SLIDE 1
Exploiting Microarchitectural Flaws
in the Heart of the Memory Subsystem
Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University
2
Exploiting Microarchitectural Flaws in the Heart of the Memory - - PowerPoint PPT Presentation
Exploiting Microarchitectural Flaws in the Heart of the Memory - - PowerPoint PPT Presentation
Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem
SLIDE 2
SLIDE 3
CPU Memory Subsystem
Front End
Allocation Queue
SLIDE 4
CPU Memory Subsystem
Front End
Allocation Queue
stor $$, (add_A)
SLIDE 5
CPU Memory Subsystem
Front End
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB Back End
SLIDE 6
CPU Memory Subsystem
Front End
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
Memory Subsystem Back End
SLIDE 7
CPU Memory Subsystem
7 Front End 7
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 8
CPU Memory Subsystem
8 Front End 8
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DTLB
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
0x000401
Store Virtual Address
SLIDE 9
CPU Memory Subsystem
9 Front End 9
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DTLB
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
0x000401
Store Virtual Address PMH
SLIDE 10
CPU Memory Subsystem
10 Front End 10
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DTLB
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
P
RW US A …
Physical Page Number
… …
0x000401
Store Virtual Address PMH Page Walk
SLIDE 11
CPU Memory Subsystem
11 Front End 11
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 12
CPU Memory Subsystem
12 Front End 12
Allocation Queue
stor $$, (add_A)
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 13
CPU Memory Subsystem
13 Front End 13
Allocation Queue
load (add_B), AX
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 14
CPU Memory Subsystem
14 Front End 14
Allocation Queue
load (add_B), AX
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 15
CPU Memory Subsystem
15 Front End 15
Allocation Queue
load (add_B), AX
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 16
CPU Memory Subsystem
16 Front End 16
Allocation Queue
load (add_B), AX
Scheduler
Store Load Load ALU ALU
EUs ROB DRAM L3 L2
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End
SLIDE 17
CPU Memory Subsystem
17 Front End 17
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 18
CPU Memory Subsystem – Store Forwarding
18 Front End 18
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 19
CPU Memory Subsystem – Store Forwarding
19 Front End 19
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
- addr_c == addr_a?
- addr_c == addr_b?
SLIDE 20
20
SLIDE 21
21
SLIDE 22
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Tom Alex Professor
SLIDE 23
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Cut and Precook Cut Tomato Grind Chees Tom Alex Professor Cook Deliver
SLIDE 24
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Cut and Precook Cut Tomato Grind Chees Tom Alex Professor Cook Deliver
SLIDE 25
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
SLIDE 26
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Cut Cut Grind Precook and mix
SLIDE 27
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Cut Cut Grind Precook and mix
SLIDE 28
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
Cut Cut Grind Precook and mix Precook and mix Cook and deliver Cook and deliver
SLIDE 29
Speculative Cut
Busy
Speculative Cut
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
- 4. ???
SLIDE 30
Speculative Cut Speculative Cut
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
- 4. Chicken
Precook and mix
SLIDE 31
Speculative Cut Speculative Cut
- 1. Pepperoni
- 2. Chicken
- 3. Pepperoni
- 4. Chicken
Precook and mix Precook and mix
SLIDE 32
MemJam
32
SLIDE 33
MemJam Attack
- Memory loads/stores are executed out of order and speculatively.
33
SLIDE 34
MemJam Attack
- Memory loads/stores are executed out of order and speculatively.
- Address translation can be expensive.
34
SLIDE 35
MemJam Attack
- Memory loads/stores are executed out of order and speculatively.
- Address translation can be expensive.
- 4K Aliasing: Addresses that are 4K apart are assumed dependent.
35
SLIDE 36
CPU Memory Subsystem – Store Forwarding
36 Front End 36
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
- addr_c[0:12] == addr_a[12:0]?
SLIDE 37
CPU Memory Subsystem – Store Forwarding
37 Front End 37
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2 Verify?
SLIDE 38
MemJam Attack
- Memory loads/stores are executed out of order and speculatively.
- Address translation can be expensive.
