LVI Hijacking Transient Execution with Load Value Injection Daniel - - PowerPoint PPT Presentation

LVI

Hijacking Transient Execution with Load Value Injection

Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020

1 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

National Geographic

Processor security: Hardware isolation mechanisms

VM OS App App Hypervisor (VMM) VM OS

Enclave

App

3 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i); printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i);

Cache miss

printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i);

Cache miss

R e q u e s t

printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i);

Cache miss

R e q u e s t

R e s p

• n

s e

i

printf("%d", i);

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i);

Cache miss

R e q u e s t

R e s p

• n

s e

i

printf("%d", i);

Cache hit

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

CPU Cache

printf("%d", i);

Cache miss

R e q u e s t

R e s p

• n

s e

i

printf("%d", i);

Cache hit No DRAM access, much faster DRAM access, slow

4 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER

Shared Memory

cached c a c h e d

VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER

Shared Memory

VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER

Shared Memory

VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER

Shared Memory

VICTIM

flush access access

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Flush+Reload

Shared Memory

ATT ACKER

Shared Memory

VICTIM

flush access access

f a s t i f v i c t i m a c c e s s e d d a t a , s l

• w
• t

h e r w i s e

5 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Memory Access Latency

50 100 150 200 250 300 350 400 101 104 107 Latency [Cycles] Number of Accesses Cache Hits

6 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Memory Access Latency

50 100 150 200 250 300 350 400 101 104 107 Latency [Cycles] Number of Accesses Cache Hits Cache Misses

6 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

We can communicate across protection walls using microarchitectural side-channels!

Leaky processors: Jumping over protection walls with side-channels

VM OS App App Hypervisor (VMM) VM OS

Enclave

App

9 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Side-channel attacks are known for decades already – what’s new?

1990 1994 1998 2002 2006 2010 2014 2018 3000 4000 2000 1000

DO WE JUST SUCK AT... COMPUTERS?

• YUP. ESPECIALLY SHARED ONES.

10 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Side-channel attacks are known for decades already – what’s new?

1990 1994 1998 2002 2006 2010 2014 2018 3000 4000 2000 1000

DO WE JUST SUCK AT... COMPUTERS?

• YUP. ESPECIALLY SHARED ONES.

10 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D F Fetch Decode Execute Commit 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D X F D F Fetch Decode Execute Commit 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D X C F D X F D F Fetch Decode Execute Commit 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D X C F D X C F D X F D Fetch Decode Execute Commit 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D X C F D X C F D X C F D X Fetch Decode Execute Commit 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Pipeline Bubble

F movb $20, %al add %rax, %rcx sub %rdx, %rsi jne target: add %rax, %rax target: D X C F D X C F D X C F D X Fetch Decode Execute Commit F 11 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

cmp %rax, %rbx jne <target>

0x100123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT cmp %rax, %rbx jne <target>

0x100123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT BTB cmp %rax, %rbx jne <target>

0x100123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT BTB cmp %rax, %rbx jne <target> jne <target2>

0x100123: 0xff00123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT BTB cmp %rax, %rbx jne <target> jne <target2>

0x100123: 0xff00123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT BTB cmp %rax, %rbx jne <target> jne <target2>

0x100123: 0xff00123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Branch Prediction and Side Channel

PHT BTB cmp %rax, %rbx jne <target> jne <target2>

0x100123: 0xff00123:

12 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = C

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result × C square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result × C square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result × C square multiply

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

RSA

M = C

d mod n 1 1 0 0 1 1 0 . . . Result = Result × Result square

13 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

? ? ?

Spectre-PHT (v1)

LUT

index = 0; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 0; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT Speculate

index = 0; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’t’

Execute

index = 0; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 1; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 1; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’e’

Speculate

index = 1; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’e’

index = 1; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 2; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 2; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’x’

Speculate

index = 2; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’x’

index = 2; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 3; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 3; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’t’

Speculate

index = 3; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’t’

index = 3; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 4; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 4; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’K’

Speculate

index = 4; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’K’

Execute

index = 4; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 5; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 5; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’E’

Speculate

index = 5; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’E’

Execute

index = 5; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 6; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

index = 6; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’Y’

Speculate

index = 6; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Spectre-PHT (v1)

LUT

Index ’Y’

Execute

index = 6; if (index < 4) char* data = ”textKEY”;

LUT[data[index] * 4096] then else

Prediction

15 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

? ?

