exploiting out of order execution
play

Exploiting Out-of-Order-Execution Processor Side Channels to Enable - PowerPoint PPT Presentation

Aug 24, 2023 •31 likes •491 views

Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia DAntoine REcon 2015 The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46 Cloud Computing (IaaS) Virtual instances Hypervisors

  1. Exploiting Out-of-Order-Execution Processor Side Channels to Enable Cross VM Code Execution Sophia D’Antoine REcon 2015

  2. The Cloud 06/19/2015 Exploiting Out-of-Order-Execution 2/46

  3. Cloud Computing (IaaS) • Virtual instances • Hypervisors Dynamic allocation => Reduces cost 06/19/2015 Exploiting Out-of-Order-Execution 3/46

  4. Everyone’s Happy 06/19/2015 Exploiting Out-of-Order-Execution 4/46

  5. Problems with the Cloud Security issues with cloud computing • Sensitive data stored remotely • Vulnerable host • Untrusted host • Co-located with foreign VM’s 06/19/2015 Exploiting Out-of-Order-Execution 5/46

  6. Physical co-location leads to side channel vulnerabilities. wat 06/19/2015 Exploiting Out-of-Order-Execution 6/46

  7. Cloud Hardware 06/19/2015 Exploiting Out-of-Order-Execution 7/46

  8. Universal Vulnerabilities 1) Translation between physical and virtual hardware based on need 2) Allocation causes contention 3) Private VM activities not opaque to aaco-residents 06/19/2015 Exploiting Out-of-Order-Execution 8/46

  9. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 9/46

  10. Side Channel Attack “In cryptography, a side- Cloud Computing channel attack is any attack • Hardware side based on information gained channel from the physical • Cross virtual implementation of a machine cryptosystem” • Information gained through recordable changes in the system 06/19/2015 Exploiting Out-of-Order-Execution 10/46

  11. Classification S/R Model • Hardware agnostic • Two methods of interacting – Transmit – Receive transmit: receive: force record artifacts artifacts Hardware 06/19/2015 Exploiting Out-of-Order-Execution 11/46

  12. Possible Exploits • Receive (exfiltrate) 1. crypto key theft 2. process monitoring 3. environment keying 4. broadcast signal • Transmit (infiltrate) 1. DoS 2. co-residency • Transmit & Receive (network) 1. communication (C&C) 06/19/2015 Exploiting Out-of-Order-Execution 12/46

  13. Communication Virtual VM1 VM2 Client Master VM Allocations S R S R S R Shared Communication Medium Hardware 06/19/2015 Exploiting Out-of-Order-Execution 13/46

  14. Cache Side Channel Example [3] Flush+Reload targets the L3 Cache Tier • Receiving Mechanism (Adversary) – Flushes & queries • Transmitting Mechanism (Victim) – Accesses same L3 line • Leaked GnuPG Private Key sophia.re/cache.pdf 06/19/2015 Exploiting Out-of-Order-Execution 14/46

  15. Pipeline vs Cache Channel Benefits: • Quiet, covert channel • Not affected by cache misses, etc. • Channel & noise amplifies in a crowded cloud environment 06/19/2015 Exploiting Out-of-Order-Execution 15/46

  16. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the pipeline 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 16/46

  17. The Attack Vector Side Channels which Exploit Hardware Vulnerabilities Inherent to Modern Cloud Computing Systems Requirements: • Shared hardware • Dynamically allocated hardware resources • Co-Location with adversarial VMs or infected VMs 06/19/2015 Exploiting Out-of-Order-Execution 17/46

  18. Pipeline Side Channel We chose to target the processor as the hardware medium. => CPU’s pipeline => System artifacts queried dynamically • Instruction order • Results from instruction sets 06/19/2015 Exploiting Out-of-Order-Execution 18/46

  19. Out-of-Order-Execution 06/19/2015 Exploiting Out-of-Order-Execution 19/46

  20. Processor Pipeline Contention VM VM VM VM Process01 Process02 Process03 Process04 SMT Pipeline Core01 Core02 Optimizes Executing Shared Instructions Processor Hardware From Foreign Applications 06/19/2015 Exploiting Out-of-Order-Execution 20/46

