asia-17-gorka-Cache side channel attack exploitability and ...11 • No flush instruction? •...
Transcript of asia-17-gorka-Cache side channel attack exploitability and ...11 • No flush instruction? •...
-
CacheSideChannelAttack:ExploitabilityandCountermeasures
Gorka IrazoquiXiaofei (Rex)Guo,Ph.D.girazoki *noSPAM*wpi.edu
xiaofei.rex.guo*noSPAM*tetrationanalytics.com
-
WhoareWe?
• GorkaIrazoqui• PhDcandidateinWPI• InternatIntelinsummer2016• Focusonmicro-architecturalattacks
-
WhoareWe?
• Xiaofei (Rex)Guo• TechnicalleadatCiscoTetration Analytics
• Visibilitytoeverythingindatacenterinrealtime• Automatedanddynamicpolicygenerationandenforcement
• WorkedatIntelSecurityCenterofExcellenceandQualcommProductSecurityInitiative• IoT andmobileplatformsecurity,infrastructuresecurity,and
applicationsecurity• PhDfromNewYorkUniversity
-
Wedon’tspeakforouremployer.Alltheopinionsandinformationhereareourresponsibilityincludingmistakesandbadjokes.
Disclaimer
-
“Youmustbekidding,cacheattacksarenotpractical!”
-
“Youmustbekidding,cacheattacksarenotpractical!”
-
“Youmustbekidding,cacheattacksarenotpractical!”
-
“Youmustbekidding,cacheattacksarenotpractical!”
-
“Youmustbekidding,cacheattacksarenotpractical!”
-
FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES
-
FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES
Intel|Linux|OpenSSLRSA
-
FeasibilityTrendIntel,Spark,AMD|Linux|OpenSSLAES
Intel|Linux|OpenSSLRSA
Intel(Cross-core)|Linux(deduplication)|GnuPGRSA
-
FeasibilityTrend
Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA
Intel,Spark,AMD|Linux|OpenSSLAES
Intel|Linux|OpenSSLRSA
Intel(Cross-core)|Linux(deduplication)|GnuPGRSA
-
FeasibilityTrend
Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA
Intel,Spark,AMD|Linux|OpenSSLAES
Intel|Linux|OpenSSLRSA
Intel(Cross-core)|Linux(deduplication)|GnuPGRSA
AMD(crossCPU)|Linux|OpenSSLAESandGnuPGElGamal
-
FeasibilityTrend
Intel(Cross-Core)|Linux(nodeduplication)|GnuPGRSA
Intel,Spark,AMD|Linux|OpenSSLAES
Intel|Linux|OpenSSLRSA
Intel(Cross-core)|Linux(deduplication)|GnuPGRSA
AMD(crossCPU)|Linux|OpenSSLAESandGnuPGElGamalARM(crosscore/CPU)|Android|BouncyCastleAES
-
Functionality
-
LLCasaSideChannel?• Caches:fastaccessmemories• WhywouldanattackeruseLLCascovertchannel?
• Cross-core• Inclusiveness• High resolution
-
• Setassociative:cachedividedinn-waysets• Locationinthecachedeterminedbyphysicaladdress
CacheArchitecture
Cachetag Set Byte
Offset
OffsetPhysicalPage
VirtualPage
MMU
S0S1
Sn
Cache
00001
....
....
....
tag
tag
tag
B0B0
B0
Bn
Bn
Bn
.
.
.
