
VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface

Zitai Chen, Georgios Vasilakis, Kit Murdock, Edward Dean, David Oswald, and Flavio D. Garcia
School of Computer Science, University of Birmingham, UK

Abstract

Hardware-based fault injection attacks such as voltage and clock glitching have been thoroughly studied on embedded devices. Typical targets for such attacks include smartcards and low-power microcontrollers used in IoT devices. This paper presents the first hardware-based voltage glitching attack against a fully-fledged Intel CPU. The transition to complex CPUs is not trivial due to several factors, including: a complex operating system, large power consumption, multi-threading, and high clock speeds. To this end, we have built VoltPillager, a low-cost tool for injecting messages on the Serial Voltage Identification bus between the CPU and the voltage regulator on the motherboard. This allows us to precisely control the CPU core voltage. We leverage this powerful tool to mount fault-injection attacks that breach confidentiality and integrity of Intel SGX enclaves. We present proof-of-concept key-recovery attacks against cryptographic algorithms running inside SGX. We demonstrate that VoltPillager attacks are more powerful than recent software-only undervolting attacks against SGX (CVE-2019-11157) because they work on fully patched systems with all countermeasures against software undervolting enabled. Additionally, we are able to fault security-critical operations by delaying memory writes. Mitigation of VoltPillager is not straightforward and may require a rethink of the SGX adversarial model where a cloud provider is untrusted and has physical access to the hardware.

1 Introduction

Modern computing platforms allow the operating system to self-regulate the processor's core frequency and voltage in order to manage heat and power consumption. Several authors [37, 24, 40] have shown that an adversary can abuse this feature to inject bit flips into computations, including those inside an Intel Software Guard Extensions (SGX) enclave (cf. CVE-2019-11157). Using the software-exposed interface Model Specific Register (MSR) 0x150, attacks against Intel SGX were mounted by undervolting from (untrusted) software running with root privileges. Intel have addressed this vulnerability by providing features to disable software undervolting through this MSR. Because SGX was compromised, Intel have initiated Trusted Computing Base (TCB) recovery and modified remote attestation to verify that software-based undervolting is disabled. This requires Microcode (µCode) and BIOS updates.

Hardware fault injection considers a different adversarial model where the adversary has physical access to the device under attack. When targeting an SGX enclave running on a fully patched system (with the latest µCode and BIOS updates), software-based fault attacks have been fully mitigated, and that is where hardware-based attacks become relevant. Fault attacks induce a computation fault in the target processor, such as skipping an instruction, by changing the physical operating environment of the chip, e.g., the supply voltage. They do not rely on the presence of a software vulnerability or any code execution privileges. Voltage fault injection (a.k.a. glitching) in particular has the advantage of being very powerful whilst not requiring expensive lab equipment.

1.1 Our Contribution

In this paper, we analyse the dynamic voltage scaling features of x86 systems at the hardware level. We found that a three-wire bus, Serial Voltage Identification (SVID), is used to send the currently required voltage to an external Voltage Regulator (VR) chip on the motherboard. The VR then adjusts the voltage supplied to the CPU. We reverse-engineered the communication protocol of SVID and developed a small microcontroller-based board that can be connected to the SVID bus. As there is no cryptographic authentication of the SVID packets, we were able to inject our own commands to control the CPU voltage. With this, we reproduced Plundervolt's [37] open-source Proof-of-Concept (PoC) attacks, including against code running inside an SGX enclave. Beyond that, we also found (and document) faults not previously observed. These faults affect elementary operations such as memory accesses. Because the software interface MSR 0x150 is not used, Intel's countermeasures do not prevent this attack.

The main contributions of this paper are:

• We showcase the (to our knowledge) first hardware-based attack that directly breaches SGX's integrity guarantees. We demonstrate its practicality with end-to-end secret-key recovery attacks against mbed TLS and the unmodified file-encryptor sample enclave from Microsoft Open Enclave.

• We show that Intel's countermeasures for CVE-2019-11157 do not prevent fault-injection attacks from adversaries with physical access. This challenges the widely accepted belief that SGX can protect enclave integrity against a malicious cloud provider (cf. e.g., [2, 5, 27, 8]).

• We demonstrate novel fault effects discovered through hardware-based undervolting, in particular by briefly delaying memory writes.

• We present VoltPillager, an open-source hardware device to inject SVID packets. VoltPillager is based on a low-cost, widely available microcontroller board, the Teensy 4.0, and can be built for approximately $30. We also document the internal power management interfaces on modern motherboards, SVID and System Management Bus (SMBus).

1.2 Responsible Disclosure

We reported this issue to Intel on 13 March 2020. Intel evaluated our report and concluded on 5 May that "... opening the case and tampering of internal hardware to compromise SGX is out of scope for SGX threat model. Patches for CVE-2019-11157 (Plundervolt) were not designed to protect against hardware-based attacks as per the threat model", and, therefore, they will not further address the issue. Intel have not requested an embargo for the vulnerabilities described in this paper. We discuss the implications of Intel's response in relation to the widely adopted threat model of SGX in Section 1.4.

1.3 Related Work

Since their introduction by Boneh et al. [6], fault-injection attacks with physical access have been widely investigated in the context of embedded devices. Those attacks are based on the fact that the execution semantics of an IC can change when it is operated outside the specified operating conditions. Examples of fault injection include: over- and undervolting ("voltage glitching"), overclocking, exposure to high or low temperature, or laser light [3, 53].

The fault injection threat model changed with the discovery of software-based attacks. In 2014, Kim et al. reported the Rowhammer effect: bits could be flipped in DRAM by accessing neighbouring rows but not the actual target location [26]. Several authors [43, 17, 28] have since discovered applications, variations, and improvements of the original attack, including the successful bypass of countermeasures in recent DDR4 DRAM chips [14]. While Rowhammer can be performed from unprivileged software, another class of software-based fault injection attacks requires the adversary to have root privileges. These generally target a Trusted Execution Environment (TEE) such as ARM TrustZone or Intel SGX, which should defend the code running inside the TEE even against a privileged adversary. CLKSCREW [50] was the first attack of this type: it exploited the software-controlled overclocking features on the ARM processor of a Nexus 6 smartphone. CLKSCREW was able to extract cryptographic secrets from TrustZone and to bypass signature checks, leading to code execution inside TrustZone. Qiu et al. later found a similar attack, VoltJockey, against TrustZone, this time controlling the CPU's core voltage from privileged software [41]. This line of work continued with voltage fault injection attacks on Intel SGX enclaves [37, 24, 40], which use the software-exposed MSR 0x150 to undervolt during enclave execution and thus trigger bit flips in certain operations, e.g., multiplications, vector instructions, and cryptographic operations.

Hardware-based attacks against TEEs have, so far, received less attention. Cui et al. showed that electro-magnetic fault injection can be used to bypass the TrustZone-based secure boot process of a Broadcom ARM CPU [9]. Similarly, Roth et al. presented fault injection attacks with physical access to ARMv8-M processors, among others breaking the TrustZone-M security on certain CPUs [46].

Lee et al. presented a side-channel attack [29] on SGX by physically connecting to, and eavesdropping on, the DRAM memory bus. They showed that by observing the pattern of the (encrypted) memory accesses, they can recover secret information from a range of example enclaves. Notably, their attack requires specialized and expensive test equipment (e.g., $170,000 for a JLA320A signal analyzer).

1.4 Attacker Model

We are using the widely adopted SGX adversary model with physical access to the target CPU and full control over all software running outside the enclave, including BIOS and operating system. Crucially, our attacks do not require expensive lab equipment (e.g., for invasive attacks on the CPU die), but can be mounted with an inexpensive microcontroller board and only require board-level access

... SVID reverse engineering, we occasionally refer to it as i3-7100-GZ170 in Section 4.

We used 64-bit Ubuntu 18.04.3 LTS as our operating system with stock Linux 5.0.0-23-generic kernel, Intel SGX driver V2.6 and Intel SGX-SDK V2.8. We publicly release all source code at https://github.com/zt-chen/voltpillager.

1.6 Outline

The remainder of this paper is structured as follows: first, in Section 2, we discuss Intel's mitigation for CVE-2019-11157. In Section 3, we then describe the two main interfaces for controlling CPU voltage on modern systems.
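The Introduction states that a fault attack only needs to corrupt a single computation, and the contributions list end-to-end key recovery against cryptographic code running in SGX without saying how one faulty result turns into a key. The following added example (written for this page, not code from the VoltPillager paper or its repository) simulates the classic Bellcore fault attack on RSA-CRT signing: a single bit flip in one CRT half, standing in for an undervolting-induced multiplication error, lets gcd recover a prime factor of N from one faulty signature. The toy key (Mersenne primes M127 and M89), the message, and the choice of RSA-CRT as the faulted algorithm are assumptions for illustration; the paper may target different primitives.

```python
"""Bellcore-style fault attack on RSA-CRT, simulated in pure Python.

Added illustration, not the VoltPillager authors' code. The key is a
constructed toy key and is far too small for real use.
"""
from math import gcd

# Constructed toy key: Mersenne primes M127 and M89, public exponent 65537.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def rsa_crt_sign(m, p=P, q=Q, d=D, fault=None):
    """Compute m^d mod N with the Chinese Remainder Theorem (Garner form).

    `fault`, if given, is applied to the intermediate s_p to model a
    computation error injected into one CRT half, e.g. by undervolting.
    """
    dp, dq = d % (p - 1), d % (q - 1)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault is not None:
        sp = fault(sp) % p          # only the mod-p half is corrupted
    q_inv = pow(q, -1, p)
    h = (q_inv * (sp - sq)) % p
    return (sq + h * q) % (p * q)


def verify(m, s, e=E, n=N):
    """Public-key check s^e == m (mod N)."""
    return pow(s, e, n) == m % n


def recover_factor_two_sigs(s_good, s_bad, n=N):
    """Attacker has a correct and a faulty signature of the same message.

    Both agree modulo the unfaulted prime and differ modulo the other,
    so gcd(s - s', N) is a non-trivial factor.
    """
    g = gcd((s_good - s_bad) % n, n)
    return g if 1 < g < n else None


def recover_factor_one_sig(m, s_bad, e=E, n=N):
    """Attacker has only the faulty signature: gcd(s'^e - m, N) suffices,
    because s'^e == m holds modulo the unfaulted prime only."""
    g = gcd((pow(s_bad, e, n) - m) % n, n)
    return g if 1 < g < n else None


def bit_flip_fault(bit):
    """Fault model: a single bit flip in the intermediate value."""
    return lambda x: x ^ (1 << bit)


def sign_with_check(m, fault=None):
    """Standard software countermeasure: verify before releasing the result.

    Returns None instead of a faulty signature. Note that the check itself
    is a branch that an instruction-skip fault can bypass, which is why
    such checks do not restore the guarantees that hardware undervolting
    removes.
    """
    s = rsa_crt_sign(m, fault=fault)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = int.from_bytes(b"VoltPillager", "big")   # constructed message
    good = rsa_crt_sign(msg)
    bad = rsa_crt_sign(msg, fault=bit_flip_fault(5))
    print("correct signature verifies:", verify(msg, good))
    print("faulty signature verifies:", verify(msg, bad))
    print("factor from two signatures == Q:", recover_factor_two_sigs(good, bad) == Q)
    print("factor from one signature  == Q:", recover_factor_one_sig(msg, bad) == Q)
    print("checked signing releases faulty result:", sign_with_check(msg, fault=bit_flip_fault(5)) is not None)
```

The faulted half is the mod-p computation, so the gcd returns Q, the prime whose CRT half was computed correctly; faulting the mod-q half instead would return P. The point for the SGX setting is that the enclave code need not have any bug: the arithmetic itself is wrong once, and the key is gone.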