Google Cloud Security and Project Zero researchers, working with Intel experts, discovered multiple vulnerabilities in the Intel Trust Domain Extensions (TDX).
The Intel Trust Domain Extensions (Intel® TDX) allows to deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software.
The Google researchers discovered ten security issues in Intel TDX during a nine-month audit.
The researchers reviewed the source code of the core Intel TDX software components and the design and documentation provided by Intel. The issues inspected by the researchers included arbitrary code execution in a privileged security context, cryptographic weaknesses and oracles, temporary and permanent denial of service, and weaknesses in debug or deployment facilities.
“The review resulted in 81 potential attack vectors and resulted in 10 confirmed security issues and 5 defense in depth changes over a period of 9 months.” reads the report released by Google.
Intel addressed nine of the discovered issues by changing the TDX code, while the tenth flaw required changes to the guide for writing a BIOS to support TDX.
These flaws were not assigned CVE identifiers, but Intel internally assigned CVSS v3.1 scores to them.
The most serious issue discovered by the researchers was the Exit Path Interrupt Hijacking when returning from ACM mode. The issue received a CVSS score of 9.3, experts pointed out that an attacker can trigger it to achieve arbitrary code execution in the privileged ACM execution mode.
“It’s positive to note that of the security issues discovered only 2 would be considered memory safety issues. By far the most common class of security issues discovered were logical bugs due to the complexity of Intel processors generally, and the TDX feature specifically.” continues the analysis. “For example the Exit Path Interrupt Hijacking issue was a result of the complex set of steps necessary to switch between the privileged ACM mode and normal operating mode. Completely eliminating these logical issues is much more difficult than moving to a memory safe language such as Rust.”
The above were mitigated before the production release of the 4th gen Intel Xeon Scalable processors.
“The review met its expected goals and was able to ensure significant security issues were resolved before the final release of Intel TDX. Overall, the review provided Google with a better understanding of how the TDX feature functions which can be used to guide deployment,” Google concludes.
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, TDX)