Plundervolt
What is Plundervolt?
Plundervolt is the name of an undervolting attack that targeted Intel central processing units (CPUs). Intel has released firmware updates to mitigate the vulnerability behind the attack.
The attack involved depriving an Intel chip of power so that processing errors occurred. These errors could have exposed sensitive data and weakened chip security components.
The name Plundervolt is a combination of the words plunder, meaning to steal something of value, and undervolt, the practice of decreasing the voltage to computer processors. Undervolting is not exclusively for hacking. It is a common practice to improve computer performance. The Plundervolt attack, however, refers specifically to maliciously using undervolting to weaken and corrupt CPUs instead of improving them.
Plundervolt took advantage of features in Intel chips designed to improve efficiency and performance. The discovery of Plundervolt highlighted the continuous struggle of balancing performance and security for chip manufacturers.
The vulnerability was first reported in June 2019 by a group of international researchers studying the use of undervolting techniques for hacking. Their findings were published in a research paper called "Plundervolt: Software-based Fault Injection Attacks against Intel SGX."
How Plundervolt works
The attack seized control of a chip's power-supply interface and manipulated it to corrupt the chip's computations. Plundervolt exploited the voltage regulator interface included in certain Intel chips that let users regulate power flow to the chip. Attackers could use this mechanism to methodically reduce the core voltage until a fault occurred.
Using these induced faults, the attacker could breach the chip's built-in set of security-based instruction codes, known as Software Guard Extensions (SGX). SGX protects sensitive data housed on Intel CPUs by storing it in secure areas separate from other memory. These regions -- specifically termed memory enclaves -- are designed to not allow access to the data within, even by a user or attacker with kernel-level access or access to the core operating system (OS).
By inducing faults in the computations that write data to these secure enclaves, Plundervolt attackers could cause sensitive data to be misplaced outside the protected area. Attackers did not need access to the data in the enclave; they could use Plundervolt to manipulate the processor instead, corrupting or exposing important information before it made it to safety.
Sensitive information Plundervolt could corrupt included encryption keys and cryptographic processes. If attackers could expose and obtain these keys, they could completely neutralize the chip's SGX. This could have led to privilege escalation and information disclosure attacks.
Plundervolt is often compared to other SGX-centric attacks, such as Foreshadow and Spectre. Those attacks directly targeted sensitive data in memory, whereas Plundervolt targeted the processes that surround it. Unlike Plundervolt, Foreshadow and Spectre exploit a process in modern chips called speculative execution, which is designed to increase chip efficiency by letting the processor proactively work on instructions before they have been concretely requested. Like Plundervolt, Foreshadow and Spectre manipulate chip components designed to improve performance and use them to break SGX instead.
For Plundervolt to have worked, attackers needed root privileges on the target device's OS. The voltage mechanism -- exposed through a model-specific register (MSR) -- that the whole attack centered on is accessible only to privileged users. The attacker could obtain root privileges by physically accessing the target device or remotely by using malicious code.
Plundervolt invalidated the core guarantee of SGX: that data in the enclaves was safe from any attacker, even one with a high level of privilege in the system. Plundervolt worked only with that level of access.
Plundervolt vs. Rowhammer
Rowhammer is a CPU security threat comparable to Plundervolt. Researchers became aware of Rowhammer in 2012, and in 2014, it began to garner more widespread attention when a research paper about it was published. Intel has since released patches to mitigate the Rowhammer threat.
Like Plundervolt, Rowhammer is an attack that exploits hardware vulnerabilities to undermine the security of CPUs. Unlike Plundervolt, Rowhammer doesn't work on newer CPUs that have SGX-protected memory. Rowhammer focuses on altering data -- known as flipping bits -- already in the processor's memory. SGX's cryptographic algorithm ensures no data stored in physical memory can be changed outside of the SGX environment. Plundervolt, on the other hand, flipped bits before they were written to memory and therefore beyond the reach of SGX's protection.
CPU series vulnerable to Plundervolt attacks
Plundervolt, Spectre and Foreshadow are several SGX-centric attacks that have plagued Intel. These attacks were all discovered within approximately a year of each other, revealing that SGX is the source of many new vulnerabilities in modern Intel chips.
Intel Core processors that use SGX are all vulnerable to Plundervolt attacks. These series include the following:
- 6th to 10th generation Intel Core processors.
- v5 and v6 of the Xeon E3 series.
- Xeon E-2100 series.
- E-2200 series.
Update the chips with the software patch Intel released to minimize the chances of a Plundervolt attack.
Intel's correction to Plundervolt
Intel released several firmware patches to mitigate Plundervolt attacks. These patches lock the voltage settings on processors by default, meaning they cannot be changed while the patch is in effect. This keeps Plundervolt attackers from covertly altering the chip's voltage in a way that compromises sensitive data on the chip. If users do not need the voltage regulation mechanism, it is highly recommended they install the patches.
The patches come in the form of a microcode update and a BIOS update. Users can reference Intel's security advisory for more details.
How to prevent Plundervolt attacks
End users were rarely the target for Plundervolt attacks because implementing an attack at a large scale would be difficult for malware authors. Plundervolt never affected the general public. Administering the attack in the real world would likely require pairing it with various exploits, such as social engineering. So far, it has only been used in a research context.
Plundervolt should still be considered a significant threat because a well-timed attack on a select target could have serious consequences. While it's not a risk that deserves constant attention from the everyday computer user, individuals with an elevated threat matrix should take steps to protect against the attack.
Plundervolt can do what it does because of a hardware vulnerability. Therefore, no amount of software patching will truly fix the Plundervolt problem. Only hardware changes can do that. Even with the patches, there is a possibility that attackers could overwrite the voltage controls set by the patches at the hardware level. Furthermore, the Plundervolt researchers warned Intel that other hidden channels for fault injection using power and clock management features may still exist undiscovered.
Although not perfect, the software patches are considered effective in minimizing the chance of a Plundervolt attack.
Rambus, a silicon chip provider, recommended users also implement a secure coprocessor separate from the main processor. The main processor could then be optimized mainly for performance, while the second processor could be optimized solely for security, handling more sensitive tasks. The addition of another processor helps mitigate Plundervolt attacks by isolating sensitive processes better than the enclave computations of SGX. Users could also use each processor to perform the same tasks and cross-reference each other to detect faults or inconsistencies.
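The cross-checking idea above, as an added example (not code from the Plundervolt researchers, Intel or Rambus): a simulated multiplier with an injectable single-bit fault, checked both by dual-unit comparison and by verifying the result against its inverse operation. The operands and the injected fault position are constructed here.

```python
from typing import Callable, Optional

class FaultDetected(Exception):
    """Raised when a check catches a corrupted result."""

def faulty_mul(a: int, b: int, flip_bit: Optional[int] = None) -> int:
    """Multiplier model: exact unless flip_bit is given, in which case
    that bit of the product is inverted, standing in for a computation
    error caused by starving the core of voltage."""
    product = a * b
    if flip_bit is not None:
        product ^= 1 << flip_bit
    return product

def redundant_mul(a: int, b: int, fault1: Optional[int] = None,
                  fault2: Optional[int] = None) -> int:
    """Dual-unit cross-check: run the multiplication on two simulated
    independent units and accept the result only if they agree.
    fault1/fault2 select which bit, if any, each unit corrupts."""
    r1 = faulty_mul(a, b, fault1)
    r2 = faulty_mul(a, b, fault2)
    if r1 != r2:
        raise FaultDetected(f"units disagree: {r1:#x} vs {r2:#x}")
    return r1

def verified_mul(a: int, b: int, fault: Optional[int] = None) -> int:
    """Verify-by-inverse: compute once, then confirm the product divides
    back to the operands. Any single corrupted result fails this test,
    even one that a faulted redundant copy would have matched."""
    product = faulty_mul(a, b, fault)
    if a == 0:
        if product != 0:
            raise FaultDetected("nonzero product for a zero operand")
        return product
    quotient, remainder = divmod(product, a)
    if remainder != 0 or quotient != b:
        raise FaultDetected(f"inverse check failed for {product:#x}")
    return product

def is_detected(check: Callable[..., int], *args, **kwargs) -> bool:
    """True if the given check raised FaultDetected for these inputs."""
    try:
        check(*args, **kwargs)
    except FaultDetected:
        return True
    return False

if __name__ == "__main__":
    # Constructed operands; identical faults in both units evade the cross-check.
    print(is_detected(redundant_mul, 12345, 6789, fault1=7, fault2=7), is_detected(verified_mul, 12345, 6789, fault=7))
```

The second check costs one division instead of a whole second unit, and it also catches the case where both redundant units suffer the same fault.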
Another mitigation strategy recommended by the Plundervolt researchers is to limit the voltage regulator to known safe values. This protects the chip from Plundervolt's destructive level of undervolting. This strategy poses challenges because voltage requirements can vary from chip to chip -- even chips of the same model can have different voltage requirements. As a result, additional testing is required to establish safe values. The benefits of this strategy are that it needs no new hardware and the user does not have to completely disable the voltage mechanism.