DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors

Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer
{vlk, ilebedev, saman, devadas, emer}@csail.mit.edu
MICRO'18


SLIDE 1

DAWG: A Defense Against Cache Timing Attacks in Speculative Execution Processors

Vladimir Kiriansky, Ilia Lebedev, Saman Amarasinghe, Srinivas Devadas, Joel Emer

{vlk, ilebedev, saman, devadas, emer}@csail.mit.edu
MICRO'18, October 24, 2018, Fukuoka, Japan

SLIDE 2

Outline

  • Cache access timing attacks
  • DAWG protection mechanism: Cache, Core
  • OS support: System Calls, Resource Management
  • Performance and security evaluation
  • Conclusion & Q/A

SLIDE 3

Trust Boundaries

[Diagram: OS, Process]

SLIDE 4

Trust Boundaries

[Diagram: OS, Sandbox, Enclave, Hypervisor, Process]

SLIDE 5

Trust Boundaries

[Diagram: OS, Sandbox, Enclave, OS, Hypervisor, Process, Process]

SLIDE 6

Trust Boundary Crossing APIs / Attack Vectors

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox, Enclave. Legend: Legal API]

SLIDE 7

Trust Boundary Crossing APIs / Attack Vectors

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox, Enclave. Legend: Illegal Channel, Legal API]

SLIDE 8

Side Channels and Covert Channels

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Secret data, Stolen data]

SLIDE 9

Side Channels and Covert Channels

  • Accessor
  • Existing code - non-speculative, traditional
  • Synthesized - Spectre 1.0, 1.1 - unresolved

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Secret data, Accessor]

SLIDE 10

Side Channels and Covert Channels

  • Accessor
  • Existing code - non-speculative, traditional
  • Synthesized - Spectre 1.0, 1.1 - unresolved

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Secret data, Accessor, Transmitter, covert channel, Receiver, Stolen data]

SLIDE 11

Side Channels and Covert Channels

  • Accessor
  • Existing code - non-speculative, traditional
  • Synthesized - Spectre 1.0, 1.1 - unresolved
  • Channel = micro-architectural state: cache, TLB, branch predictor state, etc.

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Secret data, Accessor, Transmitter, covert channel, Receiver, Stolen data]

SLIDE 12

Side Channels and Covert Channels

  • Accessor
  • Existing code - non-speculative, traditional
  • Synthesized - Spectre 1.0, 1.1 - unresolved
  • Channel = micro-architectural state: cache, TLB, branch predictor state, etc.

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Secret data, Accessor, Transmitter, blocked channel, Receiver, Stolen data]

SLIDE 13

Cache Covert Channel

[Diagram: Attacker's Protection Domain, Victim's Protection Domain, Transmitter, Receiver, cache covert channel]

SLIDE 14

Cache Covert Channel: Shared Cache Ways

[Diagram: 2-way cache set]

SLIDE 15

Cache Covert Channel: Shared Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash

[Flush+Reload, Evict+Reload, Thrash+Reload]

[Diagram: 2-way cache set; A]

SLIDE 16

Cache Covert Channel: Shared Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash

[Diagram: 2-way cache set]

SLIDE 17

Cache Covert Channel: Shared Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A

[Diagram labels: 1; A]

SLIDE 18

Cache Covert Channel: Shared Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A
  3. Receiver times access to A

[Diagram labels: 1; A, A]

SLIDE 19

Cache Covert Channel: Shared Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A
  3. Receiver times access to A
     → infers secret bit

[Diagram labels: 1; A, A, A]

SLIDE 20

Cache Covert Channel

[Diagram: Attacker, Victim, Transmitter, Receiver, cache covert channel]

SLIDE 21

Block Cache Covert Channel?

[Diagram: Attacker, Victim, Transmitter, Receiver]

SLIDE 22

DAWG: Dynamically Allocated Way Guard

  • Cache Protection Domains
  • Non-interference by any action: hit / flush / eviction / fill

SLIDE 23

DAWG: Dynamically Allocated Way Guard

  • Cache Protection Domains
  • Non-interference by any action: hit / flush / eviction / fill
  • Partitioned ways of set-associative structures
  • Domain-private cache tag state

[Diagram: way-partitioned cache set]

SLIDE 24

DAWG: Dynamically Allocated Way Guard

  • Cache Protection Domains
  • Non-interference by any action: hit / flush / eviction / fill
  • Partitioned ways of set-associative structures
  • Domain-private cache tag state
  • Domain-private replacement metadata

[Diagram: way-partitioned cache set]

SLIDE 25

No Cache Covert Channel: Private Cache Ways

[Diagram: per-domain ways; Attacker, Victim]

SLIDE 26

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A?
     Flush / Evict / Thrash

SLIDE 27

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash

SLIDE 28

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A

[Diagram labels: 1; A]

SLIDE 29

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A
  3. Receiver times access to A

[Diagram labels: 1; A, A]

SLIDE 30

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A
  3. Receiver times access to A
     = no signal

[Diagram labels: 1; A, A, A, A]

SLIDE 31

No Cache Covert Channel: Private Cache Ways

  1. Receiver evicts block A
     Flush / Evict / Thrash
  2. Transmitter sends a 0 or 1 secret bit via access to A
  3. Receiver times access to A
     = no signal

[Diagram labels: 1; ?!; A, A, A, A]

SLIDE 32

No Cache Covert Channel

[Diagram: Attacker Domain, Victim Domain, Receiver, Transmitter]

SLIDE 33

CAT: QoS Cache Partitioning

  • Starting point in production silicon: Intel's Cache Allocation Technology for LLC
  • Iyer et al [SC'04, SIGMETRICS'07, MICRO'07]
    From concept to reality in Haswell [HPCA'16]
  • Not a security barrier

Quality of Service goal: prevent one application from dominating the cache

SLIDE 34

CAT: Way-Partitioned Set-associative Caches

  • Way-partitioning LLC
  • Protection domain IDs
  • Fill mask

[Block diagram: Address split into Tag and Set Index; cache ways W0 W1 W2 W3 (Tag, Line) with tag comparators (==); cache set metadata; replacement policy; cache controller state machine; coherence logic. Signals: way hits, hit, cache line, set metadata, updated set metadata, cache line write data, way write enables, new cache line, set index, way write enable]

SLIDE 35

DAWG: Dynamically Allocated Way Guard

  • Way-partitioning L1-L3
  • Protection domain IDs
  • Fill mask

[Block diagram: Address split into Tag and Set Index; cache ways W0 W1 W2 W3 (Tag, Line) with tag comparators (==); cache set metadata; replacement policy; policies; cache controller state machine; coherence logic. Signals: policy-masked way hits, hit isolation, cache line, set metadata, updated set metadata, cache line write data, way write enables, new cache line, set index, way write enable. Labels: metadata, hit, fill isolation]

SLIDE 36

DAWG: Dynamically Allocated Way Guard

  • Way-partitioning L1-L3
  • Protection domain IDs
  • Fill mask
  • Hit mask
  • Hits

[Block diagram: Address split into Tag and Set Index; cache ways W0 W1 W2 W3 (Tag, Line) with tag comparators (==); cache set metadata; replacement policy; policies; cache controller state machine; coherence logic. Signals: policy-masked way hits, hit isolation, cache line, set metadata, updated set metadata, cache line write data, way write enables, new cache line, set index, way write enable. Labels: metadata, hit isolation, fill isolation]

SLIDE 37

DAWG: Dynamically Allocated Way Guard

  • Way-partitioning L1-L3
  • Protection domain IDs
  • Fill mask
  • Hit mask
  • Hits
  • PLRU updates

[Block diagram: Address split into Tag and Set Index; cache ways W0 W1 W2 W3 (Tag, Line) with tag comparators (==); cache set metadata; replacement policy; policies; cache controller state machine; coherence logic. Signals: policy-masked way hits, hit isolation, cache line, set metadata, updated set metadata, cache line write data, way write enables, new cache line, set index, way write enable. Labels: metadata isolation, hit isolation, fill isolation]

SLIDE 38

Higher Security than QoS Cache Partitioning

  • Production QoS way-partitioning (CAT) by design allows hits across domains
  • Not a security barrier

                   CAT   DAWG
Way allocation     ✅    ✅
Hits in victim     ❌    ✅

[Diagram labels: Hits, Cross-Domain]

SLIDE 39

Higher Security than QoS Cache Partitioning

  • Production QoS way-partitioning (CAT) by design allows hits across domains
  • Not a security barrier

                   CAT   DAWG
Way allocation     ✅    ✅
Hits in victim     ❌    ✅
Flush in victim    ❌    ✅

[Diagram label: Flush]

SLIDE 40

Higher Security than QoS Cache Partitioning

  • Production QoS way-partitioning (CAT) by design allows hits across domains
  • Not a security barrier

                   CAT   DAWG
Way allocation     ✅    ✅
Hits in victim     ❌    ✅
Flush in victim    ❌    ✅
PLRU/NRU leak      ❌    ✅

[Diagram label: LRU]

SLIDE 41

Shared Memory ↛ Shared Cache

                   CAT   DAWG
Hits in victim     ❌    ✅
Flush in victim    ❌    ✅

Flush+Reload, Evict+Reload, Thrash+Reload

[Diagram: CAT, DAWG]

SLIDE 42

Shared Sets ↛ Shared Metadata

                   CAT   DAWG
PLRU/NRU leak      ❌    ✅

PLRU-Prime+Probe

[Diagram: CAT, DAWG; LRU, LRU, LRU]

SLIDE 43

OS Support and Resource Management

SLIDE 44

Protection Domain Isolation

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox, Enclave. Legend: Illegal Channels, Legal API]

SLIDE 45

Protection Domain Isolation

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox, Enclave. Legend: Illegal Channels, Legal API]

SLIDE 46

Protection Domain Isolation

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox, Enclave. Legend: Legal API]

SLIDE 47

Fast System Calls

  1. OS can access everything in process memory
  2. In/out arguments in cache (dirty)
  3. OS must not leak

[Diagram: OS, Process]

SLIDE 48

Core & OS changes: Domain Descriptors

  • Existing support for CAT

[Diagram: Domain Descriptors (Global); Fill Mask: 0111 1000 1]

SLIDE 49

Core & OS changes: Domain Descriptors

  • Existing support for CAT + DAWG

[Diagram: Domain Descriptors (Global); Fill Mask, Hit Mask: 0111,0111 1000,1000 1]
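The fill-mask-only (CAT) and fill-plus-hit-mask (DAWG) descriptors above, run through the three receiver/transmitter steps from the covert-channel slides, as an added Python model that is not code from the slides or the paper. The names `Domain`, `CacheSet`, `receiver_observation` and `leaks` are hypothetical; CAT is modelled as a hit mask covering all ways, and replacement is a plain LRU stand-in rather than PLRU.

```python
# Toy model of one 4-way cache set. Added example, not the authors' hardware or simulator code.
# Masks are one bit per way, using the 0111 / 1000 values from the Domain Descriptors slides.
from collections import namedtuple

# fill_mask: ways a domain may allocate into (CAT); hit_mask: ways it may hit in or flush (DAWG)
Domain = namedtuple("Domain", "fill_mask hit_mask")

class CacheSet:
    def __init__(self, ways=4):
        self.tags = [None] * ways  # tag stored in each way
        self.used = [0] * ways     # last-use tick per way (LRU stand-in, an assumption)
        self.tick = 0

    def _ways(self, mask):
        return [w for w in range(len(self.tags)) if (mask >> w) & 1]

    def access(self, dom, tag):
        """Return True on a hit; a miss fills a way chosen inside dom.fill_mask."""
        self.tick += 1
        for w in self._ways(dom.hit_mask):
            if self.tags[w] == tag:
                self.used[w] = self.tick
                return True
        victim = min(self._ways(dom.fill_mask),
                     key=lambda w: (self.tags[w] is not None, self.used[w]))
        self.tags[victim], self.used[victim] = tag, self.tick
        return False

    def flush(self, dom, tag):
        """Invalidate tag, but only in ways the domain's hit mask exposes."""
        for w in self._ways(dom.hit_mask):
            if self.tags[w] == tag:
                self.tags[w] = None

def receiver_observation(victim, attacker, secret_bit):
    """Steps 1-3 from the slides; A is a line both domains can address."""
    s = CacheSet()
    s.access(victim, "A")           # A starts out cached by the victim
    s.flush(attacker, "A")          # 1. receiver evicts block A
    if secret_bit:
        s.access(victim, "A")       # 2. transmitter accesses A only to send a 1
    return s.access(attacker, "A")  # 3. receiver times A: True means a fast hit

def leaks(victim, attacker):
    """True if what the receiver observes depends on the secret bit."""
    return receiver_observation(victim, attacker, 0) != receiver_observation(victim, attacker, 1)

# (victim, attacker) descriptor pairs
CAT = (Domain(0b0111, 0b1111), Domain(0b1000, 0b1111))
DAWG = (Domain(0b0111, 0b0111), Domain(0b1000, 0b1000))
```

`leaks(*CAT)` is true because the receiver's flush and reload reach the victim's ways; `leaks(*DAWG)` is false because both are confined to the receiver's own way.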

SLIDE 50

Core & OS changes: Domain Selectors

  • Existing support for SMAP (Supervisor Mode Access Protection)

Few routines access user-data & toggle SMAP: copy_from_user, copy_to_user, ...

SLIDE 51

Core & OS changes: Domain Selectors

  • Existing support for SMAP + DAWG
  • Core MSR: separate code / load / store selectors

[Diagram: Domain Selectors (Per-Thread); selector labels: Code, Store, Load]

SLIDE 52

Core & OS changes: System calls

  • Existing support for CAT & SMAP + DAWG
  • Core MSR: separate code / load / store selectors

[Diagram: Domain Selectors (Per-Thread); selector labels: Code, Store, Load; domain labels: User, User, User; Fill Mask, Hit Mask]

SLIDE 53

Core & OS changes: System calls

  • Existing support for CAT & SMAP + DAWG
  • Core MSR: separate code / load / store selectors

[Diagram: copy_from_user; selector labels: Code, Store, Load; domain labels: User, OS, OS]

SLIDE 54

Core & OS changes: System calls

  • Existing support for CAT & SMAP + DAWG
  • Core MSR: separate code / load / store selectors

[Diagram: copy_to_user; selector labels: Code, Store, Load; domain labels: OS, User, OS]

SLIDE 55

Resource Management

  • Extends CAT support + secure domain reallocation
  • Secure dynamic way reassignment

[Diagram: Fill Mask, Hit Mask]

SLIDE 56

Secure Dynamic Way Reassignment

  • Secure way sanitization
  • Concurrent for shared caches

[Diagram: Fill Mask, Hit Mask; Flush blocks in revoked way]

SLIDE 57

Secure Dynamic Way Reassignment

[Diagram: Fill Mask, Hit Mask]

SLIDE 58

Secure Dynamic Way Reassignment

[Diagram: Fill Mask, Hit Mask]

SLIDE 59

Secure Dynamic Way Reassignment

[Diagram: Fill Mask, Hit Mask]

SLIDE 60

DAWG Beyond Cache Partitioning

  • Cache Way Locking

[Diagram: Fill Mask, Hit Mask]

SLIDE 61

Core & OS changes

  • Shared libraries, memory mapped I/O, VM page sharing, and cache coherence
  • Details in our paper

SLIDE 62

Performance Evaluation

SLIDE 63

Matching Performance of QoS Cache Partitioning

  • Typical use case: public cloud VM isolation (no page sharing, no core sharing, no SMT)
    → DAWG's performance is identical to production LLC way-partitioning (Intel's CAT)

[Diagram: VM1, VM2]

SLIDE 64

[Figure: Way-Partitioning, power-law graphs [GAPBS], in zsim. Panels: 8/16 ways, 15/16 ways, 16/16 ways; annotations: (1 way for OS), (fair share), (insecure baseline). Y axis: Cycles / Edge (K); X axis: Graph Size (log N), 12 to 20. Benchmarks: bc, pr, tc, bfs, cc, sssp]

SLIDE 65

[Figure: Way-Partitioning, power-law graphs [GAPBS], in zsim. Panels: 8/16 ways, 15/16 ways, 16/16 ways; annotations: (1 way for OS), (fair share), (insecure baseline). Y axis: Cycles / Edge (K); X axis: Graph Size (log N), 12 to 20. Benchmarks: bc, pr, tc, bfs, cc, sssp]

SLIDE 66

Shared Data: DAWG vs CAT

[Figure: Private vs Shared (Haswell), shared read-only mapping, on Haswell. Y axis: Slowdown, 0.8 to 1.2; X axis: Graph Size (log N), 15 to 23. Benchmarks: bc, pr, tc, bfs, cc, sssp]

SLIDE 67

Security Evaluation

SLIDE 68

Cache Partitioning ≈ Dedicated Host Per Domain

Isolating peers

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox. Legend: Illegal Channels]

SLIDE 69

Cache Partitioning ≈ Dedicated Host Per Domain

Isolating peers

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox. Legend: Illegal Channels]

SLIDE 70

Cache Partitioning ≈ Dedicated Host Per Domain

Isolating peers and parents

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox. Legend: Illegal Channels]

SLIDE 71

Cache Partitioning ≈ Dedicated Host Per Domain

Secure API, Secure communication

[Diagram: OS, Hypervisor, OS, Process, Process, Sandbox. Legend: Illegal Channels]

SLIDE 72

Dedicated Host Insufficient: Remote Cache Timing Attacks

  • High-bandwidth remote cache timing attack

[Diagram: Dedicated Host; Attacker, OS, Hypervisor, OS, Process, Process, Sandbox; Attacker Process, Hypervisor]

SLIDE 73

Remote Cache Reflection: Attacks and Defenses

  • High-bandwidth remote cache timing attack

[Diagram: victim's protection domain (kernel): secret, syscall 1, syscall 2; attacker's protection domain (malicious unprivileged app): secret receiver; cache state; arrows: affected by, affects; syscall completion time channel, not closed by DAWG caches]

secret is passed indirectly, via timing of cache accesses, within a single protection domain
attacker orchestrates syscalls to infer secret via syscall completion time
syscalls interact via the cache; latency of 2nd syscall depends on accesses made by 1st

SLIDE 74

Conclusion

  • Partitioning is the foundation
  • Minimal changes to hardware: Build on CAT
  • Minimal changes to OS: Build on SMAP
  • Minimal performance overhead: Zero or small over CAT QoS
  • DAWG applies beyond caches: TLB, etc

SLIDE 75

Thanks

Vladimir Kiriansky vlk@csail.mit.edu

SLIDE 76

Backup Slides

SLIDE 77

Beyond Cache Partitioning: Code Prioritization

[Diagram labels: CS:, ES:, DS:; Code, Data, Data]

SLIDE 78

Beyond Cache Partitioning: Streaming Data Isolation

  • Graph application use case: 1-way for streaming edges, 3-ways for per-vertex data

[Diagram labels: CS:, ES:, DS:; Data, Edges]