In the past, several voltage-based fault injection attacks on Intel SGX were successful. The attacks used software commands to control the voltage of the CPU. Intel’s mitigation was to disable the access to these commands at the BIOS level.
A team of researchers from the University of Birmingham succeeded in performing the same type of attacks but via external hardware, therefore bypassing the mitigation. They coined the attack: VoltPillager [1].
On the motherboard, the CPU controls its voltage by sending commands to a programmable Voltage Controller using an undocumented three-wire serial bus: Software Voltage Identification (SVID). The bus is somewhat similar to I2C. The researchers reverse-engineered its protocol. SVID has no protection. Furthermore, the bus uses open-drain outputs; thus, it is “easy” to piggy-back on SVID. Open-drain outputs require pull-up resistors to pull the signal to ‘1’; therefore, the lines are easily accessible and can be tapped with jumpers or by soldering.
They used a $20 Teensy 4.0 microcontroller [2]. To synchronize the Teensy microcontroller’s commands with the target CPU’s activity, the team used an RS232 UART rather than the USB port. RS232 has minimal jitter compared to USB, enabling more accurate synchronization. Timing accuracy is critical in fault injection attacks. The VoltPillager hardware allows issuing commands that precisely program the shape of the undervolting waveform. Hardware-driven undervolting is more precise and accurate than equivalent software-driven fault-injection attacks.
They succeeded in reproducing the exploits disclosed by the Plundervolt attack [3]. Due to its increased accuracy, VoltPillager required 50 times fewer iterations than Plundervolt. Furthermore, the team discovered a new class of attacks. It seems that undervolting briefly delays memory writes to the cache. This potential delay opens many opportunities for cache attacks.
The bad news is that VoltPillager bypasses the mitigation introduced by Intel against Plundervolt-like attacks. VoltPillager attacks the Voltage Controller directly. As explained in the paper, protecting the bus would not solve the issue because a determined attacker could directly drive the Pulse Width Modulation (PWM) signal that sets the actual voltage. The most efficient mitigation would use techniques inspired by the smart card world, such as hardware voltage-glitch detectors or redundant critical code.
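As an added illustration of the smart-card-style “redundant critical code” mitigation mentioned above (this is my own example, not code from the paper or the VoltPillager project), the following C function compares two buffers with two independent passes, loop-counter integrity checks and sentinel return values that differ in many bits; the names `hardened_compare`, `verify_mac`, `CHECK_OK` and `CHECK_FAIL` are my own choices.

```c
#include <stdint.h>
#include <stddef.h>

/* Two sentinel values with a large Hamming distance: a single bit flip
 * induced by a voltage glitch cannot turn one into the other. */
#define CHECK_OK   0x5Au
#define CHECK_FAIL 0xA5u

/* Fault-hardened, constant-time comparison of two n-byte buffers.
 * The comparison runs twice, forwards and backwards, into two separate
 * accumulators, and each loop counter is verified afterwards, so a single
 * skipped instruction or corrupted intermediate value does not yield a
 * false CHECK_OK. Returns CHECK_OK or CHECK_FAIL (example names). */
uint8_t hardened_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff_fwd = 0, diff_bwd = 0;
    volatile size_t i;

    for (i = 0; i < n; i++)
        diff_fwd |= (uint8_t)(a[i] ^ b[i]);
    if (i != n)                 /* loop counter integrity check */
        return CHECK_FAIL;

    for (i = n; i > 0; i--)
        diff_bwd |= (uint8_t)(a[i - 1] ^ b[i - 1]);
    if (i != 0)                 /* loop counter integrity check */
        return CHECK_FAIL;

    /* Both passes must agree; a disagreement signals an injected fault. */
    if (diff_fwd != diff_bwd)
        return CHECK_FAIL;
    if (diff_fwd != 0)
        return CHECK_FAIL;
    if (diff_bwd != 0)          /* deliberately redundant, not dead code */
        return CHECK_FAIL;
    return CHECK_OK;
}

/* Caller-side redundancy: test for CHECK_OK and for the absence of
 * CHECK_FAIL separately, with the operands swapped between the two calls,
 * so a glitched branch in one test is caught by the other. Returns 1 if equal. */
int verify_mac(const uint8_t *expected, const uint8_t *actual, size_t n)
{
    uint8_t r1 = hardened_compare(expected, actual, n);
    uint8_t r2 = hardened_compare(actual, expected, n);
    if (r1 != CHECK_OK) return 0;
    if (r2 == CHECK_FAIL) return 0;
    if (r1 != r2) return 0;
    return 1;
}
```

Redundancy of this kind raises the number of precisely timed faults needed to flip a decision; it complements, rather than replaces, a hardware voltage-glitch detector.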
Of course, VoltPillager requires physical access to the CPU. Intel’s answer to VoltPillager is
“… opening the case and tampering of internal hardware to compromise SGX is out of scope for SGX threat model.”
This assumption of the threat model may be valid in many scenarios. Unfortunately, tampering with hardware is in the scope of the content protection threat model.
A thrilling paper that reminds us that software runs on hardware, and hardware is difficult to secure.
[1] Z. Chen, G. Vasilakis, K. Murdock, E. Dean, D. Oswald, and F. Garcia, “VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface.” Nov. 2020, [Online]. Available: https://www.usenix.org/system/files/sec21summer_chen-zitai.pdf.
[2] “Teensy USB Development Board.” https://www.pjrc.com/teensy/.
[3] “Plundervolt.” https://plundervolt.com/.