Visible to the public SEVerity: Code Injection Attacks against Encrypted Virtual Machines

TitleSEVerity: Code Injection Attacks against Encrypted Virtual Machines
Publication TypeConference Paper
Year of Publication2021
AuthorsMorbitzer, Mathias, Proskurin, Sergej, Radev, Martin, Dorfhuber, Marko, Salas, Erick Quintanar
Conference Name2021 IEEE Security and Privacy Workshops (SPW)
Date Publishedmay
KeywordsAMD SEV, AMD SEV ES, cloud computing, Code Execution Attacks, composability, cryptography, cyber physical systems, Encrypted Virtual Machines, Memory management, outsourcing, privacy, pubcrawl, Registers, resilience, Resiliency, Virtual machine monitors, virtual machine security, Virtual machining, virtualization
AbstractModern enterprises increasingly take advantage of cloud infrastructures. Yet, outsourcing code and data into the cloud requires enterprises to trust cloud providers not to meddle with their data. To reduce the level of trust towards cloud providers, AMD has introduced Secure Encrypted Virtualization (SEV). By encrypting Virtual Machines (VMs), SEV aims to ensure data confidentiality, despite a compromised or curious Hypervisor. The SEV Encrypted State (SEV-ES) extension additionally protects the VM's register state from unauthorized access. Yet, both extensions do not provide integrity of the VM's memory, which has already been abused to leak the protected data or to alter the VM's control-flow. In this paper, we introduce the SEVerity attack; a missing puzzle piece in the series of attacks against the AMD SEV family. Specifically, we abuse the system's lack of memory integrity protection to inject and execute arbitrary code within SEV-ES-protected VMs. Contrary to previous code execution attacks against the AMD SEV family, SEVerity neither relies on a specific CPU version nor on any code gadgets inside the VM. Instead, SEVerity abuses the fact that SEV-ES prohibits direct memory access into the encrypted memory. Specifically, SEVerity injects arbitrary code into the encrypted VM through I/O channels and uses the Hypervisor to locate and trigger the execution of the encrypted payload. This allows us to sidestep the protection mechanisms of SEV-ES. Overall, our results demonstrate a success rate of 100% and hence highlight that memory integrity protection is an obligation when encrypting VMs. Consequently, our work presents the final stroke in a series of attacks against AMD SEV and SEV-ES and renders the present implementation as incapable of protecting against a curious, vulnerable, or malicious Hypervisor.
Citation Keymorbitzer_severity_2021