Modern enterprises increasingly take advantage of cloud infrastructures. Yet outsourcing code and data to the cloud requires enterprises to trust cloud providers not to meddle with their data. To reduce the level of trust placed in cloud providers, AMD has introduced Secure Encrypted Virtualization (SEV). By encrypting Virtual Machines (VMs), SEV aims to ensure data confidentiality despite a compromised or curious Hypervisor. The SEV Encrypted State (SEV-ES) extension additionally protects the VM's register state from unauthorized access. However, neither extension provides integrity protection for the VM's memory, a weakness that has already been abused to leak the protected data or to alter the VM's control flow. In this paper, we introduce the SEVerity attack, a missing puzzle piece in the series of attacks against the AMD SEV family. Specifically, we abuse the system's lack of memory integrity protection to inject and execute arbitrary code within SEV-ES-protected VMs. Contrary to previous code execution attacks against the AMD SEV family, SEVerity relies neither on a specific CPU version nor on any code gadgets inside the VM. Instead, SEVerity abuses the fact that SEV-ES prohibits direct memory access into the encrypted memory: it injects arbitrary code into the encrypted VM through I/O channels and uses the Hypervisor to locate and trigger the execution of the encrypted payload. This allows us to sidestep the protection mechanisms of SEV-ES. Overall, our results demonstrate a success rate of 100% and hence highlight that memory integrity protection is an obligation when encrypting VMs. Consequently, our work presents the final stroke in a series of attacks against AMD SEV and SEV-ES and renders the present implementation incapable of protecting against a curious, vulnerable, or malicious Hypervisor.