Heckler: Breaking Confidential VMs with Malicious Interrupts

TL;DR

Heckler identifies a novel class of attacks against confidential VMs by abusing hypervisor-controlled interrupt delivery to trigger explicit-effect handlers inside the CVM. By carefully injecting non-genuine interrupts (notably int 0x80) at precise execution points, the hypervisor can alter registers and control flow, bypassing authentication in OpenSSH and sudo and degrading the integrity of workloads in SEV-SNP and TDX. The work combines formal trace-based reasoning with end-to-end proofs in multiple workloads (OpenSSH, sudo, MLP, JSAT, TextAnalysis.jl) and provides detailed implementation guidance, defense analyses, and CVE disclosures. Its findings highlight that current software and hardware defenses are insufficient to neutralize such malicious interrupts, motivating hardware-level filtering and stricter interrupt-control policies for CVMs to preserve confidentiality and integrity in cloud confidential computing. The paper also contributes open-source tooling and a thorough discussion of mitigations and future directions for secure interrupt handling in TEEs.

Abstract

Hardware-based Trusted execution environments (TEEs) offer an isolation granularity of virtual machine abstraction. They provide confidential VMs (CVMs) that host security-sensitive code and data. AMD SEV-SNP and Intel TDX enable CVMs and are now available on popular cloud platforms. The untrusted hypervisor in these settings is in control of several resource management and configuration tasks, including interrupts. We present Heckler, a new attack wherein the hypervisor injects malicious non-timer interrupts to break the confidentiality and integrity of CVMs. Our insight is to use the interrupt handlers that have global effects, such that we can manipulate a CVM's register states to change the data and control flow. With AMD SEV-SNP and Intel TDX, we demonstrate Heckler on OpenSSH and sudo to bypass authentication. On AMD SEV-SNP we break execution integrity of C, Java, and Julia applications that perform statistical and text analysis. We explain the gaps in current defenses and outline guidelines for future defenses.

Figures (9)

• Figure 1: Virtualized interrupt for CVMs. Solid arrows (①, ③): asserted interrupt lines; dotted arrows (②, ④): memory-mapped write. The interrupt controller (IC) delivers a physical interrupt to the hypervisor ①. The hypervisor writes to a memory-mapped region of memory ② that emulates a virtual Interrupt Controller (vIC) for the vCPU to forward the virtual interrupt ③. The OS writes to a memory-mapped register in the vIC to acknowledge the interrupt ④.
• Figure 2: Inject int 0x80 for OpenSSH authentication. mm_answer_authpassword is invoked during ssh authentication. It returns $0$ when authentication fails. A malicious int 0x80 triggers a call to the syscall $0$ handler which sets eax to a non-zero value when auth_password returns, resulting in a successful authentication.
• Figure 3: $T_{Benign}$ and $T_{Malicious}$ represent traces for benign and malicious execution of $P$ under input $I$. This leads to traces $S_0, S_i, S_j, \dots, S_n$ and $S_0, S_i, S'_i, S'_j, \dots, S'_n$ to produce outputs $O$ and $O'$ respectively. The attacker injects int 0x0 when $P$ is in state $S_i$. This induces a state $S'_i: S_i[mem|mem[a]\mapsto 1]$, where the memory that holds variable $a$ (i.e., $mem[a]$) is set to $1$.
• Figure 4: For int 0x80, the Linux kernel executes a system call corresponding to the number (#n) stored in eax by the application. When returning to the application, the kernel stores the result of the system call in the eax register.
• Figure 5: (a) $P_{1}^{\tt{ssh}}$ and $P_{2}^{\tt{ssh}}$: gadget pages in the OpenSSH binary. (b) sudo $P_{1}^{\tt{sudo}}$ and $P_{2}^{\tt{sudo}}$: gadget pages in the pam shared library used by the sudo binary.