Meltdown: Transiently encoding unauthorized memory

Unauthorized access 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window

• racle array

secret idx

16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window Exception (discard architectural state) 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Meltdown: Transiently encoding unauthorized memory

Unauthorized access Transient out-of-order window

• racle array

cache hit

Exception handler 16 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Meltdown variants: Microarchitectural buffers

Execution Engine

Reorder buffer

µOP µOP µOP µOP µOP µOP µOP µOP

Scheduler Execution Units ALU, AES, ... ALU, FMA, ... ALU, Vect, ... ALU, Branch Load data Load data Store data AGU

µOP µOP µOP µOP µOP µOP µOP µOP

CDB

Memory Subsystem

Load Buffer Store Buffer L1 Data Cache DTLB LFB STLB L2 Cache L3 Cache DRAM

Frontend

Allocation Queue

µOP µOP µOP µOP MUX µOP µOP µOP µOP µOPs

4-Way Decode Instruction Queue Instruction Fetch & PreDecode µOP Cache Branch Predictor L1 Instruction Cache ITLB

17 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

The transient-execution zoo

https://transient.fail

Transient cause Spectre-type Meltdown-type Spectre-PHT Spectre-BTB Spectre-RSB Spectre-STL Meltdown-NM-REG Meltdown-PF Meltdown-BR Meltdown-GP Meltdown-MCA Cross-address-space Same-address-space Cross-address-space Same-address-space Cross-address-space Same-address-space Meltdown-US Meltdown-P Meltdown-RW Meltdown-PK-L1 Meltdown-SM-SB Meltdown-MPX Meltdown-BND Meltdown-CPL-REG Meltdown-NC-SB Meltdown-AD Meltdown-AVX-LP PHT-CA-IP PHT-CA-OP PHT-SA-IP PHT-SA-OP BTB-CA-IP BTB-CA-OP BTB-SA-IP BTB-SA-OP RSB-CA-IP RSB-CA-OP RSB-SA-IP RSB-SA-OP Meltdown-US-L1 Meltdown-US-LFB Meltdown-US-SB Meltdown-P-L1 Meltdown-P-LFB Meltdown-P-SB Meltdown-P-LP Meltdown-AD-LFB Meltdown-AD-SB

18 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

?

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI: The basic idea

20 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Enclaves to the rescue!

Mem HDD OS kernel CPU App App TPM Hypervisor Enclave app

Intel SGX promise: hardware-level isolation and attestation

21 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Intel Sofware Guard Extensions (SGX)

Application Trusted part Call Gate Untrusted part

Create Enclave Call Trusted Fnc. . . . Trusted Fnc. Return

Operating System

22 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Intel SGX: A look under the hood

paging unit SGX checks

logical address physical address

• SGX machinery protects against direct address remapping attacks

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Intel SGX: A look under the hood

paging unit SGX checks

page fault (#PF) logical address physical address

• SGX machinery protects against direct address remapping attacks
• ...but untrusted address translation may fault during enclaved execution (!)

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Intel SGX: A look under the hood

paging unit SGX checks

page fault (#PF) logical address physical address

We can arbitrarily provoke page faults for trusted enclave loads!

23 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

A toy example

1 void

c a l l v i c t i m ( s i z e t untrusted arg )

2 { 3

* arg copy = untrusted arg ;

4

array [ **trusted ptr * 4096];

5 }

24 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

A Toy Example: Recovering arbitrary secrets

20 40 60 80 100 120 140 160 180 200 220 240 200 400 600 Page Access time [cycles]

25 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Real-world LVI ROP gadget in SGX-SDK

1 ; %rbx :

user−controlled argument ptr ( outside enclave )

2 sgx my sum bridge : 3

. . .

4

c a l l my sum ; compute 0x10(%rbx ) + 0x8(%rbx )

5

mov %rax ,(% rbx ) ; P1 : store sum to user address

6

xor %eax,%eax

7

pop %rbx

8

ret ; P2 : load from trusted stack

9

26 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Real-world LVI ROP gadget in SGX-SDK

1 ; %rbx :

user−controlled argument ptr ( outside enclave )

2 sgx my sum bridge : 3

. . .

4

c a l l my sum ; compute 0x10(%rbx ) + 0x8(%rbx )

5

mov %rax ,(% rbx ) ; P1 : store sum to user address

6

xor %eax,%eax

7

pop %rbx

8

ret ; P2 : load from trusted stack

9

We can setup a fake transient stack in the store buffer!

26 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Real-world LVI-ROP gadget in Quoting Enclave

1

intel avx rep memcpy : ; l i b i r c 2 . 4 / e f i 2 / l i b i r c . a

2

. . . ; P1 : store to user address

3

vmovups % xmm0,−0x10(%rdi ,%rcx , 1 )

4

. . .

5

pop %r12 ; P2 : load from trusted stack

6

ret

7

27 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

JO: explain briefly

Worse: “Inverse Foreshadow” can remap the L1D cache!

