Cache Timing Side-Channel Vulnerability Checking with Computation - PowerPoint PPT Presentation

Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic Shuwen Deng , Wenjie Xiong and Jakub Szefer Yale University HASP June 2, 2018

Memory System Cache Memory CPU Typical set-associative cache sets ways cache enables fast access to the data 2

Cache State Machine ISA-level Microarchitecture-level {probe} {miss} ld s 0 s 2 issue slow latency ↔ cache {hit} access timing latency ⟷ hit or miss s 1 {force fast cache hit & miss evict} access s 6 s 5 {replace} {bypass} ld s 3 s 4 return {return data} 3

Cache Timing Side-Channel Attacks • For load/store instruction, time differs between hits and misses • For flush instruction, time depends on data existence • Attacker’s Goal: get information of the address of victim’s sensitive data by observing the timing difference • Threat Model: – An attacker (A) shares the same cache with a victim (V) – The attacker cannot directly access the cache state machine – The attacker can observe the timing of the victim or itself – The attacker can combine timing observation with some other knowledge • The attacker knows some source code of the victim • The attacker can force victim to execute a specific function • E.g. Flush + Reload Attack 4

E.g. Prime + Probe Attack 1- Attacker Access primes each Set-associative cache Time Evicted cache set 2- Victim accesses sets critical data 3- Attacker ways probes each cache set (measure time) 5

E.g. Flush + Reload Attack 1- Flush each line in the cache Access Set-associative cache Evicted Time 2- Victim accesses critical data sets 3- Attacker reloads critical ways data by running specific process (measure time) 6

Spectre & Meltdown Attack • speculative executions – Variant 1: Bounds Check – Variant 2: Branch Target Injection – Variant 3: Rogue Data Cache • Variant 3a: Rogue System Register – Variant 4: Speculative Store • timing side-channel in the cache 7

Spectre & Meltdown Attack • Uses speculative executions • Leverages timing side-channel in the cache 8

Contribution Develop Analyze Use Cache Access Timing Computation Model Vulnerabilities Tree Logic (CTL) Three-step Exhaustive Model execution single-cache- search for paths of the block-access possible attacks processor cache model based on three- focusing on side- construction step model channel attacks 9

Three-Step Single-Cache-Block-Access Model We use three steps to model all possible cache side channel attacks: Actions of victim Interference & The initial state of or attacker final observation the cache block 𝑇𝑢𝑓𝑞0 ⇝ 𝑇𝑢𝑓𝑞1 ⇝ 𝑇𝑢𝑓𝑞2 # /𝐵 # , 𝑊 & , 𝑊 ' /𝐵 ' , ⋆ 𝑊 # /𝐵 # , 𝑊 & , 𝑊 𝑊 ' /𝐵 ' # /𝐵 # , 𝑊 & , 𝑊 𝑊 ' /𝐵 ' condition description 𝑊 # /𝐵 # A specific known memory location. 𝑊 A piece of memory containing data from a range of & victim’s memory addresses is accessed. 𝑊 ' /𝐵 ' single-cache-block access to “remove” the cache block contents ⋆ Attacker has no knowledge about memory location 10

Vulnerability Examples • Prime + Probe Attack Access Set-associative cache Time Evicted sets ways 3- Attacker 1- Attacker 2- Victim Probes each Primes each accesses cache set cache set critical data (measure time) – 𝐹𝐺(𝐹(𝐹 𝐵 # 𝑉𝑊 & 𝑉𝐵 # )) 11

Vulnerability Examples • Flush + Reload Attack 1- Flush each line in the cache Access Evicted Time Set-associative cache 2- Victim accesses critical data sets 3- Attacker Reloads critical ways data by running specific process – 𝐵 ' ⇝ 𝑊 & ⇝ 𝐵 # (measure time) – 𝑊 ' ⇝ 𝑊 & ⇝ 𝐵 # condition description 𝑊 # /𝐵 # A specific known memory location. 𝑊 A piece of memory containing data from a range of victim’s & memory addresses is accessed. 𝑊 ' /𝐵 ' single-cache-block access to “remove” the cache block contents 12

