VoltPillager: Researchers Compromise Intel SGX With Hardware-Based Undervolting Attack
Two years ago Plundervolt was widely publicized for compromising Intel's SGX security by manipulating the CPU frequency/voltage as able to through software interfaces. By carefully undervolting the Intel CPUs when executing enclave computations they were able to ultimately compromise the integrity of SGX.
The impact of Plundervolt was already limited as typically the software needs root/administrative rights to access the CPU voltage/frequency MSRs or other kernel interfaces for manipulating them. But in response to Plundervolt, motherboard vendors began offering options to allow disabling voltage/frequency interface controls on their systems. Following Plundervolt, security researchers at the University of Birmingham in the UK began exploring a hardware-based attack on SGX.
With the assembled "Voltpillager" device and latching onto the motherboard's VR responsible for the CPU voltage, they were able to mount fault-injection attacks to again break the integrity of SGX. With this ~$30 device they were able to run proof-of-concept attacks against crypto algorithms within SGX. Yes, this is a sophisticated attack and not as easy as say plugging in a compromised USB/Thunderbolt device with the Voltpillager needing to be carefully attached to the proper voltage regulator, but researchers have found this method to be successful even with Plundervolt safeguards enabled.
This VoltPillager device is based on a Teensy microcontroller. The researchers behind this effort are formally presenting their research at the Usenix Security 2021 conference in August, but this weekend at the virtual FOSDEM conference their findings were shared as well. Their pre-publication paper on VoltPillager was published last November and can be found via Usenix.org but at the time didn't receive much attention.
As for this weekend's FOSDEM Online event, see this slide deck (PDF) for those interested in VoltPillager for their hardware-based under-volting attack on Intel SGX.
If it's not clear enough already, VoltPillager requires obvious hardware access to the system's motherboard and to carefully attach it to the proper VR for a particular motherboard -- so even while Plundervolt's scope was limited in needing root/admin access to the local system, VoltPillager is much more limited. Per the FOSDEM presentation, Intel responded to the researchers that tampering with the internal hardware to compromise SGX is "out of scope for SGX threat model" and prior Plundervolt mitigations were not designed for hardware-based attacks.
More of the VoltPillager research can be found on GitHub.