Cache Storage Channels Alias-driven Attacks Formally Verified - - PowerPoint PPT Presentation

cache storage channels alias driven attacks formally
SMART_READER_LITE
LIVE PREVIEW

Cache Storage Channels Alias-driven Attacks Formally Verified - - PowerPoint PPT Presentation

Feb 20, 2024 35 likes •679 views

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

slide-1
SLIDE 1

Cache Storage Channels Alias-driven Attacks

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann

slide-2
SLIDE 2

Formally Verified Platforms

slide-3
SLIDE 3

Formally Verified Platforms

slide-4
SLIDE 4

Formally Verified Platforms Caches Excluded from the analysis

slide-5
SLIDE 5

Formally Verified Platforms Caches Excluded from the analysis

slide-6
SLIDE 6

Formally Verified Platforms Caches Excluded from the analysis

slide-7
SLIDE 7

Formally Verified Platforms Caches Excluded from the analysis

slide-8
SLIDE 8

Formally Verified Platforms Caches Excluded from the analysis Models should be Sound

slide-9
SLIDE 9

Formally Verified Platforms Caches Excluded from the analysis Models should be Sound Storage Channels can invalidate results

slide-10
SLIDE 10

Virtual Address MMU Cacheable (std-memory) Non-cacheable (devices)

Incoherent Cache Behaviors

Page T ables

slide-11
SLIDE 11

Mismatched cacheability attributes

slide-12
SLIDE 12

do not do this Mismatched cacheability attributes

slide-13
SLIDE 13

do not do this Please, Mismatched cacheability attributes

slide-14
SLIDE 14

do not do this Please, Mismatched cacheability attributes Incoherent Cache Behaviors

slide-15
SLIDE 15

ARM-terminology: unexpected cache hit if the data cache reports a hit on a memory location that is marked as non- cacheable, the cache might access the memory disregarding such hit.

do not do this Please, Mismatched cacheability attributes Incoherent Cache Behaviors

slide-16
SLIDE 16

Hypervisor OS OS

Scenarios

slide-17
SLIDE 17

Hypervisor OS OS OS ARM TrustZone Service

Scenarios

slide-18
SLIDE 18

Hypervisor OS OS OS ARM TrustZone Service Kernel Device Driver User Process

Scenarios

slide-19
SLIDE 19

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache memory

slide-20
SLIDE 20

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

Attacker Victim

VA_nc PA VA_c line dirty cache memory

slide-21
SLIDE 21

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

Attacker Victim

VA_nc PA VA_c line dirty cache memory

slide-22
SLIDE 22

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

Attacker Victim

VA_nc PA VA_c line dirty cache memory

slide-23
SLIDE 23

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache memory

slide-24
SLIDE 24

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache memory

slide-25
SLIDE 25

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache memory

slide-26
SLIDE 26

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache memory

slide-27
SLIDE 27

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache memory

slide-28
SLIDE 28

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-29
SLIDE 29

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-30
SLIDE 30

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-31
SLIDE 31

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-32
SLIDE 32

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-33
SLIDE 33

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-34
SLIDE 34

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-35
SLIDE 35

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-36
SLIDE 36

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

slide-37
SLIDE 37

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

D = =

slide-38
SLIDE 38

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

D = =

slide-39
SLIDE 39

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c F line dirty

Attacker Victim

cache 1 memory

e v i c t i

  • n
slide-40
SLIDE 40

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache 1 memory

e v i c t i

  • n
slide-41
SLIDE 41

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache 1 memory

slide-42
SLIDE 42

VA_nc PA VA_c line dirty

Attacker Victim

cache 1 memory

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

slide-43
SLIDE 43

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c line dirty

Attacker Victim

cache 1 memory

slide-44
SLIDE 44

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c 1 F line dirty

Attacker Victim

cache 1 memory

slide-45
SLIDE 45

w r i t e ( V A _ n c , ) … w r i t e ( V A _ n c , 1 ) f r e e ( V A _ n c ) D = a c c e s s ( V A _ c ) … D = a c c e s s ( V A _ c ) i f n

  • t

p

  • l

i c y ( D ) R e j e c t ( ) … u s e ( V A _ c )

VA_nc PA VA_c 1 F line dirty

Attacker Victim

cache 1 memory

slide-46
SLIDE 46

Integrity threat

  • Transfer of memory ownership
  • Time Of Check To Time Of Use attacks
  • No need of
  • simultaneous double mapping
  • concurrency

Natural preys: reference monitors

Storage channels

slide-47
SLIDE 47

cache VA_nc VA_c PA1 VA3 VA2 PA2 PA3 i n v a l i d a t e ( V A _ c ) w r i t e ( V A _ n c , ) D = r e a d ( V A _ c ) w r i t e ( V A _ n c , 1 ) c a l l v i c t i m D = r e a d ( V A _ c ) i f s e c r e t a c c e s s ( V A 2 ) e l s e a c c e s s ( V A 3 )

