# ÆPIC Leak
*Architecturally Leaking Uninitialized Data from the Microarchitecture*
- Discovered: 2022
- Mitigated: 2022
- Patched: ??? (as of [[2022-11-18]])
- "Intel is expected to fully patch the vulnerability in future generations of its microarchitecture." - [Ars Technica article below](https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/)
- Website: [aepicleak.com](https://aepicleak.com/)
- [Paper](https://www.usenix.org/conference/usenixsecurity22/presentation/borrello) ([pdf](https://www.usenix.org/system/files/sec22-borrello.pdf))
- Intel advisory: [Stale Data Read from Legacy xAPIC](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/stale-data-read-from-xapic.html)
## Articles
### [SGX, Intel’s supposedly impregnable data fortress, has been breached yet again](https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/)
[[Ars Technica]] on [[2022-08-09]] (excerpts)
- Good article, informative with lots of links
**Affected chips**
![[Pasted image 20221118121606.png]]
**Overview of the leak**
![[Pasted image 20221118121621.png]]
**Intel statement**
> The Advanced Programmable Interrupt Controller (APIC) is an integrated CPU component responsible for accepting, prioritizing, and dispatching interrupts to logical processors (LPs). The APIC can operate in xAPIC mode, in which APIC configuration registers are exposed through a memory-mapped I/O (MMIO) page. Researchers have demonstrated attacks against Intel SGX enclaves, where stale data may be exposed by an attacker who controls the OS and can read from the legacy xAPIC. On some processors, incorrectly aligned reads from addresses in the xAPIC MMIO page could return stale data, which may correspond to data previously read by the same processor core that is reading the xAPIC page.
>
> Intel recommends that operating systems (OSes) and virtual machine monitors (VMMs) enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model specific registers (MSRs), which mitigates this issue in affected products. APIC virtualization is not affected; this behavior only applies to access to the physical xAPIC MMIO page.
>
> Customers can and should continue to use Intel SGX. Intel has provided a microcode update for processors with Intel Software Guard Extensions (Intel SGX) to enable support to clear buffers and mitigate potential exposure of sensitive stale data when exiting Intel SGX enclaves. Intel is also providing an updated Intel SGX Software Development Kit (SDK) for Windows and Linux that helps mitigate the possibility that enclave data might be inferred. Intel is not aware of this issue being exploited outside of a controlled lab environment.

The company has also issued writeups [here](https://www.intel.com/content/www/us/en/security-center/default.html), [here](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html), [here](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/stale-data-read-from-xapic.html), and [here](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/cpuid-enumeration-and-architectural-msrs.html).
In an email, researcher Pietro Borrello of the Sapienza University of Rome wrote, “From our point of view, disabling APIC MMIO and enforcing x2APIC from the microcode would have been a more effective mitigation with no performance impact (actually, it would have had a performance improvement). However, we do not know why they chose to flush buffers and disable hyperthreading, thus [requiring] a possibly costly mitigation. It may not be possible to enforce x2APIC internally, or they may have chosen this path for compatibility reasons.”
The researchers’ proof-of-concept exploit, available [here](https://github.com/IAIK/AEPIC), is able to obtain a 128-bit AES decryption key on average in 1.35 seconds, with a success rate of 94 percent. The exploit can extract a 1024-bit RSA key on average in 81 seconds with a success rate of 74 percent. ÆPIC Leak also recovers attestation keys, a fundamental building block used in SGX, and another crucial secret known as the EPID Private Key, although the paper didn’t report the time required or the success rate.
“Extracting the EPID keys allows an attacker to forge remote attestations, breaking the whole SGX system, as enclaves can then be emulated,” the researchers explained in their paper. “Thus, SGX could not be trusted anymore on any platform until the keys are replaced.” Recovering the attestation keys, meanwhile, allows an attacker to impersonate an enclave, breaking the ground assumptions of SGX.
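The x2APIC mitigation in the Intel statement above can be verified per logical CPU by decoding the architectural `IA32_APIC_BASE` MSR (0x1B): bit 11 is the APIC global enable and bit 10 selects x2APIC mode. The following is an added example, not code from the article, the paper or Intel; it assumes a Linux host with the `msr` kernel module loaded and root privileges, and the function names are made up for illustration.

```c
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IA32_APIC_BASE 0x1B        /* architectural MSR number */
#define APIC_EXTD (1ULL << 10)     /* x2APIC mode enable */
#define APIC_EN   (1ULL << 11)     /* APIC global enable */

enum apic_mode { APIC_DISABLED, APIC_XAPIC, APIC_X2APIC, APIC_INVALID };

/* Classify a raw IA32_APIC_BASE value; only xAPIC mode exposes the MMIO page. */
enum apic_mode apic_mode_from_msr(uint64_t v)
{
    int en = (v & APIC_EN) != 0, extd = (v & APIC_EXTD) != 0;
    if (en && extd) return APIC_X2APIC;
    if (en)         return APIC_XAPIC;
    return extd ? APIC_INVALID : APIC_DISABLED;  /* EN=0, EXTD=1 is not a valid state */
}

/* Read IA32_APIC_BASE on one logical CPU through the Linux msr driver
 * (the file offset is the MSR number). Returns 0 on success, -1 on failure. */
int read_apic_base(int cpu, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, IA32_APIC_BASE, SEEK_SET) == IA32_APIC_BASE &&
             read(fd, out, sizeof *out) == (ssize_t)sizeof *out;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    static const char *names[] = { "disabled", "xAPIC (MMIO page exposed)",
                                   "x2APIC", "invalid" };
    int seen = 0, xapic = 0;
    uint64_t v;
    /* Assumes contiguous CPU numbering; stops at the first unreadable CPU. */
    for (int cpu = 0; read_apic_base(cpu, &v) == 0; cpu++, seen++) {
        enum apic_mode m = apic_mode_from_msr(v);
        printf("cpu%d: IA32_APIC_BASE=0x%" PRIx64 " -> %s\n", cpu, v, names[m]);
        xapic += (m == APIC_XAPIC);
    }
    if (!seen) { fprintf(stderr, "no MSR access (root and 'modprobe msr' needed)\n"); return 2; }
    return xapic ? 1 : 0;  /* non-zero exit if any CPU is still in legacy xAPIC mode */
}
```

This checks only the APIC mode; it says nothing about whether the microcode update or the updated SGX SDK mentioned in the statement is installed.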
### [Intel SGX: Not So Safe After All, ÆPIC Leak](https://thenewstack.io/intel-sgx-not-so-safe-after-all-aepic-leak/)
[[The New Stack]] on [[2022-08-16]]