Researchers at the University of Graz in Austria have discovered a dangerous new vulnerability in Intel processors. The attack that exploits it has been named PLATYPUS. Platypuses, according to the authors of the study, sense electric current with their bill, which conveys the essence of the vulnerability: it relies on the processor's power-consumption readings. The flaw allows AES and RSA keys to be extracted and has been present in all Intel processors since 2011.
It should be said that side-channel attacks based on power (voltage) measurements are as old as microprocessors themselves. They even made their way into detective fiction: something of the kind was described a quarter of a century ago in one of Daniil Koretsky's novels. But until relatively recently, the attacker had to be physically connected to the target platform. The release of Intel's Sandy Bridge processors changed everything. Starting with that generation, processors include power-consumption sensors whose readings can be read remotely.
Moreover, Intel RAPL (Running Average Power Limit), the system that carries this telemetry from the processor, does not require privileged access on Linux, and on Windows and OS X the only barrier to access is the need to install a special driver. In other words, it was not closed off at all. The Austrian researchers' work forced Intel to change the access policy of the RAPL mechanism. Yesterday the company released revised microcode for its processors and expects motherboard and computer manufacturers to ship fixes promptly (INTEL-SA-0389 hotfix).
To defend against the PLATYPUS attack, Intel offered two solutions. First, only high-privilege users will now be able to access RAPL. Second, RAPL will no longer report the system's real power consumption; instead it will return data based on a model (averaged figures), which is not accurate enough to be used for breaking into the system.
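A check for the first of these mitigations on a Linux host, as an added example that is not code from the researchers or from Intel. It assumes the RAPL counters are exposed through the Linux powercap sysfs tree (`/sys/class/powercap/intel-rapl*/energy_uj`) and flags any counter that accounts other than the file owner can read.

```python
import os
import stat
import sys

# Assumption: Linux exposes RAPL counters through the powercap sysfs tree,
# one entry per zone named intel-rapl*, each holding an energy_uj file.
POWERCAP_ROOT = "/sys/class/powercap"


def audit_rapl(root=POWERCAP_ROOT):
    """Return (path, mode, exposed) for every RAPL energy counter under root.

    exposed is True when the group or other read bit is set, meaning an
    account other than the file owner (root on a real host) can sample it.
    """
    findings = []
    if not os.path.isdir(root):
        return findings  # no powercap interface on this machine
    for zone in sorted(os.listdir(root)):
        if not zone.startswith("intel-rapl"):
            continue
        counter = os.path.join(root, zone, "energy_uj")
        try:
            mode = stat.S_IMODE(os.stat(counter).st_mode)
        except OSError:
            continue  # control-type entry or zone without an energy counter
        exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append((counter, mode, exposed))
    return findings


def exposed_counters(root=POWERCAP_ROOT):
    """Paths of the counters that unprivileged accounts can read."""
    return [path for path, _mode, exposed in audit_rapl(root) if exposed]


if __name__ == "__main__":
    results = audit_rapl()
    if not results:
        print("no RAPL energy counters found under", POWERCAP_ROOT)
    for path, mode, exposed in results:
        print(f"{'EXPOSED' if exposed else 'ok':8} {mode:04o} {path}")
    # Non-zero exit lets a compliance job fail on an exposed counter.
    sys.exit(1 if any(exposed for _, _, exposed in results) else 0)
```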
It would seem that the matter is closed, but the researchers warn that what is at stake is the compromise of the protected SGX enclave in Intel processors. Combined with other vulnerabilities, such as one that lets an attacker escalate privileges, a power-measurement attack can still leak cryptographic keys. After all, the attacker no longer needs to sit at the target computer with an oscilloscope; a remote exploit does everything. AMD processors also have similar mechanisms, which are still waiting for their discoverers.