-
• Requirement1:deduplication• Identicalread-onlymemory
pagesareshared• Attackerandvictimaccessthe
sameaddress• LinuxandKVM(KSM),Vmware
(TPS)andAndroid(Zygote)• Requirement2:flush
instruction(e.g.,clflush inx86)• CVE2014-3356:Vmware
enableddeduplicationbydefault
Flush+ReloadAttack
-
• Attackerflushesacachedmemorylocation
Flush+ReloadAttackCache
-
• Attackerflushesacachedmemorylocation
Flush+ReloadAttack
Flush
Cache
-
• Attackerflushesacachedmemorylocation
• Victimaccesses/doesnotaccess
Flush+ReloadAttackCache
Access
-
• Attackerflushesacachedmemorylocation
• Victimaccesses/doesnotaccess
• Attackerre-accessesmemorylocation• Fastaccesstime->victim
accessed• Slowaccesstime->victimdidnot
access
Flush+ReloadAttack
Reload
Cache
-
• Pros:• Lownoise:focusononeline,
noisyprocessneedstofillanentireset
• ApplicableacrossCPUsockets!FlushinstructioninvalidatesmemoryinotherCPUs
• Worksinnon-inclusivecaches• Cons:
• Requirementmightbemetinsomescenarios
• Canonlyrecoverstaticallyallocateddata
Flush+ReloadAttackSummary
-
Evict+ReloadAttack
11
• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto
occupy
-
Evict+ReloadAttack
Evict
Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto
occupy• Attackerevicts(fillsset)
-
Evict+ReloadAttack
Evict
Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto
occupy• Attackerevicts(fillsset)
-
Evict+ReloadAttack
Cache
Access
• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto
occupy• Attackerevicts(fillsset)• Victimaccesses/doesnotaccess
-
Evict+ReloadAttack
Reload
Cache• Noflushinstruction?• AttackerneedstoevictdatafromLLC• Attackercanusehugepages• Physicaladdressselectsthesetto
occupy• Attackerevicts(fillsset)• Victimaccesses/doesnotaccess• Attackerreloads
• Fastaccesstime->victimaccessed• Slowaccesstime->victimdidnotaccess
-
• Pros:• Applicableinprocessorswithoutflushinstruction(e.g.mostARM
processors)
• Cons:• Canonlytargetstaticallyallocatedmemory• DealwithLLCslices(undocumented)• Onlyworkswithinclusivecaches• OnlyworksinthesameCPUsocket
Evict+ReloadAttackSummary
-
• Nosharedmemorypages?• Attackercanknowthesetutilized
bythevictim
• AttackerPrimes
Prime+ProbeAttack
Prime
Cache
-
• Nosharedmemorypages?• Attackercanknowthesetutilized
bythevictim
• AttackerPrimes• Victimaccesses/notaccesses
Prime+ProbeAttack
Cache
Access
-
• Nosharedmemorypages?• Attackercanknowthesetutilized
bythevictim
• AttackerPrimes• Victimaccesses/notaccesses• Attackerre-accesses
• Fastaccesstime->victimaccessed
• Slowaccesstime->victimdidnotaccess
Prime+ProbeAttack
Probe
Cache
-
• Pros• Doesnotneedsharedmemory!(Broaderimpact)• Cantargetstaticanddynamicallyallocatedmemory!
• Cons:• NoisierthanFlush+ Reload• DealingwithLLCslices(undocumented)• Onlyworkswithinclusivecaches• OnlyworksinthesameCPUsocket• Needtoidentifythetargetset
Prime+ProbeAttackSummary
-
Howtoretrieveinformation?MontgomeryladderRSA
P=0x7fffc480Physicaladdress
FlushandReload
P
Cache
-
Howtoretrieveinformation?
FlushandReloadCache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
FlushandReloadCache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
FlushandReload
P
Cache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
FlushandReload
P
Cache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
PrimeandProbeCache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
PrimeandProbeCache
P
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
Howtoretrieveinformation?