  21. RECEIVER 06/19/2015 Exploiting Out-of-Order-Execution 21/46

  22. Record Out of Order Execution [6] 06/19/2015 Exploiting Out-of-Order-Execution 22/46

  23. Record Out of Order Execution THREAD 1 THREAD 2 => Synched store [X], 1 store [Y], 1 r1 = r2 = 1 load r1, [Y] load r2, [X] => Asynched store [X], 1 r1 = 0 r2 = 1 load r1, [Y] store [Y], 1 load r2, [X] => Out of load r1, [Y] load r2, [X] r1 = r2 = 0 Order store [X], 1 store [Y], 1 Execution 06/19/2015 Exploiting Out-of-Order-Execution 23/46

  24. Record Out of Order Execution int X,Y,count_OoOE; ….initialize semaphores Sema1 & Sema2… pthread_t thread1, thread2; pthread_create(&threadN, NULL, threadNFunc, NULL); for (int iterations = 1; ; iterations++) X,Y = 0; Averages matter sem_post(beginSema1 & beginSema2); sem_wait(endSema1 & endSema2); if (r1 == 0 && r2 == 0) count_OoOE ++; 06/19/2015 Exploiting Out-of-Order-Execution 24/46

  25. TRANSMITTER 06/19/2015 Exploiting Out-of-Order-Execution 25/46

  26. Force Out of Order Execution Mfence: ● x86 instruction full memory barrier prevents memory reordering of any kind ● order of 100 cycles per operation ● … mov dword ptr [_spin1], 0 … mfence … mov dword ptr [_spin2], 0 … mfence 06/19/2015 Exploiting Out-of-Order-Execution 26/46

  27. Force Out of Order Execution THE PIPELINE ….. ….. NOP Store [X], 1 mfence Load r1, [X] NOP Exploiting Out-of-Order-Execution 27/46

  28. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 28/46

  29. Types of Memory Reordering Memory Reordering Processor Compilation (Run) Time Time GCC OoOE Execution Multithreaded MultiCored Programs (MultiExecution Processors) Computers 06/19/2015 Exploiting Out-of-Order-Execution 29/46 Categorize Out of Order Execution

  30. Types of Memory Reordering Dynamic side channel artifacts Processor (Run) Time OoOE Execution MultiCored (MultiExecution Processors) Computers 06/19/2015 Exploiting Out-of-Order-Execution 30/46 Categorize Out of Order Execution

  31. [7] 06/19/2015 Exploiting Out-of-Order-Execution 31/46

  32. Types of Memory Reordering [4, 5] - Instruction A visible to all processes before B occurs - #StoreLoad most expensive operation 06/19/2015 Exploiting Out-of-Order-Execution 32/46 Categorize Out of Order Execution

  33. Force Out of Order Execution Memory Barrier ● ‘Lock-free programming’ on SMT multiprocessors ● #StoreLoad unique prevents r1=r2=0 ● x86: mfence ( effects the pipeline ) 06/19/2015 Exploiting Out-of-Order-Execution 33/46

  34. • Out-of-Order-Execution • 06/19/2015 Exploiting Out-of-Order-Execution 34/46

  35. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out of Order Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 35/46

  36. Lab Model Scheduler Xen hypervisor ● Popular commercial IaaS platforms Xeon Processors Shared multi-core/ multi-processor hardware ● 8 logical CPU’s/ 4 cores ● 6 virtual machines (VM’s) ● Parallel Processing/ Simultaneous Multi-Threading On (SMT) 06/19/2015 Exploiting Out-of-Order-Execution 36/46

  37. Virtual Machines • 6 Windows 7 VM’s VM1 VM2 VM3 VM4 VM5 VM6 P1 P2 P3 P4 CPU1 CPU1 06/19/2015 Exploiting Out-of-Order-Execution 37/46

  38. Virtual Machine S/R 06/19/2015 Exploiting Out-of-Order-Execution 38/46

  39. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 39/46

  40. Demo Links sophia.re/sender.py sophia.re/receiver.py 06/19/2015 Exploiting Out-of-Order-Execution 40/46

  41. Overview 1. Introduction 2. Cloud exploitation techniques 3. Targeting the processor 4. Importance of memory models 5. Design of an Out-of-Order-Execution channel 6. Demo 7. Conclusion 06/19/2015 Exploiting Out-of-Order-Execution 41/46

  42. Potential Channel Mitigation Protected Resource Ownership ● Isolating VM’s ● Turn off hyperthreading ● Blacklisting resources for concurrent threads ● Downside: cloud benefits 06/19/2015 Exploiting Out-of-Order-Execution 42/46

