Ahoi Attacks: Disrupting TEEs with Malicious Notifications

Over the past decade, hardware manufacturers have introduced special support to enable cloud users to safely perform computation on untrusted cloud deployments. This technology, called confidential computing, provides cloud users with guarantees about the applications that they execute and confidentiality and integrity for the data. Currently, confidential computing is employed across various sectors including finance, healthcare, and government, where the need to maintain data privacy and integrity is paramount.

State-of-the art confidential computing solutions Intel TDX and AMD SEV-SNP allow users to create confidential VMs that are managed by a cloud-provider controlled software called the hypervisor. Researchers from the SECTRS group have now discovered a new class of attacks, dubbed Ahoi attacks, that exploit vulnerabilities in the notification framework in Intel TDX and AMD SEV-SNP. Specifically, the cloud-provider controlled hypervisor sends malicious notifications (called interrupts) to the confidential VMs to compromise their security (see the explainer video). Using this vulnerability the researchers demonstrate two concrete attacks: Heckler and WeSee.

When a confidential VM receives an interrupt, it executes a corresponding interrupt handler that performs interrupt-specific tasks (e.g., updating memory values, setting global state). In Heckler, the researchers use legacy interrupts in confidential VMs to arbitrarily trigger interrupt handlers that change the global state of a security-sensitive application. For example, they demonstrate an attack on Intel TDX and AMD SEV-SNP that bypasses the authentication flow in the confidential VMs to gain uncontrolled access to all code and data. The researchers responsibly reported these vulnerabilities to Intel and AMD. The hardware vendors acknowledged the report and the vulnerabilities are tracked under 2 CVEs :  CVE-2024-25744, CVE-2024-25743. For more details check out the paper to appear at USENIX Security ’24 below.

HECKLER: Breaking Confidential VMs with Malicious Interrupts
Benedict Schlüter, Supraja Sridhara, Mark Kuhne, Andrin Bertschi, Shweta Shinde

With the second attack, called WeSee, the researchers demonstrate attacks using vulnerabilities in a newly introduced interrupt (#VC) for AMD SEV-SNP. With the new interrupt, AMD SEV-SNP also introduces a new handler for #VC. The researchers show that a malicious hypervisor can build expressive attacks by arbitrarily injecting #VC to the confidential VM. For example, with WeSee the researchers build an attack that allows the attacker to gain complete privileged control of the confidential VM. The researchers responsibly disclosed the vulnerability to AMD who acknowledged the attack. The vulnerability is tracked under CVE-2024-25742. For more details check out the paper to appear at IEEE S&P ’24 below.

WeSee: Using Malicious #VC Interrupts to Break AMD SEV-SNP
Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, Shweta Shinde

These attacks highlight the need to carefully examine both legacy and newly added features for confidential computing. Ahoi attacks show the need to revamp the long-ignored notification frameworks of these confidential computing solutions. In light of these attacks, hardware vendors should rethink this vital notification framework and introduce native primitives for secure notification delivery to CVMs.

To know more read the full news article here.