PrimeandProbeCache
MontgomeryladderRSA
P=0x7fffc480Physicaladdress
-
AttackComparison
Flush+Reload Evict+Reload Prime+Probe
RequireMemoryDeduplication
Y Y N
Requireflushinstruction
Y N N
Attackmemory type
static static static +dynamic
Noise low low high
-
Applicability
-
• VMsshareunderlyinghardware• Hardwareisolationisusuallynot
provided• ExampleRSAinAmazonEC2[INCI16]• Pros:
• OwnvirtualizedOS.Accesstotimersorhugepages
• Ifdeduplication enabled,both attacksareapplicable
• Cons:• Requiresco-residencyofVMs• Highamountofnoise
IaaS/PaaSCloudInfrastructures
Hardware
VMM
GuestOS#1 GuestOS#2
VM VM
SpyVictim
-
• Howtofindco-residency?• Useavailableinformation!• ProfilethetargetLLCaccesses• Doesthecachetracematchthetracewe
expect?• Ifyes,co-residency• Ifno,openmoreVMs
• Othermechanismsutilizememorybuslockingattacks
• ExampleRSAexponentiationseasilydistinguishable
IaaS/PaaSCloudInfrastructureshttprequest
0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 110000
50
100
150
200
250
timeslot
Rel
oad
time
DecryptionStart
First SecretExponent (dp)
Second SecretExponent (dq)
GuestOS#2
VM
Spy GuestOS#1
VM
Victim
-
Demo:AESKeyRecoveryAcrossVMs• WeutilizeKVMhypervisor• ServerusingT-tableAES(T-tables
shared)• Serverencryptingplaintextwith
unknownkey• Attackerrequestsdecryptionsand
recoversthekey• WecheckwhethertheentriesoftheT-
tableshavebeenused• WeXORwiththeciphertext afterdoing
statisticstogetthekey
0x00
-
• AttackerembedsJSintothewebsite• Victimaccessesthewebsite• Victim’sbrowserexecutestheJS• Example:Incognitobrowsingprofiling[OREN15]• Pros:
• Noneedtofindco-residenttarget• Attackexecutedinlocalmachine(although
sandboxed)
• Cons:• FlushandReloadcannotbeapplied• Finegraintimershardtoachieve
BrowserJavascript
Hardware
www.yyyyy.com
-
• SmartphoneapplicationsarelogicallyisolatedbytheOS
• However,aswithTEEs,allapplicationsutilizethehardwarecaches
• Micro-architecturalattackslookasinnocentbinaries,astheyonlyperformtimedmemoryaccesses
• Example:AESkeystealacrossapps[LIPP16]
SmartPhoneApplications
Hardware
-
SmartPhoneApplications• Pros:
• Deduplication isgenerallyused(e.g.Android)
• Easydeployment• Cons
• Flush instructionhastobeenabledbySoC (onlySamsunS6fornow)
• PseudoRandomReplacementpolicies(reverseengineered)
• Devicedependent algorithms (e.g.non-inclusivecachesorlockdown)
-
TrustedExecutionEnvironment• Trustedexecutionenvironments
designedtoachieveisolationfromuntrustedprocesses
• Butbothtrustedanduntrustedenvironmentsaccesssamehardwarecaches!
• Enclavetoenclaveorhosttoenclaveattacksarepossible
• Example:TrustZoneAESkeysteal[BRM15]
• Example:IntelSGXRSAkeysteal[SCW17]
TEEEnclave
LLC
Untrustedprocess
DRAM
Encrypted NonEncrypted
NonEncrypted
NonEncrypted
-
• Pros• Higherresolution:TheOScanbe
malicious!morefinegrainresources(includingscheduling)
• Noneedtofindco-residenttarget• Limitednoise:maliciousOScan
interruptprocessesafter(virtually)everymemoryaccess
• Cons• FlushandReloadnotapplicable
(deduplicationdisabled)
TrustExecutionEnvironment
Prime
Cache
-
• Pros• Higherresolution:TheOScanbe
malicious!morefinegrainresources(includingscheduling)
• Noneedtofindco-residenttarget• Limitednoise:maliciousOScan
interruptprocessesafter(virtually)everymemoryaccess
• Cons• FlushandReloadnotapplicable
(deduplicationdisabled)
TrustExecutionEnvironment
Cache
Access
-
• Pros• Higherresolution:TheOScanbe
