One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization (2108.04575v4)

Published 10 Aug 2021 in cs.CR

Abstract: AMD Secure Encrypted Virtualization (SEV) offers protection mechanisms for virtual machines in untrusted environments through memory and register encryption. To separate security-sensitive operations from software executing on the main x86 cores, SEV leverages the AMD Secure Processor (AMD-SP). This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD-SP. We present a voltage glitching attack that allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3). The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory. Furthermore, using our approach, we can extract endorsement keys of SEV-enabled CPUs, which allows us to fake attestation reports or to pose as a valid target for VM migration without requiring physical access to the target host. Moreover, we reverse-engineered the Versioned Chip Endorsement Key (VCEK) mechanism introduced with SEV Secure Nested Paging (SEV-SNP). The VCEK binds the endorsement keys to the firmware version of TCB components relevant for SEV. Building on the ability to extract the endorsement keys, we show how to derive valid VCEKs for arbitrary firmware versions. With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rogue administrators, on currently available CPUs.

Citations (56)

Summary

  • The paper demonstrates voltage fault injection attacks successfully compromise AMD's Secure Encrypted Virtualization (SEV) by exploiting the AMD Secure Processor (AMD-SP).
  • Researchers used voltage glitching via the SVI2 protocol to interfere with AMD-SP boot across Zen 1, 2, and 3 architectures, enabling extraction of critical secrets and cryptographic keys.
  • The findings show SEV is vulnerable to insider threats, compromising runtime encryption and attestation processes, and suggest mitigation via hardware protection, software checks, and revised key generation.

Voltage Fault Injection Attacks on AMD Secure Encrypted Virtualization

The paper by Buhren et al. provides a detailed examination of the vulnerability of AMD's Secure Encrypted Virtualization (SEV) technology to voltage fault injection attacks. The authors focus specifically on exploiting the AMD Secure Processor (AMD-SP), which acts as the root of trust for SEV, to achieve custom code execution, with severe security repercussions for virtual machines (VMs) relying on SEV for confidentiality in cloud environments.

Key Findings and Attack Methodology

The researchers have successfully demonstrated a voltage glitching attack on AMD-SP across three generations of microarchitectures—Zen 1, Zen 2, and Zen 3. This approach manipulates the input voltage of the AMD-SP through the Serial Voltage Identification Interface 2.0 (SVI2) protocol to interfere with the AMD-SP’s boot process, thereby coercing it to accept a manipulated cryptographic key for subsequent firmware validation. As a result, the attack bypasses SEV’s protective mechanisms, enabling full extraction of secrets critical to both runtime security and remote attestation processes.

A significant contribution of the paper is the reverse engineering of SEV-SNP's Versioned Chip Endorsement Key (VCEK) mechanism, which binds the endorsement key to a Trusted Computing Base (TCB) version string covering the firmware components relevant for SEV. The research shows that an adversary who has extracted these endorsement keys can derive valid VCEKs for arbitrary firmware versions and thereby forge attestation reports or pose as a valid migration target for VMs, without physical access to the target host.
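To make the VCEK binding concrete, the following is an added toy model (not the paper's or AMD's code): a key is derived from a chip-unique secret and a TCB version string, a relying party fetches the key for the TCB claimed in a report and enforces a minimum-TCB policy, and the model shows why that policy cannot detect reports signed with a VCEK derived from an extracted chip secret. HMAC-SHA256 stands in for AMD's real key derivation and signature scheme, and the TCB component names and version numbers are constructed for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TcbVersion:
    """Security version numbers of the TCB components (component names assumed)."""
    bootloader: int
    tee: int
    snp: int
    microcode: int

    def encode(self) -> bytes:
        return bytes([self.bootloader, self.tee, self.snp, self.microcode])

    def at_least(self, other: "TcbVersion") -> bool:
        return all(a >= b for a, b in zip(self.encode(), other.encode()))


def derive_vcek(chip_secret: bytes, tcb: TcbVersion) -> bytes:
    """Versioned key: same chip secret, different TCB version -> different key."""
    return hmac.new(chip_secret, b"VCEK|" + tcb.encode(), hashlib.sha256).digest()


def sign_report(vcek: bytes, tcb: TcbVersion, measurement: bytes) -> tuple:
    """Attestation report = claimed TCB || guest measurement, tagged under the VCEK."""
    body = tcb.encode() + measurement
    return body, hmac.new(vcek, body, hashlib.sha256).digest()


def verify_report(kds_lookup, body: bytes, tag: bytes, min_tcb: TcbVersion) -> bool:
    """Relying party: obtain the VCEK for the claimed TCB (as a key distribution
    service would hand out the certificate) and enforce a minimum-TCB policy."""
    claimed = TcbVersion(*body[:4])
    if not claimed.at_least(min_tcb):
        return False
    expected = hmac.new(kds_lookup(claimed), body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    chip_secret = hashlib.sha256(b"constructed chip secret").digest()  # constructed
    kds = lambda tcb: derive_vcek(chip_secret, tcb)  # models key lookup for this chip
    old, new = TcbVersion(2, 0, 6, 68), TcbVersion(3, 0, 8, 115)  # constructed values
    measurement = hashlib.sha256(b"guest image").digest()
    # Honest firmware still at the old TCB: rejected by a policy requiring `new`.
    honest = verify_report(kds, *sign_report(kds(old), old, measurement), new)
    # With the chip secret extracted, a VCEK for `new` can be derived and a report
    # claiming the patched TCB signed: the verifier cannot tell it apart.
    forged_body, forged_tag = sign_report(derive_vcek(chip_secret, new), new, measurement)
    forged = verify_report(kds, forged_body, forged_tag, new)
    # A report whose claimed TCB does not match the key it was signed with fails.
    body, tag = sign_report(kds(old), new, measurement)
    return {"honest_old_tcb": honest, "forged_new_tcb": forged,
            "mismatched": verify_report(kds, body, tag, new)}
```

The takeaway for a verifier is that a minimum-TCB policy only constrains which key must have signed the report, so once the chip secret behind the VCEK derivation is known, the version binding provides no detection.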

Implications

The paper elucidates that SEV's aim of securing VM data from insider threats, such as rogue administrators, is compromised because of the single point of failure at the AMD-SP. The consequences are twofold: first, the runtime encryption could be voided through manipulated SEV firmware; second, the integrity of SEV’s attestation process is invalidated due to the ability to extract and forge endorsement keys.

For cloud service providers (CSPs), this vulnerability reveals that SEV cannot robustly guarantee data protection against malicious internal entities. The practicality of the attack, facilitated by inexpensive equipment and widely accessible components, underscores the urgency for alternative or strengthened safeguarding against such exploits.

Mitigation Strategy

The authors propose several strategies to address these vulnerabilities:

  1. Hardware-Level Protection: Enhance the AMD-SP’s ability to detect anomalies in voltage levels and react accordingly to deter fault injection, e.g., incorporating advanced monitoring circuits.
  2. Software-Based Approaches: Implement redundant checks or cryptographic guards within the SEV firmware, ensuring that even under fault conditions, code paths remain secure and consistent.
  3. Revised Endorsement Key Generation: Anchor the endorsement keys to cryptographic hashes of the firmware components rather than to a version string alone, so that key validity is intrinsically linked to both firmware version and functionality. This approach potentially impedes the extraction of universal keys applicable across every firmware version.

Conclusion

The findings of this paper challenge the prevailing confidence in SEV as a security measure for VMs in cloud environments, advocating for profound changes in the design of trusted computing mechanisms. Future development must integrate stronger hardware protections and redefine the endorsement key architecture to protect against similar vulnerabilities, thereby improving the resilience of cloud data protection strategies. As the field of fault injection evolves, the insights provided by Buhren et al. offer a forewarning and technical blueprint for enhancing security in virtualization technologies.
