
spdy | 4 years ago

With our findings, we prove that SEV cannot adequately protect confidential data in cloud environments from insider attackers, such as rouge administrators, on currently available CPUs.

---

It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.


michaelt | 4 years ago

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

People have gotten very close to achieving similar goals.

For example, modern game consoles' anti-piracy measures guard against the device owner who has physical control and unlimited time. [1]

iPhone activation locks likewise prevent stolen phones from being used, even by thieves with physical control and unlimited time.

And neither of the systems relies on the clunky 'brick the device if the case is opened' methods of yesteryear.

(Of course there have also been a great many failed attempts - almost every console since the dawn of time has eventually been hacked, as have things like TPMs and TrustZone, many versions of the iPhone were rooted, etc etc)

[1] https://www.youtube.com/watch?v=quLa6kzzra0

steelframe | 4 years ago

There's a significant asymmetry in motivation and resources available to compromise hardware between Jimmy and his Xbox vs. Google and their cloud infrastructure.

BeefWellington | 4 years ago

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

Yes. To expand: to a function on the CPU an administrator is just another user. The Operating System is responsible for managing those designations.

These trusted computing pieces across all kinds of CPUs are specifically aimed at protecting against people with host-root, so it would seem like it's a goal they've set for themselves and should be reasonably achievable.

JustFinishedBSG | 4 years ago

> rouge administrators

It's not important but come on, if your field is cyber security at least make sure rogue is spelled correctly.

wizzwizz4 | 4 years ago

A rogue admin is acting alone, but rouge admins are part of the shadowy cabal and thus have access to many times more resources.

onlinejk | 4 years ago

Thanks, I was worried I had red that wrong

ducks

dnautics | 4 years ago

It's to distinguish them from bleu team administrators!

dgellow | 4 years ago

I would guess the GP is using French locales + autocompletion from a mobile device

lima | 4 years ago

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

Achievable in any circumstances? No. Within a well-defined threat model, definitely.

DSingularity | 4 years ago

Do you mean “adversaries from the inside” could be more detailed to create reasonable limitations on access and resources as imposed by external systems (eg cameras, guards, searches) securing the machines?

swiley | 4 years ago

Except that the threat model the crippled SEV defends against is the same one the SU command does, making it irrelevant.

baybal2 | 4 years ago

> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

No, safe execution of untrusted code is impossible by the very definition, not without undoing 40 years of IC design practices.

It's an almost physical limitation which makes it very hard to compute something without some electromagnetic leakage from/to the die.

Take a look at secure CPUs for credit cards. They have layers upon layers of anti-tampering, anti-extraction measures, and yet TEM shops in China do firmware/secret extraction from them for $10k-$20k.

formerly_proven | 4 years ago

It is very hard to perform a physical process while making it impossible to observe it. Similarly it is very difficult to have some object with permanent physical properties that you (the chip) can measure yourself, but no one else can, like a cloud of electrons trapped on an island, or a metal connection between two places.

MayeulC | 4 years ago

>> It is an interesting attack but is the above goal ever achievable? To protect against adversaries from the inside.

> No, safe execution of untrusted code is impossible by the very definition

I think this is more about data processing while hiding the data from whoever operates the hardware. Homomorphic encryption could be a partial answer to that.

evancox100 | 4 years ago

What is a TEM shop? Curious about this topic. The threat model for some chips in the secure payments space assumes a secret value much higher than $10k for something like a root encryption key that blows open the payment processing security of multiple cards.

Also, just because something is physically possible, doesn't mean that the barriers to doing so are irrelevant. If it costs you $10k to unbrick a locked & stolen iPhone, then those countermeasures have likely succeeded at their intended purpose. This is why threat models try to quantify the time and/or monetary value of what they're protecting.

phire | 4 years ago

Well, that's the explicit goal of SEV.

That the CPU should be able to cryptographically prove that a VM has been set up without any interference from an inside attacker who controls the hardware.

At the very least, SEV massively raises the barrier to such attacks. It's now beyond the ability of a rogue administrator or technician, requiring complex custom motherboards. But a well-funded inside attacker can target something with high enough value.

londons_explore | 4 years ago

> It's now beyond the ability of a rouge administrator or technician, requiring complex custom motherboards

The end of the abstract explicitly refutes this. It is claiming that a software-only solution, using keys derived with this technique, can pretend to be a suitable target to migrate a secure VM to, which then allows the rogue admin to inspect or modify anything in the VM.

Cyph0n | 4 years ago

My understanding is that this is part of the threat model of TEEs (Trusted Execution Environment). Whether or not this will ever be achievable is a different story.

jlourenco27 | 4 years ago

It's not plug-and-play. It still needs a custom firmware: "(...) The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM's memory. (...)"

londons_explore | 4 years ago

InstallRogueFirmware.exe. Double-click.

This is about protecting a VM from people who have admin rights and hardware access outside the VM.

landr0id | 4 years ago

While its goals are a bit different from confidential computing, people saying "no" here have apparently never heard of the Xbox One. More generally, securing a device against its physical owner is notoriously difficult. Tony Chen gave a talk about how the Xbox One was secured against physical attack: https://www.youtube.com/watch?v=U7VwtOrwceo

monocasa | 4 years ago

Chen makes it very clear that their threat model only includes attacks costing less than the attach rate of the system (about $600). He doesn't consider it an achievable goal in the general case.

dnautics | 4 years ago

Does anyone actually use SEV in cloud environments? My impression was that its lineage (my understanding is that it's basically AMD's Intel SGX) is to enable DRM for stuff like Netflix. I know for a time there was a lot of talk about using SGX in the cloud, but I was under the impression that the trust in SGX has been eroded over time to the point where no one thinks it's a good idea.

theevilsharpie | 4 years ago

SEV is completely different from SGX, and doesn't (currently, to my knowledge) have an equivalent on Intel chips that are currently on the market. Google Cloud's confidential compute feature makes use of SEV under the covers.

benlivengood | 4 years ago

I've only spun up an SEV instance for the novelty but am considering using it for things like HashiCorp Vault where performance isn't critical but extra privacy assurance is nice.

Fundamentally, though, system security hasn't caught up with the promise of SEV. It's far more likely that a VM will be compromised by 0-day attacks than by insiders at the cloud companies. But if you really need to run a secure kernel on someone else's machine then SEV is the way of the future. This includes using SEV on-premises against hardware attacks. I've wanted hardware RAM encryption for a decade or two to avoid cold-boot attacks and similar hardware vulnerabilities.