Voltage Glitching Attack on AMD Chips Poses Risk to Cloud Environments

Researchers have described a voltage glitching attack that shows AMD’s Secure Encrypted Virtualization (SEV) technology may not provide proper protection for confidential data in cloud environments.

The research was conducted by a team from the Technical University of Berlin (TU Berlin) and it was detailed in a paper published this week.

AMD’s SEV technology — present in the company’s EPYC processors — is designed to protect virtual machines (VMs) and the data they store against insider threats with elevated privileges, such as a malicious administrator. SEV is often used in cloud environments.

SEV is designed to protect confidential data by encrypting the VM’s memory, and the encryption keys are secured using AMD’s Secure Processor (SP), a dedicated security co-processor. This should ensure that only the SP has access to the memory encryption key, while the hypervisor, which can be under the control of a threat actor, does not.

However, the TU Berlin researchers showed that an attacker who has physical access to the targeted system can gain access to SEV-protected VM memory content by launching a voltage fault injection attack on the SP.

In order to work as intended, integrated circuits need to operate within specific temperature, clock stability, electromagnetic field, and supply voltage ranges. Purposefully manipulating one of these parameters is called a glitching attack. Such attacks require physical access to the chip, but they can be useful for obtaining sensitive information, bypassing security checks, or achieving arbitrary code execution.

In their voltage glitching attack, the researchers showed that by manipulating the input voltage to AMD chips, they can induce an error in the ROM bootloader of the SP, allowing them to gain full control. They described the risk posed to cloud environments due to SEV’s failure to properly protect potentially sensitive information from malicious insiders.

“We presented how an adversary with physical access to the target host can implant a custom SEV firmware that decrypts a VM’s memory using SEV’s debug API calls,” the researchers explained in their paper. “Furthermore, we showed that the glitching attack enables the extraction of endorsement keys. The endorsement keys play a central role in the remote attestation mechanism of SEV and can be used to mount remote attacks. Even an attacker without physical access to the target host can use extracted endorsement keys to attack SEV-protected VMs. By faking attestation reports, an attacker can pose as a valid target for VM migration to gain access to a VM’s data.”

The hardware needed to conduct such an attack is widely available and inexpensive, but the researchers said it took them 4 hours to prepare a system for an attack, which significantly lowers the risk in a real-world environment.

While this is not the first research project focusing on voltage glitching attacks or attacks on AMD’s SP and SEV, the researchers said that — to the best of their knowledge — this is the first attack affecting all AMD EPYC CPUs (Zen 1, Zen 2 and Zen 3).

The researchers have reported their findings to AMD and proposed some mitigations that could be implemented in future CPUs.

SecurityWeek has reached out to AMD for comment and will update this article if the company responds.

*updated to clarify that it took the researchers 4 hours to prepare a system for an attack

Related: PLATYPUS: Hackers Can Obtain Crypto Keys by Monitoring CPU Power Consumption

Related: VoltPillager: New Hardware-Based Voltage Manipulation Attack Against Intel SGX

Related: Plundervolt Attack Uses Voltage to Steal Data From Intel Chips

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