Attacker Victim

slide-48
SLIDE 48

cache VA_nc VA_c PA1 VA3 VA2 PA2 PA3

Accessed cache line is secret-dependent

i n v a l i d a t e ( V A _ c ) w r i t e ( V A _ n c , ) D = r e a d ( V A _ c ) w r i t e ( V A _ n c , 1 ) c a l l v i c t i m D = r e a d ( V A _ c ) i f s e c r e t a c c e s s ( V A 2 ) e l s e a c c e s s ( V A 3 )

Attacker Victim

slide-49
SLIDE 49

cache VA_nc VA_c PA1 VA3 VA2 PA2 PA3 i n v a l i d a t e ( V A _ c ) w r i t e ( V A _ n c , ) D = r e a d ( V A _ c ) w r i t e ( V A _ n c , 1 ) c a l l v i c t i m D = r e a d ( V A _ c ) i f s e c r e t a c c e s s ( V A 2 ) e l s e a c c e s s ( V A 3 )

Attacker Victim

Cache is a shared resource

slide-50
SLIDE 50

cache VA_nc VA_c PA1 VA3 VA2 PA2 PA3 i n v a l i d a t e ( V A _ c ) w r i t e ( V A _ n c , ) D = r e a d ( V A _ c ) w r i t e ( V A _ n c , 1 ) c a l l v i c t i m D = r e a d ( V A _ c ) i f s e c r e t a c c e s s ( V A 2 ) e l s e a c c e s s ( V A 3 )

Attacker Victim

Mismatched cacheability attributes

slide-51
SLIDE 51

Confidentiality threat

  • Access driven attacks
  • No external measure needed
  • Difficult to counter-measure at

probing time Natural preys: look-up tables Natural preys: reference monitors

Storage channels

Integrity threat

  • Transfer of memory ownership
  • Time Of Check To Time Of Use
  • No need of
  • simultaneous double mapping
  • concurrency
slide-52
SLIDE 52

Hypervisor

▸ Beagleboard

Paravirtualizing Hypervisor

PT PT Linux

Linux prepares a PT

slide-53
SLIDE 53

Linux

Hypervisor makes region read-only ▸ Beagleboard

Paravirtualizing Hypervisor

Hypervisor PT PT

slide-54
SLIDE 54

Hypervisor PT PT Linux

Hypervisor validates content ▸ Beagleboard

Paravirtualizing Hypervisor

slide-55
SLIDE 55

Hypervisor PT PT Linux

Hypervisor activates PT ▸ Beagleboard

Paravirtualizing Hypervisor

slide-56
SLIDE 56

Hypervisor PT PT Linux

Hypervisor activates PT ▸ Beagleboard

Paravirtualizing Hypervisor

slide-57
SLIDE 57

Hypervisor PT PT Linux

Hypervisor activates PT ▸ Beagleboard ▸ Linux takes complete control

Paravirtualizing Hypervisor

slide-58
SLIDE 58

OS TrustZone Service

Vulnerability: c[j]=Kn[j] xor T4[s[j]]

▸ Raspberry PI 2 ▸ 128-bit key extracted after 850 encryptions

AES Cryptoservice

slide-59
SLIDE 59

Integrity threat guarantee memory coherency

  • cache flushes

(8x overhead)

  • selective eviction

(0.2x overhead)

Countermeasures

slide-60
SLIDE 60

Integrity threat guarantee memory coherency

  • cache flushes

(8x overhead)

  • selective eviction

(0.2x overhead)

Countermeasures

Confidentiality threat standard timing approaches

  • secret-independent accesses

(5x overhead)

  • no cache for secret accesses

(6x overhead)

slide-61
SLIDE 61

Integrity threat guarantee memory coherency

  • cache flushes

(8x overhead)

  • selective eviction

(0.2x overhead)

Countermeasures

Confidentiality threat standard timing approaches

  • secret-independent accesses

(5x overhead)

  • no cache for secret accesses

(6x overhead) Vector specific

  • avoid uncacheable aliases

(0.15x overhead)

slide-62
SLIDE 62

Integrity threat guarantee memory coherency

  • cache flushes

(8x overhead)

  • selective eviction

(0.2x overhead)

Countermeasures

Confidentiality threat standard timing approaches

  • secret-independent accesses

(5x overhead)

  • no cache for secret accesses

(6x overhead) Vector specific

  • avoid uncacheable aliases

(0.15x overhead) HW Countermeasures

  • do not disregard

unexpected cache hit

slide-63
SLIDE 63

Confidentiality threat using self-modifying code

Concluding remarks

Ongoing work

  • Repair formal verification
  • TLBs / Branch prediction / …
  • Experimentation in multi-core
  • Evaluating HW countermeasures
slide-64
SLIDE 64

THANKS! Any questions?

You can find me at robertog@kth.se http://prosper.sics.se/ http://haspoc.sics.se/