Researcher Names: Pietro Borrello, Andreas Kogler, Martin Schwarzl, Moritz Lipp, Daniel Gruss, Michael Schwarz
AEPIC Leak: the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel.
AEPIC Leak is a new architectural CPU bug which can leak data without even using a side channel. AEPIC Leak works on the latest CPUs from one of the major CPU vendors, and allows attacks against Trusted Execution Environments. It targets leaking data in use, e.g., register values and memory loads, as well as data at rest, e.g., data pages. AEPIC Leak introduces techniques to improve the control of these leaks, which allows our end-to-end attack to extract secret data from a TEE within a few seconds. AEPIC Leak is not a transient execution attack, but an architectural bug leveraged to disclose data.
AEPIC Leak is the first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel. AEPIC Leak works on all recent Sunny-Cove-based Intel CPUs (i.e., Ice Lake and Alder Lake) and does not require hyperthreading to be enabled. It is not a transient execution attack: it architecturally leaks stale data that is incorrectly returned when undefined APIC-register ranges are read. AEPIC Leak samples data transferred between the L2 and last-level cache, including SGX enclave data, from the superqueue. It targets data in use, e.g., register values and memory loads, as well as data at rest, e.g., SGX-enclave data pages. Even though AEPIC Leak is a sampling-based attack, we introduce techniques to precisely influence the page and offset from which the attack leaks.
The end-to-end attack extracts AES-NI, RSA, and even the Intel SGX attestation keys from enclaves within a few seconds. The only short-term mitigations for AEPIC Leak are to disable APIC MMIO or not rely on SGX.
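As an added defender-side example (not code from the authors or the paper), the following Linux triage script maps a host's CPU model, APIC mode and SGX flag onto the two short-term mitigations named above. The affected family-6 model numbers and the IA32_APIC_BASE MSR bit layout are assumptions taken from public Intel documentation, and the /proc/cpuinfo excerpt is constructed.

```python
import struct

# Family-6 model numbers for the CPUs the page names (Ice Lake client/server,
# Alder Lake). Assumed public values, not taken from the page.
AFFECTED_MODELS = {0x7E, 0x6A, 0x6C, 0x97, 0x9A}

# Constructed /proc/cpuinfo excerpt for an Ice Lake laptop with SGX enabled.
SAMPLE_CPUINFO = """\
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 126
model name\t: Intel(R) Core(TM) i7-1065G7 CPU @ 1.30GHz
flags\t\t: fpu vme de sse2 x2apic sgx sgx_lc
"""

def parse_cpuinfo(text):
    """Return (vendor, family, model, flags) for the first CPU block."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            fields.setdefault(key.strip(), val.strip())
    return (fields.get("vendor_id", ""), int(fields.get("cpu family", 0)),
            int(fields.get("model", 0)), set(fields.get("flags", "").split()))

def read_apic_base_msr(path="/dev/cpu/0/msr"):
    """Read IA32_APIC_BASE (MSR 0x1B); needs root and the msr module loaded."""
    with open(path, "rb", buffering=0) as msr:
        msr.seek(0x1B)
        return struct.unpack("<Q", msr.read(8))[0]

def apic_mode(ia32_apic_base):
    """EN (bit 11) clear -> APIC off; EXTD (bit 10) set -> x2APIC (MSR-based,
    no MMIO page); otherwise legacy xAPIC with the MMIO register window."""
    if not ia32_apic_base & (1 << 11):
        return "disabled"
    return "x2apic" if ia32_apic_base & (1 << 10) else "xapic-mmio"

def assess(cpuinfo_text, ia32_apic_base):
    """Map host state onto the page's two short-term mitigations."""
    vendor, family, model, flags = parse_cpuinfo(cpuinfo_text)
    if not (vendor == "GenuineIntel" and family == 6 and model in AFFECTED_MODELS):
        return "not-an-affected-model"
    if apic_mode(ia32_apic_base) != "xapic-mmio":
        return "mitigated: APIC MMIO not in use"
    if "sgx" not in flags:
        return "mitigated: SGX not enabled"
    return "exposed: xAPIC MMIO reachable and SGX enabled"
```

On a live host, run as root with the msr module loaded: `assess(open("/proc/cpuinfo").read(), read_apic_base_msr())`.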