Fault Attacks on Encrypted General Purpose Compute Platforms
Robert Buhren, Shay Gueron, Jan Nordholz, Jean-Pierre Seifert, Julian Vetter

TL;DR
This paper demonstrates that memory encryption alone is insufficient to defend against active adversaries capable of modifying RAM content, as shown by a fault attack extracting an RSA key from a system mimicking AMD's SME.
Contribution
The authors develop a software-based memory encryption prototype and demonstrate a fault attack that compromises RSA keys, highlighting vulnerabilities in current encryption schemes against active attacks.
Findings
Memory encryption does not prevent active fault attacks.
Fault injection can extract cryptographic keys from encrypted memory.
Current hardware protections may be inadequate against active adversaries.
Abstract
Adversaries with physical access to a target platform can perform cold boot or DMA attacks to extract sensitive data from the RAM. In response, several main-memory encryption schemes have been proposed to prevent such attacks. Also hardware vendors have acknowledged the threat and already announced respective hardware extensions. Intel's SGX and AMD's SME will provide means to encrypt parts of the RAM to protect security-relevant assets that reside there. Encrypting the RAM will protect the user's content against passive eavesdropping. However, the level of protection it provides in scenarios that involve an adversary who is not only able to read from RAM but can also change content in RAM is less clear. Obviously, encryption offers some protection against such an "active" adversary: from the ciphertext the adversary cannot see what value is changed in the plaintext, nor predict the…
Taxonomy
Topics: Security and Verification in Computing · Cryptographic Implementations and Security · Advanced Malware Detection Techniques
