AEPIC Leak, an attack that leaks Intel SGX keys and affects 10th, 11th and 12th generation Intel CPUs

Information was recently released about a new attack on Intel processors, called "AEPIC Leak" (already cataloged as CVE-2022-21233). The attack leaks sensitive data from the isolated enclaves of Intel SGX (Software Guard eXtensions).

Unlike Spectre-class attacks, the leak in AEPIC Leak happens without any indirect recovery step through side channels: the sensitive data is disclosed directly by reading the register contents that are reflected in the MMIO (memory-mapped I/O) page.

In general, the attack makes it possible to recover the data transferred between the L2 and last-level caches, including register contents and the results of memory read operations that were previously processed on the same CPU core.

Scanning the I/O address space on Intel CPUs based on the Sunny Cove microarchitecture revealed that the memory-mapped registers of the local Advanced Programmable Interrupt Controller (APIC) are not correctly initialized. As a result, architecturally reading these registers returns stale data from the microarchitecture, so any data transferred between the L2 and the last-level cache can be read through these registers.

Since the I/O address space is only accessible to privileged users, ÆPIC Leak targets Intel's TEE, SGX. ÆPIC Leak can leak data from SGX enclaves running on the same physical core. While ÆPIC Leak would pose an immense threat in virtualized environments, hypervisors typically do not expose the local APIC registers to virtual machines, which eliminates the threat in cloud-based scenarios.

Like previous transient-execution attacks targeting SGX, ÆPIC Leak is most effective when executed in parallel to the enclave on the sibling hyperthread. However, ÆPIC Leak does not require hyperthreading and can also leak enclave data when hyperthreading is unavailable or disabled.

We introduce two new techniques for leaking data in use, that is, enclave register values, and data at rest, that is, data stored in enclave memory. With Cache Line Freezing, we introduce a technique that puts targeted pressure on the cache hierarchy without overwriting stale data… These cache lines still appear to travel through the cache hierarchy, but they do not overwrite the stale data. We use this to leak cache-line values from the enclave's State Save Area (SSA).

The second technique, Enclave Shaking, exploits the operating system's ability to securely swap enclave pages. By alternately swapping enclave pages out and in, the enclave's pages are forced through the cache hierarchy, allowing ÆPIC Leak to leak values without even continuing the enclave's execution. We exploit ÆPIC Leak in combination with Cache Line Freezing and Enclave Shaking to extract AES-NI keys and RSA keys from the Intel IPP library and Intel SGX. Our attack leaks enclave memory at 334.8 B/s with a 92.2% hit rate.

Since the attack requires access to the physical pages of the APIC MMIO region, i.e. administrator privileges, the method is limited to attacking SGX enclaves to which the administrator does not otherwise have direct access.

The researchers developed a set of tools that can extract, within a few seconds, the AES-NI and RSA keys stored in SGX, as well as the Intel SGX attestation keys and pseudo-random number generator parameters. The attack code is published on GitHub.

Intel announced that it is preparing a fix in the form of a microcode update that adds support for buffer flushing and additional measures to protect enclave data.

A new version of the Intel SGX SDK has also been prepared with changes to prevent the data leak. OS and hypervisor developers are encouraged to use x2APIC mode, which accesses the APIC registers through MSRs rather than through MMIO, instead of the legacy xAPIC mode.
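To check which APIC mode a Linux host is actually running in, here is an added shell helper (not from the article or the researchers): it decodes the IA32_APIC_BASE MSR (0x1B), where bit 11 is the global APIC enable and bit 10 (EXTD) is the x2APIC enable, so a host still in xAPIC mode exposes the register page via MMIO. The live read assumes root and the `rdmsr` command from msr-tools with the `msr` kernel module loaded; the sample MSR values below are constructed.

```shell
#!/bin/sh
# Classify the local APIC mode from a raw IA32_APIC_BASE (MSR 0x1B) value.
# Bit 11: APIC globally enabled; bit 10: x2APIC (EXTD) enabled;
# bits 12 and up: physical base of the xAPIC MMIO register page.
apic_mode_from_msr() {
    v=$(( $1 ))
    en=$(( (v >> 11) & 1 ))
    extd=$(( (v >> 10) & 1 ))
    if [ "$en" -eq 0 ]; then
        echo disabled          # local APIC switched off entirely
    elif [ "$extd" -eq 1 ]; then
        echo x2apic            # MSR-based access, no MMIO register page
    else
        echo xapic             # legacy mode: registers reachable via MMIO
    fi
}

# Physical address of the xAPIC MMIO page (only meaningful in xapic mode).
apic_mmio_base() {
    v=$(( $1 ))
    printf '0x%x\n' $(( (v >> 12) << 12 ))
}

# Live check of CPU 0 (assumption: msr-tools 'rdmsr' installed, run as root).
# Prints "unknown" and returns 1 when the MSR cannot be read.
check_live_apic_mode() {
    command -v rdmsr >/dev/null 2>&1 || { echo unknown; return 1; }
    raw=$(rdmsr -p 0 0x1b 2>/dev/null) || { echo unknown; return 1; }
    apic_mode_from_msr "0x$raw"
}

# Demo on constructed values: the default 0xFEE00000 base with different flag bits.
for sample in 0xfee00d00 0xfee00900 0xfee00100; do
    printf '%s -> %s (MMIO base %s)\n' "$sample" \
        "$(apic_mode_from_msr "$sample")" "$(apic_mmio_base "$sample")"
done
```

Run `check_live_apic_mode` as root to test the running host; "xapic" means the APIC register page is still memory-mapped, which is the configuration the advice above recommends moving away from.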

The issue affects Intel 10th, 11th, and 12th generation CPUs (including the new Ice Lake and Alder Lake series) and is caused by an architectural flaw that allows access to uninitialized data left in the CPU's APIC (Advanced Programmable Interrupt Controller) registers by previous operations.

Finally, if you are interested in learning more about it, you can check the details at the following link.
