TPM-Fail Vulnerability Allowing Recovery of Keys Stored in TPM Modules

A team of researchers from Worcester Polytechnic Institute, the University of Lübeck and the University of California San Diego has developed a side-channel attack that recovers private keys stored in a TPM (Trusted Platform Module). The attack, named TPM-Fail, affects Intel's fTPM (a firmware implementation that runs on a separate microcontroller, the Intel Management Engine, rather than on a discrete chip; CVE-2019-11090) and the discrete hardware TPM on STMicroelectronics ST33 chips (CVE-2019-16863).

The researchers published a prototype attack toolkit and demonstrated recovery of a 256-bit private key used to produce ECDSA and EC-Schnorr elliptic-curve signatures. Depending on the attacker's level of access, the whole attack on Intel fTPM systems takes 4 to 20 minutes and requires timing 1 to 15 thousand signing operations. Against the ST33 chip, key recovery takes about 80 minutes and requires timing roughly 40 thousand signing operations.

The researchers also showed a remote variant over a fast network: in laboratory conditions, on a 1 Gbit/s local network, they recovered the private key in five hours after measuring the response times of about 45 thousand authentication handshakes with a VPN server running strongSwan, configured to keep its key in a vulnerable TPM.

The method is based on differences in the execution time of operations while a signature is being generated. The latency of the scalar multiplication in the elliptic-curve computation depends on the per-signature nonce (the secret random value k in ECDSA; it is not an initialization vector): an implementation that starts at the nonce's top set bit performs fewer steps for nonces with leading zero bits, so the measured time reveals the nonce's bit length. For ECDSA, knowing even a few bits of the nonce for enough signatures is sufficient; a lattice attack (solving the hidden number problem) then recovers the entire private key. To carry this out, the attacker times the generation of several thousand signatures over messages known to the attacker.
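To make the mechanism concrete, here is an added example (not code from the TPM-Fail paper, the researchers' toolkit, or any TPM firmware) of the leak and of the key recovery it enables. It assumes a toy curve over F_1019 whose prime group order is found at run time, uses the number of double-and-add iterations as a stand-in for measured execution time, signs constructed random "message hashes", and replaces the paper's lattice solver with brute force over the nonces of the shortest leaked length, which only works because the toy curve is tiny. The fixed-width multiplication shows why walking every bit position removes this particular leak.

```python
import random

# Toy field, chosen with P % 4 == 3 so a square root is a single pow; not secure.
P, A = 1019, 2

def inv(x, m):
    return pow(x, -1, m)

def count_points(b):
    # Naive point count: 0, 1 or 2 solutions y per x, plus the point at infinity.
    total = 1
    for x in range(P):
        rhs = (x ** 3 + A * x + b) % P
        total += 1 if rhs == 0 else 2 * (pow(rhs, (P - 1) // 2, P) == 1)
    return total

def pick_curve():
    # Find b giving a non-singular curve of prime order, so every point generates it.
    for b in range(1, P):
        n = count_points(b)
        if (4 * A ** 3 + 27 * b * b) % P and all(n % i for i in range(2, int(n ** 0.5) + 1)):
            return b, n

B, N = pick_curve()
NBITS = N.bit_length()

def find_generator():
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        if rhs and pow(rhs, (P - 1) // 2, P) == 1:
            return (x, pow(rhs, (P + 1) // 4, P))

G = find_generator()

def ec_add(p1, p2):
    # Affine addition; None is the point at infinity.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 + A) * inv(2 * y1, P) if p1 == p2 else (y2 - y1) * inv(x2 - x1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mul(k, pt, width=None):
    """Left-to-right double-and-add. width=None starts at k's top set bit, so
    the step count equals k.bit_length() (the leak). width=NBITS walks every
    bit position, so leading zeros cost the same as any other bit. (The
    data-dependent add is still there; a real constant-time routine removes it
    too.) Returns (point, steps); steps stands in for measured execution time."""
    acc, steps = None, 0
    for i in range((k.bit_length() if width is None else width) - 1, -1, -1):
        acc = ec_add(acc, acc)
        if (k >> i) & 1:
            acc = ec_add(acc, pt)
        steps += 1
    return acc, steps

def ecdsa_sign(d, h, k, width=None):
    pt, steps = scalar_mul(k, G, width)
    r = pt[0] % N
    return r, inv(k, N) * (h + r * d) % N, steps

def attack(sigs, pub):
    """sigs: (r, s, h, steps) tuples. Take the signature with the shortest
    leaked nonce, try every nonce of that bit length, and check the candidate
    key d = r^-1 (s*k - h) against the public key. The real attack feeds the
    leaked bits of many signatures to a lattice solver instead of brute force."""
    r, s, h, steps = min(sigs, key=lambda t: t[3])
    lo, hi = 1 << (steps - 1), min(1 << steps, N)
    for k in range(lo, hi):
        d = inv(r, N) * (s * k - h) % N
        if scalar_mul(d, G, NBITS)[0] == pub:
            return d, hi - lo
    return None, hi - lo

def run_demo(seed=7, count=400):
    """Sign `count` constructed random 'message hashes' with random nonces, once
    with the leaky and once with the fixed-width multiplication, then attack."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    pub = scalar_mul(d, G, NBITS)[0]
    leaky, fixed = [], set()
    while len(leaky) < count:
        h, k = rng.randrange(1, N), rng.randrange(1, N)
        r, s, steps = ecdsa_sign(d, h, k)
        if r and s:
            leaky.append((r, s, h, steps))
            fixed.add(ecdsa_sign(d, h, k, NBITS)[2])
    recovered, tried = attack(leaky, pub)
    return {"private_key": d, "recovered": recovered, "candidates_tried": tried,
            "leaky_timings": len({t[3] for t in leaky}), "fixed_timings": len(fixed)}

if __name__ == "__main__":
    print(run_demo())
```

Running it prints the private key, the recovered key (equal to it), how many nonce candidates the brute force had to try, and the number of distinct "timings" observed: many for the leaky multiplication, exactly one for the fixed-width one. On a real 256-bit curve the same leak, a few leading zero bits per nonce, is useless for brute force but is exactly what the lattice attack consumes.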

STMicroelectronics fixed the vulnerability in a new revision of the chip, whose ECDSA implementation no longer has an execution time correlated with the secret values. Notably, the affected STMicroelectronics chips are also used in equipment certified to Common Criteria (CC) EAL 4+. The researchers also tested TPM chips from Infineon and Nuvoton and found no timing-dependent leak in them.

On Intel processors the problem is present starting with the Haswell family, produced since 2013. A wide range of laptops, desktops and servers from various manufacturers, including Dell, Lenovo and HP, is affected. On a Linux host, the TPM's manufacturer and firmware version (to tell an Intel fTPM or an ST33 part from other TPMs) can be read with tpm2_getcap properties-fixed from tpm2-tools.

Intel included a fix in its November firmware update, which, besides the issue discussed here, eliminates 24 more vulnerabilities, nine of them rated high severity and one critical. Only general information is given about these; for example, the critical vulnerability (CVE-2019-0169) is described as a heap overflow in the Intel CSME (Converged Security and Management Engine) and Intel TXE (Trusted Execution Engine) environments that allows an attacker to elevate privileges and gain access to confidential data.

Also worth noting is the publication of audit results for several SDKs used to develop applications that interact with code running inside isolated enclaves. To identify problematic features that can be used to mount attacks, eight SDKs were studied: Intel SGX SDK, SGX-LKL, Microsoft Open Enclave, Graphene, Rust-EDP and Google Asylo for Intel SGX, Keystone for RISC-V, and Sancus for the Sancus TEE. The audit found 35 vulnerabilities, on the basis of which several attack scenarios were developed that allow extracting AES keys from an enclave or achieving code execution by creating conditions for memory corruption.

Source: opennet.ru