Cache Timing Side-Channel Vulnerability Checking with Computation Tree Logic
Shuwen Deng, Wenjie Xiong and Jakub Szefer
Yale University
HASP, June 2, 2018
Memory System
2
Cache
[Figure: CPU, cache and memory; a typical set-associative cache organized in sets and ways]
The cache enables fast access to the data.
3
Cache State Machine
[Figure: cache state machine with states s0 to s6. ISA-level events: ld issue, ld return. Microarchitecture-level labels: {probe}, {hit}, {miss}, {replace}, {bypass}, {force evict}, {return data}. A hit is a fast access; a miss is a slow access.]
Timing latency ⟷ cache hit or miss
4
Cache Timing Side-Channel Attacks
- For load/store instructions, time differs between hits and misses
- For flush instructions, time depends on whether the data exists in the cache
- Attacker’s goal: get information about the address of the victim’s sensitive data by observing the timing difference
- Threat model:
  – An attacker (A) shares the same cache with a victim (V)
  – The attacker cannot directly access the cache state machine
  – The attacker can observe the timing of the victim or itself
  – The attacker can combine timing observation with some other knowledge
    - The attacker knows some source code of the victim
    - The attacker can force the victim to execute a specific function
    - E.g. Flush + Reload Attack
5
E.g. Prime + Probe Attack
[Figure: set-associative cache (sets and ways); evicted line; access time]
1- Attacker primes each cache set
2- Victim accesses critical data
3- Attacker probes each cache set (measure time)
6
E.g. Flush + Reload Attack
[Figure: set-associative cache (sets and ways); evicted line; access time]
1- Flush each line in the cache
2- Victim accesses critical data
3- Attacker reloads critical data by running specific process (measure time)
7
Spectre & Meltdown Attack
- speculative executions
– Variant 1: Bounds Check
– Variant 2: Branch Target Injection
– Variant 3: Rogue Data Cache
  - Variant 3a: Rogue System Register
– Variant 4: Speculative Store
- timing side-channel in the cache
8
Spectre & Meltdown Attack
- Uses speculative executions
- Leverages timing side-channel in the cache
9
Contribution
- Use Computation Tree Logic (CTL): model execution paths of the processor cache, focusing on side-channel attacks
- Develop Cache Access Model: three-step single-cache-block-access model construction
- Analyze Timing Vulnerabilities: exhaustive search for possible attacks based on the three-step model
10
Three-Step Single-Cache-Block-Access Model
We use three steps to model all possible cache side channel attacks: Step0 ⇝ Step1 ⇝ Step2
- Step0: the initial state of the cache block. Conditions: V#/A#, V&, V'/A', ⋆
- Step1: actions of victim or attacker. Conditions: V#/A#, V&, V'/A'
- Step2: interference & final observation. Conditions: V#/A#, V&, V'/A'

condition    description
V#/A#        A specific known memory location.
V&           A piece of memory containing data from a range of victim’s memory addresses is accessed.
V'/A'        Single-cache-block access to “remove” the cache block contents.
⋆            Attacker has no knowledge about memory location.
11
Vulnerability Examples
- Prime + Probe Attack
  – EF(E(E A# U V& U A#))
[Figure: set-associative cache (sets and ways); evicted line; access time]
1- Attacker primes each cache set
2- Victim accesses critical data
3- Attacker probes each cache set (measure time)
12
Vulnerability Examples
- Flush + Reload Attack
  – A' ⇝ V& ⇝ A#
  – V' ⇝ V& ⇝ A#
[Figure: set-associative cache (sets and ways); evicted line; access time]
1- Flush each line in the cache
2- Victim accesses critical data
3- Attacker reloads critical data by running specific process (measure time)

condition    description
V#/A#        A specific known memory location.
V&           A piece of memory containing data from a range of victim’s memory addresses is accessed.
V'/A'        Single-cache-block access to “remove” the cache block contents.
13
Soundness of Three-Step Model
Why can the three-step model cover all?
- One cache access
  – Interference does not exist
- Two cache accesses
  – Same as three-step model with Step0 to be “⋆”
- More than three cache accesses
  – {⋯ ⇝ ⋆ ⇝ ⋯} can be divided into two parts
  – {⋯ ⇝ A' ⇝ A' ⇝ ⋯}, {⋯ ⇝ A' ⇝ V' ⇝ ⋯}, {⋯ ⇝ A# ⇝ V# ⇝ ⋯}, {⋯ ⇝ V& ⇝ V& ⇝ ⋯}, … can be reduced to {⋯ ⇝ A' ⇝ ⋯}, {⋯ ⇝ V' ⇝ ⋯}, {⋯ ⇝ V# ⇝ ⋯}, {⋯ ⇝ V& ⇝ ⋯}, …, respectively
  – ⋯ ⇝ (A'/V'/A#/V#) ⇝ V& ⇝ (A'/V'/A#/V#) ⇝ ⋯ maps to effective vulnerabilities represented by three-step model
14
Soundness of Three-step Model (b)
- More than three cache accesses
  – {⋯ ⇝ ⋆ ⇝ ⋯} can be divided into two parts
  – {⋯ ⇝ A' ⇝ A' ⇝ ⋯}, {⋯ ⇝ A' ⇝ V' ⇝ ⋯}, …, {⋯ ⇝ A# ⇝ V# ⇝ ⋯}, …, {⋯ ⇝ V& ⇝ V& ⇝ ⋯} can be reduced to {⋯ ⇝ A' ⇝ ⋯}, {⋯ ⇝ V' ⇝ ⋯}, …, {⋯ ⇝ V# ⇝ ⋯}, …, {⋯ ⇝ V& ⇝ ⋯}, respectively
  – ⋯ ⇝ (A'/V'/A#/V#) ⇝ V& ⇝ (A'/V'/A#/V#) ⇝ ⋯ maps to known vulnerabilities represented by three-step model
15
Exhaustive Vulnerability Search
- Explicit enumeration of all the possible three steps (6x5x5=150)
- Identify 28 types of cache attacks
  – 20 types already known or categorized
  – 8 types previously not in literature
- Can be applied to evaluate any cache architecture with CTL logic
16
Vulnerability Exhaustive List
S0    S1    S2    Recognized name        Categorization
V&    A'    V&                           Type A
V&    V'    V&                           Type B
A'    A#    V&                           Type C
V'    A#    V&                           Type D
A#    A#    V&                           Type E
V#    A#    V&                           Type F
V&    A#    V&    Evict+Time             Type G
A'    V#    V&    Cache Collision        Type H
V'    V#    V&    Cache Collision        Type I
A#    V#    V&    Cache Collision        Type J
V#    V#    V&    Cache Collision        Type K
V&    V#    V&    Bernstein’s attack     Type L
A'    V&    A'    Flush+Flush            Type M
V'    V&    A'    Flush+Flush            Type N
V&    V&    A'    Flush+Flush            Type O
A'    V&    V'    Flush+Flush            Type P
V'    V&    V'    Flush+Flush            Type Q
V&    V&    V'    Flush+Flush            Type R
A'    V&    A#    Flush(Evict)+Reload    Type S
V'    V&    A#    Flush(Evict)+Reload    Type T
A#    V&    A#    Prime+Probe            Type U
V#    V&    A#                           Type V
V&    V&    A#    Flush(Evict)+Reload    Type W
A'    V&    V#    Cache Collision        Type X
V'    V&    V#    Cache Collision        Type Y
A#    V&    V#                           Type Z
V#    V&    V#    Bernstein’s attack     Type AA
V&    V&    V#    Cache Collision        Type AB
17
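The 6x5x5 enumeration, the reduction of longer access sequences and the type table above, combined in an added Python example (not code from the slides or their authors). It assumes the ASCII tokens A#, V#, V&, A', V' and * for the slide's conditions (A = attacker, V = victim, subscripts as they appear on this page), reads the "…" in the reduction rule as "any two adjacent accesses with the same subscript collapse to the later one", and uses hypothetical function names.

```python
from itertools import product

# Tokens (assumed spelling): A = attacker, V = victim; #, & and ' are the slide's subscripts.
CONDS = ["V#", "A#", "V&", "V'", "A'"]

# Transcribed from the exhaustive list: "Type Step0 Step1 Step2 name" ("-" = no name given).
ROWS = (
    "A V& A' V& -;B V& V' V& -;C A' A# V& -;D V' A# V& -;E A# A# V& -;F V# A# V& -;"
    "G V& A# V& Evict+Time;H A' V# V& Cache Collision;I V' V# V& Cache Collision;"
    "J A# V# V& Cache Collision;K V# V# V& Cache Collision;L V& V# V& Bernstein's attack;"
    "M A' V& A' Flush+Flush;N V' V& A' Flush+Flush;O V& V& A' Flush+Flush;"
    "P A' V& V' Flush+Flush;Q V' V& V' Flush+Flush;R V& V& V' Flush+Flush;"
    "S A' V& A# Flush(Evict)+Reload;T V' V& A# Flush(Evict)+Reload;U A# V& A# Prime+Probe;"
    "V V# V& A# -;W V& V& A# Flush(Evict)+Reload;X A' V& V# Cache Collision;"
    "Y V' V& V# Cache Collision;Z A# V& V# -;AA V# V& V# Bernstein's attack;AB V& V& V# Cache Collision"
)
TYPES = {}
for _row in ROWS.split(";"):
    _typ, *_steps, _name = _row.split(None, 4)
    TYPES[tuple(_steps)] = (_typ, None if _name == "-" else _name)
DEMO_TRACE = ["A'", "A'", "V&", "V&", "A#", "*", "A#", "V&", "A#"]  # constructed, not from the slides

def all_patterns():
    """Every Step0 ⇝ Step1 ⇝ Step2 combination: 6 x 5 x 5 = 150."""
    return list(product(CONDS + ["*"], CONDS, CONDS))

def reduce_trace(trace):
    """Split a long access trace at "*" and collapse adjacent same-subscript accesses."""
    segments, cur = [], []
    for acc in trace:
        if acc == "*":                        # no knowledge: the sequence splits in two
            segments.append(cur)
            cur = []
        elif cur and cur[-1][-1] == acc[-1]:  # e.g. A' then V' reduces to V' (assumed rule)
            cur[-1] = acc
        else:
            cur.append(acc)
    segments.append(cur)
    return [seg for seg in segments if seg]

def classify(trace):
    """Return (window, type, name) for every three-step window listed in TYPES."""
    hits = []
    for seg in reduce_trace(trace):
        for i in range(len(seg) - 2):
            win = tuple(seg[i:i + 3])
            if win in TYPES:
                hits.append((win, *TYPES[win]))
    return hits
```

`classify(DEMO_TRACE)` reduces the constructed trace to A' ⇝ V& ⇝ A# and A# ⇝ V& ⇝ A#, which the table lists as Type S (Flush(Evict)+Reload) and Type U (Prime+Probe).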
Vulnerability Examples
- Flush + Reload Attack (Type S, T Attack)
  – A' ⇝ V& ⇝ A#
  – V' ⇝ V& ⇝ A#
  [Figure: set-associative cache (sets and ways); evicted line; access time]
  1- Flush each line in the cache
  2- Victim accesses critical data
  3- Attacker reloads critical data by running specific process (measure time)
- New Type V Attack
  – V# ⇝ V& ⇝ A#
  [Figure: set-associative cache (sets and ways); evicted line; access time]
  1- Victim primes each cache set
  2- Victim accesses critical data
  3- Attacker probes each cache set (measure time)
18
Computation Tree Logic
Treats time as discrete and branching
Can explore different execution paths
- Atomic propositions: , ,…
- Boolean operators: ¬φ, φ ∨ ψ, φ ∧ ψ, …
- Temporal modalities:
  – X ψ … “next ψ”
  – φ U ψ … “φ until ψ”
  – F φ … “eventually φ”
  – G φ … “always φ”
- Path quantifiers:
  – E ψ
  – A ψ
[Figure: example paths with states labelled φ and ψ]
Step0 Step1 Step2
19
Three-Step Model in CTL logic
For a single cache block, model execution paths that represent vulnerabilities to attacks:
M, s ⊨ EF(E(E Step0 U Step1 U Step2))
Eventually there exists a path that corresponds to the vulnerability:
Step0 ⇝ Step1 ⇝ Step2
- Step0: the initial state of the cache block
- Step1: actions of victim or attacker
- Step2: interference & final observation
E.g. A' ⇝ V& ⇝ A# ↔ EF(E(E A' U V& U A#))
20
Bounded Computation Tree
[Figure: the cache state machine (states s0 to s4, labels {probe}, {hit}, {miss}, {replace}, {return data}) unfolded from s0 into a computation tree of (state, depth) nodes starting at (s0,0), with the levels grouped into Step 0, Step 1 and Step 2 of the three-step model]
21
Future Work
- hardware design of secure caches
- cache state machine modeling
- checking of vulnerability in CTL logic
- improve CTL modeling
22
Summary
- cache state machine modeling
- checking of vulnerability in CTL logic
- improve CTL modeling
- Use Computation Tree Logic (CTL): model execution paths of the processor cache, focusing on side-channel attacks
- Develop Cache Access Model: three-step single-cache-block-access model construction
- Analyze Timing Vulnerabilities: exhaustive search for possible attacks based on the three-step model
Thank you!
23
back up slides
24
Soundness of Three-step Model (a)
- One cache access
  – Interference does not exist
- Two cache accesses
  – Same as three-step model with Step0 to be “⋆”
  – None of them can form an attack
- Three cache accesses
  – Exhaustive vulnerability search and effective vulnerabilities derived
25
- More than three cache accesses
  – {⋯ ⇝ ⋆ ⇝ ⋯} can be divided into two parts
  – {⋯ ⇝ A' ⇝ A' ⇝ ⋯}, {⋯ ⇝ A' ⇝ V' ⇝ ⋯}, {⋯ ⇝ A# ⇝ V# ⇝ ⋯}, {⋯ ⇝ V& ⇝ V& ⇝ ⋯}, … can be reduced to {⋯ ⇝ A' ⇝ ⋯}, {⋯ ⇝ V' ⇝ ⋯}, {⋯ ⇝ V# ⇝ ⋯}, {⋯ ⇝ V& ⇝ ⋯}, …, respectively
  – ⋯ ⇝ (A'/V'/A#/V#) ⇝ V& ⇝ (A'/V'/A#/V#) ⇝ ⋯