Security researchers continue to find ways to attack Intel and AMD processors, and the chip giants over the past week have issued responses to separate research targeting their products.
The research projects were aimed at Intel and AMD trusted execution environments (TEEs), which are designed to protect code and data by isolating the protected application or virtual machine (VM) from the operating system and other software running on the same physical system.
On Monday, a team of researchers representing the Graz University of Technology in Austria, the Fraunhofer Institute for Secure Information Technology (SIT) in Germany, and Fraunhofer Austria Research published a paper describing a new attack method targeting AMD processors.
The attack method, named CounterSEVeillance, targets AMD’s Secure Encrypted Virtualization (SEV) TEE, specifically the SEV-SNP extension, which is designed to provide protection for confidential VMs even when they are running in a shared hosting environment.
CounterSEVeillance is a side-channel attack targeting performance counters, which are used to count certain types of hardware events (such as instructions executed and cache misses) and which can aid in the identification of application bottlenecks, excessive resource consumption, and even attacks.
CounterSEVeillance also leverages single-stepping, a technique that can allow threat actors to observe the execution of a TEE instruction by instruction, enabling side-channel attacks and exposing potentially sensitive information.
“By single-stepping a confidential virtual machine and reading hardware performance counters after each step, a malicious hypervisor can observe the outcomes of secret-dependent conditional branches and the duration of secret-dependent divisions,” the researchers explained.
They demonstrated the impact of CounterSEVeillance by extracting a full RSA-4096 key from a single Mbed TLS signature process in minutes, and by recovering a six-digit time-based one-time password (TOTP) with roughly 30 guesses. They also showed that the method can be used to leak the secret key from which the TOTPs are derived, and for plaintext-checking attacks.
Conducting a CounterSEVeillance attack requires high-privileged access to the machines that host hardware-isolated VMs — these VMs are known as trust domains (TDs). The most obvious attacker would be the cloud service provider itself, but attacks could also be conducted by a state-sponsored threat actor (particularly in its own country), or other well-funded hackers that can obtain the necessary access.
“For our attack scenario, the cloud provider runs a modified hypervisor on the host. The attacked confidential virtual machine runs as a guest under the modified hypervisor,” explained Stefan Gast, one of the researchers involved in this project.
“Attacks from untrusted hypervisors running on the host are exactly what technologies like AMD SEV or Intel TDX are trying to prevent,” the researcher noted.
Gast told SecurityWeek that in principle their threat model is very similar to that of the recent TDXDown attack, which targets Intel’s Trust Domain Extensions (TDX) TEE technology.
The TDXDown attack method was disclosed last week by researchers from the University of Lübeck in Germany.
Intel TDX includes a dedicated mechanism to mitigate single-stepping attacks. With the TDXDown attack, researchers showed how flaws in this mitigation mechanism can be leveraged to bypass the protection and conduct single-stepping attacks. Combining this with another flaw, named StumbleStepping, the researchers managed to recover ECDSA keys.
Response from AMD and Intel
In an advisory published on Monday, AMD said performance counters are not protected by SEV, SEV-ES, or SEV-SNP.
“AMD recommends software developers employ existing best practices, including avoiding secret-dependent data accesses or control flows where appropriate to help mitigate this potential vulnerability,” the company said.
It added, “AMD has defined support for performance counter virtualization in APM Vol 2, section 15.39. PMC virtualization, planned for availability on AMD products starting with Zen 5, is designed to protect performance counters from the type of monitoring described by the researchers.”
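The secret-dependent control flow that AMD's advisory tells developers to avoid, shown as an added C example that is not code from the researchers or either vendor: a check that compares a guess against a secret (a six-digit TOTP code, as in the paper's demonstration) with an early-exit loop, beside a constant-time version of the same check. The function names and the constructed codes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Leaky comparison: returns at the first mismatching byte. Both the loop
 * count and the taken/not-taken outcome of the "!=" branch depend on how
 * many leading bytes of the guess match the secret, which is the kind of
 * secret-dependent control flow a single-stepping observer reading
 * performance counters after each step can measure. If steps is non-NULL it
 * receives the number of bytes examined. */
int leaky_memeq(const uint8_t *secret, const uint8_t *guess, size_t n,
                size_t *steps) {
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time comparison: always examines all n bytes, ORs the
 * differences together and derives the verdict arithmetically, so the
 * executed instruction stream is the same for every guess. Check the
 * emitted assembly, since an optimising compiler may reintroduce a branch. */
int ct_memeq(const uint8_t *secret, const uint8_t *guess, size_t n,
             size_t *steps) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(secret[i] ^ guess[i]);
    if (steps) *steps = n;
    /* ((diff - 1) >> 31) & 1 is 1 only when diff == 0, i.e. no byte differed */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Step counts for a constructed six-digit TOTP code and a guess. */
size_t leaky_steps(const char *secret, const char *guess) {
    size_t s; leaky_memeq((const uint8_t *)secret, (const uint8_t *)guess, 6, &s);
    return s;
}
size_t ct_steps(const char *secret, const char *guess) {
    size_t s; ct_memeq((const uint8_t *)secret, (const uint8_t *)guess, 6, &s);
    return s;
}

int main(void) {
    /* Constructed values: secret "123456", guess sharing a four-digit prefix */
    printf("leaky: %zu steps, constant-time: %zu steps\n",
           leaky_steps("123456", "123499"), ct_steps("123456", "123499"));
    return 0;
}
```

The leaky version examines one byte more than the length of the matching prefix, so its step count reveals how much of the guess was right; the constant-time version always examines all six. Production code should use a library routine such as OpenSSL's CRYPTO_memcmp rather than a hand-written compare.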
Intel has updated TDX to address the TDXDown attack, but considers it a ‘low severity’ issue and has pointed out that it “represents very little risk in real world environments”. The company has assigned it CVE-2024-27457.
As for StumbleStepping, Intel said it “does not consider this technique to be in the scope of the defense-in-depth mechanisms” and decided not to assign it a CVE identifier.