- 4K Aliasing: Addresses that are 4K apart are assumed dependent.
- The dependency is verified after the execution!
- Re-execute the load block due to false dependency.
38
SLIDE 39
MemJam – 4K Aliasing across Sibling Threads
39 Core Thread A Thread B Load 0xFECD1 Load 0xFECD2 Load 0xFECD3 Load 0xFECD4 Load 0xFECD5 Load 0xFECD6 Load 0xFECD7 Load 0xFECD8 Execute & Time
SLIDE 40
MemJam – 4K Aliasing across Sibling Threads
40 Core Thread A Thread B Load 0xFECD1 Load 0xFECD2 Load 0xFECD3 Load 0xFECD4 Load 0xFECD5 Load 0xFECD6 Load 0xFECD7 Load 0xFECD8 Execute & Time Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF Store 0x12ABCDEF
SLIDE 41
MemJam – 4K Aliasing across Sibling Threads
41 Core Thread A Thread B Load 0xFECD1 Load 0xFECD2 Load 0xFECD3 Load 0xFECD4 Load 0xFECD5 Load 0xFECD6 Load 0xFECD7 Load 0xFECD8 Execute & Time Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200 Store 0x12ABC200
SLIDE 42
MemJam – 4K Aliasing across Sibling Threads
42 Core Thread A Thread B Load 0xFECD1 Load 0xFECD2 Load 0xFECD3 Load 0xFECD4 Load 0xFECD5 Load 0xFECD6 Load 0xFECD7 Load 0xFECD8 Execute & Time Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC Store 0x12ABC
SLIDE 43
MemJam – Intra Cache Line Resolution
43 Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical)
SLIDE 44
MemJam – Intra Cache Line Resolution
44 Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks
SLIDE 45
MemJam – Intra Cache Line Resolution
45 Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/L3 Cache Attacks
SLIDE 46
MemJam – Intra Cache Line Resolution
46 Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/L3 Cache Attacks
MemJam
- Conflicted intra-cache line Leakage (4-byte granularity)
- Higher time → Memory accesses with the same bit 3 - 12
- 4 bits of intra-cache level leakage
SLIDE 47
MemJam – Attacking So-Called Constant Time AES
- Scatter-gather implementation of AES
- Intel SGX Software Development Kit (SDK) and IPP Cryptography Library
- 256 S-Box – 4 Cache Line
- Cache independent access pattern
47 LINE 2 A LINE 2 B LINE 2 C LINE 2 D 64 Bytes 4 Cache Lines S-Box Lookup A B C D B
SLIDE 48
MemJam – Attacking So-Called Constant Time AES
LINE 2 64 Bytes 4 Cache Lines
SLIDE 49
MemJam – AES Key Recovery
SLIDE 50
Are there other Address Aliasing?
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA
Store Buffer
SLIDE 51
Spoiler: Finding Undocumented Aliasing
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA
Store Buffer
…
Virtual Pages
SLIDE 52
Spoiler: Finding Undocumented Aliasing
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA VFN PFN [8:0] VFN PFN [8:0] Offset Offset DATA DATA
Store Buffer
…
Virtual Pages 64 pages
SLIDE 53
Spoiler: Finding Undocumented Aliasing
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
…
Virtual Pages 64 pages
0 C 0 0 x 4 0 0 F E 2 0 C 0 0 x 4 0 0 F E 1 … … 0 C 0 0 x 4 0 1020 Stores
SLIDE 54
Spoiler: Finding Undocumented Aliasing
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
…
Virtual Pages 64 pages
Stores 0 C 0 0 x 4 0 0 F E 2 0 C 0 0 x 4 0 0 F E 1 … … 0 C 0 0 x 4 0 1 0 2 0 0 C 0 0 x 4 F 1 2 3 4 Load
SLIDE 55
Spoiler: Finding Undocumented Aliasing
Stores 0 C 0 0 x 4 0 0 F E 3 0 C 0 0 x 4 0 0 F E 2 … … 0 C 0 0 x 4 0 1 0 2 1 0 C 0 0 x 4 F 1 2 3 4 Load
…
Virtual Pages
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
SLIDE 56
Spoiler: Finding Undocumented Aliasing
