Security researchers described a new practical attack against virtual machines that are protected by AMD's Secure Encrypted Virtualization technology. What is SEV used for and how can this vulnerability be exploited?
AMD developed Secure Encrypted Virtualization (SEV) as a hardware feature to encrypt virtual machines (VMs). The aim of Secure Encrypted Virtualization is to protect the content of virtual machines from attacks by malicious guests on a shared virtual machine host, as well as from attacks launched by the hypervisor control software that manages all the virtual machines on the host.
The intention of SEV is to give cloud and virtual machine service customers confidence that their virtual machine data is safe, even if their cloud provider is subverted by an attacker who gains control of the cloud hypervisor infrastructure.
Researchers recently identified an attack against SEV, named SEVered, that demonstrates "an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines," according to researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, all affiliated with the Fraunhofer Institute for Applied and Integrated Security, a German information security research institution, as described in a paper published earlier this year.
AMD's Secure Encrypted Virtualization encrypts virtual machines using a Secure Processor, which performs encryption using ephemeral keys that remain inside the virtual machine, which is inaccessible to external attackers and neighboring virtual machines, as well as to the hypervisor itself.
The newly discovered vulnerability is notable because it can be exploited remotely, and it requires only that the targeted virtual machine be running a remote communication service -- like a web server -- within the virtual machine.
SEVered works because SEV does not provide integrity protection for the page-wise encryption of the main memory, so a malicious hypervisor could control mapping from a guest's physical address to the host's physical address. As a result, the malicious hypervisor can extract all the memory in an SEV encrypted VM in plaintext. This feature could enable an attacker to take advantage of the services and resources within the VM and give them the ability to change the memory layout of the VM.
The researchers demonstrated a technique they called page tracking, which can be used by an attacker to get information about the memory map. Page tracking is achieved by removing present flags, which, when removed, trigger an error that can help the attacker identify targeted resources.
The exposed information in the memory map can enable an attacker to identify a resource by determining the set of pages that can store the service's response. A service then returns the pages of the virtual machine stored in memory when the attacker requests a resource, such as an HTML page or a file offered for download from a web server. The attacker can repeat the requests to extract the data while switching the mapping of the identified resource from the guest's physical address to the host's physical address in the hypervisor. Without the victim's knowledge, the attacker could restore the original state of the VM by mapping the original resource pages to the host's physical address.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)