Plundervolt Plagues Intel x86 Processors

Another Obscure Hardware Bug Afflicts the Security Minded

“Little things console us because little things afflict us.” – Blaise Pascal

The latest Intel bug already has its own logo and website: Plundervolt.com. You know you’ve hit the big time when even the bugs are branded. 

Officially cataloged as CVE-2019-11157, the “Plundervolt” bug compromises the security of high-end Intel processors if conditions are just right. Like Spectre and Meltdown (and dozens of other bugs before and after them), Plundervolt is obscure, narrowly focused, and apparently unexploited in the wild. That is, it’s still a purely theoretical threat to your computer’s security, albeit one that’s been demonstrated on real hardware in the lab. How much you worry and lose sleep over it is up to you. 

As the clever name might suggest, Plundervolt strikes when the processor is subjected to an undervoltage condition. We all know that digital electronics act funny if the supply voltage isn’t just right, and, for high-end x86 processors, that’s a pretty narrow window. Generally speaking, the faster the processor, the tighter the tolerances – and the bigger the penalty for getting it wrong, even for a microsecond. A momentary dip in VCC at just the wrong moment could make your CPU do… funny things. Datasheets typically describe this behavior as “undefined.” 

Turns out, if the stars align just right and you undervolt the processor by just the right amount and at just the right time, you can cause the currently executing instruction(s) to fail. No surprise there. But what makes it fun is that certain x86 instructions will fail in predictable and repeatable ways. For example, you can make simple multiplication operations return the wrong answer, and it’s the same wrong answer every time. In fact, that’s how Plundervolt was initially discovered. 

Where it gets dangerous is when you momentarily dip the voltage while the processor is performing privileged operations. 

Conveniently for both hackers and good guys, Intel processors allow you to tweak their own incoming supply voltage in software, usually in small millivolt increments. That’s because all modern x86 CPUs carry on a two-way conversation with their power supplies, in essence saying, “I need a bit more voltage now… okay, now less… a little more… okay, that’s good.” Like overclocking, it allows you to fine-tune your CPU to get the power it needs without melting. The upshot is, you can deliberately over- or under-supply your processor if you have the appropriate supervisor-level access to the privileged instructions. You don’t need physical access to the power supply (or any other part of the system) to tamper with the voltage. Just software say-so. 

That’s the first hurdle to exploiting Plundervolt: you need to somehow get supervisor access to the voltage-tweaking instructions. Then it gets really hard. 

Recent-generation Intel chips also implement something called SGX, or Software Guard Extensions. This is a bundle of security features that, among other things, lets you wall off secure code into its own sandbox (an “enclave” in Intel parlance), making it remarkably difficult to tamper with (or even to examine) any code or data stored within. An SGX enclave is the ideal place to keep your cryptographic code.

Combine the software-controlled voltage tweaker, the unwanted but predictable behavior of some instructions when they’re underpowered, and the previously impenetrable SGX enclave, and you have a recipe for potential mischief. Meticulous hackers can get enclave code to misbehave and corrupt the enclave’s own data or code. Outside memory areas could also be corrupted. Unlike Spectre and Meltdown, Plundervolt does not expose security keys, at least not directly. Plundervolt is more about vandalism than theft.
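Two points above are worth turning into a concrete defensive check: a faulted multiply returns the same wrong answer every time, so re-running it on the same unit proves nothing, and the damage is done when trusted code acts on the corrupted value. The following Python is an added example, not code from the article or from the Plundervolt researchers. It models the faulty multiplier in software (the `SimulatedMultiplier` class is a hypothetical, deterministic bit-flip model, not a real undervolting interface), uses a constructed toy RSA key, and shows the verify-before-release pattern: an independent residue check for a plain product, and the public-exponent check for an RSA-CRT signature that is the classic countermeasure against CRT fault attacks.

```python
"""Added example: verify-before-release checks against silently wrong
arithmetic of the kind Plundervolt induces.  The fault is simulated in plain
Python; nothing here touches CPU voltage or any MSR."""
from dataclasses import dataclass
from typing import Optional

# Small primes for an independent residue check of a product (constructed
# choice).  A corrupted product would have to agree with a*b modulo every
# one of them to slip through; a single-bit fault never does.
RESIDUE_MODULI = (251, 241, 239, 233)


class FaultDetected(RuntimeError):
    """Raised when a result fails its independent check and is withheld."""


@dataclass
class SimulatedMultiplier:
    """Hypothetical model of a multiplier under undervoltage: for the chosen
    operands it flips one fixed bit of the product, deterministically, which
    mirrors the 'same wrong answer every time' behaviour the article notes."""
    fault_bit: Optional[int] = None   # product bit to flip; None = healthy unit
    trigger: Optional[int] = None     # only fault when a == trigger; None = always

    def mul(self, a: int, b: int) -> int:
        product = a * b
        if self.fault_bit is not None and (self.trigger is None or a == self.trigger):
            product ^= 1 << self.fault_bit
        return product


def residue_check(a: int, b: int, product: int) -> bool:
    """Check a*b == product modulo several small primes.  The residues are
    tiny, so the check does not rely on the suspect full-width multiply."""
    return all((a % m) * (b % m) % m == product % m for m in RESIDUE_MODULI)


def checked_mul(a: int, b: int, unit: SimulatedMultiplier) -> int:
    """Multiply on the (possibly faulty) unit and refuse to return a product
    that fails the independent residue check."""
    product = unit.mul(a, b)
    if not residue_check(a, b, product):
        raise FaultDetected(f"{a} * {b}: product failed residue check")
    return product


@dataclass
class RsaKey:
    p: int
    q: int
    e: int
    d: int

    @property
    def n(self) -> int:
        return self.p * self.q


def make_toy_key() -> RsaKey:
    """Constructed toy RSA parameters (about a 40-bit modulus): far too small
    for real use, large enough to show the CRT fault pattern."""
    p, q, e = 1000003, 1000033, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return RsaKey(p, q, e, d)


def rsa_crt_sign(msg: int, key: RsaKey, unit: SimulatedMultiplier) -> int:
    """Textbook RSA-CRT signing (no padding, toy only).  The recombination
    multiply q*h is routed through the suspect unit, so a fault there
    corrupts the result in exactly the way fault-analysis attacks feed on."""
    dp, dq = key.d % (key.p - 1), key.d % (key.q - 1)
    sp = pow(msg, dp, key.p)
    sq = pow(msg, dq, key.q)
    q_inv = pow(key.q, -1, key.p)
    h = (q_inv * (sp - sq)) % key.p
    return sq + unit.mul(key.q, h)           # s = sq + q*h (Garner's form)


def sign_verified(msg: int, key: RsaKey, unit: SimulatedMultiplier) -> int:
    """Verify-before-release: check s^e mod n with the public exponent, a
    cheap computation independent of the CRT path, and withhold the
    signature on mismatch rather than hand a faulty one to the caller."""
    s = rsa_crt_sign(msg, key, unit)
    if pow(s, key.e, key.n) != msg % key.n:
        raise FaultDetected("signature did not verify; withholding it")
    return s


if __name__ == "__main__":
    key = make_toy_key()
    healthy, faulty = SimulatedMultiplier(), SimulatedMultiplier(fault_bit=5)
    print("healthy unit, signature released:", sign_verified(0xC0FFEE, key, healthy))
    for action in (lambda: sign_verified(0xC0FFEE, key, faulty),
                   lambda: checked_mul(123456789, 987654321, faulty)):
        try:
            action()
        except FaultDetected as exc:
            print("faulty unit, result withheld:", exc)
```

The design point is independence, not redundancy: the simulated unit returns the identical wrong product on every call, so computing twice on it would pass. The residue check sidesteps the suspect datapath by working on small operands, which is a reasonable assumption in this model but weaker on real silicon, where the faulted operand patterns are not known in advance. That is why the public-key verification in `sign_verified` is the check to rely on for signing: it tests the one property the caller actually needs and fails closed when the arithmetic underneath has been tampered with.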

What’s the fix? Intel has released a patch, which is basically a BIOS update that prevents tweaking the processor’s supply voltage on the fly. That’s easy and solid, and it shouldn’t inconvenience anyone too much. Most of all, it leaves the SGX features in place. 

Which brings us around to another point: hardly anyone uses SGX in the first place. Even though dozens of different Intel CPUs have the SGX feature in hardware, it’s always disabled by default. Unless your system BIOS explicitly enables SGX – and very few operating systems do – then this whole problem is moot. Unless you wrote your own boot firmware, it’s a safe bet your system isn’t using SGX. It’s a great security feature that goes largely ignored and therefore unexploited. 

It’s hard for me to blame Intel for this kind of vulnerability. It’s really obscure, it’s difficult to exploit in any practical way, and it relies on the exquisitely timed interactions of separate independent features. Intel Skylake processors have up to 28 CPU cores and 1.75 billion transistors. The law of large numbers practically guarantees that bugs like this are going to happen. 

For the security minded, Plundervolt is another reminder that our machines aren’t entirely bulletproof or trustworthy. In this case, there’s a painless fix, but that hasn’t always been true. There are other ways to toughen up our systems, too, including a new security coprocessor from Rambus that we’ll cover in the weeks ahead. Stay safe out there. 