Stores 0 C 0 0 x 4 0 0 F E 4 0 C 0 0 x 4 0 0 F E 3 … … 0 C 0 0 x 4 0 1 0 2 2 0 C 0 0 x 4 F 1 2 3 4 Load
…
Virtual Pages
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
SLIDE 57
Spoiler: Finding Undocumented Aliasing
0 C 0 0 x 4 0 0 F E 5 0 C 0 0 x 4 0 0 F E 4 … … 0 C 0 0 x 4 0 1 0 2 3 0 C 0 0 x 4 F 1 2 3 4
…
Virtual Pages
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
SLIDE 58
Spoiler: Finding Undocumented Aliasings
0 C 0 0 x 4 0 0 F E 5 0 C 0 0 x 4 0 0 F E 4 … … 0 C 0 0 x 4 0 1 0 2 3 0 C 0 0 x 4 F 1 2 3 4
…
Virtual Pages
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
0 C 0 0 x 6 5 F 3 2 X X 0 C 0 0 x 3 2 A C 2 X X
Physical Addresses
SLIDE 59
Spoiler: Finding Undocumented Aliasing
…
Virtual Pages
VFN PFN VFN PFN VFN PFN … …. Offset 0C0 Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. 0C0 0C0 0C0 … DATA DATA DATA …
L1
DTLB
Memory Subsystem
VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA VFN PFN [8:0] VFN PFN [8:0] 0C0 0C0 DATA DATA
Store Buffer
SLIDE 60
Spoiler: Finding Undocumented Aliasing
…
Virtual Pages
60
SLIDE 61
Spoiler: Learning on Physical Address Bits
61 Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/L3 Cache Attacks
MemJam
SLIDE 62
Spoiler: Learning on Physical Address Bits
62 Least 12 bits (Virtual Address = Physical Address) VFN L1 Cache Attacks L2/L3 Cache Attacks
MemJam
PFN
MemJam
SLIDE 63
Spoiler: Learning on Physical Address Bits
63 Least 12 bits (Virtual Address = Physical Address) VFN L1 Cache Attacks L2/L3 Cache Attacks
MemJam
PFN
MemJam
Pime+Probe on Cache, Eviction Sets, Rowhammer
SLIDE 64
Spoiler: Learning on Physical Address Bits
64 Least 12 bits (Virtual Address = Physical Address) VFN L1 Cache Attacks L2/L3 Cache Attacks
MemJam
PFN
MemJam
Pime+Probe on Cache, Eviction Sets, Rowhammer
Spoiler
SLIDE 65
Spoiler – JavaScript Eviction Sets
65
SLIDE 66
Spoiler - Rowhammer
66
- Row Buffer Conflict
- Single-sided Rowhammer
SLIDE 67
Spoiler - Rowhammer
67
- Detecting Contiguous Memory
- Double-sided Rowhammer
SLIDE 68
2018: Meltdown Attack?
68
SLIDE 69
2018: Meltdown Attack?
69
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space 256 different CPU Cache Line CPU Registers
SLIDE 70
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
SLIDE 71
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
Fault
SLIDE 72
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
P
Fault
SLIDE 73
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
P
Fault
SLIDE 74
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
SLIDE 75
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
SLIDE 76
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
SLIDE 77
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
SLIDE 78
2018: Meltdown Attack?
P A S S W O R D
Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
‘P’ = 0x50
SLIDE 79
Microarchitecture Data Sampling (MDS)
- Meltdown is fixed but you can still leak on the fix hardware.
- Which part of the CPU leak the data?!
- Why does it leak?
79
SLIDE 80
CPU Memory Subsystem – Challenges?
80 Front End 80
Allocation Queue
stor $$, (add_A) stor ##, (add_B) load (add_C), CX add CX, BX
Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 81
81
Memory Access
Canonical #GP
Offset VFN
Virtual Address
SLIDE 82
82
Memory Access
Canonical #GP TLB
PTE
PMH P
RW US A …
Physical Page Number
… … Offset VFN
Virtual Address Y
SLIDE 83
83
Memory Access
Canonical #GP TLB
Y
PMH P
RW US A …
Physical Page Number
… …
Perm.
