Researchers have disclosed the details of a new side-channel attack method that can be used to obtain sensitive information from a system by observing variations in the processor’s power consumption.
The attack method has been dubbed PLATYPUS (Power Leakage Attacks: Targeting Your Protected User Secrets) due to the fact that the platypus can detect weak electrical signals emitted by its prey.
It was discovered by researchers from the Graz University of Technology, the University of Birmingham, and the CISPA Helmholtz Center for Information Security, and it has been confirmed to work against systems using processors made by Intel. It’s worth noting that the research was conducted as part of a project that was partly funded by Intel.
While the researchers believe it may also be possible to launch attacks against CPUs made by ARM, AMD and NVIDIA, they were unable to verify this theory due to the lack of access or limited access to systems using these types of processors.
The PLATYPUS attack relies on having access to Intel’s Running Average Power Limit (RAPL), a feature introduced by the company with the Sandy Bridge microarchitecture and which is designed for monitoring and controlling the CPU and DRAM power consumption.
Attacks that rely on monitoring power consumption for data exfiltration are not unheard of. However, many of the methods disclosed in the past required physical access to the targeted system and they involved the use of oscilloscopes.
The PLATYPUS attack uses the RAPL interface instead of an oscilloscope to monitor power consumption. The measurements from the RAPL interface can be obtained even by an unprivileged user via a Linux driver, which allows an unprivileged malicious application installed on the targeted system to monitor power consumption and correlate it to the data being processed, which can potentially allow it to obtain sensitive information.
The researchers demonstrated that an attacker could use the PLATYPUS method to recover encryption keys from an Intel SGX enclave, which is designed to protect data even if the operating system has been compromised. The attack can also be leveraged to break kernel address-space layout randomization (KASLR) or to establish a covert channel.
However, it’s worth noting that conducting a successful attack could take anywhere between seconds to hundreds of hours. For example, the experts managed to break KASLR from user space within 20 seconds. Recovering an encryption key from an AES-NI implementation in an SGX enclave can take between 26 hours (with minimal noise) and 277 hours (in a real world environment), while recovering RSA private keys processed by mbed TLS from SGX can be done within 100 minutes. The targeted application needs to be running the entire time while the power consumption is measured.
AES-NI, for example, is used for applications that need to encrypt large amounts of data, such as disk encryption software, browsers and web servers, Michael Schwarz of the CISPA Helmholtz Center for Information Security told SecurityWeek. If they can obtain a key — depending on what type of key they can get — the attacker could conduct various activities, such as decrypting encrypted hard disks or spying on secure network communications.
Schwarz also noted that the attack cannot directly target a specific application.
“However, the target application always works with the same data (e.g., cryptographic key), while the data of other applications typically changes over time. Thus, the ‘noise’ caused by other applications is averaged out when measuring for a long time,” he explained.
The researchers have published a paper detailing their findings and they have also released a couple of videos showing the attack in action. The videos show tests conducted on a normal laptop running Ubuntu.
Intel, which has known about the attack method since November 2019, has assigned two CVE identifiers, CVE-2020-8694 and CVE-2020-8695, for the underlying vulnerabilities, which the company has rated as medium severity. An advisory published by the tech giant on Tuesday addresses the attack.
An update has been released for the Linux driver to prevent unprivileged users from accessing the RAPL interface. Intel has also developed microcode updates for its processors that should prevent malicious actors from using the PLATYPUS attack to recover any secrets from SGX enclaves. The microcode updates are being released through the Intel Platform Update (IPU) process.
While there is no indication that a PLATYPUS attack has been launched in the real world, Intel has decided, as an additional precaution, to issue new attestation keys to platforms that implemented mitigations.