Researchers Crack Open AMD's Server VM Encryption

Shaun Nichols, reporting for The Register: A group of German researchers have devised a method to thwart the VM security in AMD's server chips. Dubbed SEVered (PDF), the attack would potentially allow an attacker, or malicious admin who had access to the hypervisor, the ability to bypass AMD's Secure Encrypted Virtualization (SEV) protections.

The problem, say Fraunhofer AISEC researchers Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, is that SEV, which is designed to isolate VMs from the prying eyes of the hypervisor, doesn't fully isolate and encrypt the VM data within the physical memory itself.

Re:"malicious admin"

Hey, Intel paid a lot of shekels for this very valuable research!

Re:"malicious admin"

The old adage applies regardless: "He who has physical access, owns the data."

It doesn't matter what it's running. If they have physical access, or local admin access, they own the data. All permissions derive from the admin account that set the system up in the first place. Trying to protect the system from the person who set it up / is responsible for maintaining it, is a fool's errand.

The only reason we are having this discussion, is because everyone is too busy trying to save money by outsourcing the complexities and costs of IT to others while still trying to claim that they are the sole possessors of the data / processes. Nobody cares about the actual security, all they care about is the money. Well guess what? IT is a cost center. It doesn't make you money directly, but it is required to enable you to make money in a modern marketplace. You get from it exactly what you put into it. You don't wanna pay to manage your own IT? Don't expect the admin that's not under your control to abide by your desires. Sure you can have "agreements" and "contracts" with them, but remember this: Contracts and agreements only specify redress. They don't prevent a leak or malicious intent from happening in the first place. If your sole value in something is it's information. Then giving it to others should be the last thing on your mind. Especially if you are a service economy that doesn't produce enough to maintain itself if worse comes to worst and the info is copied without your consent by a competitor.

TL;DR if you don't trust the person with permission to manage your IT with the data the IT contains, then you need to find someone you do trust to do it. Beyond that, the only assurance you have is the time it will take to copy it.