Papers
Topics
Authors
Recent
Search
2000 character limit reached

WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP

Published 4 Apr 2024 in cs.CR | (2404.03526v1)

Abstract: AMD SEV-SNP offers VM-level trusted execution environments (TEEs) to protect the confidentiality and integrity for sensitive cloud workloads from untrusted hypervisor controlled by the cloud provider. AMD introduced a new exception, #VC, to facilitate the communication between the VM and the untrusted hypervisor. We present WeSee attack, where the hypervisor injects malicious #VC into a victim VM's CPU to compromise the security guarantees of AMD SEV-SNP. Specifically, WeSee injects interrupt number 29, which delivers a #VC exception to the VM who then executes the corresponding handler that performs data and register copies between the VM and the hypervisor. WeSee shows that using well-crafted #VC injections, the attacker can induce arbitrary behavior in the VM. Our case-studies demonstrate that WeSee can leak sensitive VM information (kTLS keys for NGINX), corrupt kernel data (firewall rules), and inject arbitrary code (launch a root shell from the kernel space).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (65)
  1. AMD, “AMD SEV-SNP  Strengthening VM Isolation with Integrity protection and more,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf.
  2. ARM, “Arm Confidential Compute Architecture (ARM-CCA),” Accessed: Apr 4, 2024. [Online]. Available: https://www.arm.com/why-arm/architecture/security-features/arm-confidential-compute-architecture.
  3. IBM, “Confidential computing on IBM Cloud,” Accessed: Apr 4, 2024. [Online]. Available: https://www.ibm.com/cloud/confidential-computing.
  4. Intel, “Intel Trust Domain Extensions (Intel TDX),” Accessed: Apr 4, 2024. [Online]. Available: https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html.
  5. Microsoft Azure, “Azure confidential VMs using SEV-SNP (DCasv5/ECasv5) are now generally available,” (2022). Accessed: Apr 4, 2024. [Online]. Available: https://azure.microsoft.com/en-us/updates/azureconfidentialvm/.
  6. Google, “Oh SNP! VMs get even more confidential,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://cloud.google.com/blog/products/identity-security/rsa-snp-vm-more-confidential.
  7. AWS, “AWS: AMD SEV-SNP,” Accessed: Apr 4, 2024. [Online]. Available: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html.
  8. Microsoft, “Microsoft moves 25 Billion in credit card transactions to Azure confidential computing,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://techcommunity.microsoft.com/t5/azure-confidential-computing/announcing-microsoft-moves-25-billion-in-credit-card/ba-p/3981180.
  9. ——, “NLP Inferencing on Confidential Azure Container Instance,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://techcommunity.microsoft.com/t5/azure-confidential-computing/nlp-inferencing-on-confidential-azure-container-instance/ba-p/3827628.
  10. AMD, “AMD Shares The Technical Details of Technology Powering Innovative Confidential Computing Leadership Cloud Offerings,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://www.amd.com/en/newsroom/press-releases/2023-8-30-amd-shares-the-technical-details-of-technology-pow.html.
  11. Oracle, “Product News: Protect data in use with OCI Confidential Computing,” (2023). Accessed: Apr 4, 2024. [Online]. https://blogs.oracle.com/cloud-infrastructure/post/protect-data-in-use-with-confidential-computing.
  12. Confidential Computing Consortium & Opaque, “Confidential Computing Summit 2023,” Accessed: Apr 4, 2024. [Online]. Available: https://confidentialcomputingsummit.com/.
  13. AMD, “Protecting VM Register State with SEV-ES,” (2017). Accessed: Apr 4, 2024. [Online]. Available: https://www.amd.com/content/dam/amd/en/documents/epyc-business-docs/white-papers/Protecting-VM-Register-State-with-SEV-ES.pdf.
  14. ——, “AMD64 Architecture Programmer’s Manual Volumes 1–5,” (2024). Accessed: Apr 4, 2024. [Online]. Available: https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/programmer-references/40332.pdf.
  15. B. Schlüter, S. Sridhara, M. Kuhne, A. Bertschi, and S. Shinde, “Heckler: Breaking Confidential VMs with Malicious Interrupts,” in USENIX Security, 2024.
