For the past 26 months, Intel and other CPU makers have been assailed by Spectre, Meltdown, and a steady flow of follow-on vulnerabilities that make it possible for attackers to pluck passwords, encryption keys, and other sensitive data out of computer memory. On Tuesday, researchers disclosed a new flaw that steals information from Intel’s SGX, short for Software Guard eXtensions, which acts as a digital vault for securing users most sensitive secrets.
On the surface, Load Value Injection, as researchers have named their proof-of-concept attacks, works in ways similar to the previous vulnerabilities and accomplishes the same thing. All of these so-called transient-execution flaws stem from speculative execution, an optimization in which CPUs attempt to guess future instructions before they’re called. Meltdown and Spectre were the first transient execution exploits to become public. Attacks named ZombieLoad, RIDL, Fallout, and Foreshadow soon followed. Foreshadow also worked against Intel’s SGX.
Breaking the vault
Load Value Injection, or LVI for short, is especially important because the exploit allows for the raiding of secrets stored in the SGX enclave, the name often used for Intel’s Software Guard eXtensions. Apps that work with encryption keys, passwords, digital rights management technology, and other secret data often use SGX to run in a fortified container known as a trusted execution environment. LVI can also steal secrets out of other regions of a vulnerable CPU.
Released in 2015, SGX also creates isolated environments inside memory called enclaves. SGX uses strong encryption and hardware-level isolation to ensure the confidentiality of data and code and to prevent them from being tampered with. Intel designed SGX to protect apps and code even when the operating system, hypervisor, or BIOS firmware is compromised.
In the video below, researchers who discovered LVI show how an exploit can steal a secret encryption key protected by the SGX.
Intel has a list of affected processors here. Chips that have hardware fixes for Meltdown aren’t vulnerable. Exploitation may also be hindered by some defensive measures built into hardware or software that protect against null pointer dereference bugs. Some Linux distributions, for instance, don’t allow the mapping of a virtual address zero in user space. Another mitigation example: recent x86 SMAP and SMEP architectural features further prohibit user-space data and code pointer dereferences respectively in kernel mode. “SMAP and SMEP have been shown to also hold in the microarchitectural transient domain,” the researchers said.
Poisoning the processor
As its name suggests, LVI works by injecting attacker data into a running program and stealing sensitive data and keys it’s using at the time of the attack. The malicious data flows through hidden processor buffers into the program and hijacks the execution flow of an application or process. With that, the attacker’s code can acquire the sensitive information. It’s not possible to fix or mitigate the vulnerability inside the silicon, leaving the only mitigation option for outside developers to recompile the code their apps use. The team of researchers who devised the LVI exploit said that compiler mitigations come with a considerable hit to system performance.
“Crucially, LVI is much harder to mitigate than previous attacks, as it can affect virtually any access to memory,” the researchers wrote in an overview of their research. “Unlike all previous Meltdown-type attacks, LVI cannot be transparently mitigated in existing processors and necessitates expensive software patches, which may slow down Intel SGX enclave computations 2 up to 19 times.”
LVI reverses the exploitation process of Meltdown. Whereas Meltdown relies on an attacker probing memory offsets to infer the contents of in-flight data, LVI turns the flow around by injecting data that poisons hidden processor buffer (specifically the line fill buffer) with attacker values. From there, the attacker can hijack a process and access the data it uses.
LVI-based attacks aren’t likely to be used against consumer machines, because the attacks are extremely difficult to carry out and there are generally much easier ways to obtain confidential information in home and small business settings. The most likely attack scenario is a cloud-computing environment that allocates two or more customers to the same CPU. While hypervisors and other protections normally cordon off data belonging to different customers, LVI could in theory pluck out any data or code stored in SGX environments, as well as other regions of a vulnerable CPU.
In a statement, Intel officials wrote:
Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue.
To mitigate the potential exploits of Load Value Injection (LVI) on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery.
The chipmaker has published this deep dive.
LVI primarily works against Intel CPUs, but it also affects other chips that are vulnerable to meltdown. Non-Intel CPUs that have been shown to be vulnerable to Meltdown include those based on the ARM design. It’s not currently known what specific ARM chips are affected.
The team that first identified the LVI vulnerabilities included researchers from imec-DistriNet, KU Leuven, Worcester Polytechnic Institute, Graz University of Technology, the University of Michigan, the University of Adelaide, and Data61. Researchers from Romanian security firm Bitdefender later discovered the vulnerability after the earlier team had already reported it to Intel. The first team has published information here. Bitdefender has details here, here, and here. Proof-of concept code is here and here.
Some restrictions apply
The difficulty in carrying out LVI attacks isn’t the only limitation. The data the attacks can acquire is also restricted to that stored at the time the malicious code is executed. That makes exploits either a game of luck or further adds to the rigorous requirements for exploitation. For those reasons, many researchers say they’re unsure exploits will ever be used in active malicious attacks.
Not all researchers share that assessment. Bogdan Botezatu, senior e-threat analyst at Bitdefender, said that the growing body of research showing how to exploit speculative execution may pave the way for use by real-world attackers, particularly those from nation-states targeting specific people.
“There are more people involved in this kind research who are good guys,” Botezatu told me. “Chances are the bad guys are also actively looking into the CPU issue. Which makes me think that, at some point, with enough scrutiny, this will not be solely an academic topic. It will become a viable tool to exploit in the wild.”