Soundness of Three-Step Model Why three-step model can cover all? • One cache access – Interference does not exist • Two cache accesses – Same as three-step model with 𝑇𝑢𝑓𝑞0 to be “ ⋆ ” • More than three cache accesses – {⋯ ⇝⋆⇝ ⋯ } can be divided into two parts ' ⇝ ⋯ , {⋯ ⇝ – ⋯ ⇝ 𝐵 ' ⇝ 𝐵 ' ⇝ ⋯ , ⋯ ⇝ 𝐵 ' ⇝ 𝑊 # ⇝ ⋯ }, {⋯ ⇝ 𝑊 𝐵 # ⇝ 𝑊 & ⇝ 𝑊 & ⇝ ⋯ } , … can be reduced ' ⇝ ⋯ , {⋯ ⇝ 𝑊 to ⋯ ⇝ 𝐵 ' ⇝ ⋯ , ⋯ ⇝ 𝑊 # ⇝ ⋯ }, ⋯ ⇝ 𝑊 & ⇝ ⋯ , … , respectively – ⋯ ⇝ (𝐵 ' /𝑊 ' ∕ 𝐵 # ∕ 𝑊 # ) ⇝ 𝑊 & ⇝ (𝐵 ' /𝑊 ' ∕ 𝐵 # ∕ 𝑊 # ) ⇝ ⋯ maps to effective vulnerabilities represented by three- step model 13

Soundness of Three-step Model (b) • More than three cache accesses – {⋯ ⇝⋆⇝ ⋯ } can be divided into two parts ' ⇝ ⋯ , … , {⋯ ⇝ – ⋯ ⇝ 𝐵 ' ⇝ 𝐵 ' ⇝ ⋯ , ⋯ ⇝ 𝐵 ' ⇝ 𝑊 # ⇝ ⋯ } , … , {⋯ ⇝ 𝑊 𝐵 # ⇝ 𝑊 & ⇝ 𝑊 & ⇝ ⋯ } can be reduced ' ⇝ ⋯ , … , {⋯ ⇝ 𝑊 to ⋯ ⇝ 𝐵 ' ⇝ ⋯ , ⋯ ⇝ 𝑊 # ⇝ ⋯ } , … , {⋯ ⇝ 𝑊 & ⇝ ⋯ } , respectively – ⋯ ⇝ (𝐵 ' /𝑊 ' ∕ 𝐵 # ∕ 𝑊 # ) ⇝ 𝑊 & ⇝ (𝐵 ' /𝑊 ' ∕ 𝐵 # ∕ 𝑊 # ) ⇝ ⋯ maps to known vulnerabilities represented by three-step model 14

Exhaustive Vulnerability Search • Explicit enumeration of all the possible three steps (6x5x5=150) • Identify 28 types of cache attacks – 20 types already known or categorized – 8 types previously not in literature • Can be applied to evaluate any cache architecture with CTL logic 15

Vulnerability Exhaustive List S0 S1 S2 Recognized Categor S0 S1 S2 Recognized name Catego name ization rization 𝑾 𝒚 𝑩 𝑺 𝑾 𝒚 Type A 𝑊 𝑊 𝐵 ' Flush+Flush Type O & & 𝑾 𝒚 𝑾 𝑺 𝑾 𝒚 Type B 𝐵 ' 𝑊 𝑊 Flush+Flush Type P & ' 𝑩 𝑺 𝑩 𝟐 𝑾 𝒚 Type C 𝑊 𝑊 𝑊 Flush+Flush Type Q ' & ' 𝑾 𝑺 𝑩 𝟐 𝑾 𝒚 Type D 𝑊 𝑊 𝑊 Flush+Flush Type R & & ' 𝑩 𝟐 𝑩 𝟐 𝑾 𝒚 Type E 𝐵 ' 𝑊 𝐵 # Flush(Evict)+Reload Type S & 𝑾 𝟐 𝑩 𝟐 𝑾 𝒚 Type F 𝑊 𝑊 𝐵 # Flush(Evict)+Reload Type T ' & 𝑊 𝐵 # 𝑊 Evict+Time Type G 𝐵 # 𝑊 𝐵 # Prime+Probe Type U & & & 𝐵 ' 𝑊 𝑊 Cache Collision Type H 𝑾 𝟐 𝑾 𝒚 𝑩 𝟐 Type V # & 𝑊 𝑊 𝑊 Cache Collision Type I 𝑊 𝑊 𝐵 # Flush(Evict)+Reload Type W ' # & & & 𝐵 # 𝑊 𝑊 Cache Collision Type J 𝐵 ' 𝑊 𝑊 Cache Collision Type X # & & # 𝑊 𝑊 𝑊 Cache Collision Type K 𝑊 𝑊 𝑊 Cache Collision Type Y # # & ' & # 𝑊 𝑊 𝑊 Bernstein’s attack Type L 𝑩 𝟐 𝑾 𝒚 𝑾 𝟐 Type Z & # & 𝑊 𝑊 𝑊 𝐵 ' 𝑊 𝐵 ' Bernstein’s attack Type AA Flush+Flush Type M # & # & 𝑊 𝑊 𝐵 ' 𝑊 𝑊 𝑊 Flush+Flush Type N Cache Collision Type AB & & # ' & 16

