AMD’s Secure Encrypted Virtualization (SEV) is an emerging security feature
on AMD processors that allows virtual machines to run on encrypted memory and
perform confidential computing even with an untrusted hypervisor. This paper
first demystifies SEV’s improper use of address space identifier (ASID) for
controlling accesses of a VM to encrypted memory pages, cache lines, and TLB
entries. We then present the CROSSLINE attacks, a novel class of attacks
against SEV that allow the adversary to launch an attacker VM and change its
ASID to that of the victim VM to impersonate the victim. We present two
variants of CROSSLINE attacks: CROSSLINE V1 decrypts victim’s page tables or
memory blocks following the format of a page table entry; CROSSLINE V2
constructs encryption and decryption oracles by executing instructions of the
victim VM. We have successfully performed CROSSLINE attacks on SEV and SEV-ES
processors.
