There is a new attack that can get around AMD’s Secure Encrypted Virtualization (SEV), researchers said.
SEV is a hardware feature that provides secure encryption of virtual machines (VMs) to protect VM memory from physical attacks and cross-VM and hypervisor-based attacks. It sees action mostly by AMD data-center processors.
It is possible to carry out an attack from a malicious hypervisor and capable of “extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines,” said researchers from Fraunhofer AISEC in Germany in a paper. Named SEVered, the attack requires a remote communication service running in the VM.
“We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines,” the researchers said in their paper. “SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine.”
The attack can be used to extract all memory contents, even if the targeted VM is under high load, researchers said. SEVered’s effectiveness was tested on a recent AMD SEV-enabled server platform running various services, in encrypted virtual machines.
SEV can transparently encrypt individual VMs using a Secure Processor (SP), where an individual key is used to encrypt the memory of each protected VM within the SP. The implementation in hardware is meant to protect the system against memory attacks, while also preventing hypervisors (HVs) from accessing sensitive VM data.
“With SEVered, we demonstrate that it is nevertheless possible for a malicious HV to extract all memory of an SEV-encrypted VM in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection,” the researchers said in their paper.
The HV is responsible for maintaining the VM’s Guest Physical Address (GPA) to Host Physical Address (HPA) mapping in main memory, which allows an attacker in control of the HV to change the memory layout of the VM in the HV, the researchers said in the paper.
“We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside,” the researchers said.
For that, they first identify the encrypted pages in memory corresponding to the resource, then repeatedly send requests “for the same resource to the service while re-mapping the identified memory pages,” which results in extracting all the VM’s memory in plaintext.
“SEVered neither requires detailed knowledge of the target VM or service, nor a malicious process colluding from inside the VM. Our attack is also resistant to noise, i.e., concurrent activity in the target VM, and dynamically adapts to different noise levels,” the paper said.
The researchers said SEVered is feasible in practice and could allow an attacker to extract the entire memory from a SEV-protected VM within reasonable time. They also said the attack manages critical aspects such as noise during the identification and the resource stickiness well, but there is room for improvements.
Software-based countermeasures are insufficient to prevent the attack, researchers said. The issue could be solved by providing “a full-featured integrity and freshness protection of guest-pages additional to the encryption.” However, the researchers agree such a solution would incur a high silicon cost to protect full VMs.
“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA. This ensures that pages cannot easily be swapped by changing the GPA to HPA mapping. Adding a nonce additionally ensures that an old page for the GPA cannot be replayed into the guest by a malicious HV. Integration of such an approach into AMD SEV could effectively prevent remapping,” the paper said.