Schwarz},
  title = {CacheWarp: Software-based Fault Injection using Selective State Reset},
  year = {2023}
}
