ÆPIC Leak

Architecturally Leaking Uninitialized Data from the Microarchitecture

ÆPIC Leak is the first CPU bug able to architecturally disclose sensitive data. It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy.

In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel.

ÆPIC Leak is like an uninitialized memory read in the CPU itself.

A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

@inproceedings{Borrello2022AEPIC,
    title = {{ÆPIC Leak}: Architecturally Leaking Uninitialized Data from the Microarchitecture},
    author = {Borrello, Pietro and Kogler, Andreas and Schwarzl, Martin and Lipp, Moritz and Gruss, Daniel and Schwarz, Michael},
    booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
    year = {2022},
}

ÆPIC Leak in Action

In our demo, we show how an attacker can disclose data from a protected SGX enclave.

Questions & Answers

If you have a recent Intel CPU probably yes. But if you do not rely on SGX, you don't have to worry.

Intel provides a list with all affected products here and the technical advisory.

No, in our current assessment, we believe that ÆPIC Leak is only relevant to Intel SGX enclaves. ÆPIC Leak requires access to the physical APIC MMIO page that can be achieved only with a high privileges. Traditional applications do not have to worry about ÆPIC Leak.

Virtual Machines have no access to physical memory since no hypervisor allows it. We empirically verified that APIC virtualization (Intel APICv) is not affected by ÆPIC Leak.

Intel Software Guard eXtensions (SGX) is an innovative processor technology released in 2015 to create isolated environments in the computer's memory, so-called enclaves. SGX acts like a secure vault in the processor itself, combining strong encryption and hardware-level isolation to safeguard enclave programs, and the data they operate on, even against very advanced types of malware that compromise the operating system, hypervisor, or firmware (BIOS).

The Advanced Programmable Interrupt Controller (APIC) is an integrated CPU component responsible for accepting, prioritizing, and dispatching interrupts to processors. The APIC can operate in xAPIC mode, in which APIC configuration registers are exposed through a memory-mapped I/O (MMIO) page.

No. This is a bug in the processor. Software can work around this bug, which costs performance. Future processors will have integrated fixes.

No. This is an architectural bug in the processor.

Differently than Meltdown, Foreshadow, ZombieLoad, LVI, RIDL and Fallout, that leak data by leveraging transient execution, ÆPIC Leak leverages a bug in the CPU that reveals data where it should not, like an uninitialized memory read in the CPU itself.

This is not a transient execution attack, thus, it bypasses all existing mitigations. Intel released microcode and SGX SDK updates to fix the issue.

We do not have any data on this. The exploitation might not leave any traces in traditional log files.

If your system is affected, our proof-of-concept ÆPIC Leak exploit can read stale data, which may correspond to data previously accessed by the same processor core.

We don't know. But probably not.

Yes, there is an academic paper.

CVE-2022-21233 is the official reference to ÆPIC Leak. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

The logo is free to use, rights waived via CC0. Logo designed by Theresa Dachauer.

SVG PNG
Logo

Yes, there is a GitHub repository containing source code for the ÆPIC Leak attack.

In alternative, here is a minimal PoC of ÆPIC Leak:

u8* apic_base = map_phys_addr(0xFEE00000);
dump(apic_base);

Acknowledgements

We would like to thank Intel for working with us during the responsible disclosure.

Funding for part of this research was provided by generous gifts from Amazon and Red Hat.