VoltJockey: A New Dynamic Voltage Scaling based Fault Injection Attack on Intel SGX

Intel software guard extensions (SGX) increase the security of applications by enabling them to be performed in a highly trusted space (called enclave ). Most state-of-the-art attacks on SGX focus on either mining the software vulnerabilities in the enclave or speculating the secret data with side channels. In this study, we report our recent work on breaking SGX by inducing voltage-oriented hardware faults. The novelty and importance of this attack are that it is completely controlled by software and does not require any security vulnerability in the software. Our proposed attack, called VoltJockey, exploits a vulnerability in the implementation of dynamic voltage and frequency scaling (DVFS) that achieves energy saving by dynamically adjusting the processor’s operating voltage and thus clock frequency. However, if the operating voltage is lower than a certain critical level, the circuit’s timing constraint will fail and hardware fault would be created. We propose to deliberately trigger such voltage-oriented hardware faults by a loadable kernel module that can set the processor’s voltage through Intel’s undocumented model-specific register (MSR). We first utilize the module to furnish the processor with a transient low voltage with controlled timing to inject a temporal fault into the target location of the program running in the enclave. Then, we perform a differential fault attack on the outputs before and after the injection of faults. For demonstration, we successfully deploy the proposed attack to extract the key of an AES executed in the enclave and lead an SGX-protected RSA to output our specified result.