STUDY SPACE
WESEE: Using Malicious #VC Interrupts to Break AMD SEV-SNP

WESEE: Using Malicious #VC Interrupts to Break AMD SEV-SNP

2024 | Benedict Schlüter, Supraj Sridhara, Andrin Bertschi, Shweta Shinde
WESEE is an attack that exploits the #VC exception in AMD SEV-SNP to break its security guarantees. The attack allows the hypervisor to inject malicious #VC exceptions into a victim VM, enabling it to induce arbitrary behavior in the VM. The attack leverages the #VC exception handler, which copies data between the VM and the hypervisor, to leak sensitive information, corrupt kernel data, and inject arbitrary code. The attack demonstrates three case studies: leaking kTLS keys for NGINX, bypassing firewall rules, and obtaining a root shell. WESEE shows that the hypervisor can inject multiple malicious #VC exceptions to cascade the effects of the handler, enabling expressive attacks such as arbitrary code injection and execution. The attack relies on the page fault sequences of the victim VM to perform end-to-end attacks without requiring high-resolution information about the victim VM. WESEE was responsibly disclosed to AMD and cloud providers, and is assigned CVE-2024-25742. The attack highlights the need for robust hardware mechanisms to limit the hypervisor's capabilities.WESEE is an attack that exploits the #VC exception in AMD SEV-SNP to break its security guarantees. The attack allows the hypervisor to inject malicious #VC exceptions into a victim VM, enabling it to induce arbitrary behavior in the VM. The attack leverages the #VC exception handler, which copies data between the VM and the hypervisor, to leak sensitive information, corrupt kernel data, and inject arbitrary code. The attack demonstrates three case studies: leaking kTLS keys for NGINX, bypassing firewall rules, and obtaining a root shell. WESEE shows that the hypervisor can inject multiple malicious #VC exceptions to cascade the effects of the handler, enabling expressive attacks such as arbitrary code injection and execution. The attack relies on the page fault sequences of the victim VM to perform end-to-end attacks without requiring high-resolution information about the victim VM. WESEE was responsibly disclosed to AMD and cloud providers, and is assigned CVE-2024-25742. The attack highlights the need for robust hardware mechanisms to limit the hypervisor's capabilities.
Terms of Service
Privacy Policy
Reach us at info@study.space
[slides and audio] WeSee%3A Using Malicious %23VC Interrupts to Break AMD SEV-SNP