  16. S. Checkoway and H. Shacham, “Iago attacks: why the system call api is a bad untrusted rpc interface,” ACM SIGARCH Computer Architecture News, vol. 41, no. 1, pp. 253–264, 2013.
  17. AMD, “SEV-ES Guest-Hypervisor Communication Block Standardization,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/specifications/56421.pdf.
  18. Intel, “Intel® 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4,” (2024). Accessed: Apr 4, 2024. [Online]. Available: https://cdrdv2.intel.com/v1/dl/getContent/671200.
  19. M. Morbitzer, S. Proskurin, M. Radev, M. Dorfhuber, and E. Q. Salas, “SEVerity: Code Injection Attacks against Encrypted Virtual Machines,” in IEEE Security and Privacy Workshops (SPW), 2021.
  20. L. Wilke, J. Wichelmann, M. Morbitzer, and T. Eisenbarth, “SEVurity: No Security Without Integrity : Breaking Integrity-Free Memory Encryption with Minimal Assumptions,” in IEEE S&P), 2020.
  21. J. Koschel, C. Giuffrida, H. Bos, and K. Razavi, “TagBleed: Breaking KASLR on the Isolated Kernel Address Space using Tagged TLBs,” in EuroS&P, 2020.
  22. M. Morbitzer, M. Huber, and J. Horsch, “Extracting Secrets from Encrypted Virtual Machines,” in CODASPY, 2019.
  23. L. Wilke, J. Wichelmann, A. Rabich, and T. Eisenbarth, “SEV-Step A Single-Stepping Framework for AMD-SEV,” IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023.
  24. R. Zhang, L. Gerlach, D. Weber, L. Hetterich, Y. Lü, A. Kogler, and M. Schwarz, “CacheWarp: Software-based Fault Injection using Selective State Reset,” in USENIX Security, 2024.
  25. J. Werner, J. Mason, M. Antonakakis, M. Polychronakis, and F. Monrose, “The SEVerESt Of Them All: Inference Attacks Against Secure Virtual Enclaves,” in ACM AsiaCCS, 2019.
  26. AMD, “AMD SEV snp-host-latest tree ad9c0bf475,” Accessed: Apr 4, 2024. [Online]. Available: https://github.com/AMDESE/linux/tree/87146075f0d55c346ae7dbb902f8abc312e71004.
  27. Enarx, “Enarx,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://github.com/enarx/enarx.
  28. Project Oak, “Project Oak,” Accessed: Apr 4, 2024. [Online]. Available: https://github.com/project-oak/oak.
  29. Coconut SVSM, “Coconut SVSM,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://github.com/coconut-svsm/svsm.
  30. T. Dohrmann, “Mushroom,” Accessed: Apr 4, 2024. [Online]. Available: https://github.com/Freax13/mushroom.
  31. Project Oak, “Oak Pull Request: Ensure CPUID triggered the VC exception,” (2024). Accessed: Apr 4, 2024. [Online]. Available: https://github.com/project-oak/oak/pull/4974.
  32. B. Petkov, “x86/sev: Harden #VC instruction emulation somewhat,” (2024). Accessed: Apr 4, 2024. [Online]. Available: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f.
  33. T. Lan, “x86/hyperv/sev: Add AMD sev-snp enlightened guest support on hyperv,” (2023). Accessed: Apr 4, 2024. [Online]. Available: https://lore.kernel.org/all/[email protected]/.
  34. Google Project Zero and Google Cloud Security, “AMD Secure Processor for Confidential Computing Security Review,” (2022). Accessed: Apr 4, 2024. [Online]. Available: https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/AMD_GPZ-Technical_Report_FINAL_05_2022.pdf.
  35. M. Li, Y. Zhang, Z. Lin, and Y. Solihin, “Exploiting Unprotected I/O Operations in AMD’s Secure Encrypted Virtualization,” in USENIX Security, 2019.
  36. M. Morbitzer, M. Huber, J. Horsch, and S. Wessel, “SEVered: Subverting AMD’s Virtual Machine Encryption,” in EuroSec, 2018.
  37. W. Wang, M. Li, Y. Zhang, and Z. Lin, “PwrLeak: Exploiting Power Reporting Interface for Side-Channel Attacks on AMD SEV,” in DIMVA, 2023.
  38. R. Buhren, C. Werling, and J.-P. Seifert, “Insecure Until Proven Updated: Analyzing AMD SEV’s Remote Attestation,” in ACM CCS, 2019.
  39. L. Wilke, J. Wichelmann, F. Sieck, and T. Eisenbarth, “undeSErVed trust: Exploiting Permutation-Agnostic Remote Attestation,” in 2021 IEEE Security and Privacy Workshops (SPW), 2021.
  40. M. Li, Y. Zhang, H. Wang, K. Li, and Y. Cheng, “CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel,” in USENIX Security, 2021.
  41. M. Li, L. Wilke, J. Wichelmann, T. Eisenbarth, R. Teodorescu, and Y. Zhang, “A Systematic Look at Ciphertext Side Channels on AMD SEV-SNP,” in IEEE S&P, 2022.
