German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory.
So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP or HTTPS requests.
a technique dubbed SEVered can, it is claimed, be used by a rogue host-level administrator, or malware within a hypervisor, or similar, to bypass SEV protections and copy information out of a customer or user’s virtual machine.
The problem, said Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that miscreants at the host level can alter a guest’s physical memory mappings, using standard page tables, bypassing the SEV’s protection mechanism. Here’s the team’s outline of the attack:
With SEVered, we demonstrate that it is nevertheless possible for a malicious HV [hypervisor] to extract all memory of an SEV-encrypted VM [virtual machine] in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection.
While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory. This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside.
This is not the first time eggheads have uncovered shortcomings in SEV’s ability to lock down VMs: previous studies have examined how the memory management system can be exploited by hackers to poke inside encrypted guests. Fraunhofer AISEC’s study, emitted on Thursday this week, takes this a step further, demonstrating that, indeed, the entire memory contents of a virtual machine could be pulled by a hypervisor even when SEV is active.
To show this, the researchers set up a test system powered by an AMD Epyc 7251 processor with SEV enabled and Debian GNU/Linux installed, running the Apache web server in a virtual machine. They then modified the system’s KVM hypervisor to observe when software within the guest accessed physical RAM.
By firing lots of HTML page requests at the Apache service, the hypervisor can see which pages of physical memory are being used to hold the file. It then switches the page mappings so that an encrypted memory page used by Apache to send the requested webpage sends a memory page from another part of the guest – a page that is automatically decrypted.
That means Apache leaks data from within the protected guest. Over time, the team was able to lift a full 2GB of memory from the targeted VM.
“Our evaluation shows that SEVered is feasible in practice and that it can be used to extract the entire memory from a SEV-protected VM within reasonable time,” the researchers wrote. “The results specifically show that critical aspects, such as noise during the identification and the resource stickiness are managed well by SEVered.”