Researchers in Austria have discovered a vulnerability in Intel processors that uses a power meter built into the chips.
The team at Graz University of Technology exploited unprivileged access to that meter: by observing the processor's power consumption, they were able to infer processed data and extract cryptographic keys.
With classical power side channel attacks, an adversary typically attaches an oscilloscope to monitor the energy consumption of a device. With the Intel Sandy Bridge CPUs in 2015, Intel introduced the Running Average Power Limit (RAPL) interface that allows monitoring and controlling the power consumption of the CPU and DRAM in software. Unfortunately, the current implementation of the Linux driver gives every unprivileged user access to its measurements, and the team developed a tool called Platypus to demonstrate the risks.
Luckily, the RAPL interface updates far less often than a real oscilloscope samples: RAPL has a bandwidth of 20 kHz, whereas oscilloscopes operate in the range of multiple GHz. Moreover, the reported values are filtered with a running average, making it harder to infer any useful data from them.
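The practical question for an administrator is whether the RAPL energy counters on a given Linux machine are still readable by unprivileged users. The following script is an added illustration, not code from the Graz researchers or the Platypus project. It assumes the standard Linux powercap sysfs layout (energy_uj files in microjoules under /sys/class/powercap, each with a max_energy_range_uj wrap point), audits the permission bits of every energy_uj file it finds, and shows how two counter readings are turned into an average power figure, including the counter wraparound that a naive subtraction gets wrong.

```python
"""Audit Intel RAPL exposure through the Linux powercap sysfs interface.

Added example; not code from the Platypus team or the Linux kernel.
Assumptions (not from the article): the sysfs layout
/sys/class/powercap/intel-rapl*/.../energy_uj, a sibling
max_energy_range_uj giving the counter's wrap point, and the usual
convention that a world-readable counter is the exposed configuration.
"""
from __future__ import annotations

import stat
from pathlib import Path

POWERCAP_ROOT = Path("/sys/class/powercap")  # assumed standard location


def is_world_readable(mode: int) -> bool:
    """True if the permission bits let any local user read the file."""
    return bool(mode & stat.S_IROTH)


def exposed_energy_counters(file_modes: dict[str, int]) -> list[str]:
    """Given {path: st_mode}, return the energy_uj files an unprivileged
    user could read. Pure function so it can be checked without sysfs."""
    return sorted(
        path for path, mode in file_modes.items()
        if path.endswith("energy_uj") and is_world_readable(mode)
    )


def audit_rapl_exposure(root: Path = POWERCAP_ROOT) -> list[str]:
    """Walk the powercap tree (if present) and report exposed counters."""
    if not root.exists():
        return []
    modes = {str(p): p.stat().st_mode for p in root.glob("**/energy_uj")}
    return exposed_energy_counters(modes)


def average_power_watts(e0_uj: int, e1_uj: int, dt_s: float,
                        max_range_uj: int) -> float:
    """Average power between two energy_uj readings taken dt_s apart.

    The counter is monotonic but wraps after max_range_uj, so a second
    reading smaller than the first means a wrap occurred in between.
    """
    if dt_s <= 0:
        raise ValueError("time delta must be positive")
    delta_uj = e1_uj - e0_uj
    if delta_uj < 0:
        delta_uj += max_range_uj  # undo the wrap (approximation: range, not range+1)
    return delta_uj / 1_000_000 / dt_s


if __name__ == "__main__":
    exposed = audit_rapl_exposure()
    if exposed:
        print("RAPL energy counters readable by unprivileged users:")
        for path in exposed:
            print("  ", path)
    else:
        print("No world-readable RAPL energy counters found (or no powercap sysfs).")

    # Constructed sample readings, 1 ms apart, to show the conversion.
    print("sample power:", average_power_watts(1_000_000, 1_015_000, 0.001,
                                               262_143_328_850), "W")
```

Run it as an ordinary user; an empty result means either the counters are restricted to root (the behaviour of patched kernels) or the machine has no powercap interface at all. The wrap handling matters for long-running monitors, since the 32-bit hardware counter behind energy_uj rolls over after a few minutes of sustained load.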
The team used the Platypus tool to look at variations in power consumption in order to distinguish between different instructions, and between different operand weights and memory loads, allowing inference of the loaded values. The tool can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys and establish an independent covert channel through the chip.
The most significant target of this exploit is Intel’s Software Guard eXtensions (SGX), which creates isolated regions of the computer's memory called enclaves. SGX acts like a secure vault inside the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).
The researchers combined the Platypus power analysis tool with precise execution control of SGX-Step. This overcame the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, the team recovered RSA keys processed by mbed TLS from an SGX enclave.