Cash Attacks on SGX Daniel Gruss, Michael Schwarz September 9, 2017 - - PowerPoint PPT Presentation



slide-1
SLIDE 1

SCIENCE PASSION TECHNOLOGY

Cash Attacks on SGX

Daniel Gruss, Michael Schwarz September 9, 2017

Graz University of Technology

slide-7
SLIDE 7

Outline

www.tugraz.at

SGX

2 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-17
SLIDE 17

SGX

www.tugraz.at

Figure: an application split into a trusted part and an untrusted part with a call gate between them, running on top of the operating system. Labelled steps: Create Enclave, Call Trusted Fnc., Trusted Fnc., Return.

3 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-19
SLIDE 19

SGX Wallets

www.tugraz.at

  • Ledger SGX Enclave for blockchain applications
  • BitPay Copay Bitcoin wallet
  • Teechain payment channel using SGX

Teechain [...] We assume the TEE guarantees to hold and do not consider side-channel attacks [5, 35, 46] on the TEE. Such attacks and their mitigations [36, 43] are outside the scope of this work. [...]

4 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-20
SLIDE 20

Signatures (RSA)

www.tugraz.at

$M = C^d \bmod n$

Square-and-multiply over the bits of d (1 1 1 1 0 ...):

  • First bit: Result = C
  • Bit 1: Result = Result × Result × C (square, multiply)
  • Bit 0: Result = Result × Result (square)

5 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-31
SLIDE 31

ECDSA

www.tugraz.at

  • Used to sign transactions
  • Point multiplication is similar to RSA exponentiation
  • Simplest implementation: double-and-add, or the constant-time Montgomery ladder
  • Both algorithms have secret-dependent memory accesses

6 Daniel Gruss, Michael Schwarz — Graz University of Technology
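
Added example, not from the slides: the square-and-multiply loop from the RSA slides next to a Montgomery ladder, each returning a trace of what it does per key bit. Modular exponentiation stands in for EC point multiplication (same loop structure); the key is a constructed textbook key and all function names are illustrative.

```python
"""Added example: what the operation sequence of an exponentiation reveals."""

# Constructed textbook RSA key (p = 61, q = 53); far too small for real use.
N, D = 3233, 2753


def square_and_multiply(c, d, n):
    """Left-to-right square-and-multiply. Returns (result, operation trace)."""
    bits = bin(d)[2:]
    result = c % n                      # leading 1 bit: Result = C
    ops = []
    for bit in bits[1:]:
        result = (result * result) % n  # every bit: square
        ops.append("S")
        if bit == "1":                  # only for 1 bits: multiply
            result = (result * c) % n
            ops.append("M")
    return result, "".join(ops)


def bits_from_ops(ops):
    """Rebuild the exponent from the S/M trace alone, showing that the
    operation sequence carries every key bit."""
    bits, i = "1", 0
    while i < len(ops):
        if ops[i + 1:i + 2] == "M":     # square followed by multiply -> 1
            bits, i = bits + "1", i + 2
        else:                           # lone square -> 0
            bits, i = bits + "0", i + 1
    return bits


def montgomery_ladder(c, d, n):
    """Montgomery ladder: one multiply and one square for every bit.
    Returns (result, operation trace, index of the register squared per bit)."""
    r = [1, c % n]                      # invariant: r[1] == r[0] * c (mod n)
    ops, squared = [], []
    for bit in bin(d)[2:]:
        b = int(bit)
        r[1 - b] = (r[0] * r[1]) % n    # multiply into the "other" register
        r[b] = (r[b] * r[b]) % n        # square the register selected by the bit
        ops.append("MS")
        squared.append(b)               # which register was touched = key bit
    return r[0], "".join(ops), squared


if __name__ == "__main__":
    c = 2790                            # constructed input value
    _, ops = square_and_multiply(c, D, N)
    print("square-and-multiply trace:", ops)
    print("bits read from trace:     ", bits_from_ops(ops))
    print("actual exponent bits:     ", bin(D)[2:])
    _, ladder_ops, squared = montgomery_ladder(c, D, N)
    print("ladder trace (bit-independent):", ladder_ops)
    print("ladder register index per bit: ", squared)
```

The ladder's operation trace is identical for every exponent of the same length, but the register it squares still follows the key bit, which is the secret-dependent memory access the slide refers to. Hardened implementations replace that bit-indexed access with a constant-time conditional swap.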

slide-38
SLIDE 38

Prime+Probe Cache Attack

www.tugraz.at

Prime+Probe [OST06; Liu+15; Mau+17]...

  • exploits the timing difference when accessing...
      • cached data (fast)
      • uncached data (slow)
  • is used to attack secret-dependent memory accesses
  • is applied to a part of the CPU cache, a cache set
  • works across CPU cores as the last-level cache is shared

7 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-39
SLIDE 39

Prime+Probe

www.tugraz.at

Figure: attacker address space, cache, and victim address space.

  • Step 0: Attacker fills the cache (prime)
  • Step 1: Victim evicts cache lines by accessing own data (loads data)
  • Step 2: Attacker probes data to determine if the set was accessed (fast access or slow access)

8 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-57
SLIDE 57

Attack

slide-66
SLIDE 66

Attack Settings

www.tugraz.at

Figure labels:

  • Attacker: SGX, Key Extractor (Prime+Probe), Loader, L1/L2 Cache
  • Victim: SGX, Transaction Signature + private key, Wallet API, L1/L2 Cache
  • Shared LLC

9 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-72
SLIDE 72

SGX Limitations

www.tugraz.at

Classical Prime+Probe cannot be mounted within SGX:

  • No access to high-precision timer (rdtsc)
  • No syscalls
  • No shared memory
  • No physical addresses
  • No 2 MB large pages

10 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-77
SLIDE 77

Timer

www.tugraz.at

  • We have to build our own timer
  • Timer resolution must be in the order of cycles
  • Start a thread that continuously increments a global variable
  • The global variable is our timestamp
  • This is even 15 % faster than the native timestamp counter

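    mov &timestamp, %rcx    # %rcx = address of the global timestamp variable
1:  inc %rax                # increment the counter
    mov %rax, (%rcx)        # store the counter to the global variable
    jmp 1b                  # loop forever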

11 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-82
SLIDE 82

Physical Addresses

www.tugraz.at

  • Cache set is determined by part of physical address [Mau+15]
  • We have no knowledge of physical addresses
  • Use the reverse-engineered DRAM mapping [Pes+16]
  • Exploit timing differences to find DRAM row borders
  • The 18 LSBs are ‘0’ at a row border

12 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-87
SLIDE 87

Physical Addresses

www.tugraz.at

Figure: a 4 kB page (Page #1, byte offsets 0 to 4095, first block 0 to 127) is divided into 32 blocks whose labels cycle through BG0 (0), Channel (0); BG0 (1), Channel (0); BG0 (0), Channel (1); BG0 (1), Channel (1). Parts of pages #1 to #8 are spread over four 8 kB DRAM rows:

  • 8 kB row x in BG0 (1) and channel (1)
  • 8 kB row x in BG0 (0) and channel (1)
  • 8 kB row x in BG0 (1) and channel (0)
  • 8 kB row x in BG0 (0) and channel (0)

13 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-106
SLIDE 106

Physical Addresses

www.tugraz.at

Figure: consecutive DRAM rows, row n to row n + 5.

14 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-107
SLIDE 107

Physical Addresses

www.tugraz.at

Result on an Intel i5-6200U

Figure: latency [cycles] over array index [kB].

15 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-112
SLIDE 112

Combining Everything

www.tugraz.at

  1. Use the counting primitive to measure DRAM accesses
  2. Through the DRAM side channel, determine the row borders
  3. Row borders have the 18 LSBs set to ‘0’ → maps to cache set ‘0’
  4. Build the eviction set for the Prime+Probe attack
  5. Mount Prime+Probe on the buffer containing the multiplier [Sch+17]

16 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-113
SLIDE 113

Results

slide-114
SLIDE 114

Measured Trace

www.tugraz.at

Raw Prime+Probe trace...

17 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-115
SLIDE 115

Measured Trace

www.tugraz.at

...processed with a simple moving average...

18 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-116
SLIDE 116

Measured Trace

www.tugraz.at

...makes the bits of the exponent clearly visible

1 1 1 00 1 1 1 01 1 1 00000001 000 1 0 1 00 1 1 00 1 1 0 1 1 1 1 1 0 1 1 1 1 0 1 000 1 00 1 1 1 0 1 000 1 1 1 0000 1 1 1

19 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-118
SLIDE 118

Performance Counters

www.tugraz.at

Figure: performance counter values (axis scale ·10^9) for L1 Hits, L1 Misses, L3 Hits and L3 Misses, Native vs. SGX.

20 Daniel Gruss, Michael Schwarz — Graz University of Technology

slide-119
SLIDE 119

Countermeasures

slide-123
SLIDE 123

Source Level

www.tugraz.at

  • Cache attacks can be prevented on source level
  • Use side-channel resistant crypto implementations
  • Exponent blinding for RSA prevents multi-trace attacks
  • Bit-sliced implementations are not vulnerable to cache attacks

21 Daniel Gruss, Michael Schwarz — Graz University of Technology
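
Added example, not from the slides: RSA exponent blinding as d' = d + r·φ(n), with a small simulation of why it stops an observer from averaging several noisy traces. The toy key, the noise model (each bit misread with a fixed probability) and all function names are assumptions made for the illustration.

```python
"""Added example: RSA exponent blinding and its effect on trace averaging."""
import random

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                      # private exponent (Python 3.8+)


def blinded_exponent(rng):
    """d' = d + r * phi(n): same result mod n, different bit pattern per call.
    A real implementation draws r from a CSPRNG; a seeded generator is used
    here only to keep the demonstration reproducible."""
    r = rng.getrandbits(32) | 1          # nonzero blinding factor
    return D + r * PHI


def sign(c, rng=None):
    """Sign with a fresh blinded exponent when rng is given, else with d."""
    exponent = D if rng is None else blinded_exponent(rng)
    return pow(c, exponent, N)


def noisy_trace(exponent, width, flip_prob, rng):
    """Model one observation: the low `width` exponent bits, each misread
    with probability flip_prob."""
    return [((exponent >> i) & 1) ^ (rng.random() < flip_prob)
            for i in range(width)]


def recovery_rate(blinded, traces=41, flip_prob=0.2, seed=1):
    """Fraction of the bits of d that a per-bit majority vote over `traces`
    noisy observations gets right."""
    rng = random.Random(seed)
    width = D.bit_length()
    votes = [0] * width
    for _ in range(traces):
        exponent = blinded_exponent(rng) if blinded else D
        for i, bit in enumerate(noisy_trace(exponent, width, flip_prob, rng)):
            votes[i] += bit
    guess = [int(2 * v > traces) for v in votes]
    truth = [(D >> i) & 1 for i in range(width)]
    return sum(g == t for g, t in zip(guess, truth)) / width


if __name__ == "__main__":
    rng = random.Random(7)
    c = 123456789                        # constructed input value
    print("signatures match:", sign(c, rng) == sign(c))
    print("bits recovered, fixed exponent:  ", recovery_rate(blinded=False))
    print("bits recovered, blinded exponent:", recovery_rate(blinded=True))
```

With a fixed exponent the vote removes the noise; with blinding every trace belongs to a different exponent and the vote is close to guessing. Each individual trace still describes a valid exponent, which is why the slide limits the claim to multi-trace attacks.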

slide-128
SLIDE 128

Operating System Level

  • Trusting the operating system weakens the SGX threat model
  • Method for the operating system to inspect enclave code
  • Re-enable certain performance counters, such as L3 hits/misses
  • Enclave coloring to prevent cross-enclave attacks
  • Heap randomization to randomize cache sets

slide-134
SLIDE 134

Hardware Level

  • Intel could prevent attacks by changing the hardware
  • Combine Cache Allocation Technology (CAT) with SGX
  • Instead of controlling CAT from the OS, combine it with eenter
  • Entering an enclave would automatically activate CAT for this core
  • L3 is then isolated from all other enclaves and applications
  • Provide a non-shared secure memory element which is not cached

slide-138
SLIDE 138

Conclusion

  • Side channels can cost you money
  • Do not consider side channels out-of-scope
  • Exploitable code + SGX = exploitable SGX enclave

slide-139
SLIDE 139

Thank you!

slide-143
SLIDE 143

Bonus: Error Probability

Error probability depends on which cache set of the key we attack

[Figure: bit-error ratio [%] per cache set for a 4096-bit key. Cache sets 1 to 9: 33.68, 29.87, 29.83, 6.96, 4.19, 3.75, 6.1, 5.36, 4.29]

[Figure: bit-errors against number of traces (x-axis 3, 5, 7, 9, 11); plotted values 69, 15, 4, 1]

slide-144
SLIDE 144

Runtime

Full recovery of a 4096-bit RSA key in approximately 5 minutes

  • Cache Set Detection (3 min)
  • Prime+Probe (5 s)
  • Pre-Processing (110 s)
  • Key Recovery (20 s)

slide-145
SLIDE 145

Bonus: Timer

CPU cycles one increment takes: rdtsc 1

    timestamp = rdtsc();  /* read the hardware timestamp counter */

slide-146
SLIDE 146

Bonus: Timer

CPU cycles one increment takes: rdtsc 1, C 4.7

    /* counting thread: timestamp is shared and incremented forever */
    while (1) {
        timestamp++;
    }

slide-147
SLIDE 147

Bonus: Timer

CPU cycles one increment takes: rdtsc 1, C 4.7, Assembly 4.67

        mov &timestamp, %rcx    # rcx = address of timestamp (slide notation)
    1:  incl (%rcx)             # increment the counter in memory
        jmp 1b

slide-148
SLIDE 148

Bonus: Timer

CPU cycles one increment takes: rdtsc 1, C 4.7, Assembly 4.67, Optimized Assembly 0.87

        mov &timestamp, %rcx    # rcx = address of timestamp (slide notation)
    1:  inc %rax                # increment in a register
        mov %rax, (%rcx)        # store only; no load from memory in the loop
        jmp 1b

slide-151
SLIDE 151

Bonus: Docker

[Diagram: an attacker container holding the Loader and an SGX enclave with the malware (Prime+Probe), next to a victim container holding the API and an SGX enclave with RSA (+ private key); both containers sit on the SGX driver and the Docker engine.]