CSE 610 Special Topics: System Security - Attack and Defense for - - PowerPoint PPT Presentation

cse 610 special topics system security attack and defense
SMART_READER_LITE
LIVE PREVIEW

CSE 610 Special Topics: System Security - Attack and Defense for - - PowerPoint PPT Presentation

Aug 06, 2023 97 likes •540 views

CSE 610 Special Topics: System Security - Attack and Defense for Binaries Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM Todays Agenda 1. Cache side channel attack Speed Gap Between CPU and

slide-1
SLIDE 1

CSE 610 Special Topics: System Security - Attack and Defense for Binaries

Instructor: Dr. Ziming Zhao Location: Frnczk 408, North campus Time: Monday, 5:20 PM - 8:10 PM

slide-2
SLIDE 2

Today’s Agenda

1. Cache side channel attack

slide-3
SLIDE 3

Speed Gap Between CPU and DRAM

slide-4
SLIDE 4

A tradeoff between Speed, Cost and Capacity Memory Hierarchy

slide-5
SLIDE 5

A cache is a small amount of fast, expensive memory (SRAM). The cache goes between the CPU and the main memory (DRAM). It keeps a copy of the most frequently used data from the main memory. All levels of caches are integrated onto the processor chip.

CPU Cache

slide-6
SLIDE 6

Access Time in 2012 Cache Static RAM 0.5 - 2.5 ns Memory Dynamic RAM 50- 70 ns Secondary Flash 5,000 - 50,000 ns Magnetic disks 5,000,000 - 20,000,000 ns

Access Time

slide-7
SLIDE 7

A cache hit occurs if the cache contains the data that we’re looking for. A cache miss occurs if the cache does not contain the requested data.

Cache Hits and Misses

slide-8
SLIDE 8

Cache Hierarchy

L1 Cache is closest to the CPU. Usually divided in Code and Data cache L2 and L3 cache are usually unified.

slide-9
SLIDE 9

Cache Hierarchy

slide-10
SLIDE 10

Cache Hierarchy

slide-11
SLIDE 11
slide-12
SLIDE 12

Cache Line/Block

The minimum unit of information that can be either present or not present in a cache. 64 bytes in modern Intel and ARM CPUs

slide-13
SLIDE 13

n-Way Set-Associative Cache

Any given block/line in the main memory may be cached in any

  • f the n cache lines in one cache set.
slide-14
SLIDE 14

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line Number of sets = Cache Size / (Number of ways * Line size) = 32 * 1024 / (4 * 64) = 128

Offset 31

n-Way Set-Associative Cache

5 6 13 12

slide-15
SLIDE 15

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-16
SLIDE 16

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-17
SLIDE 17

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-18
SLIDE 18

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-19
SLIDE 19

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-20
SLIDE 20

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

n-Way Set-Associative Cache

slide-21
SLIDE 21

Cache Line/Block Content

Tag Set, Index

32KB 4-way set-associative data cache, 64 bytes per line

Offset 31 127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 5 6 12 13

Tag Data D V

slide-22
SLIDE 22

Congruent Addresses

Each memory address maps to one of these cache sets. Memory addresses that map to the same cache set are called congruent. Congruent addresses compete for cache lines within the same set, where replacement policy needs to decide which line will be replaced.

slide-23
SLIDE 23

Replacement Algorithm

Least recently used (LRU) First in first out (FIFO) Least frequently used (LFU) Random

slide-24
SLIDE 24

Cache Side-Channel Attacks

Cache side-channel attacks utilize time differences between a cache hit and a cache miss to infer whether specific code/data has been accessed.

slide-25
SLIDE 25

Memory Registers

Cache Side-Channel Attack

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 ? 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1

slide-26
SLIDE 26

Memory Registers

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 0x0001 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1

Cache Side-Channel Attack

slide-27
SLIDE 27

Memory Registers

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 ? 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1 Cache Way 0 Way 1 ...

Cache Side-Channel Attack

slide-28
SLIDE 28

Memory Registers

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 0x0001 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1 Cache Way 0 Way 1 ...

Cache Side-Channel Attack

slide-29
SLIDE 29

Memory Registers

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 0x0001 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1 Cache Way 0 Way 1 ...

Cache Side-Channel Attack

slide-30
SLIDE 30

Memory Registers

; Assume r0 = 0x3000 ; Load a word: LDR r1, [r0]

0x3000 0x0001 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1 Cache Way 0 Way 1 ...

Cache Side-Channel Attack

slide-31
SLIDE 31

Memory Registers

; Assume r0 = 0x3000 ; Load a word:

;Get current time t1

LDR r1, [r0]

;Get current time t2; t2 - t1 0x3000 0x0001 0x00000001 0x3000 0x00000002 0x3004 0x00000000 0x2FFC r0 r1 Cache Way 0 Way 1 ...

Cache Side-Channel Attack

slide-32
SLIDE 32

Attack Primitives

Evict+Time Prime+Probe Flush+Flush Flush+Reload Evict+Reload

slide-33
SLIDE 33

Moritz Lipp, Cache Attacks on ARM, Graz University Of Technology

slide-34
SLIDE 34

Prime+Probe

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 1 Prime: Attacker occupies a set

Attacker Address Space Victim Address Space

slide-35
SLIDE 35

Prime+Probe

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3 Attacker Address Space Victim Address Space

Step 1 Prime: Attacker occupies a set

slide-36
SLIDE 36

Prime+Probe

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 2: Victim runs

Attacker Address Space Victim Address Space

slide-37
SLIDE 37

Prime+Probe

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 3 Probe: Attacker accesses memory again and measures the time

Attacker Address Space Victim Address Space

slide-38
SLIDE 38

Flush+Reload

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

A memory block is cached

Attacker Address Space Victim Address Space

slide-39
SLIDE 39

Flush+Reload

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 1 Flush: Attacker flushes this memory block out of cache

Attacker Address Space Victim Address Space

slide-40
SLIDE 40

Flush+Reload

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 2 Reload: Victim may / may not access that block again

Attacker Address Space Victim Address Space

slide-41
SLIDE 41

Flush+Reload

127 ... Way 0 127 ... Way 1 127 ... Way 2 127 ... Way 3

Step 3 Probe: Attacker accesses that block again and measure

Attacker Address Space Victim Address Space

slide-42
SLIDE 42