A new security flaw has been discovered in AMD’s Secure Encrypted Virtualization (SEV) technology, which could allow threat actors topass encryption and gain unauthorized access to virtual machines (VMs). The vulnerability, known as “CacheWarp”, was identified researchers at the CISPA Helmholtz Center for Information Security.

SEV is an extension to AMD’s virtualization architecture introduced in 2016. It aims to protect VMs from potential malicious activities encrypting the memory contents with a unique key, effectively isolating them from the hypervisor. The recently added Secure Nested Paging (SNP) feature in SEV-SNP provides additional memory integrity protection against attacks such as data replay and memory re-mapping.

However, the CacheWarp vulnerability allows an attacker to exploit the “INVD” instruction to manipulate the processor’s cache and deceive the integrity protections of SEV. By dropping modified cache content without writing them back to memory, the attacker can create a scenario where the VM operates with outdated and inconsistent data.

The researchers identified two methods to achieve privilege escalation and remote code execution within the targeted VM. The first method, known as “timewarp”, tricks the processor into executing code that it had executed before, but with new data, leading to unexpected effects. The second method, called “Dropforge”, enables the attacker to reset changes made to data in the guest VMs, manipulating the logic flow of the guest execution.

Successful exploitation of CacheWarp can allow an attacker to take control of the VM hijacking the program’s control flow. AMD has responded to the vulnerability releasing a microcode update to address the “instruction misuse”.

It is worth noting that this is not the first time that researchers have identified security vulnerabilities in CPU technologies. Earlier this year, the CISPA researchers disclosed the Collide+Power vulnerability, affecting Intel, AMD, and Arm CPUs, which could also be used to leak sensitive data exploiting power side-channels.

While AMD claims that SEV-SNP provides robust integrity protection, the CacheWarp vulnerability demonstrates that further improvements are necessary to enhance the security of encrypted virtualization technologies. Continuous research and development efforts are crucial to staying one step ahead of potential threats in the ever-evolving landscape of hardware security.

FAQ

1. What is AMD Secure Encrypted Virtualization (SEV)?

AMD Secure Encrypted Virtualization (SEV) is an extension to AMD’s virtualization architecture designed to protect virtual machines (VMs) from potential malicious activities. It encrypts the memory contents of VMs, isolating them from the hypervisor.

2. What is CacheWarp?

CacheWarp is a security vulnerability discovered in AMD’s SEV technology. It allows an attacker topass encryption and gain unauthorized access to virtual machines, potentially leading to privilege escalation and remote code execution.

3. How does CacheWarp work?

CacheWarp exploits the “INVD” instruction to manipulate the processor’s cache, deceiving the integrity protections of AMD SEV. By dropping modified cache content without writing them back to memory, the attacker can trick the VM into operating with outdated and inconsistent data.

4. What is the impact of CacheWarp?

CacheWarp can permit an attacker to hijack the control flow of a program running within a virtual machine, gaining unauthorized control of the VM.

5. How has AMD responded to CacheWarp?

AMD has released a microcode update to address the vulnerability and fix the “instruction misuse” associated with CacheWarp.

Sources: https://newsroom.amd.com/news-releases/news-release-details/amd-introduces-secure-nested-paging-innovation-advance-zero