Y PTE
Offset VFN
Virtual Address
SLIDE 84
84
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF
PTE
Offset VFN
Virtual Address
SLIDE 85
85
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit
PTE
Offset VFN
Virtual Address
SLIDE 86
86
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit Aligned Vector
Y PTE
Offset VFN
Virtual Address
#GP
SLIDE 87
87
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit Aligned Vector
Y PTE
Offset VFN
Virtual Address
#GP Cache Aligned Split Cache
Y
SLIDE 88
88
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit Aligned Vector
Y PTE
Offset VFN
Virtual Address
#GP Cache Aligned Split Cache
Y
Cached
Y
Cache Miss Handler
SLIDE 89
89
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit Aligned Vector
Y PTE
Offset VFN
Virtual Address
#GP Cache Aligned Split Cache
Y
Cached
Y
Cache Miss Handler False Store Dep.
Y
Hazard Recovery
SLIDE 90
90
Memory Access
Canonical #GP TLB
Y
PMH
P RW US A …
Physical Page Number
… …
Perm.
Y
Present
Y
#PF Accessed
Y
Set A Bit Aligned Vector
Y PTE
Offset VFN
Virtual Address
#GP Cache Aligned Split Cache
Y
Cached
Y
Cache Miss Handler False Store Dep.
Y
Hazard Recovery TSX Failure
Y #RTM
SLIDE 91
Fault VS. Assist Dilemma
- Microcode Assists: The CPU executes an internal event handler to
service complex instructions/operations
- Fault (#GP
, #PF , #RTM): An assist that run a software-based callback
SLIDE 92
CPU Memory Subsystem – Hazard Recovery
92 Front End 92
Allocation Queue stor $$, (addr_B) load (addr_A), AX Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 93
CPU Memory Subsystem – Hazard Recovery
93 Front End 93
Allocation Queue stor $$, (addr_B) load (addr_A), AX Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 94
CPU Memory Subsystem – Hazard Recovery
94 Front End 94
Allocation Queue stor $$, (addr_B) load (addr_A), AX Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 95
CPU Memory Subsystem – Hazard Recovery
95 Front End 95
Allocation Queue stor $$, (addr_B) load (addr_A), AX Scheduler
Store Load Load ALU ALU
EUs ROB
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
Memory Subsystem Back End DRAM L3 L2
SLIDE 96
MDS Attacks (ZombieLoad, RIDL, Fallout, …)
- The CPU must flush the pipeline before executing an assist.
- Upon an Exception/Fault/Assist on a Load, Intel CPUs:
- Execute the load until the last stage.
- Flush the pipeline at the retirement stage (Cheap Recovery Logic).
- Continue the load with some data to reach the retirement stage.
- Which data?
96
SLIDE 97
CPU Memory Subsystem – Leaky Buffers
97 97
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
DRAM L3 L2 Memory Subsystem
ZombieLoad Fallout
SLIDE 98
CPU Memory Subsystem – Leaky Buffers
98 98
VFN PFN VFN PFN VFN PFN … …. Offset Offset Offset … DATA DATA DATA …
Load Buffer
VFN PFN [8:0] VFN PFN [8:0] VFN PFN [8:0] … …. Offset Offset Offset … DATA DATA DATA …
Store Buffer
L1
Fill Buffer DTLB
DRAM L3 L2 Memory Subsystem
ZombieLoad Fallout
SLIDE 99
MDS Attacks (ZombieLoad, RIDL, Fallout, …)
- The CPU must flush the pipeline before executing an assist.
- Upon an Exception/Fault/Assist on a Load, Intel CPUs:
- Execute the load until the last stage.
- Flush the pipeline at the retirement stage (Cheap Recovery Logic).
- Continue the load with some data to reach the retirement stage.
- Which data? (Fill buffer, Store Buffer, Load Buffer)
- Which one will be leaked first?
