Microarchitectural Side-Channel Attacks - Jo Van Bulck · 2021. 1. 5. · 5 Van Bulck et al....
Microarchitectural Side-Channel Attacks
for Privileged Software Adversaries
Jo Van Bulck
DistriNet reunion, February 5, 2020
imec-DistriNet, KU Leuven · [email protected] · jovanbulck
Processor security: Hardware isolation mechanisms
[Figure: protection domains (App, App, VM OS; App, Enclave, VM OS; Hypervisor (VMM))]
• Different software protection domains: user processes, virtual machines, enclaves
• CPU builds “walls” for memory isolation between applications and privilege levels
↔ Microarchitectural side-channels permeate architectural protection walls!
A primer on software security
[Figure: INPUT → OUTPUT]
• Secure program: convert all input to expected output
• Buffer overflow vulnerabilities: trigger unexpected behavior
• Safe languages & formal verification: preserve expected behavior
• Side-channels: observe side-effects of the computation
• Constant-time code: eliminate secret-dependent side-effects
A vulnerable example program and its constant-time equivalent
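```c
/* pwd and PWD_LEN are defined elsewhere; returns 1 on match, 0 otherwise */
int check_pwd(char *input)
{
    for (int i = 0; i < PWD_LEN; i++)
        if (input[i] != pwd[i])
            return 0;   /* early exit: run time depends on the number of correct leading bytes */

    return 1;
}
```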
Overall execution time reveals correctness of individual password bytes!
→ reduce brute-force attack from an exponential to a linear effort. . .
```c
/* Constant-time equivalent: always inspects all PWD_LEN bytes */
int check_pwd(char *input)
{
    int rv = 0x0;
    for (int i = 0; i < PWD_LEN; i++)
        rv |= input[i] ^ pwd[i];   /* accumulate differences, no early exit */

    return (rv == 0);
}
```
Rewrite program such that execution time does not depend on secrets
→ manual, error-prone solution; side-channels are likely here to stay. . .
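A regression check for the two comparison routines above, as an added example that is not part of the original slides. It counts loop iterations instead of measuring wall-clock time so the result is deterministic; the sample secret and the names `check_pwd_leaky`, `check_pwd_ct`, `steps_for_prefix`, `verdict_for_prefix` and `work_depends_on_secret` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PWD_LEN 8
/* Constructed sample secret, for illustration only */
static const unsigned char pwd[PWD_LEN] = {'h', 'u', 'n', 't', 'e', 'r', '4', '2'};

/* A comparison routine that also reports how many loop iterations it ran */
typedef int (*cmp_fn)(const unsigned char *input, size_t *steps);

/* Early-exit comparison from the slide, instrumented with a step counter */
int check_pwd_leaky(const unsigned char *input, size_t *steps)
{
    for (size_t i = 0; i < PWD_LEN; i++) {
        (*steps)++;
        if (input[i] != pwd[i])
            return 0;               /* trip count depends on the secret */
    }
    return 1;
}

/* Constant-time variant from the slide, instrumented the same way */
int check_pwd_ct(const unsigned char *input, size_t *steps)
{
    unsigned char rv = 0;
    for (size_t i = 0; i < PWD_LEN; i++) {
        (*steps)++;
        rv |= (unsigned char)(input[i] ^ pwd[i]);
    }
    return rv == 0;
}

/* Build a guess whose first `prefix` bytes are right and whose remaining
 * bytes are guaranteed wrong, run the routine, report verdict and steps. */
static int probe(cmp_fn cmp, size_t prefix, size_t *steps)
{
    unsigned char guess[PWD_LEN];
    for (size_t i = 0; i < PWD_LEN; i++)
        guess[i] = (i < prefix) ? pwd[i] : (unsigned char)(pwd[i] ^ 0xFF);
    *steps = 0;
    return cmp(guess, steps);
}

size_t steps_for_prefix(cmp_fn cmp, size_t prefix)
{
    size_t steps;
    (void)probe(cmp, prefix, &steps);
    return steps;
}

int verdict_for_prefix(cmp_fn cmp, size_t prefix)
{
    size_t steps;
    return probe(cmp, prefix, &steps);
}

/* Returns 1 if the amount of work changes with the number of correct
 * leading bytes, i.e. the routine is not constant-time at source level. */
int work_depends_on_secret(cmp_fn cmp)
{
    size_t baseline = steps_for_prefix(cmp, 0);
    for (size_t p = 1; p <= PWD_LEN; p++)
        if (steps_for_prefix(cmp, p) != baseline)
            return 1;
    return 0;
}

int main(void)
{
    for (size_t p = 0; p <= PWD_LEN; p++)
        printf("correct prefix %zu: leaky=%zu steps, constant-time=%zu steps\n",
               p, steps_for_prefix(check_pwd_leaky, p),
               steps_for_prefix(check_pwd_ct, p));
    printf("leaky depends on secret: %d\n", work_depends_on_secret(check_pwd_leaky));
    printf("ct depends on secret:    %d\n", work_depends_on_secret(check_pwd_ct));
    return 0;
}
```

A source-level check like this does not cover the compiler: an optimizer may reintroduce an early exit, so the generated machine code still needs inspection.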
What’s inside the black box?
Enclaved execution: Reducing attack surface
[Figure: system stack with Apps, OS kernel, Hypervisor, CPU, Mem, HDD and TPM; in the second build one App becomes an Enclave app]
Traditional layered designs: large trusted computing base
Intel SGX promise: hardware-level isolation and attestation
Enclaved execution: Privileged side-channel attacks
[Figure: system stack with Apps, Enclave app, OS kernel, Hypervisor, CPU, Mem, HDD and TPM; plot of IRQ latency per instruction (interrupt number)]
Game-changer: Untrusted OS → new class of powerful side-channels
Xu et al. “Controlled-channel attacks: Deterministic side-channels for untrusted operating systems”, IEEE S&P 2015
Van Bulck et al. “Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic”, CCS 2018
We can communicate across protection walls
using microarchitectural side-channels!
Leaky processors: Jumping over protection walls with side-channels
[Figure: protection domains (App, App, VM OS; App, Enclave, VM OS; Hypervisor (VMM))]
Can we do better? Can we demolish architectural
protection walls instead of just peeking over?
Enclaved execution: Side-channel attacks
[Figure: system stack with Apps, Enclave app, OS kernel, Hypervisor, CPU, Mem, HDD and TPM]
Untrusted OS → new class of powerful side-channels
Enclaved execution: Transient-execution attacks
Trusted CPU → exploit microarchitectural bugs/design flaws
Van Bulck et al. “Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution”, USENIX 2018
Leaky processors: Breaking isolation mechanisms
[Figure: protection domains (App, App, VM OS; App, Enclave, VM OS; Hypervisor (VMM))]
• Meltdown breaks user/kernel isolation
• Foreshadow breaks SGX enclave and virtual machine isolation
• Spectre breaks software-defined isolation on various levels
• . . . many more – but all exploit the same underlying insights!
Out-of-order and speculative execution
Key discrepancy:
• Programmers write sequential instructions
• Modern CPUs are inherently parallel
⇒ Execute instructions ahead of time
Best-effort: What if triangle fails?
→ Commit in-order, roll-back square
. . . But side-channels may leave traces (!)
Transient-execution attacks: Welcome to the world of fun!
CPU executes ahead of time in transient world
• Success → commit results to normal world
• Fail → discard results, compute again in normal world
Key finding of 2018
⇒ Transmit secrets from transient to normal world
Transient world (microarchitecture) may temporarily bypass architectural software intentions:
• Delayed exception handling; control flow prediction
• CPU access control bypass; speculative buffer overflow/ROP
The transient-execution zoo https://transient.fail
[Figure: classification tree of transient-execution attacks, rooted at “Transient cause”]
• Spectre-type: Spectre-PHT, Spectre-BTB, Spectre-RSB, Spectre-STL
• Cross-address-space / same-address-space variants: PHT-CA-IP, PHT-CA-OP, PHT-SA-IP, PHT-SA-OP, BTB-CA-IP, BTB-CA-OP, BTB-SA-IP, BTB-SA-OP, RSB-CA-IP, RSB-CA-OP, RSB-SA-IP, RSB-SA-OP
• Meltdown-type: Meltdown-NM-REG, Meltdown-PF, Meltdown-BR, Meltdown-GP, Meltdown-MCA
• Meltdown-US, Meltdown-P, Meltdown-RW, Meltdown-PK-L1, Meltdown-SM-SB, Meltdown-MPX, Meltdown-BND, Meltdown-CPL-REG, Meltdown-NC-SB, Meltdown-AD, Meltdown-AVX-LP
• Meltdown-US-L1, Meltdown-US-LFB, Meltdown-US-SB, Meltdown-P-L1, Meltdown-P-LFB, Meltdown-P-SB, Meltdown-P-LP, Meltdown-AD-LFB, Meltdown-AD-SB
Canella et al. “A systematic evaluation of transient execution attacks and defenses”, USENIX Security 2019
Meltdown: Transiently encoding unauthorized memory
[Figure: Meltdown steps]
• Unauthorized access
• Transient out-of-order window (oracle array, secret idx)
• Exception (discard architectural state)
• Exception handler (oracle array, cache hit)
Building Foreshadow: Evade the abort page
Straw man: (Speculative) accesses in non-enclave mode are dropped
Stone man: Bypass abort page via untrusted page table
Unprivileged system call:
```c
mprotect( secret_ptr & ~0xFFF, 0x1000, PROT_NONE );
```
Van Bulck et al. “Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution”, USENIX 2018
Foreshadow-NG: Breaking the virtual memory abstraction
L1-Terminal Fault: match unmapped physical address (!)
[Figure: CPU micro-architecture (labels: vadrs, PT walk?, guest padrs, EPT walk?, host padrs, SGX?, L1D, Tag?, Pass to out-of-order)]
Van Bulck et al. “Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution”, USENIX 2018
Conclusions and take-away https://foreshadowattack.eu/
⇒ New emerging and powerful class of transient-execution attacks
⇒ Importance of fundamental side-channel research; no silver-bullet defenses
⇒ Security cross-cuts the system stack: hardware, OS, VMM, compiler, application
Appendix
References
C. Canella, J. Van Bulck, M. Schwarz, M. Lipp, B. von Berg, P. Ortner, F. Piessens, D. Evtyushkin, and D. Gruss. A Systematic Evaluation of Transient Execution Attacks and Defenses. In Proceedings of the 28th USENIX Security Symposium, 2019.
J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, August 2018.
J. Van Bulck, F. Piessens, and R. Strackx. SGX-Step: A practical attack framework for precise enclave execution control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution, SysTEX’17, pp. 4:1–4:6. ACM, 2017.
J. Van Bulck, F. Piessens, and R. Strackx. Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic. In Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS’18). ACM, October 2018.
J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx. Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution. In Proceedings of the 26th USENIX Security Symposium. USENIX Association, August 2017.
SGX-Step: Executing enclaves one instruction at a time
[Figure: SGX-Step framework (labels: user space; 4 ERESUME)]
Van Bulck et al. “SGX-Step: A practical attack framework for precise enclave execution control”, SysTEX 2017
Van Bulck et al. “Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic”, CCS 2018
https://github.com/jovanbulck/sgx-step
Mitigating Foreshadow
• Future CPUs (silicon-based changes): https://newsroom.intel.com/editorials/advancing-security-silicon-level/
• OS kernel updates (sanitize page frame bits)
• Intel microcode updates ⇒ Flush L1 cache on enclave/VMM exit + disable HyperThreading: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
Spectre v1: Speculative buffer over-read
[Figure: user buffer and secret]
• Programmer intention: never access out-of-bounds memory
• Branch can be mistrained to speculatively (i.e., ahead of time) execute with idx ≥ LEN in the transient world
• Insert explicit speculation barriers to tell the CPU to halt the transient world...
• Huge manual, error-prone effort...
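Two ways to harden the bounds-checked read described above, as an added example that is not from the original slides: a speculation barrier after the check, and, going beyond the slide, branchless index masking in the style of the Linux kernel's `array_index_nospec()`. The buffer contents, the function names and the non-x86 fallback barrier are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN 16   /* size of the user buffer, as in "idx >= LEN" on the slide */

#if defined(__x86_64__)
#include <emmintrin.h>
/* LFENCE: later instructions do not start until earlier ones complete */
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Assumption: other targets need their own barrier instruction; this
 * fallback only prevents compiler reordering and is a placeholder. */
#define SPECULATION_BARRIER() __asm__ volatile("" ::: "memory")
#endif

/* Constructed sample data */
static const uint8_t buffer[LEN] = {
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
};

/* Architecturally correct, but if the branch is mistrained the load can
 * execute transiently with idx >= LEN and a dependent access in the caller
 * can encode the over-read byte in the cache. */
int read_unprotected(size_t idx)
{
    if (idx < LEN)
        return buffer[idx];
    return -1;
}

/* Hardened, variant 1: barrier between the bounds check and the load. */
int read_with_barrier(size_t idx)
{
    if (idx < LEN) {
        SPECULATION_BARRIER();
        return buffer[idx];
    }
    return -1;
}

/* All-ones when idx < size, zero otherwise, computed without a branch.
 * Requires size <= INTPTR_MAX and an arithmetic right shift on signed
 * values (true for GCC and Clang). */
size_t index_mask(size_t idx, size_t size)
{
    /* Hide idx's value range so the optimizer cannot fold the mask away */
    __asm__ volatile("" : "+r"(idx));
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx))
                    >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Hardened, variant 2: even on a mispredicted path the index is clamped
 * to 0 by data flow, so the transient load stays inside the buffer. */
int read_with_mask(size_t idx)
{
    if (idx < LEN) {
        idx &= index_mask(idx, LEN);
        return buffer[idx];
    }
    return -1;
}

int main(void)
{
    printf("in bounds:     %d %d %d\n", read_unprotected(2),
           read_with_barrier(2), read_with_mask(2));
    printf("out of bounds: %d %d %d\n", read_unprotected(LEN),
           read_with_barrier(LEN), read_with_mask(LEN));
    return 0;
}
```

Both hardened variants return the same architectural results as the unprotected read; the difference is only in what the CPU may do transiently, which a functional test cannot observe.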