At this point, I really don't understand how people can still believe that SGX is ever going to work. The threat model is so incredibly hostile that it is basically impossible to create something that isn't vulnerable through some kind of side channel or physical manipulation such as this. When it is compromised at just one site, then the whole security model topples. In the end, you will only be able to "securely" deploy it in environments where you trust the parties to not tinker too much with it. But in that case, why not just go for something a lot simpler when you already rely on trust?
These kinds of brownout/undervolt attacks have been used in console cracking for decades.

Surely someone involved would have known about that. I wonder what chain of events led to the creation of a secure enclave with such well understood flaws.
I understand how screwing with the voltage can cause execution errors. If a random flop somewhere in the design flips state (or fails to when it should) the resulting behavior could be anything, including hanging the chip.

How does such a random event get turned into an exploit?
Most comments simply missed the point.

Power analysis attacks and power glitch attacks are well-known in cryptography and electronics. The classic technique is to monitor the Vcc voltage and current on an oscilloscope and try to deduce the internal operation of the chip and extract the secret, or to inject a glitch on the Vcc rail to induce a fault. A classic side-channel attack, but these attacks required complete physical control over the hardware, and you need to put a dozen probes on the motherboard in a lab with an elaborate setup, so it was typically not a concern unless it's a crypto key or something (if so, it would be done on a separate security chip with physical defenses internally).

But this attack showed that, since every CPU and SoC now has built-in dynamic voltage scaling and power management, by using these features you can use the CPU to launch a power analysis attack against itself, and you don't even need to touch a single trace on the PCB; the attack can be launched remotely, and all you need is root access!

This is frightening. Who knows what is going to be next.
Intel just keeps getting kicked in the nuts, huh

There is no way to get the most performance out of your Intel chip without undervolting - especially on mobile, they run really hot under constant load and often throttle. Manufacturers using barely capable heatsinks doesn't help.

Time to switch to AMD when the new Zen mobile chips arrive.
There is no such thing as "trusted" computing.

The very same DVFS is also possible to exploit for side channel attacks. Say, one branch makes the processor kick in in a higher gear, and over millions of branches, you can reliably deduce the branch result for an operation behind the MCU barrier.
I wonder, with formal verification being a thing, could you formally verify that a chip would be resistant to all types of power attacks according to the current laws of physics?

Such a proof can never be final, because the laws of physics aren't either. But just because it's not perfect doesn't mean it wouldn't be good.
Important caveats, for the lazy:

- SGX is disabled by default, it has to be enabled for this exploit to be relevant

- POC requires privileged execution, at which point you can safely assume all is already lost

Anyone who has spent time around digital logic circuits will know that messing with voltages will cause errors. If the power lines are too low some transistors will not be able to switch their load. Or too high and you will cause parasitic losses or capacitance in unexpected places. This is actually a really nice attack to show off to people with an interest in computer/electrical engineering because it demonstrates how a basic design constraint can cascade in unexpected ways.
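The two caveats in the comment above (SGX must be enabled, and the attack needs root so it can drive the voltage-scaling interface described a few comments earlier) translate into two quick checks a defender can run on a Linux host. The script below is an added example written for this page; it is not from the thread or from the researchers' proof of concept. It assumes that the Linux kernel lists an "sgx" flag in /proc/cpuinfo when SGX is enabled in firmware (older kernels may not expose it), and that recent kernels log a "Write to unrecognized MSR" line when a privileged process writes a model-specific register through /dev/cpu/*/msr; the exact message format, the MSR number and the process name in the sample log are constructed, not captured.

```shell
#!/bin/sh
# Added example (not code from the thread or the PoC). Two defender checks for
# the caveats above: is SGX even enabled, and has anything in user space been
# writing MSRs (the voltage-scaling interface is an MSR, so such writes are
# the kind of event worth a look)? Both functions take their input as a string
# so they run offline on the constructed samples at the bottom.

# Print "yes" if the cpuinfo text carries the sgx flag, "no" otherwise.
# Assumption: the kernel reports an "sgx" entry in the flags line.
sgx_flag_present() {
    if printf '%s\n' "$1" | grep -q -E '^flags[[:space:]]*:.*[[:space:]]sgx([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Count kernel-log lines that record a user-space MSR write.
# Assumption: the message text is "Write to unrecognized MSR 0x... by <comm> (pid: N)".
msr_write_events() {
    printf '%s\n' "$1" | grep -c 'Write to unrecognized MSR' || true
}

# List the distinct process names that performed such writes, space separated.
msr_writers() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Write to unrecognized MSR 0x[0-9a-fA-F]* by \([^ ]*\) .*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print a short report for the given cpuinfo text and kernel log text.
report() {
    echo "SGX flag present:              $(sgx_flag_present "$1")"
    echo "User-space MSR writes logged:  $(msr_write_events "$2")"
    echo "Processes writing MSRs:        $(msr_writers "$2")"
}

# Constructed samples (not captured from a real machine).
SAMPLE_CPUINFO='processor : 0
flags : fpu vme de pse tsc msr pae sgx sgx_lc avx2
processor : 1
flags : fpu vme de pse tsc msr pae sgx sgx_lc avx2'

SAMPLE_CPUINFO_NOSGX='processor : 0
flags : fpu vme de pse tsc msr pae avx2'

# The MSR number 0x1ab and the process name are placeholders for this sample.
SAMPLE_DMESG='[   12.001] msr: Write to unrecognized MSR 0x1ab by voltctl (pid: 4242). Please report to x86@kernel.org.
[   12.002] msr: Write to unrecognized MSR 0x1ab by voltctl (pid: 4242). Please report to x86@kernel.org.
[   40.500] usb 1-1: new high-speed USB device number 2 using xhci_hcd'

report "$SAMPLE_CPUINFO" "$SAMPLE_DMESG"
```

On a live host you would call `report "$(cat /proc/cpuinfo)" "$(dmesg)"` instead of the samples. Neither check proves an attack happened; a logged MSR write from root is exactly the "all is already lost" situation the comment describes, but it is also the signal that tells you the undervolting path was exercised rather than some other root-level mischief.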