International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

SEV-Step A Single-Stepping Framework for AMD-SEV

Authors:
Luca Wilke , University of Lübeck, Lübeck, Germany
Jan Wichelmann , University of Lübeck, Lübeck, Germany
Anja Rabich , University of Lübeck, Lübeck, Germany
Thomas Eisenbarth , University of Lübeck, Lübeck, Germany
Download:
DOI: 10.46586/tches.v2024.i1.180-206
URL: https://tches.iacr.org/index.php/TCHES/article/view/11250
Search ePrint
Search Google
Abstract: The ever increasing popularity and availability of Trusted Execution Environments (TEEs) had a stark influence on microarchitectural attack research in academia, as their strong attacker model both boosts existing attack vectors and introduces several new ones. While many works have focused on Intel SGX, other TEEs like AMD SEV have recently also started to receive more attention. A common technique when attacking SGX enclaves is single-stepping, where the system’s APIC timer is used to interrupt the enclave after every instruction. Single-stepping increases the temporal resolution of subsequent microarchitectural attacks to a maximum. A key driver in the proliferation of this complex attack technique was the SGX-Step framework, which offered a stable reference implementation for single-stepping and a relatively easy setup. In this paper, we demonstrate that SEV VMs can also be reliably single-stepped. To lay the foundation for further microarchitectural attack research against SEV, we introduce the reusable SEV-Step framework. Besides reliable single-stepping, SEV-Step provides easy access to common attack primitives like page fault tracking and cache attacks against SEV. All features can be used interactively from user space. We demonstrate SEV-Step’s capabilities by carrying out an end-toend cache attack against SEV that leaks the volume key of a LUKS2-encrypted disk. Finally, we show for the first time that SEV is vulnerable to Nemesis-style attacks, which allow to extract information about the type and operands of single-stepped instructions from SEV-protected VMs.
BibTeX
@article{tches-2023-33666,
  title={SEV-Step A Single-Stepping Framework for AMD-SEV},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={024 No. 1},
  pages={180-206},
  url={https://tches.iacr.org/index.php/TCHES/article/view/11250},
  doi={10.46586/tches.v2024.i1.180-206},
  author={Luca Wilke and Jan Wichelmann and Anja Rabich and Thomas Eisenbarth},
  year=2023
}