Vulnerability Examples • Flush + Reload Attack • New Type V Attack (Type S, T Attack) – 𝐵 ' ⇝ 𝑊 & ⇝ 𝐵 # – 𝑊 # ⇝ 𝑊 & ⇝ 𝐵 # – 𝑊 ' ⇝ 𝑊 & ⇝ 𝐵 # Access Access Evicted Set-associative cache Time Set-associative cache Time Evicted sets sets ways 3- Attacker ways 3- Attacker 1- Flush 2- Victim reloads critical 1- Victim probes each 2- Victim each line in accesses data by running primes each accesses cache set the cache critical data specific process cache set critical data (measure time) (measure time) 17

Computation Tree Logic Treats time as discrete and branching Can explore different execution paths • Atomic propositions: , ,… • Boolean operators: ¬𝜒, 𝜒 ∨ 𝜔, 𝜒 ∧ 𝜔, … • Temporal modalities: 𝜔 – X 𝜔 “next 𝜔 ” … 𝜒 𝜒 𝜔 – 𝜒 𝑉 𝜔 “ 𝜒 until 𝜔 ” … – F 𝜒 “eventually 𝜒 ” 𝜒 … – G 𝜒 “always 𝜒 ” … 𝜒 𝜒 𝜒 𝜒 𝜒 𝜔 • Path quantifiers: E 𝜔 A 𝜔 – 18 𝜔 𝜔 𝜔 𝜔 𝜔

Three-Step Model in CTL logic For a single cache block, model execution paths that represent vulnerabilities to attacks: Actions of victim Interference & The initial state of or attacker final observation the cache block M, s ⊨ 𝐹𝐺(𝐹(𝐹 𝑇𝑢𝑓𝑞0 𝑉 𝑇𝑢𝑓𝑞1 𝑉 𝑇𝑢𝑓𝑞2)) Eventually there exists a Step0 path that corresponds to the vulnerability: Step1 𝑇𝑢𝑓𝑞0 ⇝ 𝑇𝑢𝑓𝑞1 ⇝ 𝑇𝑢𝑓𝑞2 Step2 E.g. 𝐵 ' ⇝ 𝑊 & ⇝ 𝐵 # ↔ 𝐹𝐺(𝐹(𝐹 𝐵 ' 𝑉𝑊 & 𝑉𝐵 # )) 19

Bounded Computation Tree (s 0 ,0) three-step model: (s 2 ,1) (s 1 ,1) Step 0 (s 4 ,2) (s 3 ,2) {probe} s 0 (s 0 ,3) (s 4 ,3) (s 0 ,4) (s 1 ,4) (s 2 ,4) {hit} {miss} s 1 s 2 Unfold from s 0 to (s 2 ,5) (s 1 ,5) (s 4 ,5) (s 3 ,5) computation tree Step 1 (s 4 ,6) (s 3 ,6) (s 0 ,6) (s 4 ,6) s 3 {replace} (s 0 ,7) (s 1 ,7) (s 2 ,7) (s 0 ,7) (s 4 ,7) s 4 {return (s 0 ,7) (s 1 ,8) (s 2 ,8) (s 1 ,8) (s 2 ,8) data} (s 4 ,8) (s 3 ,8) Step 2 (s 1 ,8) (s 2 ,8) (s 4 ,9) (s 4 ,9) (s 4 ,9) (s 3 ,9) (s 3 ,9) (s 3 ,10) (s 4 ,10) (s 4 ,10) (s 4 ,10) (s 4 ,11) 20