  43. In Conclusion... Contribution: We demonstrate a novel Out of Order Execution side channel. • Dynamic querying/ forcing method • Application to cloud computing • Mitigation techniques 06/19/2015 Exploiting Out-of-Order-Execution 43/46

  44. Acknowledgements - Jeremy Blackthorne - RPISEC - Trail of Bits 06/19/2015 Exploiting Out-of-Order-Execution 44/46

  45. Any Questions? IRC: quend (#rpisec, #pwning) email: sophia@trailofbits.com thesis link: sophia.re/thesis.pdf 06/19/2015 Exploiting Out-of-Order-Execution 45/46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th,

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th,

The Bad Neighbor Out-of-Order Execution and Its Applications Sophia dAntoine November 7th, 2017 1 whoami Masters in CS from RPI - Exploiting Intels CPU pipelines Work at Trail of Bits - Senior Security Researcher - Program

1.83k views • 126 slides
Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by

Order Is A Lie Are you sure you know how your code runs ? Order in code is not respected by Compilers Processors ( out-of-order execution) SMP Cache Management Understanding execution order in a multithreaded context is out of reach

600 views • 48 slides
Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all

Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all

Precise Exceptions and Out-of-Order Execution Samira Khan Multi-Cycle Execution Not all instructions take the same amount of time for execution Idea: Have multiple different functional units that take different number of cycles

749 views • 39 slides
Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with

Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with

Out-of-Order Execution Several implementations out-of-order completion CDC 6600 with scoreboarding IBM 360/91 with Tomasulo s algorithm & reservation stations out-of-order completion leads to: imprecise interrupts

356 views • 22 slides
Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric

Boomerang: Exploiting the Semantic Gap in Trusted Execution Environments Aravind Machiry , Eric Gustafson, Chad Spensky, Chris Salls, Nick Stephens, Ruoyu Wang, Antonio Bianchi, Yung Ryn Choe, Christopher Kruegel, and Giovanni Vigna Sandia

1.1k views • 51 slides
Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul

Spectre Attacks: Exploiting Speculative Execution IEEE Security & Privacy (May 20, 2019) Paul Kocher 1 , Jann Horn 2 , Anders Fogh 3 , Daniel Genkin 4 , Daniel Gruss 5 , Werner Haas 6 , Mike Hamburg 7 , Mortiz Lipp 5 , Stefan Mangard 5 ,

410 views • 13 slides
Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on

Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on

Agenda Order Execution Support Vector Machines Support Vector Regression with a Priori Knowledge Used in Order Execution Strategies Based on VWAP Marcin Orchel AGH University of Science and Technology in Poland Supervisor: prof. Witold

303 views • 11 slides
Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A:

Implementing out-of-order execution processors IBM 360/91 High performance substrate CSE240A: Neha Chachra and Bryan S. Kim Feb. 11, 2010 1 Historical perspective Pipeline RISC Superscalar Out-of-order VLIW SMT 1960 1970 1980 1990

1.01k views • 45 slides
Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order

Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order

3/16/17 Multi-Cycle Execution Not all instructions take the same amount of time for execution Precise Exceptions and Idea: Have multiple different functional units that take Out-of-Order Execution different number of cycles

329 views • 10 slides
Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill

Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill

Exploiting Order Independence for Scalable and Expressive Packet Classification Author: Kirill Kogan, Sergey I. Nikolenko, Ori Rottenstreich, William Culhane, and Patrick Eugster Presenter: Qing Lyu 2017/04/12 IEEE/ACM TRANSACTIONS ON

787 views • 64 slides
Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order

Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order

Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order Searches Exploiting Phase Inter-Dependencies for Faster Iterative Compiler Optimization Phase Order Searches Michael R. Jantz Prasad A. Kulkarni

442 views • 26 slides
1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our

1 The problem Address the problem of stopping determined attackers from exploiting our software Interest in Control Flow Integrity(CFI) Data execution prevention (DEP), stack smashing protection (SSP), address space layout

673 views • 34 slides
Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin

Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin

Exploiting the Commutativity Lattice Donald Nguyen, Dimitrios Milind Kulkarni Prountzos, Xin Sui and Keshav Pingali Wednesday, July 20, 2011 Exploiting semantics in transactional execution Set S: X Y Z 2 Wednesday, July 20, 2011

1.04k views • 67 slides
Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University

Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University

Order Cancellations, Fees, and Execution Quality in U.S. Equity Options Todd Griffith University of Mississippi Dissertation: Essay 1 Abstract Excessive limit order cancellation activity in equity options markets has forced exchange officials

955 views • 58 slides
Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March

Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March

3/21/17 Agenda Logistics Review from last lecture Caches Out-of-order execution Data flow model Samira Khan Superscalar processor March 21, 2017 Caches Final Exam AN AN IN-OR ORDER PIPELINE Integer add Combined

310 views • 13 slides
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo

Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution Jo Van Bulck 1 Marina Minkin 2 Ofir Weisse 3 Daniel Genkin 3 Baris Kasikci 3 Frank Piessens 1 Mark Silberstein 2 Thomas F. Wenisch 3 Yuval Yarom 4 Raoul

601 views • 56 slides
CEE 697K ENVIRONMENTAL REACTION KINETICS Lecture #1 Introduction: Basics Brezonik, pp.1-31

CEE 697K ENVIRONMENTAL REACTION KINETICS Lecture #1 Introduction: Basics Brezonik, pp.1-31

Updated: 3 September 2013 CEE697K Lecture #1 1 Print version CEE 697K ENVIRONMENTAL REACTION KINETICS Lecture #1 Introduction: Basics Brezonik, pp.1-31 Introduction David A. Reckhow Kinetics 2 Examples Fe +2 oxidation by O 2

732 views • 35 slides
Multidimensional Necklaces: Enumeration, Generation, Ranking and Unranking Duncan Adamson ,

Multidimensional Necklaces: Enumeration, Generation, Ranking and Unranking Duncan Adamson ,

Multidimensional Necklaces: Enumeration, Generation, Ranking and Unranking Duncan Adamson , Argyrios Deligkas, Vladimir V. Gusev and Igor Potapov University of Liverpool, Department of Computer Science April 8, 2020 Background Necklaces

656 views • 26 slides
Rank and Range Marco Chiarandini Department of Mathematics & Computer Science University of

Rank and Range Marco Chiarandini Department of Mathematics & Computer Science University of

DM559 Linear and Integer Programming Lecture 6 Rank and Range Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Numerical Issues in Python Rank Outline Range 1. Numerical Issues in Python

332 views • 20 slides
Why is wrong to evaluate researchers in CS through journals and what can we do about it ?

Why is wrong to evaluate researchers in CS through journals and what can we do about it ?

Why is wrong to evaluate researchers in CS through journals and what can we do about it ? Microsoft Academic Search might help might help Ricardo Jimenez-Peris, Marta Patio-Martinez Universidad Politecnica de Madrid Current Practices for

383 views • 13 slides
The Basics What is memory management? Programs contain Objects Data Occupy memory

The Basics What is memory management? Programs contain Objects Data Occupy memory

The Basics What is memory management? Programs contain Objects Data Occupy memory Runtime system must allocate and reclaim memory for program in an efficient manner Why is this important? Why is this hard? Why is

319 views • 20 slides
Page Frame Reclaiming Don Porter CSE 506 Last time We saw how you go from a file or

Page Frame Reclaiming Don Porter CSE 506 Last time We saw how you go from a file or

Page Frame Reclaiming Don Porter CSE 506 Last time We saw how you go from a file or process to the constituent memory pages making it up Where in memory is page 2 of file foo? Or, where is address 0x1000 in process

399 views • 26 slides
Efficient and Reliable Lock-Free Memory Introduction The Problem Reclamation

Efficient and Reliable Lock-Free Memory Introduction The Problem Reclamation

Outline Efficient and Reliable Lock-Free Memory Introduction The Problem Reclamation Lock-free synchronization Based on Reference Counting Our solution Anders Gidenstam, Marina Papatriantafilou, Idea Hkan Sundell and

81 views • 6 slides
What is RCU, Fundamentally By: Paul E. McKenney Jonathan Walpole Presenter: Jim Santmyer

What is RCU, Fundamentally By: Paul E. McKenney Jonathan Walpole Presenter: Jim Santmyer

What is RCU, Fundamentally By: Paul E. McKenney Jonathan Walpole Presenter: Jim Santmyer Agenda Definition RCU RCU Publish Subscribe Memory Reclamation Example walk thru, Deletion and Replacement Conclusion RCU Definition

456 views • 32 slides

More recommend