
It’s been a while since we’ve heard of a new side-channel vulnerability for Intel chips. The latest is something to be concerned about because unlike many others, it can be done remotely without physical access, albeit with effort and skill. DSOG (via Phoronix) has reported on PLATYPUS (Power Leakage Attacks: Targeting Your Protected User Secrets).

Researchers from around the world worked together to discover this new vulnerability, which functions like something out of a spy novel. It has been known that monitoring power fluctuations of devices can provide information about particular functions or commands, but up until now, getting detailed readings often required an oscilloscope. In the effort to increase processor efficiency, Intel had introduced a new tool called RAPL (Running Average Power Limit). By using built-in sensors on the chip, RAPL allows monitoring of power usage by the chip. In turn, an attacker can decipher loaded data from the CPU with these readings. The University of Graz has created a site with detailed information about this.

PLATYPUS

Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values. PLATYPUS can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys from Intel SGX enclaves and the Linux kernel, and establish a timing-independent covert channel.

With SGX, Intel released a security feature to create isolated environments, so-called enclaves, that are secure even if the operating system is compromised. In our work, we combine PLATYPUS with precise execution control of SGX-Step. As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by mbed TLS from an SGX enclave.

As terrifying as this vulnerability is, Intel has already begun rolling out microcode for it. Security updates can be found on GitHub, which also includes a number of other fixes. Those interested in the official paper can read the PDF here. It should also be noted that this vulnerability can affect x86 processors from both Intel and AMD, but on AMD, RAPL works differently, as do the privilege and access levels needed to execute this attack; the details are in the PDF. Since this attack directly targets the CPU, no OS is exempt from it, either. The best solution is to get the microcode update for your processor, but Microsoft and Apple should be rolling out their own updates as well. Linux has already done so.
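A quick way to check that the Linux side of the fix is in place, as an added example that is not from the article or the researchers: the kernel mitigation made the RAPL energy_uj counters under /sys/class/powercap readable by root only, so a counter that group or other users can still read points to an unpatched kernel or a local permission override. The sysfs path and the function name are not taken from the article.

```python
import os
import stat
import sys

# Linux powercap sysfs tree that exposes RAPL zones (path not named in the article).
POWERCAP_ROOT = "/sys/class/powercap"


def find_exposed_energy_counters(root=POWERCAP_ROOT):
    """Return [(path, mode)] for each energy_uj file readable by non-root users."""
    exposed = []
    if not os.path.isdir(root):
        return exposed  # powercap driver not loaded: nothing to audit
    # Every zone and subzone (intel-rapl:0, intel-rapl:0:0, ...) is listed
    # directly under the class directory, so one level is enough.
    for zone in sorted(os.listdir(root)):
        counter = os.path.join(root, zone, "energy_uj")
        try:
            st = os.stat(counter)
        except OSError:
            continue  # control-type entries such as "intel-rapl" have no counter
        # A group or other read bit lets an unprivileged process sample power.
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((counter, stat.S_IMODE(st.st_mode)))
    return exposed


if __name__ == "__main__":
    findings = find_exposed_energy_counters()
    for path, mode in findings:
        print(f"EXPOSED {path} mode={mode:04o}")
    if not findings:
        print("no RAPL energy counter is readable by unprivileged users")
    sys.exit(1 if findings else 0)
```

The script exits non-zero when it finds an exposed counter, so it can run as a compliance check across a fleet.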

Peter Brosdahl



4 Comments

  1. Well **** how much more performance do we lose for patching this one?!

    No word on that, but I was thinking that a funny before/after meme, after all these are done and x86 finally becomes secure, should show an off-road truck doing something epic and then a unicycle traversing a crosswalk. At this point getting an old x86 that hasn’t had any microcode updates could be worth some money just for bench comparison. I imagine they’re going to be hard to find after a while.

  2. The microcode updates as I understand them are at the BIOS level right?

    Firmware/BIOS I believe. Since coming directly from Intel it would make sense. I haven’t actually tried it yet so I don’t really know for sure. One thing I saw in the PDF is that this goes all the way back to Sandy Bridge when RAPL was rolled out. Have to check out GitHub for more documentation on them. Intel probably has something, somewhere, on their site as well.
