CacheWarp: a vulnerability that allows evasion of the SEV protection mechanism on AMD processors


CISPA researchers recently announced CacheWarp, a new attack method for compromising the AMD SEV security mechanism, which is used in virtualization systems to protect virtual machines from interference by the hypervisor or the host system administrator.

According to the researchers, CacheWarp relies on a vulnerability (tracked as CVE-2023-20592) caused by a cache malfunction during execution of the INVD processor instruction. It makes it possible to create a discrepancy between the data in memory and the data in the cache, and so bypass the mechanisms that maintain the integrity of virtual machine memory, which are implemented on top of the SEV-ES and SEV-SNP extensions.

The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges on a virtual machine protected by AMD SEV. The vulnerability affects AMD EPYC processors from the first to the third generation.

AMD SEV technology is used by cloud providers to isolate virtual machines. AMD SEV protection is implemented through hardware-level encryption of the virtual machine's memory; in addition, the SEV-ES extension protects CPU registers. Only the current guest system has access to the decrypted data, and when other virtual machines or the hypervisor try to access this memory, they receive only encrypted data.

The attack is based on using the INVD instruction to invalidate blocks in the cache without writing the data accumulated in the cache back to memory (writeback). The method therefore makes it possible to evict modified data from the cache without changing the state of memory.

To carry out the attack, the researchers propose using software exceptions to interrupt the operation of the virtual machine at two points: first, the attacker calls the "wbnoinvd" instruction to write back to memory all write operations accumulated in the cache, and second, the attacker calls the "invd" instruction to return write operations not yet reflected in memory to their previous state.

To test for the vulnerability, a prototype exploit has been published that allows an exception to be injected into a virtual machine protected by AMD SEV and reverts changes in the VM that have not yet been written back to memory.

Rolling back a change can be used to alter a program's control flow by restoring an old return address on the stack, or to reuse the login parameters of a previously authenticated session by restoring an old value of an authentication attribute.

For example, the researchers demonstrated that the CacheWarp method can be used to perform a Bellcore attack on the RSA-CRT implementation in the ipp-crypto library, which made it possible to recover the private key by introducing errors into the calculation of a digital signature.

Finally, CacheWarp does not affect all AMD processors in the same way. For 3rd generation AMD EPYC processors (Zen 3), the problem is resolved in the November microcode update published by AMD (the fix does not cause any performance degradation).

For the first and second generations of AMD EPYC (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. The fourth generation of AMD EPYC "Genoa" processors, based on the "Zen 4" microarchitecture, is not vulnerable.

The third generation of AMD EPYC processors also introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures safe operation of nested memory page tables. In addition to general memory encryption and register isolation, SEV-SNP implements additional measures to protect memory integrity by preventing the hypervisor from making changes to the VM. Encryption keys are managed by a separate PSP (Platform Security Processor) integrated into the chip and based on the ARM architecture.

If you are interested in knowing more about it, you can consult the details at the following link.

