Researchers discover vulnerabilities in Intel's Trust Domain Extensions

Scientists from the University of Lübeck have identified vulnerabilities in Intel's Trust Domain Extensions. Intel has already closed one gap.


Scientists from the Institute for IT Security at the University of Lübeck have pointed out security problems to Intel.

(Image: Eisenbarth et al.)


Scientists have identified two vulnerabilities in Intel's latest security technology, the Trust Domain Extensions (TDX). TDX is designed to protect data processing in the cloud by isolating programs from the operating system. The researchers from the Institute for IT Security at the University of Lübeck, including Luca Wilke, Florian Sieck and Prof. Thomas Eisenbarth, published their findings under the title "TDXdown".

The vulnerabilities enable so-called side-channel attacks. An attacker could outwit the TDX security mechanisms by manipulating the CPU frequency. It is conceivable to observe the execution of the TEE "and draw conclusions about the processed data", explains Eisenbarth.

Intel has already fixed one of the vulnerabilities and recommends installing TDX module version 1.5.06 or higher to reduce the risk. Mitigating the second vulnerability, however, requires action at the application level.

Single-stepping attacks pose a major threat to Trusted Execution Environments (TEEs for short). They allow attackers to execute the instructions of a TEE one at a time, "creating numerous controlled-channel and side-channel based security issues", according to the paper.


The researchers have succeeded in using a "single-stepping attack" to track the execution of instructions in the trusted environment step by step. To do this, they lowered the CPU frequency so far that even a single executed instruction takes longer than Intel's defined threshold value. The countermeasure Intel introduced against this ("Prevention Mode") has an inherent weakness of its own that allows the executed instructions to be counted ("stumble stepping").

Intel classifies the single-stepping vulnerability with the threat level "low" (CVSS score 2.5). According to the chip manufacturer, detection has been improved in TDX version 1.5.06. However, there will be no remedy against stumble stepping. Instead, Intel refers to its "Software Security Guidance" for TD developers.

Both OpenSSL and wolfSSL have published updates that fix the vulnerability in nonce truncation by making the operation constant-time. wolfSSL introduces an additional implementation for this in version 5.6.6 (CVE-2024-1544). OpenSSL fixes the problem from version 3.3.1 onwards with "rejection sampling".
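To illustrate the rejection-sampling approach the article mentions, the following is an added example and not code from the article, Intel, OpenSSL or wolfSSL; the group order `N = 97` is a constructed toy value chosen so the effect is visible with a single random byte, and the "reduce modulo the order" variant is only a generic stand-in for a value-dependent derivation, not a reproduction of the OpenSSL or wolfSSL code in question.

```python
# Added illustration (not from the article or the libraries it names):
# two ways of turning random bytes into a nonce k in [1, n-1].
from collections import Counter
from typing import Tuple
import secrets

N = 97  # constructed toy group order; real curve orders have ~256 bits


def nonce_by_reduction(n: int, rand: bytes) -> int:
    """Interpret the random bytes as an integer and reduce into [1, n-1].

    Cheap, but the output is biased whenever 2**(8*len(rand)) is not a
    multiple of n-1, and any value-dependent step on the way (such as
    trimming the integer to the order's bit length) executes a
    data-dependent number of instructions, which is exactly what a
    single-stepping observer can count."""
    return int.from_bytes(rand, "big") % (n - 1) + 1


def nonce_by_rejection(n: int, draw) -> int:
    """Draw fixed-width candidates and accept the first one in [1, n-1].

    `draw(width)` is any source of `width` random bytes (e.g.
    secrets.token_bytes). Every candidate goes through the same fixed-width
    comparison, and a rejected candidate is discarded, so the number of
    loop iterations an observer can count says nothing about the nonce
    that is finally used."""
    width = (n.bit_length() + 7) // 8
    while True:
        k = int.from_bytes(draw(width), "big")
        if 1 <= k < n:
            return k


def reduction_spread(n: int, width: int) -> Tuple[int, int]:
    """Feed every possible `width`-byte input to nonce_by_reduction and
    return (largest count, smallest count) over the resulting nonces.
    Unequal counts mean the nonce distribution is biased."""
    counts = Counter(
        nonce_by_reduction(n, v.to_bytes(width, "big")) for v in range(256 ** width)
    )
    return max(counts.values()), min(counts.values())


def rejection_spread(n: int, width: int) -> Tuple[int, int]:
    """Same exhaustive count for the accept step of rejection sampling:
    each `width`-byte candidate is either accepted exactly once or dropped,
    so every nonce in [1, n-1] is equally likely."""
    counts = Counter(v for v in range(256 ** width) if 1 <= v < n)
    return max(counts.values()), min(counts.values())


if __name__ == "__main__":
    print("reduction (max, min):", reduction_spread(N, 1))  # (3, 2): biased
    print("rejection (max, min):", rejection_spread(N, 1))  # (1, 1): uniform
    print("sample nonce:", nonce_by_rejection(N, secrets.token_bytes))
```

The point for a TEE developer is the one the article makes: once an attacker can count executed instructions, any step whose instruction count depends on the secret value becomes a channel. Rejection sampling does loop a variable number of times, but each iteration handles an independent candidate and the discarded ones carry no information about the accepted nonce, which is why its timing is acceptable where a value-dependent truncation is not.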

According to the researchers, the susceptibility to errors when developing protected applications remains high despite the many security measures integrated into TDX. "The demands on developers of protected applications remain high," emphasizes Wilke. The discoveries were reported to Intel as early as November 2023, which gave the company the opportunity to provide patches in good time.

"Although Intel has added many built-in security measures to TDX to prevent known attacks, comparably powerful attacks are currently not taken into account. This means that the demands on the developers of protected applications, and therefore the vulnerability to errors, remain high," says Wilke.

Wilke and his colleagues have been researching the security of TEEs for several years and have also published numerous security problems in Intel SGX and AMD SEV themselves.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.