
Presentation

"OOPS!": Out-Of-Band Remote Power Side-Channel Attacks on Intel SGX and TDX
Description

Prior work shows that remote power attacks on Intel processors are possible through two Model Specific Registers (MSRs): MSR_PKG_Energy_Status and MSR_PP0_Energy_Status. In response, Intel introduced a defence: a bit in the MSR IA32_MISC_PACKAGE_CTLS lets users enable or disable a "filtering" mechanism that adds extra noise to energy measurements, making remote power attacks infeasible.

In this work, we demonstrate that "filtering" does not cover all possible avenues of measuring power. Intel server-grade platforms contain components such as the out-of-band management interface (OOB) that also expose telemetry, including in-band energy consumption. To exploit this, we first reverse engineer the protocol over which OOB communicates with in-band components. We then show how OOB allows read-only access to the Package Configuration Space (PCS) and note that energy readings obtained through PCS fall outside the scope of filtering.

Using this, we re-enable remote power side-channels on Intel SGX and TDX running on Intel Sapphire Rapids. We first construct a synchronization mechanism that aligns in-band execution with out-of-band measurements by leveraging deliberately disabled MSRs. We then use energy readings through OOB PCS to recover 2048-bit RSA keys from MbedTLS running inside in-band Intel SGX and TDX (under a generic single-stepping assumption). Finally, we also leak AES-NI keys from within in-band Intel SGX and TDX (without any single-stepping assumption).

Prior to our work, the side-channel literature has focused on attacks that leverage in-band interfaces. Our work establishes the importance of evaluating confidential computing architectures against attack vectors that combine the abilities of in-band and out-of-band interfaces to achieve adversarial objectives that neither interface can achieve on its own.
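The abstract's central point is that a per-reading noise "filter" suppresses a power side-channel only on the reading paths it covers. The Python simulation below is an added example, not code from the paper or its authors: it runs a standard Welch's t-test leakage assessment (as used in TVLA-style evaluations) over constructed energy-delta samples and shows that the same two operations are clearly distinguishable through an unfiltered reading path and hidden once per-read noise is injected. The operation costs, noise levels and the 4.5 threshold are assumptions chosen for illustration; nothing here reads a real MSR, PCS or OOB interface.

```python
"""Leakage-assessment simulation for energy-counter readings (added example).

Constructed data only: the 'energy deltas' below are synthetic numbers, not
measurements from any MSR, PCS or OOB interface. The point is to show why a
per-read noise 'filter' blunts a power side-channel and why a reading path
that bypasses the filter restores it.
"""
import math
import random

T_THRESHOLD = 4.5  # conventional TVLA threshold for "distinguishable"


def welch_t(a, b):
    """Welch's t-statistic between two independent sample sets."""
    n_a, n_b = len(a), len(b)
    mean_a = sum(a) / n_a
    mean_b = sum(b) / n_b
    var_a = sum((x - mean_a) ** 2 for x in a) / (n_a - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (n_b - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / n_a + var_b / n_b)


def synthetic_energy_deltas(op_cost, n, rng, filter_noise_sd=0.0, base_noise_sd=0.1):
    """Energy-counter deltas for n runs of an operation with (constructed) cost op_cost.

    base_noise_sd models ordinary measurement jitter; filter_noise_sd models the
    extra noise a filtering mechanism injects into each reading (0.0 = unfiltered).
    """
    return [op_cost + rng.gauss(0.0, base_noise_sd) + rng.gauss(0.0, filter_noise_sd)
            for _ in range(n)]


def assess_leakage(filter_noise_sd, n=200, seed=1):
    """Return (|t|, distinguishable) for two hypothetical operations whose true
    energy costs differ by 1.0 unit (assumed values), measured n times each."""
    rng = random.Random(seed)
    op_a = synthetic_energy_deltas(10.0, n, rng, filter_noise_sd)
    op_b = synthetic_energy_deltas(11.0, n, rng, filter_noise_sd)
    t = abs(welch_t(op_a, op_b))
    return t, t > T_THRESHOLD


if __name__ == "__main__":
    for label, sd in (("unfiltered reading path", 0.0), ("filtered reading path", 100.0)):
        t, leaks = assess_leakage(sd)
        print(f"{label}: |t| = {t:.1f} -> {'distinguishable' if leaks else 'hidden'}")
```

The same assessment applied to a second, unfiltered telemetry path is exactly the check a platform evaluator would want: if any reading path yields |t| above the threshold, the filter on the other paths does not close the channel.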
Event Type: Research Manuscript
Time: Monday, June 23, 2:00pm - 2:15pm PDT
Location: 3006, Level 3
Topics: Security
Tracks: SEC3: Hardware Security: Attack & Defense