listen to this article:
Researchers from three universities in Europe (Austria, Germany, and the UK) have recently published a new attack on Intel chips, called PLATYPUS. Not to be confused with the well-known monotreme, this PLATYPUS is a new side-channel attack that is worth taking note of. In this blog post I will not go into the technical details of how the attack actually works; you can learn more about that from the webpage set up by the researchers themselves and from the paper. However, what I will explain below is what this attack is all about, and what we can learn from it.
Computational Leakage and Power Attacks
In the 1990s, it was already understood that computation leaks in multiple ways. In the context of PLATYPUS, the type of leakage that is of interest is power leakage. Surprisingly, the amount of power used by a computing device when carrying out a computation depends on the actual values being processed. This means that the secret key used in a cryptographic operation like decryption or signing can leak to someone who can physically measure the power consumption of the device itself. These attacks are called “side-channel attacks” since they utilize auxiliary information that can be obtained regarding the computation. In this case, the power measurements can be made by connecting an oscilloscope of some kind to the computer and measuring the power over multiple operations. Power attacks are extremely hard to prevent, and devices that may find themselves in the hands of attackers need to utilize sophisticated methods to physically blur these measurements. Having said that, physical access to modern data centers or cloud deployments is highly restricted today. Therefore, server-side attacks of this kind are not considered very practical or one that we should typically be concerned about.
Software Side Channel Attacks
As a result of our ability to prevent physical access to servers in many cases, the most effective and concerning side-channel attacks today are via what we call “software side channels”. These attacks work by running attack software on the same physical machine as the victim software and utilizing observable behavior on the machine itself. Software side-channel attacks are very effective even though there is a strong software separation that prevents the attack software from accessing the memory or anything else related to the victim. This is because there is no true separation, and shared resources turn out to be very leaky. In today’s virtualized environments, the attack software can just be a VM running in the cloud that is co-located with many potential victims. In addition, the Intel SGX trusted execution environment is designed to protect secrets even when someone with administrator rights (e.g., a rogue employee, a hacker who stole admin credentials, or malware with elevated privileges) can run attack software on the machine. Since software side-channel attacks are very effective in these scenarios, they are a huge concern and great effort is invested in mitigating them.
The platypus power Side Channel
PLATYPUS is an effective new software side-channel attack that is based on measuring the computer’s power usage during cryptographic operations. This is extremely surprising since until now, power had to be measured by physically connecting an oscilloscope of some kind. (To be exact, the researchers behind PLATYPUS were not the first to discover this. However, their attack is far more effective on Intel chips than previous ones.) The researchers discovered that power can be measured in software by using an interesting feature of Intel chips, called the RAPL (Intel Running Average Power Limit) interface, that enables software to monitor and control power consumption. Furthermore, the measurement provided via RAPL suffices for attack software to effectively extract cryptographic keys from victim software on the same machine. Such attacks are not always very quick, and can take hours (sometimes many hours). However, given that the attack software does not do anything “illegal”, it can easily go undetected.
Mitigations and the current status
Importantly, in many cases, the access to RAPL requires no special privileges at all and any software running on the machine can utilize it. This is “easily” fixed by requiring administrator privileges to access RAPL. Needless to say, this is far from a perfect fix since attackers with administrator privileges will still be able to carry out the attack. It is important to note that PLATYPUS works effectively against SGX, and thus the protections provided by SGX even against attackers with administrator privileges are broken. Furthermore, when using AES-NI inside SGX, the security used to be considered very strong, since the actual AES operations take place in hardware and are so protected from side-channel attacks. However, PLATYPUS breaks AES-NI implementations as well, since it utilizes the power consumption differences that occur in AES-NI as well as in software implementations. Intel has released a patch to deal with this, but given the nature of the side channel and experience in other previous side-channel attacks, it is very unclear if the side channel is truly completely blocked.
What does this all mean?
Beyond the specific need to consider short-term ramifications of this attack in your setup, this is yet another validation that cryptographic keys cannot be truly protected when used in whole on a machine that runs general-purpose software that can carry out a side-channel attack. This cat-and-mouse situation with series of repeated attacks and fixes does not scale and leaves organizations exposed. In order to break out of this cycle, other paradigms are needed. Primarily, either completely isolated machines must be used (and even these constitute a single point of failure if an attacker succeeds to penetrate them) or security can be achieved via distribution using MPC (aka threshold cryptography) to prevent key material from ever being in one place. Using such MPC-based solutions, especially when run inside a trusted execution environment like SGX, an attacker would have to carry out a simultaneous side-channel attack on more than one machine. Although nothing is absolutely impossible in security, this becomes extremely difficult and unlikely.