  42. M. Li, Y. Zhang, and Z. Lin, “CrossLine: Breaking ”Security-by-Crash” Based Memory Isolation in AMD SEV,” in ACM CCS, 2021.
  43. M. Radev and M. Morbitzer, “Exploiting interfaces of secure encrypted virtual machines,” in ROOTS, 2020.
  44. M. R. Khandaker, Y. Cheng, Z. Wang, and T. Wei, “COIN Attacks: On Insecurity of Enclave Untrusted Interfaces in SGX,” in ASPLOS, 2020.
  45. J. Van Bulck, D. Oswald, E. Marin, A. Aldoseri, F. D. Garcia, and F. Piessens, “A Tale of Two Worlds: Assessing the Vulnerability of Enclave Shielding Runtimes,” in ACM CCS, 2019.
  46. Y. Chen, J. Li, G. Xu, Y. Zhou, Z. Wang, C. Wang, and K. Ren, “SGXLock: Towards efficiently establishing mutual distrust between host application and enclave for SGX,” in USENIX Security, 2022.
  47. M. Busi, J. Noorman, J. Van Bulck, L. Galletta, P. Degano, J. T. Mühlberg, and F. Piessens, “Securing Interruptible Enclaved Execution on Small Microprocessors,” ACM Trans. Program. Lang. Syst., 2021.
  48. C. T. Cortiñas, M. Vassena, and A. Russo, “Securing Asynchronous Exceptions,” in IEEE CSF, 2020.
  49. R. de Clercq, F. Piessens, D. Schellekens, and I. Verbauwhede, “Secure Interrupts on Low-End Microcontrollers,” in IEEE ASAP, 2014.
  50. S. Constable, J. V. Bulck, X. Cheng, Y. Xiao, C. Xing, I. Alexandrovich, T. Kim, F. Piessens, M. Vij, and M. Silberstein, “AEX-Notify: Thwarting Precise Single-Stepping Attacks through Interrupt Awareness for Intel SGX Enclaves,” in USENIX Security, 2023.
  51. ARM, “Learn the Architecture: TrustZone for AArch64,” (2021). Accessed: Apr 4, 2024. [Online]. Available: https://developer.arm.com/architectures/learn-the-architecture/trustzone-for-aarch64/trustzone-in-the-processor.
  52. F. Hetzelt and R. Buhren, “Security Analysis of Encrypted Virtual Machines,” ACM SIGPLAN Notices, 2017.
  53. J. Van Bulck, F. Piessens, and R. Strackx, “SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control,” in SysTEX, 2017.
  54. L. Guan, P. Liu, X. Xing, X. Ge, S. Zhang, M. Yu, and T. Jaeger, “TrustShadow: Secure Execution of Unmodified Applications with ARM TrustZone,” in MobiSys, 2017.
  55. A. Baumann, M. Peinado, and G. Hunt, “Shielding Applications from an Untrusted Cloud with Haven,” in OSDI, 2014.
  56. C. che Tsai, D. E. Porter, and M. Vij, “Graphene-SGX: A practical library OS for unmodified applications on SGX,” in USENIX ATC, 2017.
  57. Y. Shen, H. Tian, Y. Chen, K. Chen, R. Wang, Y. Xu, Y. Xia, and S. Yan, “Occlum: Secure and Efficient Multitasking Inside a Single Enclave of Intel SGX,” in ASPLOS, 2020.
  58. S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O’Keeffe, M. L. Stillwell, D. Goltzsche, D. Eyers, R. Kapitza, P. Pietzuch, and C. Fetzer, “SCONE: Secure linux containers with intel SGX,” in OSDI, 2016.
  59. T. Hunt, Z. Zhu, Y. Xu, S. Peter, and E. Witchel, “Ryoan: A Distributed Sandbox for Untrusted Computation on Secret Data,” 2016.
  60. X. Ge, H.-C. Kuo, and W. Cui, “Hecate: Lifting and shifting on-premises workloads to an untrusted cloud,” in ACM CCS, 2022.
  61. Linux, “The Kernel Address Sanitizer (KASAN),” Accessed: Apr 4, 2024. [Online]. Available: https://www.kernel.org/doc/html/v6.5/dev-tools/kasan.html.
  62. ——, “Kernel Self-Protection,” Accessed: Apr 4, 2024. [Online]. Available: https://www.kernel.org/doc/html/v6.5/security/self-protection.html?highlight=kaslr.
  63. S. Tolvanen, “Linux Clang CFI,” (2021). Accessed: Apr 4, 2024. [Online]. Available: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cf68fffb66d60d96209446bfc4a15291dc5a5d41.
  64. Intel, “Intel TDX Guest Kernel Hardening Documentation,” Accessed: Apr 4, 2024. [Online]. Available: https://intel.github.io/ccc-linux-guest-hardening-docs/index.html.
  65. M. Rybczyńska, “Hardening virtio,” (2021). Accessed: Apr 4, 2024. [Online]. Available: https://lwn.net/Articles/865216/.
Citations (17)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Summarize

Paper to Video (Beta)

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now

Collections

Sign up for free to add this paper to one or more collections.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up

Tweets

Sign up for free to view the 2 tweets with 6 likes about this paper.

User Circle Single Streamline Icon: https://streamlinehq.com Sign Up for Free