It’s been a while since we’ve heard of a new side-channel vulnerability for Intel chips. The latest is something to be concerned about because unlike many others, it can be done remotely without physical access, albeit with effort and skill. DSOG (via Phoronix) has reported on PLATYPUS (Power Leakage Attacks: Targeting Your Protected User Secrets).
Researchers from around the world worked together to discover this new vulnerability, which functions like something out of a spy novel. It has been known that monitoring power fluctuations of devices can provide information about particular functions or commands, but up until now, getting detailed readings often required an oscilloscope. In the effort to increase processor efficiency, Intel had introduced a new tool called RAPL (Running Average Power Limit). By using built-in sensors on the chip, RAPL allows monitoring of power usage by the chip. In turn, an attacker can decipher loaded data from the CPU with these readings. The University of Graz has created a site with detailed information about this.
Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values. PLATYPUS can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys from Intel SGX enclaves and the Linux kernel, and establish a timing-independent covert channel.
With SGX, Intel released a security feature to create isolated environments, so-called enclaves, that are secure even if the operating system is compromised. In our work, we combine PLATYPUS with precise execution control of SGX-Step. As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by mbed TLS from an SGX enclave.
As terrifying as this vulnerability is, Intel has already begun rolling out microcode for it. Security updates can be found on GitHub, which also includes a number of other fixes. Those interested in the official paper can read the PDF here. It should also be noted this vulnerability can affect x86 processors for both Intel and AMD, but with AMD, RAPL works differently, as does the privilege and access levels needed to execute this attack. It is detailed in the PDF. Since this attack directly targets the CPU, there’s no OS exempt from it, either. The best solution is to get the microcode update for your appropriate processor, but Microsoft and Apple should be rolling out their own updates as well. Linux has already done so.