Platypus Attack Abuses RAPL Mechanism to Steal Data from Intel CPUs

Researchers at the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology have disclosed a new software-based power side-channel attack named Platypus, an acronym for "Power Leakage Attacks: Targeting Your Protected User Secrets."

Key factors

Platypus is described by its authors as the first purely software-based power side-channel attack: it exploits fluctuations in CPU power consumption to extract sensitive data, such as cryptographic keys, from desktop PCs, laptops, and cloud servers built on Intel and AMD processors.
  • According to the research team, Linux systems are affected out of the box because the kernel's powercap framework exposed the RAPL energy counters to every local user. Windows and macOS are affected only where a driver that exposes the counters (such as Intel Power Gadget) has been installed.
  • Unlike classic power analysis, which needs an oscilloscope or probe attached to the hardware, Platypus reads the processor's own energy counters from software, so the attacker needs no physical access at all, only the ability to run code on the machine.

The experiment

  • The attack rests on two building blocks: the Running Average Power Limit (RAPL) interface, which reports the energy consumed by the package, cores, and memory, serves as the measurement channel; Intel's Software Guard Extensions (SGX), which isolates enclave memory from the operating system, is one of the targets.
  • By correlating RAPL energy readings with what the processor is executing, the researchers showed that they could distinguish individual instructions and the Hamming weight of their operands, bypass KASLR, recover AES-NI keys from the Linux kernel, and recover AES-NI and RSA keys being processed inside Intel SGX enclaves.

Security updates resolve the threat

  • In its advisory, Intel addressed two issues: CVE-2020-8694 (the Linux powercap driver left the RAPL energy counters readable by any unprivileged user; the kernel fix makes them root-only) and CVE-2020-8695 (the RAPL interface itself leaks information about SGX enclaves; a microcode update reduces the precision of RAPL readings while SGX is enabled). Both the kernel update and the microcode update are required for full protection.
  • The researchers also observed leakage through the energy counters of AMD processors and of ARM-based devices. AMD tracks the issue as CVE-2020-12912 and has restricted its Linux RAPL (hwmon energy) interface to privileged users.
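The measurement primitive the experiment relies on, and the kernel-side fix described above, can both be checked with the following script. It is an added example written for this page, not code from the Platypus researchers, Intel, or the Linux kernel; it assumes the powercap sysfs layout exposed by the intel-rapl driver (`/sys/class/powercap/<zone>/energy_uj` beside `max_energy_range_uj`), and the fake tree it builds in `make_fake_powercap_tree()` is constructed here only so the functions can be exercised without RAPL hardware.

```python
"""Check whether the Linux powercap RAPL energy counters used by Platypus are
readable from an unprivileged process, and read them correctly.

Added example for this page, not the researchers' or the kernel's own code.
Assumption: the intel-rapl powercap layout, /sys/class/powercap/<zone>/energy_uj
with a sibling max_energy_range_uj. The fake tree built by
make_fake_powercap_tree() is a constructed stand-in for offline runs.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Iterable, List, Tuple

POWERCAP_ROOT = Path("/sys/class/powercap")


def energy_counters(root: Path = POWERCAP_ROOT) -> List[Path]:
    """All energy_uj files under the powercap class directory (one per RAPL domain)."""
    if not root.is_dir():
        return []
    return sorted(root.glob("*/energy_uj"))


def world_readable(paths: Iterable[Path]) -> List[Path]:
    """Counters any local user can read. With the CVE-2020-8694 fix they are mode 0400."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IROTH]


def energy_delta_uj(before: int, after: int, max_range_uj: int) -> int:
    """Microjoules consumed between two samples, correcting for the counter
    wrapping at max_energy_range_uj (the hardware counter is 32 bits wide)."""
    if after >= before:
        return after - before
    return (max_range_uj - before) + after


def read_counter(zone: Path) -> Tuple[int, int]:
    """Return (energy_uj, max_energy_range_uj) for one RAPL zone directory."""
    return (
        int((zone / "energy_uj").read_text()),
        int((zone / "max_energy_range_uj").read_text()),
    )


def measure_uj(zone: Path, workload: Callable[[], None]) -> int:
    """Energy attributed to `workload` by one before/after read of a zone.
    This single read is the attacker's measurement primitive; it works from
    user space only on an unpatched kernel, otherwise only as root."""
    before, max_range = read_counter(zone)
    workload()
    after, _ = read_counter(zone)
    return energy_delta_uj(before, after, max_range)


def make_fake_powercap_tree(energy_uj: int = 0, mode: int = 0o444) -> Path:
    """Constructed sysfs look-alike (not a real RAPL domain) for offline tests.
    The max_energy_range_uj value is a representative one, not read from hardware."""
    root = Path(tempfile.mkdtemp(prefix="powercap-"))
    zone = root / "intel-rapl:0"
    zone.mkdir()
    (zone / "name").write_text("package-0\n")
    (zone / "max_energy_range_uj").write_text("262143328850\n")
    counter = zone / "energy_uj"
    counter.write_text(f"{energy_uj}\n")
    counter.chmod(mode)
    return root


def audit(root: Path = POWERCAP_ROOT) -> str:
    """One-line verdict on whether the CVE-2020-8694 exposure is still present."""
    if not root.is_dir():
        return "no powercap interface present"
    exposed = world_readable(energy_counters(root))
    if exposed:
        return "EXPOSED: " + ", ".join(str(p) for p in exposed)
    return "ok: RAPL energy counters are root-only"


if __name__ == "__main__":
    print(audit())
```

Run it as a normal user: a verdict of EXPOSED means any local process can still sample the counters, which is the condition CVE-2020-8694 describes; on a kernel carrying the fix the files are mode 0400 and `audit()` reports ok. Two caveats for anyone building on `measure_uj()`: the counter is refreshed only about once per millisecond, so back-to-back reads often return the same value, and it wraps, which is why the delta goes through `energy_delta_uj()`. The script checks the powercap path only; the raw MSR path under `/dev/cpu/*/msr` has always required root.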

Conclusion

The researchers showed that software-based power side-channel attacks are particularly powerful against SGX because a privileged attacker can zero-step an enclave: by interrupting it before the targeted instruction retires, the same instruction can be replayed as often as needed, and averaging many RAPL samples removes the measurement noise that would otherwise hide a single operation. Other processor vendors are likely affected as well, since their products also expose RAPL-style energy interfaces. The vendor fixes exist; users should apply both the kernel or driver updates and the microcode updates to close the channel.