[spdy]

With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rouge administrators, on currently available CPUs.

---

It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

[michaelt]

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

People have gotten very close to achieving similar goals.

For example, modern games consoles' anti-piracy measures guard against the device owner who has physical control and unlimited time. [1]

iPhone activation locks likewise prevent stolen phones from being used, even by thieves with physical control and unlimited time.

And neither of the systems rely on the clunky 'brick the device if the case is opened' methods of yesteryear.

(Of course there have also been a great many failed attempts - almost every console since the dawn of time has eventually been hacked, as have things like TPMs and TrustZone, many versions of the iPhone were rooted, etc etc)

[1] https://www.youtube.com/watch?v=quLa6kzzra0

[steelframe]

There's a significant asymmetry in motivation and resources available to compromise hardware between Jimmy and his Xbox vs. Google and their cloud infrastructure.

[michaelt]

Yes, someone with an xbox hack has tens of millions of potential customers who can save $60 a game, with complete physical access to the hardware and no chance of getting fired or arrested.

Whereas someone with a Google cloud infrastructure hardware fault injection attack has only a tiny number of spy agencies or rogue admins as potential customers, the servers are all locked up in data centres, and anyone who got caught making an attack would get fired and/or arrested.

[monocasa]

Jimmy is only willing to spend less than he'd spend in the cost of games. Even with a large amount of Jimmys there might not be market without getting the cost of an individual attack low enough.

On the other hand, there for sure is a market for cloud based attacks, and nation states that can apply a stick to go along with the carrot of millions of dollars in "consulting fees".

[Taek]

Especially as we move more key infrastructure into the cloud. If people start trusting these sorts of remote systems with things like financial data, the payoff of a clandestine compromise could be hundreds of billions of dollars.

Doubly true when you consider the history of Google working with the USG.

[BeefWellington]

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

Yes. To expand: to a function on the CPU an administrator is just another user. The Operating System is responsible for managing those designations.

These trusted computing pieces across all kinds of CPUs are specifically aimed at protecting against people with host-root, so it would seem like it's a goal they've set for themselves and should be reasonably achievable.

[JustFinishedBSG]

> rouge administrators

It's not important but come on, if your field is cyber security at least make sure rogue is spelled correctly.

[throwaway420y]

Are you sure they aren't talking about these admins ? https://en.wikipedia.org/wiki/Wikipedia:Rouge_admin

[swiley]

One day, when I'm retired or homeless, I'd love to pull apart and try to understand the weird cultures of wikipedians.

[doubled112]

If you're retired AND homeless, will you do the same, or will you have bigger problems?

Just trying to figure out where you've drawn the line.

[wizzwizz4]

A rogue admin is acting alone, but rouge admins are part of the shadowy cabal and thus have access to many times more resources.

[markenqualitaet]

They meet at the Mole in Rouge, blowing off the tension of secrecy by mansplaining each other Das Kapital.

[onlinejk]

Thanks, I was worried I had red that wrong

ducks

[dnautics]

it's distinguish from bleu team administrators!

[dgellow]

I would guess the GP is using French locales + autocompletion from a mobile device

[JustFinishedBSG]

I'm not talking about GP though, it's not important to make that mistake here. But the mistake is present in the paper.

[lima]

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

Achievable in any circumstances? No. Within a well-defined threat model, definitely.

[DSingularity]

Do you mean “adversaries from the inside” could be more detailed to create reasonable limitations on access and resources as imposed by external systems (eg cameras, guards, searches) securing the machines?

[swiley]

Except that the threat model the crippled SEV defends against is the same one the SU command does, making it irrelevant.

[new_realist]

No. SEV is supposed to protect from root.

[baybal2]

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

No, safe execution of untrusted code is impossible by the very definition, not without undoing 40 years of IC design practices.

It's an almost physical limitation which makes it very hard to compute something without some electromagnetic leakage from/to the die.

Take a look on secure CPUs for credit cards. They have layer, upon layers of anti-tampering, anti-extraction measures, and yet TEM shops in China do firmware/secret extraction from them for $10k-$20k

[formerly_proven]

It is very hard to perform a physical process while making it impossible to observe it. Similarly it is very difficult to have some object with permanent physical properties that you (the chip) can measure yourself, but no one else can, like a cloud of electrons trapped on an island, or a metal connection between two places.

[MayeulC]

>> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

> No, safe execution of untrusted code is impossible by the very definition

I think this is more about data processing while hiding the data from whoever operates the hardware. Homomorphic encryption could be a partial answer to that.

[baybal2]

> Homomorphic encryption

Explain please to me how homomorphic encryption will protect someone from basic laws of physics.

[MayeulC]

I hate your condescending tone, especially since you are clueless about that and don't seem to be able to perform a simple search

https://en.wikipedia.org/wiki/Homomorphic_encryption

The idea is to use a special encryption scheme (and associated operations). If I take 50 numbers and multiply them by two before asking you to add them, I'll just have to divide the result by two to get the correct answer, and you won't see the data nor the result. Of course, actual schemes are more complex than that.

https://arstechnica.com/gadgets/2020/07/ibm-completes-succes...

[evancox100]

What is a TEM shop? Curious about this topic, the threat model for some chips in the secure payments space assumes a secret value much higher than $10k for something like a root encryption key that blows open the payment processing security of multiple cards.

