This is just another story pointing out that if someone with the right knowledge has physical access to your machines then you're fucked. This one's just a new flavour of fucked.
AMD's Secure Encrypted Virtualization (SEV) scheme is not as secure as its name suggests. Boffins from the Technische Universität Berlin have devised an attack that defeats the primary purpose of this silicon safe room technology: protecting the data in virtual machines from rogue administrators in cloud environments. In a …
"I wonder if there is some organisation ... that might be promoting this kind of research."
Actually I think it's primarily because most attacks are perpetrated via bleeding obvious commonplace ages-old vectors, so the researchers have to find something new and interesting to occupy themselves with.
It would be preferable if they could focus their efforts on finding ways to eliminate the bleeding obvious commonplace ages-old vectors.
There's an episode of The Man from U.N.C.L.E. from 1962, in which an agent is tasked with finding ways to disrupt the organisation from outside. It turns out to be seriously easy - his final summing up is that they had taken great pains to protect themselves from obscure and esoteric attacks but had left themselves wide open to the commonplace. Still the case 59 years later?
> The whole point of SEV is to defend against an untrustworthy host
This is a misconception. SEV is not designed to allow you to run guests on an untrusted host.
SEV is meant to protect against a relatively narrow set of threats mainly focused on the use of persistent memory technology. Most security models assume that RAM is transient, so that (barring relatively exotic "cold boot" attacks) once the machine is unplugged anything sensitive in memory is protected by virtue of being lost.
This is really important when thinking about things like theft of machines with encrypted disks - keys in memory are usually deemed to be lost if/when the machine is disconnected to be stolen. If your platform is using persistent memory then this element of your protection is lost. Therefore some mechanism to reliably encrypt memory is needed, therefore SEV.
However this is still a significant attack on SEV. If you can extract the keys from the SP with $40 of then SEV is in turn pointless. Reading the paper it looks like this can be done long after the machine has been pinched, because they've comprehensively broken the SP.
What you say may be right, but this is not how AMD is selling it; they definitely claim it protects against unauthorized host access, as it's rather easy to find:
"An attacker with hypervisor administrator access or a compromised VM account may try to read the memory of other virtual machines. With SEV, the attacker sees only encrypted data."
To implement any kind of tamper proofing that offers this kind of security, separation of roles is required anyway. Your system administrators should not be the same people who have physical datacentre access, and your datacentre staff should not have a working interactive login to the automatically provisioned OS, which should be making good use of network-based decryption with rate-limiting…
Ideally, the people with physical access should know nothing about which software runs on which host, meaning there’s no way to know what would be accessible by trying to compromise a given physical server. At the same time the majority of people with remote access should be restricted from knowing too many details about the physical servers themselves.
This way, most people cannot collude to undermine VM shielding.
Last I checked, Microsoft and Google both utilise these measures alongside 24/7 surveillance.
This may require physical access, which for many is seen as sufficient protection, but it does highlight that today ordinary boffins (tm) can peel the security layers off and obtain the keys that years ago would have required super hero boffins who had access to state level electron microscopy and large vats of very strong acids to uncover.
A more likely scenario to me would be having the AMD kit used in some ATM or slot machine, where this attack could be used to try to recover keys and so on. Still pretty contrived: you'd have to either have nobody notice you've cracked the ATM open and are running wires into it (or, even less likely, a casino where they don't notice this) -- or have access to a machine you've carried off.
In the distant past, IBM had a crypto processor for ATMs on a card; it had X-ray detection and physical tamper detection, including a battery backup so cutting power first didn't help, and it self-destructed if either was detected. They still make tamper-resistant modules for ATMs and such; I just don't know what specific anti-tamper measures they have. It does include protection against voltage manipulation, though (... I suppose a fancy way of saying it has some fat capacitors on-board, or shuts off if voltage is out of spec, or both.)
I suppose this gives notice to anyone who is tempted to replace a crypto processor with some key storage backed by AMD SEV: don't.
Biting the hand that feeds IT © 1998–2021