Jump to content
Tuts 4 You

V0LTpwn: Attacking x86 Processor Integrity from Software


whoknows

Recommended Posts

https://arxiv.org/abs/1912.04870

download pdf @ top right

 

bonus

Mozilla Installs Scheduled Telemetry Task On Windows With Firefox 75 - blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/

Edited by whoknows
  • Like 2
Link to comment

This is quite cool to see, as it demonstrates the evolution of side-channel attacks. One of the discussion points I think is worth mentioning from the paper is how the attacker could leverage this in a real-world scenario of attacking SGX crypto library. I think the next evolution of side-channel and attacks that are alike, is to remove the necessity of requiring root-privileges. Some further discussions around this area of undervolting is quite interesting:

[1] Voltpwn informal discussion - More of a contextual understanding of VoltPWN

[2] https://plundervolt.com/Plundervolt - Discusses the earlier works within the research of undervolting

 

Edited by eXit
Link to comment

On x86 it seems despite being undocumented that root is definetly a requirement for undervolting while ARM maybe not.  So probably more risk for mobile devices.  It seems that only certain instructions are vulnerable and even then it's not clear how predictable which bits will be flipped is.  Sounds like segfaults and other kernel crashes would possibly occur.  I think it would be exceedingly hard to weaponize this attack vector

Link to comment
9 hours ago, Progman said:

On x86 it seems despite being undocumented that root is definetly a requirement for undervolting while ARM maybe not.  So probably more risk for mobile devices.  It seems that only certain instructions are vulnerable and even then it's not clear how predictable which bits will be flipped is.  Sounds like segfaults and other kernel crashes would possibly occur.  I think it would be exceedingly hard to weaponize this attack vector

For sure this would be extremely hard to weaponize and it would be detectable by the aforementioned crashing, however, as a step forward in some form of PoC weaponization in this area is quite big considering that Meltdown, Spectre, and Rowhammer were unreal in actual weaponization.

Your point on ARM is really interesting, as the increased surface of ARM instructions is more versatile as you can switch between THUMB and ARM making it more plausible. However, the only possible device that could be targeted would possibly be IPhones or embedded Intel devices that have secure enclaves.

  • Like 1
Link to comment
11 hours ago, eXit said:

Your point on ARM is really interesting, as the increased surface of ARM instructions is more versatile as you can switch between THUMB and ARM making it more plausible. However, the only possible device that could be targeted would possibly be IPhones or embedded Intel devices that have secure enclaves.

There are many other vulns on mobiles that can be exploited far more easily. What makes all this more easier is the fact that many users do use carcked apps on their phones. Not too difficult to infect mobiles.

The main challenge arises from the fact that the updates to the mobile operating systems are quite frequent and that the actual build and version of the OS on anyone's phone could vary wildly from a mobile to a mobile (due to updates which are applied/not applied among other things).

  • Like 1
Link to comment
11 hours ago, Gorina said:

There are many other vulns on mobiles that can be exploited far more easily. What makes all this more easier is the fact that many users do use carcked apps on their phones. Not too difficult to infect mobiles.

The main challenge arises from the fact that the updates to the mobile operating systems are quite frequent and that the actual build and version of the OS on anyone's phone could vary wildly from a mobile to a mobile (due to updates which are applied/not applied among other things).

This is very, true mobiles have a major problem with rogue applications. But from an academic exercise, this research is important to the development of a new field of attack vectors that attacks can utilise (this is going to still take a while for side-channels to be weaponized).

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...