Exploiting Interfaces of SEV-ES-protected Virtual Machines
- Track: Hardware-Aided Trusted Computing devroom
- Room: D.hardware.trusted
- Day: Saturday
- Start: 13:55
- End: 14:20
- Video with Q&A: D.hardwaretrusted
- Video only: D.hardwaretrusted
- Chat: Join the conversation!
Supported since Linux 5.10, the AMD SEV Encrypted State (SEV-ES) feature can be used to protect the confidentiality of a virtual machine (VM) by means of encryption and attestation. Although the memory and registers of the VM are encrypted, the VM still communicates with the hypervisor for the emulation of special instructions and devices. Because these operations have not been previously considered part of the attack surface, we discovered that a malicious hypervisor can provide semantically incorrect information in order to bypass SEV-ES. In this talk, I provide technical details on the handling of special operations with SEV-ES, practically show how the original implementation could be exploited, and finally I show how the interfaces were hardened to fix the issues.
This talk includes four different attacks which: 1) use virtual devices to extract encryption keys and secret data from a virtual machine. 2) reduce the entropy of probabilistic kernel defenses in the VM by carefully manipulating the results of the CPUID and RDTSC instructions. 3) extract secret data or inject code by forging fake MMIO regions over the VM’s address space. 4) trick the VM to decrypt its stack and use Return Oriented Programming to execute arbitrary code inside the VM.
Speakers
Martin Radev |