- An undocumented feature in Intel CPUs was leading to vulnerabilities that could compromise the safety of the system.
- It affects all SGX-enabled Intel Core processors starting with the Skylake generation.
The frequency and voltage in all modern processors are adjusted automatically as necessary. Chip manufacturers also give users an option to manually set the frequency and voltage using in combination with Intel SGX.
Lately, a group of researchers came across a flaw with the software used to adjust the voltage and frequency of a processor.
A team of academic researchers revealed that an undocumented feature in Intel CPUs was leading to vulnerabilities that could compromise the safety of the system.
- A new fault injection attack dubbed Plundervolt was developed to compromise Intel SGX secrets.
- An attacker could manipulate the voltage of CPUs to trigger computational faults in a controlled manner.
- The security of the Intel SGX trusted execution environment was challenged since it protects cryptographic secrets and isolates sensitive code execution in memory.
Researchers from the University of Birmingham in the UK, Graz University of Technology in Austria and KU Leuven in Belgium, developed this new attack tool.
“We were able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations. This means that even Intel SGX's memory encryption/authentication technology cannot protect against Plundervolt,” said the researchers.
How does Plundervolt work?
Normally, a fault injection attack involves manipulating the normal operating conditions of a system and looking for unexpected errors.
Plundervolt, however, doesn’t use a physical manipulation technique. It exploits a dynamic voltage scaling feature that Intel CPUs already have and that can be triggered from software through a special Model Specific Register (MSR). This interface is there because modern CPUs automatically adjust their operating frequency.
“Crucially, since the faults happen within the processor package, i.e., before the results are committed to memory, Intel SGX’s memory integrity protection fails to defend against our attacks. To the best of our knowledge, we are the first to practically showcase an attack that directly breaches SGX’s integrity guarantees,” said the researchers in their paper.
Plundervolt affects all SGX-enabled Intel Core processors starting with the Skylake generation. Previous generations of Intel Core processors also have the under-voltage interface, but it does not pose a threat outside of the SGX context.
Mitigation and response
Though the researchers proposed several possible countermeasures in their paper, at the hardware and microcode level as well as the software level, Intel has patched the flaw by disabling access to the particular voltage scaling interface, the MSR.
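The following toy model is an added example, not code from the article or the researchers' paper. It shows why an integrity tag applied when a result is committed to memory cannot flag a result that was already wrong inside the processor, and how a compute-twice check can withhold it. `MEM_KEY`, `fault_mask`, the function names and the compute-twice check are assumptions made for illustration; the article does not say which software countermeasures the paper proposes.

```python
import hashlib
import hmac
import os

# Toy model, constructed for illustration: MEM_KEY stands in for the memory
# integrity key that protects enclave data once it has left the CPU package.
MEM_KEY = os.urandom(32)

def commit(value):
    """Write a result to protected memory: data plus an integrity tag."""
    data = value.to_bytes(16, "big")
    return data, hmac.new(MEM_KEY, data, hashlib.sha256).digest()

def load(data, tag):
    """Read from protected memory, rejecting anything altered after commit."""
    expected = hmac.new(MEM_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("memory integrity check failed")
    return int.from_bytes(data, "big")

def multiply(a, b, fault_mask=0):
    """Enclave computation; fault_mask models bits flipped inside the CPU."""
    return (a * b) ^ fault_mask

def unchecked(a, b, fault_mask=0):
    """Commit whatever the CPU produced: a faulty result gets a valid tag."""
    return load(*commit(multiply(a, b, fault_mask)))

def tampered_after_commit(a, b):
    """Contrast case: a bit flipped after commit is caught by the tag."""
    data, tag = commit(multiply(a, b))
    return load(bytes([data[0] ^ 1]) + data[1:], tag)

def checked(a, b, fault_masks=(0, 0)):
    """Assumed countermeasure: compute twice, compare, then commit."""
    r1 = multiply(a, b, fault_masks[0])
    r2 = multiply(a, b, fault_masks[1])
    if r1 != r2:
        raise RuntimeError("computation fault detected, result withheld")
    return load(*commit(r1))

if __name__ == "__main__":
    a, b = 0x1234567, 0x89ABCD  # constructed sample operands
    print("correct :", hex(unchecked(a, b)))
    print("faulted :", hex(unchecked(a, b, fault_mask=1 << 20)), "(tag verifies)")
```

Redundant execution only catches faults that differ between the two runs; the same fault in both runs still produces a committed, validly tagged wrong result.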