The technique, which one of the two teams calls Plundervolt, involves planting malicious software on a target computer that temporarily reduces the voltage of the electricity flowing to an Intel chip. That drop in voltage, known as "undervolting," typically allows legitimate users to save power when they don't need maximum performance. (By that same token, you can use the voltage-variance feature to "overclock" a processor for more intensive tasks.) But by momentarily undervolting a processor by 25 or 30 percent, and precisely timing that voltage change, an attacker can cause the chip to make errors in the midst of computations that use secret data. And those errors can reveal information as sensitive as a cryptographic key or biometric data stored in the SGX enclave.
"Writing to memory takes power," says Flavio Garcia, a computer scientist at the University of Birmingham who, along with his colleagues, will present the Plundervolt research at IEEE Security and Privacy next year. "So for an instant, you reduce the CPU voltage to induce a computation fault."

Once the researchers found that they could use voltage changes to induce those faults—a so-called fault injection or "bit flip" that turns a one to a zero in the SGX enclave or vice versa—they showed that they could also exploit them. "If you can flip bits when, for instance, you're doing cryptographic computations—and that's where this gets interesting—you can recover the secret key," Garcia says. In many cases, the researchers explain, changing a single bit of a cryptographic key can make it vastly weaker, so that an attacker can both decipher the data it encrypts and derive the key itself. You can see the impact on an AES encryption key here:
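To make the "one flipped bit during a cryptographic computation" idea concrete from the defender's side, the following is an added, self-contained example that is not code from the Plundervolt researchers, from Intel, or from this article. It implements AES-128 encryption from the FIPS-197 specification (checked against the standard's published test vector), simulates the effect of a single bit flip in the cipher state during the final round, and then shows the classic software countermeasure against differential fault analysis: compute the result twice and refuse to release a ciphertext unless both runs agree. The fault model (one bit of the state, just before the last round), the `FaultInjector` class and the function names are assumptions chosen for illustration; the real attack induces the flip by undervolting the CPU rather than by a software hook.

```python
"""AES-128 with a simulated single-bit fault and a redundancy check.

Added example (not from the Plundervolt paper or Intel). The fault model and the
FaultInjector helper are constructed for illustration only.
"""


# --- minimal AES-128 encryption per FIPS-197 --------------------------------

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """Multiply two GF(2^8) elements by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the S-box: multiplicative inverse (via log/exp tables over the
    generator 3) followed by the affine transform and the 0x63 constant."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)  # x * 3
    sbox = []
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s, t = inv, inv
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF  # rotate left by 1
            s ^= t
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _expand_key(key):
    """Key schedule: returns 11 round keys of 16 bytes (column-major order)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # state index = 4*column + row; row r is rotated left by r columns
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
    return out


def _add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def aes128_encrypt(key, block, fault=None):
    """Encrypt one 16-byte block. `fault=(byte_index, bit)` simulates a single
    bit flip in the state just before the final round (assumed fault model)."""
    rk = _expand_key(key)
    s = _add_round_key(list(block), rk[0])
    for r in range(1, 10):
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rk[r])
    if fault is not None:
        i, bit = fault
        s[i] ^= 1 << bit  # the simulated transient fault
    s = _add_round_key(_shift_rows(_sub_bytes(s)), rk[10])
    return bytes(s)


# --- simulated glitch and the redundancy countermeasure ---------------------

class FaultInjector:
    """Constructed stand-in for the undervolting glitch: arms one bit flip that
    fires on the next encryption only, then disarms itself."""

    def __init__(self):
        self.pending = None

    def arm(self, byte_index, bit):
        self.pending = (byte_index, bit)

    def take(self):
        fault, self.pending = self.pending, None
        return fault


def encrypt_unchecked(key, block, glitch):
    """Naive enclave code: whatever the hardware computed is handed out."""
    return aes128_encrypt(key, block, fault=glitch.take())


def encrypt_checked(key, block, glitch):
    """Temporal redundancy: run the cipher twice and release the ciphertext only
    if both runs agree. A single transient fault makes the runs differ, so the
    faulty output that differential fault analysis relies on is withheld."""
    first = aes128_encrypt(key, block, fault=glitch.take())
    second = aes128_encrypt(key, block, fault=glitch.take())
    return first if first == second else None


def faulty_bytes(correct, faulty):
    """Indices of output bytes that differ between a correct and a faulted run."""
    return [i for i in range(16) if correct[i] != faulty[i]]
```

Run against the FIPS-197 Appendix C.1 vector (key `000102…0f`, plaintext `00112233…ff`), `aes128_encrypt` yields `69c4e0d86a7b0430d8cdb78070b4c55a`. Because the simulated flip lands after the last MixColumns, a one-bit fault changes exactly one ciphertext byte, which is the kind of narrow differential an attacker looks for; `encrypt_checked` returns `None` instead, and a subsequent unfaulted call returns the correct ciphertext. The caveat a practitioner should keep in mind is that duplicate computation only raises the bar: a glitch that hits both runs identically, or a flip in the comparison itself, still gets through, which is why the durable fix for this class of attack is to lock the voltage interface in firmware rather than to rely on software checks alone.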
The researchers also showed that they could use those bit flips to make the processor write to an unprotected portion of memory rather than to the secure SGX enclave:
The researchers acknowledge that their attack isn't exactly easy to pull off. For it to work, the attacker has to have already somehow installed their malware with high-level, or "root," privileges on the target computer. But Intel has advertised its SGX feature as preventing corruption or theft of sensitive data even in the face of this sort of highly privileged malware. The researchers say they have demonstrated a serious exception to that guarantee.