A security protocol designed to prevent hypervisors accessing data from other virtual machines on AMD chips may not be as secure as thought.
According to research carried out by scientists as the Technical University of Berlin, Germany, Secure Encrypted Virtualization (SEV), which will debut in future ZMD Zen processors, could enable hackers to use a malicious hypervisor to access guest data on other virtual machines.
The technology is set to feature in x86 AMD Zen server chips next year, but according to Felicitas Hetzelt and Robert Buhren of the Technical University of Berlin, there are three theoretical design “shortcomings” that could allow hackers to access data. SEV works by encrypting sections of the virtual machine's memory so a hypervisor is unable to look at the data. The technology has been set up so that developers don't need to modify existing software in order for this to work.
This differs from another technology in development, Intel's Software Guard Extensions (SGX) which requires developers to identify the security sensitive parts of a program and to alter them such that these parts are executed in an SGX enclave.
The researchers investigated the technology by examining publicly available technical documentation on SEV. In a technical paper released over the weekend, the researchers said that as with standard AMD-V, under SEV, the virtual machine control block is not encrypted and handled directly by the hypervisor, allowing him to bypass VM memory encryption by executing conveniently chosen gadgets.
“Secondly, the general purpose registers are not encrypted upon vmexit, leaking potentially sensitive data. Finally, the control of the nested pagetables allows a malicious hypervisor to closely control the execution of a VM and attack it with memory replay attacks,” said the researchers in the paper.
This means that a malicious hypervisor can force the guest to perform arbitrary read and write operations on protected memory. The researchers also said that SEV memory protection configured by the tenant could be completely disabled. The researchers also posited that a replay attack could be implemented that uses captured login data to gain access to the target system by solely exploiting resource management features of a hypervisor.
“We would like to emphasize that we did not break AMD SEV itself but rather evaluated the design issues present in the documentation in respect to their usefulness for a malicious or compromised hypervisor,” said the researchers.
The researchers said that the flaws reduced “the usefulness of the current SEV version to mere protection against cold-boot attacks”.
“Although we discovered serious design issues of AMD's SEV, we still think that the technology is promising considering the mitigations discussed in this paper,” said the researchers.
AMD Statement –
1. SEV is not included on any AMD products in market today, so the proposed SEV vulnerability would not have any impact on existing AMD products.
2. AMD is pleased to hear researchers see the merit and promise of AMD SEV technology, as it is the first to address protection of data in a virtualised environment and represents a significant step forward in security. AMD along with the rest of the industry, continues to evaluate new threats and develop responses to them. AMD SEV is just one of the critical ingredients in AMD's security toolbox and the industry can expect to see more security enhancements in the future with our upcoming Naples platform.”
Adam Lackorzynski, security and system architect at the Technical University of Dresden, told SC that a proper design of the virtualization stack can very well remove the attack surface "hypervisor" by providing isolation within the system and only granting required access and functionality, and not more (including cloud administrators).
“With an open source approach everyone can check the hypervisor while with hardware-based approaches it's trust only to the hardware vendor,” he said.
“That said, AMD's approach looks balanced regarding the virtualization use case (potential issues put aside), while Intel's SGX does not address virtualization currently.”
Lackorzynski added that great care is required when introducing security at the hardware level. “It needs to be designed in a way that is can be disabled without negative impact on other parts of the system.”
He said, “Hardware needs to provide security/isolation mechanism. It's about the complexity of features. Because hardware cannot be readily updated, great care is required and mistakes are expensive.”