AMD's SEV virtual machine encryption can be broken to extract memory data, researchers say

German security researchers have discovered a new, serious security flaw in AMD’s Secure Encryption Virtualization (SEV) technology that could allow hackers to extract memory data from virtual machines (VMs) in plain-text. The SEV technology is a hardware feature that comes in AMD’s EPYC line of server chips and is designed to help protect VMs from vulnerabilities and malicious hypervisor controller attacks.

SEV decrypts and encrypts virtual machines using RAM to make sure the host operating system, hypervisor or any malware on the host computer cannot access, inspect or interfere with the protected VM.

However, a group of researchers from the Fraunhofer Institute for Applied and Integrated Security have discovered a technique to bypass the SEV’s protection mechanism using a side channel attack dubbed “SEVered”.

In a research paper published last week, researchers detailed the exploit that allows attackers to bypass protections and copy information out of guest VMs running on the same server as the one attacked that should be encrypted.

“SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine,” researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel explained in the paper. “SEVered reliably and efficiently extracts all memory contents, even in scenarios where the targeted virtual machine is under high load.”

How does it work?

According to researchers, the attack essentially exploits the lack of integrity protection in SEV’s encryption of main memory.

As controllers for virtual machines, hypervisors can access sensitive data stored in VM memory and are responsible for second-level address translation. They can also maintain the VM’s General Physical Access (GPA) to Host Physical Address (HPA) mapping in the main memory.

Therefore, an attacker with access to the hypervisor can maliciously change that mapping and identify linked information - such as keys, passwords, or classified information - when the RAM is queried. They can also restore the mapping back to their original HPAs after completing their nefarious activities.

“We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside,” read the research paper. “We first identify the encrypted pages in memory corresponding to the resource, which the service returns as a response to a specific request. By repeatedly sending requests for the same resource to the service while re-mapping the identified memory pages, we extract all the VM’s memory in plaintext.”

Researchers note that the attack is difficult to carry out and requires several techniques to properly identify the encrypted pages being queried, but is certainly achievable.

In their own tests, the team was able to extract an entire 2GB of memory from the targeted VM, including data from a guest VM. In the experimental setup, researchers used a Debian GNU/Linux test server running on an AMD Epyc 7251 processor with SEV enabled, running the Apache web server in a virtual machine. They then used the system’s Kernel-based Virtual Machine (KVM) hypervisor and modified it to see when software within the guest accessed physical RAM.

While Apache and Nginx web servers extracted memory data at a speed of 79.4 KB/sec, OpenSSH was slower, retrieving data at 41.6 KB/sec.

AMD has confirmed the vulnerability to Threatpost saying: “AMD is currently working with the ecosystem to protect against vulnerabilities that are more difficult to exploit, such as malicious hypervisor attacks like those recently detailed by German researchers”

There are currently no patches or fixes for the issue at the time of writing.

Since the attack targets a hardware feature used for secure encryption, a fix for the issue would be difficult while a software-based solution would prove to be inefficient fix.

“Integrity protection can hardly be achieved in software as the VM would require efficient and reliable software mechanisms to protect itself from modification of memory mappings and contents, e.g., by maintaining hashes in a safe location,” researchers noted. “Both mechanisms seem hard to realize to reliably protect an entire VM at all times, and would probably incur an intolerable performance overhead. We thus consider software-based countermeasures insufficient solutions against our attack.”

However, securely combining the hash of the page’s content with the guest-assigned GPA could ensure that pages “cannot easily be swapped by changing the GPA to HPA mapping. Adding a nonce additionally ensures that an old page for the GPA cannot be replayed into the guest by a malicious [hypervisor].”