malicious!morefinegrainresources(includingscheduling)
• Noneedtofindco-residenttarget• Lownoise:maliciousOScaninterrupt
processesafter(virtually)everymemoryaccess
• Cons• FlushandReloadnotapplicable
(deduplicationdisabled)
TrustExecutionEnvironment
Interrupt
Cache
Probe
-
Countermeasures
-
DesignCacheLeakageFreeCode• Secretindependentinstructionaccesses• Secretindependentdataaccesses• Identificationofvariablesthatcontaininformationrelatedto
thesecret(manualinspection,taintanalysis,etc.)• Obtaincachetimingtracestocorrelatewiththesecret
variablestomeasuretheleakage
Collectcachetiming
informationCorrelation
Identifysecret
dependentaccess
Design
-
DesignCacheLeakageFreeCodeCVE-2016-7439
-
DesignCacheLeakageFreeCode
secretdependentinstructionaccess
CVE-2016-7439
-
DesignCacheLeakageFreeCode
Secretindependentinstructionaccess
CVE-2016-7439
-
DesignCacheLeakageFreeCode
Secretindependentinstructionaccess
Secretdependentdataaccess
CVE-2016-7439
-
DesignCacheLeakageFreeCode
Secretindependentinstructionaccess
Secretindependentdataaccess
-
PageColoring• AvoidingcollisionsintheLLC• LocationinLLCdeterminedbyphysicaladdress• Giveeachuseracolor(addressbits)
00xxxxxx
01xxxxxx
10xxxxxx
11xxxxxx
DRAM
c
LLCPhysicaladdressUsers
-
CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]
Lock
Cache
-
CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]
CachePrime
-
CacheAllocationTechnology• IntelCATprovideshardwareframeworktolockthecache• AllowsOS/hypervisortomarkcachewaysasun-evictable• Attackercannotinfluencevictim’scacheaccesses• Modifyhypervisortosupportmorelockpartitions[LIU16]
CacheProbe
-
BehaviorDetection• HardwarePerformanceCounters(HPCs)cantrackhardware
events(e.g.LLCmisses)• LLCattacksleaveacleartraceintermsofcachemisses/hits• Hypervisor/OStracksthiseventstodetectunusualbehavior• Detectioncanbeimprovedbyinspectingmemoryaccess
HardwareHPCs
GuestOS(Process) GuestOS(Process)
Hypervisor (OS)Detection
-
CountermeasureComparison(Requirements)
LeakageFreeCode
PageColoring IntelCAT BehaviorDetection
Require sourcecodechange
Y N N N
Require OS(hypervisor)update
N Y Y Depends
Require newhardware
N N Y N
-
CountermeasureComparison(Coverage)
LeakageFreeCode
PageColoring IntelCAT BehaviorDetection
IaaS/PaaS Y Y Depends Y
Javascript inbroswer
Y Depends Depends Y
Smartphone Y Y Depends Y
TEE Y N N N
-
KeyTakeaways• Cache attacks are complex but a real threat!• Flush+Reload, Evict+Reload, Prime+Probe• IaaS/PaaS, web browsers, smartphones, TEE,...What
else?• Call to action:
• Application level: introduce cache leakage free code design• Hypervisor/OS level: page coloring for cache isolation• System level: use software to leverage hardware features (Intel
CAT, performance counters)
-
[INCI16]Inci,M.,Gulmezoglu,B.,Irazoqui,G.,Eisenbarth,T.,Sunar,B.CacheAttacksEnableBulkKeyRecoveryontheCloud.CHES2016
[OREN15]Oren,Y.,Kemerlis,V.,Sethumadhavan,S,Keromytis,A.TheSpyintheSandbox:PracticalCacheAttacksinJavaScriptandtheirImplications.ACMCCS2015
[BRM15]Brumley,B.CacheStorageAttacks.CT-RSA2015[SCW17]Schwarz,M.,Weiser,S.,Gruss,D.,Maurice,C.,Mangard,S.Malware
GuardExtension:UsingSGXtoConcealCacheAttacks.Arxiv 2017[LIPP16]Lipp,M.,Gruss,D.,Spreitzer,R.,Maurice,C.,Mangard,S.
ARMageddon:CacheAttacksonMobileDevices.USENIX2016[LIU16]Liu,F.,Yarom,Y.,Mckeen,F.,Rozas,C.,Heiser,G.,LeeR.CATalyst:
Defeatinglast-levelcachesidechannelattacksincloudcomputing.HPCA2016
References