Plundervolt is an attack that lowers the supply voltage of an Intel processor below its specified operating point so that computations produce errors, known as faults. These faults can expose sensitive data and undermine the chip's built-in security features. The name combines undervolt, the practice of lowering the voltage supplied to a processor, with plunder, meaning to steal something of value.
Undervolting itself is not a hacking technique. It is commonly used to reduce a processor's power draw and heat, which in turn can let it sustain higher clock speeds. The term Plundervolt refers specifically to using undervolting to corrupt a central processing unit's (CPU's) computations rather than to improve them.
Plundervolt takes advantage of power-management features in recent Intel chips that are designed to improve efficiency and performance. These features do what they promise, but exposing them to software also opens an attack surface that has to be secured. The discovery of Plundervolt highlights the continuous struggle of balancing performance and security for chip manufacturers.
Plundervolt was reported to Intel in June 2019 by an international group of researchers from the University of Birmingham, imec-DistriNet at KU Leuven and Graz University of Technology, who were studying software-controlled undervolting as a fault-injection technique; it was publicly disclosed in December 2019. Their findings were published in a research paper called "Plundervolt: Software-based Fault Injection Attacks against Intel SGX." Intel developed microcode and BIOS updates to help users defend against Plundervolt attacks.
How Plundervolt works
As the name suggests, the attack abuses control over the processor's supply voltage to corrupt its computations. Plundervolt exploits the software voltage-scaling interface in recent Intel chips, which lets privileged software request a lower core voltage from the voltage regulator. Writing to this interface, the attacker steps the core voltage down, just far enough below its specified operating point, while the victim code runs, until a computation such as a multiplication produces a wrong result. Because the voltage is lowered only briefly, for the window in which the targeted code executes, the rest of the system keeps running normally.
Using these induced faults, the attacker can breach Intel's Software Guard Extensions (SGX), a set of CPU instructions for creating protected execution environments. SGX protects sensitive code and data by placing them in enclaves, regions of memory that the processor isolates from all other software and encrypts on its way to RAM. Even a user or attacker with kernel-level access, that is, control of the core operating system (OS), is not supposed to be able to read or modify enclave contents.
Plundervolt does not read enclave memory directly. Instead, it faults computations running inside the enclave, so that the enclave itself produces wrong results or mishandles its own data. A faulted cryptographic operation yields an incorrect ciphertext or signature that can be compared with the correct one to work out the key (differential fault analysis). A fault in a pointer or array-index calculation can make the enclave read or write outside the buffer it intended, copying secret data into memory the attacker can read. Either way, the damage is done by the enclave's own code, inside the CPU core, before SGX's memory protection has anything to check.
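The memory-safety side of this is easiest to see in code. The following is an added illustration, not code from the original article or from the Plundervolt researchers: the "enclave" is a constructed byte string, and the fault is simulated by flipping one bit of a computed offset (no undervolting takes place). It shows why checking the inputs to an address computation is not enough when the computation itself can be faulted, and how re-checking the computed value just before it is used closes that particular gap. The names `ENCLAVE_MEM`, `copy_out_unchecked` and `copy_out_checked` are invented for the example.

```python
# Added example (not from the original article or the Plundervolt paper):
# a model of the memory-safety side of the attack. The "enclave" is a
# constructed byte string, and the fault is simulated by flipping one bit
# in a computed offset; no undervolting happens here.

SECRET = b"SECRET-KEY-MATERIAL"          # constructed enclave-private data
PUBLIC = b"hello"                        # constructed buffer the enclave may export
ENCLAVE_MEM = PUBLIC + SECRET            # the secret sits right after the public buffer
PUBLIC_LEN = len(PUBLIC)


def faulted(value: int, fault_bit):
    """Model one corrupted register: flip a single bit of an intermediate
    result. fault_bit=None means the instruction executed correctly."""
    return value if fault_bit is None else value ^ (1 << fault_bit)


def copy_out_unchecked(start: int, count: int, fault_bit=None) -> bytes:
    """Copy PUBLIC[start:start+count] to untrusted memory.
    The inputs are validated, but the addition that produces the end
    offset runs after validation and can be faulted, so the value
    actually used for the copy is never checked."""
    if start < 0 or count < 0 or start + count > PUBLIC_LEN:
        raise ValueError("rejected by input validation")
    end = faulted(start + count, fault_bit)
    return ENCLAVE_MEM[start:end]


def copy_out_checked(start: int, count: int, fault_bit=None) -> bytes:
    """Same copy, but the computed end offset is re-validated immediately
    before use, so a fault in the arithmetic trips the check instead of
    widening the copy."""
    if start < 0 or count < 0 or start + count > PUBLIC_LEN:
        raise ValueError("rejected by input validation")
    end = faulted(start + count, fault_bit)
    if end < start or end > PUBLIC_LEN:
        raise RuntimeError("fault detected: computed end offset out of bounds")
    return ENCLAVE_MEM[start:end]


def leaks_secret(copy_fn, fault_bit: int) -> bool:
    """True if a single faulted copy of the public buffer carries secret
    bytes out of the enclave; False if the copy is refused or stays in bounds."""
    try:
        out = copy_fn(0, PUBLIC_LEN, fault_bit)
    except RuntimeError:
        return False
    return SECRET[:4] in out


if __name__ == "__main__":
    print(copy_out_unchecked(0, PUBLIC_LEN, fault_bit=4))   # carries SECRET bytes out
    print(leaks_secret(copy_out_unchecked, 4), leaks_secret(copy_out_checked, 4))
```

Flipping bit 4 of the end offset turns a five-byte copy into a 21-byte one that includes most of the adjacent secret, while a flip of bit 0 merely truncates the copy; the fault's effect depends on which bit it hits. The re-check is itself a computation that an attacker could try to fault, so this raises the bar rather than removing the problem, which is why the researchers argued that only hardware changes fix Plundervolt outright.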
The sensitive information Plundervolt can extract includes encryption keys used in cryptographic operations inside the enclave. With those keys, the attacker neutralizes the protection SGX was supposed to provide, opening the way to further privilege escalation and information disclosure attacks. For this reason, Plundervolt complements other attacks on SGX, such as Foreshadow and the SGX variants of Spectre, which target sensitive data in memory and caches directly, whereas Plundervolt targets the computations that operate on that data.
Unlike Plundervolt, Foreshadow and Spectre exploit speculative execution, a feature of modern chips that improves efficiency by letting the processor begin executing instructions before it is certain they are needed; the microarchitectural traces left by that speculative work are what leak the data.
Like Plundervolt, Foreshadow and Spectre turn chip features designed for performance into tools for breaking SGX.
For Plundervolt to work, the attacker needs root (administrator) privileges on the target device's OS. The voltage interface is a model-specific register (MSR), and MSRs can only be written by privileged, kernel-mode code; on Linux, for example, root can write it through the msr driver or a kernel module. An attacker can obtain such privileges through physical access to the device or remotely using malicious code.
Needing root does not lessen the finding. SGX's guarantee is that enclave data is safe even from an attacker with full control of the OS, and Plundervolt breaks exactly that guarantee using only the level of access SGX was designed to withstand.
Plundervolt vs. Rowhammer
Rowhammer is another hardware-level threat that is often compared with Plundervolt, although it targets dynamic random access memory (DRAM) rather than the CPU.
Rowhammer first came to researchers' attention around 2012 and gained widespread attention in 2014 when a research paper demonstrating it was published. Since then, mitigations such as error-correcting code (ECC) memory, increased refresh rates and target row refresh (TRR) have been deployed in memory controllers, firmware and DRAM.
Like Plundervolt, Rowhammer exploits a physical property of the hardware, so software and firmware updates cannot fully eliminate either attack; they can only make it harder or less likely to succeed.
Unlike Plundervolt, Rowhammer cannot silently corrupt SGX-protected memory. Rowhammer flips bits in data that already sits in DRAM. SGX encrypts and integrity-checks enclave memory on its way to and from DRAM, so a bit flip in enclave pages is detected and the processor halts rather than letting the enclave use corrupted data; the result is a denial of service, not a data breach. Plundervolt, by contrast, corrupts values inside the CPU core while they are being computed, before they are written to memory and therefore out of reach of SGX's memory integrity protection. Basically, Rowhammer corrupts information that has already been stored, whereas Plundervolt corrupts information as it's being created.
CPU series vulnerable to Plundervolt attacks
Plundervolt, Foreshadow and the SGX variant of Spectre (SGXPectre) are among the attacks on SGX that have plagued Intel in recent years. They were disclosed within roughly two years of each other, showing that SGX, as the holder of a system's most sensitive data, is a prime target for new attack techniques against modern Intel chips.
Intel Core and Xeon processors that support SGX are vulnerable to Plundervolt. According to Intel's advisory INTEL-SA-00289 (CVE-2019-11157), the affected families include the following:
- 6th to 10th generation Intel Core processors
- v5 and v6 of the Xeon E3 series
- Xeon E-2100 series
- Xeon E-2200 series
These chips should receive the microcode and BIOS updates Intel released, which lock the voltage interface and so minimize the chances of a Plundervolt attack.
Intel's correction to Plundervolt
Intel has released firmware updates that mitigate Plundervolt. They add a BIOS option, enabled by default, that locks the voltage-control interface so that software cannot change the core voltage while the lock is in effect. This keeps Plundervolt attackers from covertly altering the chip's voltage in a way that compromises sensitive data. Because the accompanying microcode update is part of an SGX trusted computing base (TCB) recovery, remote parties can use SGX attestation to check that an enclave is running on a patched platform.
Users can choose whether they want to implement the patches. If users do not have any beneficial use in mind for the voltage regulation mechanism, it is highly recommended that they install the patches.
The patches come in the form of a microcode update and a basic input/output system (BIOS) update. Users can reference Intel's security advisory for more details on the updates.
Protecting against Plundervolt attacks
It should be noted that the likely target of a Plundervolt attack is not an ordinary end user; running the attack at scale would be impractical for malware authors, and no attacks in the wild have been reported. In practice, deploying it would mean combining it with other steps, such as gaining root through a separate exploit or through social engineering. So far, it has only been demonstrated in a research context.
However, it should still be considered a significant threat because a well-timed attack on a select target could have serious consequences. While it's not a risk that deserves constant attention from the everyday computer user, individuals and organizations with an elevated threat profile, such as operators of SGX-based services that hold valuable keys, should take steps to protect against the attack.
Plundervolt exploits a hardware vulnerability, so no amount of software patching will truly fix it. Only hardware changes can do that. Even with the patches applied, an attacker with physical access could potentially drive the voltage regulator directly, bypassing the locked software interface. Furthermore, the Plundervolt researchers warned Intel that other, still undiscovered, avenues for fault injection through power and clock management features may exist.
Although they are not perfect, the firmware patches are still largely considered effective in minimizing the chance of this attack occurring. After installing them, users can do other things to help protect themselves.
Rambus -- a silicon chip provider -- recommends that users implement a secure coprocessor that is separate from the main processor. The main processor could then be optimized mainly for performance, while the second processor could be optimized solely for security, handling more sensitive tasks. The addition of another processor helps mitigate Plundervolt attacks by isolating sensitive processes better than the enclave computations of SGX.
Users could also apply the two-processor approach differently. Instead of dividing tasks between them, both processors perform the same computation and compare their results, so a fault in one of them shows up as a mismatch.
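The key-recovery consequence described under "How Plundervolt works" and the redundancy idea above are both easy to demonstrate with RSA-CRT signing, the operation the Plundervolt paper faulted to extract an enclave's private key. The following is an added example, not code from the article or from the Plundervolt researchers. It uses a constructed toy key and message, simulates the fault by flipping one bit of an intermediate value, recovers a prime factor of the modulus from the single faulty signature (the Bellcore attack), and then contrasts two software checks: computing twice and comparing, which this example models as failing against a fault that repeats identically for the same operands, and verifying the signature with the public exponent, which catches the fault regardless of how it arose. The names `crt_sign`, `recover_factor`, `sign_duplicate` and `sign_verified` are invented for the example.

```python
# Added example, not code from the article or the Plundervolt researchers:
# a faulted RSA-CRT signature, the Bellcore-style factor recovery it permits,
# and two software checks for the fault. Key and message are constructed.
from math import gcd

# Constructed toy key (real keys are 2048-bit; the arithmetic is the same).
P, Q = 104729, 1299709                     # two known primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_sign(m: int, fault_bit=None) -> int:
    """RSA-CRT signing (Garner recombination). fault_bit models a
    Plundervolt-style fault that flips one bit of the intermediate
    s_q; None means the computation ran correctly."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sq ^= 1 << fault_bit                 # single corrupted intermediate
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def recover_factor(m: int, faulty_sig: int) -> int:
    """Bellcore attack: a signature that is right mod P but wrong mod Q
    satisfies sig^E - m == 0 (mod P) only, so the gcd with N is P.
    Only the message and the one faulty signature are needed; a correct
    signature gives gcd(0, N) == N, i.e. nothing is learned."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)


def sign_duplicate(m: int, fault_bit=None) -> int:
    """Countermeasure 1: compute twice and compare. Catches a transient
    fault, but a fault that repeats for the same operands (modelled here
    by applying the same fault_bit to both runs) corrupts both copies
    identically and slips through."""
    a = crt_sign(m, fault_bit)
    b = crt_sign(m, fault_bit)
    if a != b:
        raise RuntimeError("fault detected by duplicate execution")
    return a


def sign_verified(m: int, fault_bit=None) -> int:
    """Countermeasure 2: check the result with the inverse operation
    (public exponentiation). Works however the fault arose, at the cost
    of one extra modular exponentiation."""
    s = crt_sign(m, fault_bit)
    if pow(s, E, N) != m % N:
        raise RuntimeError("fault detected by signature verification")
    return s


def detects_fault(signer, m: int, fault_bit: int) -> bool:
    """True if signer refuses to release the faulty signature."""
    try:
        signer(m, fault_bit)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    m = 123456789                            # constructed message, m < N
    bad = crt_sign(m, fault_bit=7)
    print("factor recovered from one faulty signature:", recover_factor(m, bad) == P)
    print("duplicate run catches it:", detects_fault(sign_duplicate, m, 7))
    print("verify-after-sign catches it:", detects_fault(sign_verified, m, 7))
```

Any bit of s_q will do: the faulty signature stays correct modulo P and wrong modulo Q, which is all the gcd needs. Duplicate execution only helps against faults that differ between the two runs; checking the result against an independent computation, here the public-key verification, does not depend on that assumption, and the same principle applies to the cross-checking coprocessor design above if the two processors run on separate voltage domains.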
Another mitigation strategy recommended by the Plundervolt researchers is to limit the voltage regulator to known safe values. This keeps the chip above the fault-inducing level of undervolting. The strategy poses challenges because voltage requirements vary from chip to chip; even chips of the same model can have different safe operating points, so additional testing is required to establish safe values. Its benefits are that no new hardware is needed and the user doesn't have to disable the voltage mechanism entirely.