Man
Professional
What are the secrets of the CounterSEVeillance and TDXDown attacks?
Cybersecurity researchers have recently discovered a number of vulnerabilities in the Trusted Execution Environments (TEEs) of AMD and Intel processors. One of the attacks, called CounterSEVeillance, targets AMD's Secure Encrypted Virtualization (SEV) technology, including the SEV-SNP extension, which protects confidential virtual machines (VMs) even in shared hosting environments. Researchers from Graz University of Technology and the Fraunhofer Institutes presented a technique that uses performance counters as a side channel to track instruction execution in the VM step by step.
The team showed that with CounterSEVeillance it is possible to extract an RSA-4096 key in just a few minutes and to recover TOTP one-time passwords in 30 attempts. To carry out the attack, an attacker needs privileged access to the host machine running the isolated VMs. In a hypothetical attack scenario, the threat could come from the cloud service provider itself or from state-sponsored hacker groups.
At the same time, another attack method was presented: TDXDown, developed by researchers at the University of Lübeck. It is aimed at bypassing the protection in Intel's Trust Domain Extensions (TDX) technology. Despite TDX's built-in mechanisms against single-stepping attacks, the researchers discovered a vulnerability that allowed them to bypass these countermeasures, and also demonstrated the StumbleStepping method, with which they were able to recover ECDSA keys.
Both manufacturers reacted quickly to the identified attacks. AMD acknowledged that performance counters are not protected by SEV and SEV-SNP, and recommended that developers avoid secret-dependent control flow. The company also announced performance counter virtualization in its future Zen 5-based products.
Intel, in turn, fixed the TDXDown vulnerability and assigned it the identifier CVE-2024-27457, noting that the issue poses a low risk in real-world conditions. The StumbleStepping technique, according to the company, falls outside the scope of the current protection mechanisms, so it will not be assigned a CVE.
These studies show that even the most advanced security technologies are not immune to new attack vectors, underscoring the need to continually improve protection mechanisms and to account for hidden threats that can penetrate the trusted execution layer.
Source
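An added example, not part of the original post and not code from the Graz, Fraunhofer or Lübeck researchers: it models the leakage class behind the RSA key extraction described above. A privileged host that single-steps a confidential VM and samples performance counters sees how many instructions each step retires, so a loop whose work per iteration depends on a key bit hands the key over one bit per step. The `StepCounter` class, the 16-bit toy exponent, the small modulus and the "one unit of work per multiplication" cost model are all constructed here as stand-ins for a real retired-instruction counter and a real RSA-4096 exponentiation; they are not from the paper. The block contrasts a textbook square-and-multiply, which AMD's guidance against secret-dependent control flow would flag, with a Montgomery ladder using an arithmetic conditional swap, whose per-step work is uniform.

```python
"""Toy instruction-count side channel against secret-dependent exponentiation.

Constructed example: `StepCounter` stands in for the host-visible performance
counter, sampled once per single-step; ctr.work(n) stands in for n retired
instructions. Real attacks step per instruction and use RSA-4096 moduli.
"""
from typing import Dict, List


class StepCounter:
    """Host-side view: the counter delta observed at each single-step boundary."""

    def __init__(self) -> None:
        self.trace: List[int] = []
        self._current = 0

    def work(self, units: int = 1) -> None:
        self._current += units          # "retired instructions" in this step

    def step_boundary(self) -> None:
        self.trace.append(self._current)
        self._current = 0


def leaky_modexp(base: int, exp: int, mod: int, ctr: StepCounter, nbits: int) -> int:
    """Square-and-multiply: a 1 bit costs an extra multiply, a 0 bit does not."""
    result = 1
    for i in range(nbits - 1, -1, -1):
        result = result * result % mod
        ctr.work(1)
        if (exp >> i) & 1:              # secret-dependent branch: leaks the bit
            result = result * base % mod
            ctr.work(1)
        ctr.step_boundary()
    return result


def ladder_modexp(base: int, exp: int, mod: int, ctr: StepCounter, nbits: int) -> int:
    """Montgomery ladder with an arithmetic conditional swap: every iteration
    performs exactly one multiply and one square, whatever the key bit is."""
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        mask = -((exp >> i) & 1)        # 0 for a 0 bit, -1 (all ones) for a 1 bit
        t = (r0 ^ r1) & mask            # branch-free swap when the bit is 1
        r0 ^= t
        r1 ^= t
        r1 = r0 * r1 % mod
        r0 = r0 * r0 % mod
        t = (r0 ^ r1) & mask            # swap back
        r0 ^= t
        r1 ^= t
        ctr.work(2)                     # same cost on both paths
        ctr.step_boundary()
    return r0


def recover_exponent(trace: List[int]) -> int:
    """Attacker model: the host knows the guest runs square-and-multiply
    (1 unit for a 0 bit, 2 units for a 1 bit) and reads bits off the trace."""
    bits = 0
    for count in trace:
        bits = (bits << 1) | (count - 1)
    return bits


def demo() -> Dict[str, object]:
    """Run both implementations on constructed toy parameters and return what
    the host learns from each trace."""
    mod, base, secret, nbits = 0xFFF1, 0xBEEF, 0xA5C3, 16   # constructed values
    leaky_ctr, ladder_ctr = StepCounter(), StepCounter()
    r_leaky = leaky_modexp(base, secret, mod, leaky_ctr, nbits)
    r_ladder = ladder_modexp(base, secret, mod, ladder_ctr, nbits)
    assert r_leaky == r_ladder == pow(base, secret, mod)   # both are correct
    return {
        "secret": secret,
        "leaky_trace": leaky_ctr.trace,
        "leaky_recovered": recover_exponent(leaky_ctr.trace),
        "ladder_trace": ladder_ctr.trace,
        "ladder_guess": recover_exponent(ladder_ctr.trace),
    }


if __name__ == "__main__":
    out = demo()
    print("leaky trace :", out["leaky_trace"], "-> recovered", hex(out["leaky_recovered"]))
    print("ladder trace:", out["ladder_trace"], "-> guess", hex(out["ladder_guess"]))
```

Running it shows the square-and-multiply trace reads back as the exact secret, while the ladder trace is a flat run of equal counts that carries no information about the key, which is the property AMD's guidance asks for in code running inside SEV-SNP guests while counters remain unvirtualized.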