Also, just because something is physically possible, doesn't mean that the barriers to doing so are irrelevant. If it costs you $10k to unbrick a locked & stolen iPhone, then those countermeasures have likely succeeded at their intended purpose. This is why threat models try to quantify the time and/or monetary value of what they're protecting.

[baybal2]

Tunneling electron microscope

A single facility for TEM comes with $10,00,000+ pricetag, and usually they amount to few dozens per a developed country, in use in places like universities, and research institutes.

China has probably more of them than the rest of the world combined.

[phire]

Well, that's the explicit goal of SEV.

That the CPU should be able to cryptographically prove that a VM has been setup without any interference from an inside attacker who controls the hardware.

At the very least, SEV massively raises the barrier to such attacks. It's now beyond the ability of a rogue administrator or technician, requiring complex custom motherboards. But a well-funded inside attacker can target something with high enough value.

[londons_explore]

> It's now beyond the ability of a rouge administrator or technician, requiring complex custom motherboards

The end of the abstract explicitly refutes this. It is claiming that a software-only solution, using keys derived with this technique, can pretend to be a suitable target to migrate a secure VM to, which then allows the rogue admin to inspect or modify anything in the VM.

[floatboth]

A bit unclear from the abstract whether the keys they learned how to derive (and the secret material they're derived from) are per individual chip or for all chips ever produced. If it's the former, that means the rogue admin still needs to electrically mess with the hardware once.

[nieve]

The part about "without requiring physical access to the target host" would seem to imply that they only need access to a machine on their end for some attacks.

[phire]

Though, that means you just need one modified motherboard.

Put each CPU in, extract the keys, deploy in a regular motherboard.

[nine_k]

This still excludes wide ranges of possible rogue admin attacks.

As a minimum, it takes shutting down and powering down the physical machine, then starting it up, which would not go unnoticed in highly controlled environment where SEV makes most sense.

[toast0]

One potential use of SEV is to provide a secure environment to run a VM at an untrusted provider. That provider could do lots of things with funky motherboards and forced migrations without notice by their clients.

If it's an insider attack on company owner and operated hardware, there's always some reason to have a long downtime, and you can piggyback on that to attack the CPUs... Or just put it in a new system and use the migration setup.

Suggested downtimes, organic or sabotage up to attacker's timeline:

HVAC failure: have to shut down many/most/all servers to manage temperatures until HVAC techs can fix.

Automatic transfer switch failure: these things love to fail at the same time as a utility failure, and aren't always easy to bypass.

[simcop2387]

it does mean though that a system integrator could extract the keys ahead of time, likely without any way to know this has happened. adding a way to generate a new key or otherwise rotate the key material should fix that issue though.

[Cyph0n]

My understanding is that this is part of the threat model of TEEs (Trusted Execution Environment). Whether or not this will ever be achievable is a different story.

[jlourenco27]

It's not plug-and-play. It still needs a custom firmware: "(...)The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory.(..)"

[londons_explore]

InstallRogueFirmware.exe. double-click.

This is about protecting a VM from people who have admin rights and hardware access outside the VM.

[floatboth]

Voltage glitching is no double-click. It would be a huge embarrassment to AMD if just double-click defeated the secure processor's firmware authentication. This requires electrically messing with the power supply of the processor.

[api]

So this means the secure VM feature is secure up to the threat model of someone able to crack open the hardware.

Honestly that's kind of what I would have expected. Just making it almost impossible to get VM memory remotely by owning the hypervisor is pretty good and reduces your attack surface to people who can get into the data center and have electronics expertise.

[landr0id]

While its goals are a bit different from confidential computing, people saying "no" here have apparently never heard of the Xbox One. More generally, securing a device against its physical owner is notoriously difficult. Tony Chen gave a talk about how the Xbox One was secured against physical attack: https://www.youtube.com/watch?v=U7VwtOrwceo

[monocasa]

Chen makes it very clear that their threat model only includes attacks costing less than the attach rate of the system (about $600). He doesn't consider it an achievable goal in the general case.

[dnautics]

does anyone actually use SEV in cloud environments? My impression was that its lineage (my understanding it's basically AMD's intel-SGX) is to enable DRM for stuff like netflix. I know for a time there was a lot of talk about using SGX in the cloud, but I was under the impression that the trust in SGX has been eroded over time to the point where no one thinks it's a good idea.

[theevilsharpie]

SEV is completely different from SGX, and doesn't (currently, to my knowledge) have an equivalent on Intel chips that are currently on the market. Google Cloud's confidential compute feature makes use of SEV under the covers.

[wmf]

Specifically, I think SEV is lacking attestation that would be needed for DRM.

[dnautics]

thanks for clearing that up!

[benlivengood]

I've only spun up a SEV instance for the novelty but am considering using it for things like hashicorp vault where performance isn't critical but extra privacy assurance is nice.

Fundamentally, though, system security hasn't caught up with the promise of SEV. It's far more likely that a VM will be compromised by 0-day attacks than insiders at the cloud companies. But if you really need to run a secure kernel on someone else's machine then SEV is the way of the future. This includes using SEV on-premises against hardware attacks. I've wanted hardware RAM encryption for a decade or two to avoid coldboot attacks and similar hardware vulnerabilities.