P3 gadget address

virtual page offset

RAX Page table entry stack User page

1

Enclave code P2_gadget: pop %rax retq P3 address L1D cache P3_gadget: movb (%rax), %al mov (%rdi,%al), %rcx %rdi

LVI 3 4

P1_gadget: mov (%rdi), %r12 mov -8(%rdi), %r13

2

RAX

29 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI-NULL: Why 0x00 is not a safe value

• Recent Intel CPUs forward 0x00 dummy values for faulting loads

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI-NULL: Why 0x00 is not a safe value

NULL

2 1

trusted enclave load attacker-controlled page

• Recent Intel CPUs forward 0x00 dummy values for faulting loads
• ...but NULL is a valid virtual memory address, under attacker control

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI-NULL: Why 0x00 is not a safe value

&trusted_func_pt &trusted_func %rax &P3_gadget NULL %rbx=NULL P2_gadget: mov (%rax), %rbx call (%rbx)

2 1

• Recent Intel CPUs forward 0x00 dummy values for faulting loads
• ...but NULL is a valid virtual memory address, under attacker control
• ...hijack function pointer-to-pointer

30 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Real-World LVI-NULL gadget

1 asm oret :

; ( linux−sgx/sdk/ t r t s / linux / t r t s p i c . S #L454 )

2

. . .

3

mov 0x58(%rsp ) ,%rbp ; %rbp < − NULL

4

. . .

5

mov %rbp,%rsp ; %rsp < − NULL

6

pop %rbp ; %rbp < − *( NULL )

7

ret ; %rip < − *( NULL+8)

8

31 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI-NULL fault injection to reduce AES rounds

4 2

movdqu (%rdx), %xmm0 movdqu (%rcx), %xmm4 add $0x10, %rdx pxor %xmm4, %xmm0 movdqu 0x10(%rcx), %xmm4 aesdec %xmm4, %xmm0 movdqu 0x20(%rcx), %xmm4 aesdec %xmm4, %xmm0 ... movdqu 0xa0(%rcx), %xmm4 aesdeclast %xmm4, %xmm0 movdqu %xmm0, -0x10(%r8,%rdx,1) access oracle[output[byte_index] * 4096];

Load RK0 Load RK1 Load RK2 Output I n p u t Load RK10

Repeated 9 times

Single Step Architectural Execution 1 Change Page Permission 2 Transient Execution 3 Recover Faulty Output 4

32 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Mitigation Sequences

Instruction Possible Emulation Clobber ret pop %reg; lfence; jmp *%reg ✓ ret not (%rsp); not (%rsp); lfence; ret ✗ jmp (mem) mov (mem),%reg; lfence; jmp *%reg ✓ call (mem) mov (mem),%reg; lfence; call *%reg ✓

34 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Performance Overheads (Our Mitigation)

aes-128 cbc rsa 4096 (sign) rsa 4096 (verify) ecdh nistp256 ecdsa nistp256 (sign) ecdsa nistp256 (verify) ghash sha256 sha512

500 1,000 1,500

978.13 782.29 703.36 568.87 492.88 543.81 650.53 247.1 430.15 15.39 1.62 0.91 12.42 2.74 85.2 5.59 5.02

Overhead [%]

• wn-full
• wn-ret

35 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Performance Overheads (Intel’s Mitigation)

aes-128 cbc rsa 4096 (sign) rsa 4096 (verify) ecdh nistp256 ecdsa nistp256 (sign) ecdsa nistp256 (verify) ghash sha256 sha512

500 1,000 1,500 2,000 2,500

1868.15 1372.27 1287.05 758.61 715.22 757.21 820.94 379.25 352.51 98.94 1365.48 1214.73 712.75 638.22 699.04 439.01 326.5 298.89 15.45 0.6 2.8 0.76 16.48 3.91 82.56 8.25 5.44

Overhead [%]

gcc-lfence clang-full clang-ret

36 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Performance Overheads (Intel’s Mitigation)

600.perlbench 602.gcc 605.mcf 620.omnetpp 623.xalancbmk 625.x264 631.deepsjeng 641.leela 657.xz

500 1,000 1,500

1081.26 281.6 830.13 367.15 592 661.3 673.83 502.24 380.4 404.58 264.31 261.05 215.82 188.78 67.09 189.71 230.39 84.11 80.16 207.55 86.23 75.06 23.99 30.81 82.66 76.9 2.52

Overhead [%]

gcc-lfence clang-full clang-ret

37 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

Take Aways

https://lviattack.eu/

⇒ New emerging and powerful class of transient-execution attacks ⇒ Importance of fundamental side-channel research ⇒ Security cross-cuts the system stack: hardware, hypervisor, kernel, compiler, application

38 Daniel Gruss, Daniel Moghimi, Jo Van Bulck

LVI

Hijacking Transient Execution with Load Value Injection

Daniel Gruss, Daniel Moghimi, Jo Van Bulck Hardwear.io Virtual Con, April 30, 2020

39 Daniel Gruss, Daniel Moghimi, Jo Van Bulck