A team of security researchers with Cornell University has demonstrated a proof-of-concept attack on AMD’s Secure Encrypted Virtualization (SEV) technology, leveraging the Zen-integrated AMD Secure Processor (AMD-SP) to achieve full system access.
The technique requires physical access to the AMD system and is based on a voltage glitching attack that allows a bad actor to deploy custom SEV firmware, which would, in turn, allow the decryption of all Virtual Machine (VM)-bound information. The vulnerability is exploitable on Zen 1 through Zen 3. Previously, part of AMD’s claim to fame was that Zen 2 and Zen 3 were free from any vulnerabilities of this kind.
The team was led by Robert Buhren, a security researcher who has already demonstrated a series of AMD SEV flaws. The requirement for physical access means that this vulnerability isn’t of particular concern to most mainstream users. However, the detailed technique shows yet another way for a rogue actor with physical hardware access to a company’s infrastructure to execute malicious code that bypasses all of AMD’s protection mechanisms for their Zen microarchitectures. This vulnerability stands on its own, in the sense that the voltage modulation attack doesn’t rely on any other existing exploits.
That AMD’s Secure Processor (basically an ARM-powered CPU integrated into AMD’s Zen design) was the target of this exploit is a blow to AMD – the AMD-SP was specifically designed to protect AMD’s customers from such attacks, which could be carried out by rogue system administrators. This is of particular concern in cloud-powered environments, since it means that companies running their services on an instanced cloud provider have to trust not only the provider itself, but also its technicians (whether they’re subcontracted or not). It’s another small knife cut on AMD’s attempts to steal server market share from Intel, though it’s still a far cry from the thousand cuts one estimates might be required to render AMD’s current solutions unpalatable on the basis of security concerns. If anything, Intel currently features a worse security track record when it comes to the number and severity of its products’ (already public) vulnerabilities.