A group of scientists from the Technical University of Graz and the University of Birmingham has revealed details of the new Platypus attacks. The researchers use the RAPL interface of current processors, which is intended for power measurement, to obtain secret information.
The RAPL interface is actually intended for monitoring processors, especially in cloud environments. Some servers provide a framework for this. For example, if part of the power supply fails, the consumption of the servers can be reduced in order to avoid overheating or crashes. However, RAPL also reveals how much power the CPU is currently consuming.
The power consumption of a processing unit changes depending on the calculation it is currently performing. Side-channel attacks that exploit this relationship to draw conclusions about the processed information have been known for decades. That is why security chips, for example those in key cards, have strong protections against such attacks. Most of these attacks require that the attackers have access to the target system, for example in order to be able to connect a measuring device.
Platypus Also Works Remotely
The RAPL interface can even be queried from the operating system without administrator rights. To make things more difficult for malware, the kernel scrambles its memory layout, a technique known as kernel address space layout randomization (KASLR). A Platypus attack should be able to distinguish between valid and invalid memory data within 20 seconds. This already suggests that Platypus will probably not be used for widespread malware; it is particularly relevant for cloud servers and less so for desktop PCs.
An Intel security entry for November highlights some advisories on dangerous attack methods and particularly dangerous security vulnerabilities. According to the researchers, other processors are also affected; they were also able to carry out corresponding measurements on various Ryzen systems. But administrator rights were required there for RAPL access.
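A defender's check for the access condition described above, as an added example that is not part of the original article: it lists RAPL energy counters that can be read without administrator rights and can restrict them to root. It assumes a Linux host that exposes the counters as `energy_uj` files under the powercap sysfs tree; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit who can read RAPL energy counters on a Linux host.
# Assumption: the counters are exposed as files named energy_uj in the
# powercap sysfs tree. The root directory can be overridden for testing.

RAPL_ROOT_DEFAULT=/sys/devices/virtual/powercap

# Print every energy_uj file under $1 that is readable by "other" users,
# i.e. by processes without administrator rights.
rapl_world_readable() {
    root=${1:-$RAPL_ROOT_DEFAULT}
    [ -d "$root" ] || return 0   # no powercap tree: nothing is exposed
    find "$root" -type f -name energy_uj -perm -004 2>/dev/null | sort
}

# Report the result. Returns 0 if no counter is world-readable, 1 otherwise.
rapl_audit() {
    root=${1:-$RAPL_ROOT_DEFAULT}
    exposed=$(rapl_world_readable "$root")
    if [ -z "$exposed" ]; then
        echo "OK: no world-readable RAPL energy counters under $root"
        return 0
    fi
    echo "EXPOSED: unprivileged users can read these counters:"
    echo "$exposed" | sed 's/^/  /'
    return 1
}

# Restrict every exposed counter to its owner (root on a live system).
# On sysfs this lasts only until the next reboot or driver reload.
rapl_restrict() {
    root=${1:-$RAPL_ROOT_DEFAULT}
    rapl_world_readable "$root" | while IFS= read -r f; do
        chmod 0400 "$f"
    done
}
```

Calling `rapl_audit` without an argument checks the live system; `rapl_restrict` needs root there, and updated kernels and CPU microcode are the lasting fix.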