With Great Power comes Great Leakage
With PLATYPUS, we present novel software-based power side-channel attacks on Intel server, desktop and laptop CPUs. We exploit the unprivileged access to the Intel RAPL interface exposing the processor's power consumption to infer data and extract cryptographic keys.
PLATYPUS in Action
The Power Meter within the CPU. Intel RAPL.
With classical power side-channel attacks, an adversary typically attaches an oscilloscope to monitor the energy consumption of a device. Since Intel Sandy Bridge CPUs, the Intel Running Average Power Limit (RAPL) interface allows monitoring and controlling the power consumption of the CPU and DRAM in software. Hence, the CPU basically comes with its own power meter. With the current implementation of the Linux driver, every unprivileged user has access to its measurements.
Luckily, the update interval of the RAPL interface is low compared to real oscilloscopes. The RAPL interface has a bandwidth of 20 kHz, whereas oscilloscopes are in the range of multiple GHz. Moreover, the values are filtered using a running average, making it harder to infer secrets.
PLATYPUS. Finding Secrets in the Dark.
Platypuses are fascinating animals: While they are mammals, they also lay eggs, and males can detect electrical signals with their bill. Likewise to the Platypus that uses its ability to find food even in complete darkness, we sense secrets in the processor's energy measurements using Intel RAPL.
Using PLATYPUS, we demonstrate that we can observe variations in the power consumption to distinguish different instructions and different Hamming weights of operands and memory loads, allowing inference of loaded values. PLATYPUS can further infer intra-cacheline control flow of applications, break KASLR, leak AES-NI keys from Intel SGX enclaves and the Linux kernel, and establish a timing-independent covert channel.
With SGX, Intel released a security feature to create isolated environments, so-called enclaves, that are secure even if the operating system is compromised. In our work, we combine PLATYPUS with precise execution control of SGX-Step. As a result, we overcome the hurdle of the limited measuring capabilities of Intel RAPL by repeatedly executing single instructions inside the SGX enclave. Using this technique, we recover RSA keys processed by mbed TLS from an SGX enclave.
Protecting against PLATYPUS. Fixing RAPL.
On Linux, the powercap framework provides unprivileged access to the Intel RAPL counters. With a recent security update, this access is revoked, and an unprivileged attacker can not retrieve power measurements anymore.
However, this update does not protect against a privileged attacker, e.g., a compromised operating system targeting Intel SGX. To mitigate attacks in this scenario, Intel released microcode updates to affected processors. These updates ensure that the reported energy consumption hinders the ability to distinguish the same instructions with different data or operands if Intel SGX is enabled on the system.
Please make sure to get the latest updates for your operating system and BIOS.
Who is behind PLATYPUS?
- Moritz Lipp (Graz University of Technology)
- Michael Schwarz (CISPA Helmholtz Center for Information Security)
- Andreas Kogler (Graz University of Technology)
- David Oswald (University of Birmingham)
- Catherine Easdon (Graz University of Technology)
- Claudio Canella (Graz University of Technology)
- Daniel Gruss (Graz University of Technology)
Questions & Answers
Intel provides a list with all affected products here.
We disclosed the problem to AMD and ARM as well. However, currently, we are not aware of any official statement regarding affected products from these vendors.
With classical power side-channel attacks, an attacker typically has physical access to a victim device. Using an oscilloscope, the attacker monitors the energy consumption of the device. With interfaces like Intel RAPL, physical access is not required anymore as the measurements can be accessed directly from software. Previous work already showed limited information leakage caused by the Intel RAPL interface. Mantel et al. showed that it is possible to distinguish if different cryptographic keys have been processed by the CPU. Paiva et al. established a covert channel by modulating the energy consumption of the DRAM.
Our research shows that the Intel RAPL interface can be exploited in way more threatening scenarios. We show that in addition to distinguishing different keys, it is possible to reconstruct entire cryptographic keys. We demonstrate this by recovering AES keys from the side-channel resilient AES-NI implementation, as well as RSA keys from an Intel SGX enclave. In addition, we distinguish different Hamming weights of operands or memory loads, threatening constant-time implementations of cryptographic algorithms. To mitigate PLATYPUS, the unprivileged access to the energy consumption has been revoked with an update to the operating system. With Intel SGX, however, a compromised operating system is within the threat model, rendering this mitigation insufficient. Therefore, Intel released microcode updates that change the way the energy consumption is reported if Intel SGX is enabled on the system. Instead of actual energy measurements, it falls back to a model-based approach, such that same instructions with different data or operands can not be distinguished.
Within our research, we focused on Intel's RAPL implementation as the threat model of Intel SGX allows a privileged attacker to achieve a more precise execution control of the victim. However, starting with the Zen microarchitecture, AMD CPUs also provide a RAPL interface that even allows measuring the energy consumption per individual core. With Linux kernel 5.8, this interface also grants access to unprivileged applications, however, currently limited to AMD Rome CPUs.
Furthermore, other processor vendors like ARM and NVIDIA have on-board energy meters that can be used. Marvell and Ampere also provide kernel drivers to provide unprivileged access to hardware sensors. However, as we do not or have only limited access to these devices, we were not able to conduct any experiments on these devices.
On Linux, the powercap framework provides unprivileged access to Intel RAPL by default. On Windows and macOS, the Intel Power Gadget needs to be installed. Therefore, the presented attacks exploiting the unprivileged access only work on Linux.
For a privileged attacker targeting Intel SGX, the operating system used does not matter.
Platypuses are fascinating animals: While they are mammals, they also lay eggs. They have a bill like a duck, a tail like a beaver and a fur like an otter. Males are venomous, but more importantly, they can detect electrical signals with their bill. Likewise to the Platypus that uses its ability to find food even in complete darkness, we sense secrets in the energy measurements of the processor using Intel RAPL.
In addition, PLATYPUS is an acronym for "Power Leakage Attacks: Targeting Your Protected User Secrets".
As the Linux driver provides unrestricited access to the Intel RAPL interface, a security update makes this access privileged.
However, in a setting where the victim is an Intel SGX enclave, this patch does not prevent a compromised operating system from accessing the Intel RAPL counters directly. Therefore, Intel released microcode updates that change the way the energy consumption is reported if Intel SGX is enabled on the system. Instead of actual energy measurements, it falls back to a model-based approach, such that same instructions with different data or operands can not be distinguished. Thus, if the enclave follows the Intel guide lines and uses constant-time cryptographic implementations, an adversary should not be able to recover any secrets of the enclave.
Intel Software Guard eXtensions (SGX) is an innovative processor technology released in 2015 to create isolated environments in the computer's memory, so-called enclaves. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).
CVE-2020-8694 and CVE-2020-8695 are the official references to PLATYPUS. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
The research presented in this paper was supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET - Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria, and Carinthia. It was also supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 681402). It has also been supported by the Austrian Research Promotion Agency (FFG) via the project ESPRESSO, which is funded by the province of Styria and the Business Promotion Agencies of Styria and Carinthia. It is partially funded by the Engineering and Physical Sciences Research Council (EPSRC) under grants EP/R012598/1, EP/S030867/1 and by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 779391 (FutureTPM). Additional funding was provided by generous gifts from Intel, ARM, Amazon and Red Hat. Further, we would like to thank Equinix Metal for providing us access to bare metal instances to run our experiments.