ROOTs 2020: Exploiting Interfaces of Secure Encrypted Virtual Machines – Martin Radev
Cloud computing is a convenient model for processing data remotely. However, users must trust their cloud provider with the confidentiality and integrity of the stored and processed data. To increase the protection of virtual machines, AMD introduced SEV, a hardware feature which aims to protect code and data in a virtual machine. This allows to store and process sensitive data in cloud environments without the need to trust the cloud provider or the underlying software.
However, the virtual machine still depends on the hypervisor for performing certain activities, such as the emulation of special CPU instructions, or the emulation of devices. Yet, most code that runs in virtual machines was not written with an attacker model which considers the hypervisor as malicious.
In this work, we introduce a new class of attacks in which a malicious hypervisor manipulates external interfaces of an SEV or SEV-ES virtual machine to make it act against its own interests. We start by showing how we can make use of virtual devices to extract encryption keys and secret data of a virtual machine. We then show how we can reduce the entropy of probabilistic kernel defenses in the virtual machine by carefully manipulating the results of the CPUID and RDTSC instructions. We continue by showing an approach for secret data exfiltration and code injection based on the forgery of MMIO regions over the VM’s address space. Finally, we show another attack which forces decryption of the VM’s stack and uses Return Oriented Programming to execute arbitrary code inside the VM.
While our approach is also applicable to traditional virtualization environments, its severity significantly increases with the attacker model of SEV-ES, which aims to protect a virtual machine from a benign but vulnerable hypervisor.
We asked Martin a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- We present four different attacks on the AMD SEV-ES-protected VMs
- Each attack tricks the VM to act against its own interests
- One of the code execution attacks builds on top of traditional exploitation techniques such as ROP
- All issues were/will be fixed with Linux 5.10
- For one of the PoC demonstrations, we present a horribly rendered, but authentic, demoscene tunnel effect
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
We were working on another SEV-related project, and during this time I was reading through the AMD CPU manuals and SEV-ES implementation in Linux. The presented security issues in the paper were all discovered on-the-go, one after the other and unsystematically.
Why do you think this is an important topic?
Privacy computing is becoming more common on desktop and server CPUs with the help of Trusted Execution Environments. Such solutions have the high goal of protecting secret data in a hostile environment without introducing great inconveniences to the user. Our work showcases issues in re-purposing a large code base (Linux) to an elevated threat model for which a system component (hypervisor) is no longer trusted.The results show the obvious fact that transmitted information over any existing previously trusted communication channel would now have to be carefully validated. This concept carries over to other system designs and TEE solutions.
Is there something you want everybody to know – some good advice for our readers maybe?
Our paper and talk provide some technical details on the implementation of the AMD SEV features and on virtualization with AMD CPUs.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Our work presents the first attacks which exploit the software running inside the VM, not the design limitations of the protection feature. With the future introduction of the AMD SEV-SNP feature, we expect future exploits to also target explicitly the software running in the VM.
Martin Radev is a graduating M.Sc. student in Informatics at the Technical University of Munich, as well as a student assistant at the Fraunhofer Institute for Applied and Integrated Security. His current interests reside in system programming and security but has previously worked on various graphics (demoscene) and data compression projects, and on GPU drivers.