99
SLIDE 100
ZombieLoad Attack
100
L1D Cache
DRAM L3 L2
Core
SLIDE 101
ZombieLoad Attack
101
LFB
L1D Cache
DRAM L2 L3
Core
SLIDE 102
ZombieLoad Attack
102
LFB
L1D Cache
…
DRAM L3 L2
Core
SLIDE 103
ZombieLoad Attack
103
DRAM LFB
L1D Cache
…
L3 L2
Core Cache Line
SLIDE 104
ZombieLoad Attack
104
DRAM LFB
L1D Cache
…
L3
Cache Line
L2
Core
SLIDE 105
ZombieLoad Attack
105 x x x x
DRAM LFB
L1D Cache
x x x …
L3
Cache Line
L2
Core
SLIDE 106
ZombieLoad Attack
106 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line
L2
Core De-allocate
SLIDE 107
ZombieLoad Attack
107 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
Cache Line
L2
Core
SLIDE 108
ZombieLoad Attack
108 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
L2
Core
SLIDE 109
ZombieLoad Attack
109 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
L2
Core
SLIDE 110
ZombieLoad Attack
110 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
x x x x
L2
Core
SLIDE 111
ZombieLoad Attack
111 x x x x
DRAM LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A
…
Physical Page Number
… …
x x x x
Variant 1: #GP Variant 3: MC
L2
Core
Variant 2: #RTM
SLIDE 112
Meltdown-style Attacks
112
SLIDE 113
Data Sampling – Domino Attack
- We may leak bytes of data from other unimportant fill buffer
entries
- Leak domino bytes to perform error correction
113
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0
SLIDE 114
Data Sampling – Domino Attack
- We may leak bytes of data from other unimportant fill buffer
entries
- Leak domino bytes to perform error correction
114
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0 0x7f 0x84
SLIDE 115
Data Sampling – Domino Attack
- We may leak bytes of data from other unimportant fill buffer
entries
- Leak domino bytes to perform error correction
115
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0 0x7f 0x84 0xd3 0x37 0x7f
SLIDE 116
116
SLIDE 117
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
117
sgx-step
SLIDE 118
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
118
sgx-step
SLIDE 119
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
119
sgx-step
SLIDE 120
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
120
sgx-step
SLIDE 121
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
121 z-step Mark Non- Executabl e
SLIDE 122
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
122 z-step Mark Non- Executabl e Try to Execute Exception
SLIDE 123
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
123 z-step Mark Non- Executabl e Try to Execute Exception Handle Exception
SLIDE 124
ZombieLoad - Recovering Intel SGX Sealing Key
- Intel SGX allow developers to have hardware support for TEE
- Malicious OS is part of the threat model
- We can read register values of a trusted enclave with help of a
malicious OS
- Repeated Context Switch in the transient domain w/ the same
register values
124
SLIDE 125
Transynther and Medusa
- A Tool based on Fuzzing-techniques to Generate Data Leakage Code
- Microarchitectural Grooming to Find new MDS Variants/Subvariants
- Medusa, A New Variant that only Leaks Write Combining Stores
- Medusa
- Write Combining fills up the entire Data Bus.
- We leak only the Upper-half of the Data Bus to recover pre-filtered data.
- Implicit WC, i.e., ‘rep mov’, ‘rep stos’, can be leaked.
125
SLIDE 126
Mitigation
- Spoiler and MemJam
- Hardware: No plan to fix, No hardware mitigation!
- Software: Constant-time implementation (Secret Obliviousness)
- MDS
- Hardware:
- Everything is vulnerable before IceLake CPU
- Disable Hyperthreading to reduce the impact
- Software: Special Microcode Sequence
126
SLIDE 127
Questions?!
127
Publications
- MemJam: A False Dependency
Attack against Constant-Time Crypto Implementations (IACR CT-RSA 2018, IJPP 2019)
- SPOILER: Speculative Load Hazards Boost Rowhammer and Cache
Attacks (Usenix Security 2019).
- ZombieLoad: Cross-Privilege-Boundary Data Sampling. (ACM CCS 2019)
- Fallout: Leaking Data on Meltdown-resistant CPU. (ACM CCS 2019)
- Medusa (will appear at Usenix Security 2020)