Re-volting: AMD Secure Encrypted Virtualization undone by electrical attack

AMD's Secure Encrypted Virtualization (SEV) scheme is not as secure as its name suggests. Boffins from the Technische Universität Berlin have devised an attack that defeats the primary purpose of this silicon safe room technology: protecting the data in virtual machines from rogue administrators in cloud environments. In a …

  1. batfink Silver badge

    Really?

    This is just another story pointing out that if someone with the right knowledge has physical access to your machines then you're fucked. This one's just a new flavour of fucked.

    1. Will Godfrey Silver badge
      Black Helicopters

      Re: Really?

      Not just access, but prolonged dismantling and internal interference without anyone noticing.

      Hmmm. I wonder if there is some organisation (with a reputation for dirty tricks) that might be promoting this kind of research.

      1. Mike 137 Silver badge

        Re: Really?

        "I wonder if there is some organisation ... that might be promoting this kind of research."

        Actually I think it's primarily because most attacks are perpetrated via bleeding obvious commonplace ages-old vectors, so the researchers have to find something new and interesting to occupy themselves with.

        It would be preferable if they could focus their efforts on finding ways to eliminate the bleeding obvious commonplace ages-old vectors.

        There's an episode of The Man from Uncle from 1962, in which an agent is tasked with finding ways to disrupt the organisation from outside. It turns out to be seriously easy - his final summing up is that they had taken great pains to protect themselves from obscure and esoteric attacks but had left themselves wide open to the commonplace. Still the case 59 years later?

        1. Yet Another Anonymous coward Silver badge

          Re: Really?

          >eliminate the bleeding obvious commonplace ages-old vectors

          Perhaps also by attaching wires and manipulating voltages?

      2. Roland6 Silver badge

        Re: Really?

        >Not just access, but prolonged dismantling and internal interference without anyone noticing.

        You mean, with the ability to intercept the delivery of new hardware and working on the premise that no one opening up a system would see the piggyback assembly.

    2. A Non e-mouse Silver badge

      Re: Really?

      Obligatory XKCD.

      1. Belperite
        Big Brother

        Re: Really?

        Or in the UK: Give us your passwords and passphrases or you're going to prison.

    3. Doctor Syntax Silver badge

      Re: Really?

      And with that degree of access there are very likely a lot of easier ways.

    4. MacroRodent Silver badge

      Re: Really?

      The whole point of SEV is to defend against an untrustworthy host (either because its owner is evil, or his organization has been penetrated by some three-letter agency). So it should resist also physical attacks.

      1. Anonymous Coward

        Re: Really?

        >The whole point of SEV is to defend against an untrustworthy host

        This is a misconception. SEV is not designed to allow you to run guests on an untrusted host.

        SEV is meant to protect against a relatively narrow set of threats mainly focused on the use of persistent memory technology. Most security models assume that RAM is transient, so that (barring relatively exotic "cold boot" attacks) once the machine is unplugged anything sensitive in memory is protected by virtue of being lost.

        This is really important when thinking about things like theft of machines with encrypted disks - keys in memory are usually deemed to be lost if/when the machine is disconnected to be stolen. If your platform is using persistent memory then this element of your protection is lost. Therefore some mechanism to reliably encrypt memory is needed, therefore SEV.

        However this is still a significant attack on SEV. If you can extract the keys from the SP with $40 of then SEV is in turn pointless. Reading the paper it looks like this can be done long after the machine has been pinched, because they've comprehensively broken the SP.

        1. Anonymous Coward

          Re: Really?

          What you say may be right, but this is not how AMD is selling it, they definitely claim it protects against unauthorized host access, as it's rather easy to find:

          "An attacker with hypervisor administrator access or a compromised VM account may try to read the memory of other virtual machines. With SEV, the attacker sees only encrypted data."

          https://www.amd.com/system/files/documents/trusted-cloud-winmagic-amd-epyc-hardware-memory-encryption.pdf

    5. martyn.hare
      Happy

      This isn’t a big deal if folks do things right…

      Since to implement any kind of tamper proofing to offer this kind of security, separation of roles is required anyway. Your system administrators should not be the same people who have physical datacentre access and your datacentre staff should not have a working interactive login to the automatically provisioned OS which should be making good use of network-based decryption with rate-limiting…

      Ideally, the people with physical access should know nothing about which software runs on which host, meaning there’s no way to know what would be accessible by trying to compromise a given physical server. At the same time the majority of people with remote access should be restricted from knowing too many details about the physical servers themselves.

      This way, most people cannot collude to undermine VM shielding.

      Last I checked, Microsoft and Google both utilise these measures alongside 24/7 surveillance.

  2. elsergiovolador Silver badge

    Vector

    The less you pay the admins, the more likely you'll get someone screwing up.

    1. Anonymous Coward

      Re: Vector

      Poor BOFHs need to make their living too.

  3. Sgt_Oddball Silver badge
    Paris Hilton

    Would it just not..

    Be cheaper/easier at scale/convenient to just include those chips in the motherboard building process?

    Especially since it removed the need to physically access the device, compromise an admin or otherwise have a fleshy involved at the thin end of wedge/hack?

    1. Anonymous Coward

      Re: Would it just not..

      Like when the motherboard is outsourced to some cheap-labour place?

      where some sleeper chips would be implanted

      no no no!

      nooobody would allow this!

      hahaha hohoho hehehe....

  4. Must contain letters

    Add a layer of security and someone peels it off again

    This may require physical access, which for many is seen as sufficient protection, but it does highlight that today ordinary boffins (tm) can peel the security layers off and obtain the keys that years ago would have required super hero boffins who had access to state level electron microscopy and large vats of very strong acids to uncover.

  5. mihares
    Joke

    Attach wires

    Exactly at that point my stoke level for this vuln dropped very near the floor…

  6. Sparkus Bronze badge

    A return to...

    on-die voltage regulators and integrated SoCs even for run-of-the-mill PC applications.....

  7. Henry Wertz 1 Gold badge

    More likely scenario

    More likely scenario to me would be having the AMD kit used in some ATM or slot machine, and this attack could be used to try to recover keys and so on. Still pretty contrived, you'd have to either have nobody notice you've cracked the ATM open and are running wires into it (or even less likely, a casino where they don't notice this) -- or have access to a machine you've carried off.

    In the distant past, IBM had a crypto processor for ATMs on a card, it had X-Ray detection, and physical tamper detection, including a battery backup so cutting power first didn't help, self-destructing if either were detected. They still make tamper-resistant modules for ATMs and such, I just don't know what specific anti-tamper measures they have, it does include protection against voltage manipulation though (... I suppose a fancy way of saying it has some fat capacitors on-board, or shuts off if voltage is out of spec, or both.)

    I suppose this gives notice that someone who is tempted to replace a crypto processor with some key storage by AMD SEV, don't.

Biting the hand that feeds IT © 1998–2021