Lord777
Researchers at the Helmholtz Center for Information Security (CISPA) have published a new attack method, CacheWarp, that compromises the AMD SEV (Secure Encrypted Virtualization) protection mechanism, which virtualization systems use to protect virtual machines from interference by the hypervisor or the host system administrator. The method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges in a VM protected with AMD SEV.
The attack exploits a vulnerability (CVE-2023-20592) caused by incorrect cache handling during execution of the INVD processor instruction, which can leave memory and cache holding mismatched data and bypass the virtual machine memory integrity mechanisms implemented by the SEV-ES and SEV-SNP extensions. The vulnerability affects AMD EPYC processors from the first to the third generation.
For third-generation AMD EPYC processors (Zen 3), the issue was fixed in the November microcode update released yesterday by AMD (the fix does not result in performance degradation). For the first and second generations of AMD EPYC (Zen 1 and Zen 2), no protection is provided, because these CPUs do not support the SEV-SNP extension, which provides virtual machine integrity control. The fourth generation of AMD EPYC processors, "Genoa", based on the Zen 4 microarchitecture, is not affected.
AMD SEV technology is used to isolate virtual machines by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure, and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. Additionally, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system has access to the decrypted data; other VMs and the hypervisor receive encrypted data when they attempt to access this memory.
In the third generation of AMD EPYC processors, an additional extension, SEV-SNP (Secure Nested Paging), was implemented, which provides secure operation with nested memory page tables. In addition to general memory encryption and register isolation, SEV-SNP adds memory integrity protection that prevents the hypervisor from making changes to the VM. Encryption keys are managed by a separate PSP (Platform Security Processor) built into the chip and based on the ARM architecture.
The essence of the proposed method is to use the INVD instruction to invalidate dirty blocks (lines) in the cache without writing the data accumulated in the cache back to memory (write-back). This discards the modified data from the cache without changing the state of memory. To perform the attack, it is proposed to use software exceptions (fault injection) to interrupt the operation of the VM at two points: at the first, the attacker executes the "wbnoinvd" instruction to write all write operations accumulated in the cache back to memory, and at the second, the attacker executes the "invd" instruction to return write operations that are not yet reflected in memory to the old state.
To check your systems for the vulnerability, a prototype exploit has been published that injects an exception into a VM protected with AMD SEV and rolls back changes in the VM that have not yet been written to memory. Rolling back a change can be used to alter the course of program execution by restoring an old return address on the stack, or to reuse the parameters of an old session that was previously authenticated at login by restoring the old value of the authentication attribute.
For example, the researchers demonstrated using the CacheWarp method to perform a Bellcore attack on the implementation of the RSA-CRT algorithm in the ipp-crypto library, which allowed the private key to be recovered by injecting an error into the computation of a digital signature. They also showed how session verification parameters can be replaced in OpenSSH when connecting to a guest remotely, and how the verification state can then be changed while the sudo utility is running to get root rights in Ubuntu 20.04. The exploit was tested on systems with AMD EPYC 7252, 7313P, and 7443 processors.
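
The write-back and invalidate semantics the post describes can be seen in a toy cache model. This is an added example, not part of the original post or the researchers' code; the class, the `run_guest` helper and the `auth_ok`/`counter` variables are hypothetical, and the model stands in for no real CPU.

```python
# Added illustration: a toy write-back cache, not a model of any real CPU.
class WriteBackCache:
    def __init__(self, memory):
        self.memory = memory   # backing store: address -> value
        self.lines = {}        # cached lines: address -> (value, dirty)

    def write(self, addr, value):
        # A store lands in the cache only; the line becomes dirty.
        self.lines[addr] = (value, True)

    def read(self, addr):
        if addr not in self.lines:   # miss: fill from memory as a clean line
            self.lines[addr] = (self.memory[addr], False)
        return self.lines[addr][0]

    def wbnoinvd(self):
        """Write every dirty line back to memory; keep the lines cached."""
        for addr, (value, dirty) in self.lines.items():
            if dirty:
                self.memory[addr] = value
                self.lines[addr] = (value, False)

    def wbinvd(self):
        """Write dirty lines back, then invalidate: no store is lost."""
        self.wbnoinvd()
        self.lines.clear()

    def invd(self):
        """Invalidate every line WITHOUT write-back: dirty data is dropped."""
        self.lines.clear()


def run_guest(second_op):
    """Constructed guest timeline with two interruption points.

    Memory starts with auth_ok=1, a value left over from an earlier,
    authenticated session (hypothetical variable names)."""
    cache = WriteBackCache({"auth_ok": 1, "counter": 0})
    cache.write("counter", 7)
    cache.wbnoinvd()             # point 1: all earlier stores reach memory
    cache.write("auth_ok", 0)    # the only store made between the two points
    getattr(cache, second_op)()  # point 2: "invd" or "wbinvd"
    return cache.read("auth_ok"), cache.read("counter")
```

With `invd` at the second point the guest reads back the stale `auth_ok` while `counter` keeps its new value; with `wbinvd` both stores survive.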
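
Why a single wrong value in an RSA-CRT signature exposes the private key, and the self-check that stops it, as an added example that is not part of the original post and is not ipp-crypto code. The toy key is constructed from two small Mersenne primes, the fault is simulated with a bit flip rather than a cache rollback, and all function names are hypothetical.

```python
from math import gcd

# Constructed toy key (readable sizes only; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
M = 0xC0FFEE1234  # constructed message representative, already below N


def sign_crt(m, fault=False):
    """RSA-CRT signature: two half-size exponentiations, then recombination."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault:
        sq ^= 1  # simulated stand-in for one lost or corrupted write in the q-half
    h = (pow(Q, -1, P) * (sp - sq)) % P   # Garner recombination
    return (sq + Q * h) % N


def factor_from_signature(m, s):
    """Bellcore observation: a signature correct mod P but wrong mod Q
    gives gcd(s^E - m, N) = P. A correct signature gives N (nothing leaks)."""
    return gcd((pow(s, E, N) - m) % N, N)


def sign_crt_checked(m, fault=False):
    """Hardened form: verify with the public exponent before releasing."""
    s = sign_crt(m, fault)
    if pow(s, E, N) != m % N:
        raise ValueError("signature self-check failed; result withheld")
    return s


if __name__ == "__main__":
    print("correct signature leaks factor:", factor_from_signature(M, sign_crt(M)) != N)
    print("faulty signature leaks factor: ", factor_from_signature(M, sign_crt(M, True)) == P)
    try:
        sign_crt_checked(M, fault=True)
    except ValueError as err:
        print("checked signer:", err)
```

The self-check costs one public-exponent exponentiation per signature and withholds the one output that would expose a factor of the modulus.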