Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis • Daniel Moghimi • Moritz Lipp • Berk Sunar • Michael Schwarz
2018: Meltdown Attack? 2
2018: Meltdown Attack? Virtual Address Space User Space CPU Registers Kernel Space P A S S W O R D 0xf…81a0123 256 different CPU Cache Line 3
2018: Meltdown Attack? Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 4
2018: Meltdown Attack? (Step 1) Virtual Address Space Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 5
2018: Meltdown Attack? (Step 1) Virtual Address Space Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 6
2018: Meltdown Attack? (Step 2) Virtual Address Space Oracle User Space P CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 7
2018: Meltdown Attack? (Step 2) Virtual Address Space Fault Fault Oracle User Space CPU Registers Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 8
2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 9
2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 10
2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers F+R Kernel Space 0xf…81a0123 P A S S W O R D 256 different CPU Cache Line 11
2018: Meltdown Attack? (Step 3) Virtual Address Space Oracle User Space CPU Registers Kernel Space ‘ P ’ = 0x50 P A S S W O R D 256 different CPU Cache Line 12
Microarchitecture Data Sampling (MDS) • Meltdown is fixed but you can still leak on the fix hardware. whatever • Which part of the CPU leak the data?! • Why does it leak? 13
CPU Memory Subsystem – Leaky Buffers Memory Subsystem Store Buffer MSBDS DATA PFN [8:0] VFN Offset DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer MLPDS Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … VFN Offset DATA PFN MFBDS L2 L3 L1TF DRAM 14 14 14
Memory Canonical Access #GP Virtual Address VFN Offset 15
Y Y Memory Canonical TLB Perm. Access PMH #GP Virtual Address VFN Offset PTE P Physical Page Number RW US … A … … 16
Y Y Y Memory Canonical TLB Perm. Present Access PMH #GP #PF Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 17
Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH #GP #PF Bit Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 18
Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH Y #GP #PF Bit Aligned Vector #GP Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 19
Y Y Y Y Memory Accessed Canonical TLB Perm. Present Access Set A PMH Y #GP #PF Bit Y Y Y Y TSX False Cache Aligned Cached Failure Store Dep. Aligned Vector #RTM Hazard Cache Miss Split #GP Recovery Handler Cache Virtual Address VFN Offset PTE Physical Page Number P RW US … A … … 20
Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) 21
Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) • No public tool to find new variants or to verify hardware patches: • Too many things to test (Addressing mode, cache state, assists, and faults) • Previous POCs may not work after MC update, but what does it mean? 22
Challenges with MDS Testing? • Reproducing attacks is not reliable. It may depend on: • massaging the pipeline with other instructions • CPU configuration (generation, frequency, microcode patch and etc) • No public tool to find new variants or to verify hardware patches: • Too many things to test (Addressing mode, cache state, assists, and faults) • Previous POCs may not work after MC update, but what does it mean? • Impossible to quantify the impact of leakage: • We should care about leakage rate and what data is leaked. • My POC is faster than your POC!! 23
Transynther 24
Transynther (Fuzzing-based Random MDS Testing) Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 25
Transynther (Fuzzing-based Random MDS Testing) TLB Canonical Cache Aligned Cached Aligned Vector Perm. Step 1: False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 26
Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 27
Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 28
Transynther (Fuzzing-based MDS Testing) 29
Transynther (Fuzzing-based MDS Testing) 30
Transynther (Fuzzing-based MDS Testing) 31
32
33
MDS Attacks - Insights • Almost any exception/assist can leak from any buffer • The CPU must flush the pipeline before executing an assist. • Upon an Exception/Fault/Assist on a Load, Intel CPUs: • Execute the load until the last stage. • Flush the pipeline at the retirement stage (Cheap Recovery Logic). • Continue the load with some data to reach the retirement stage. • Which data? (Fill buffer, Store Buffer, Load Buffer) • Which one will be leaked first? (First come first serve) 34
35
Medusa Attack • Medusa only leaks the Write Combining Data • Implicit WC, i.e., ‘rep mov’, ‘rep sto ’, can be leaked. • Memory Copy Routines • File IO • Served by a Write Combining Buffer (or just the the Fill Buffer). • Advantages: • Prefiltered data • Less Noise • More targeted 36
Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 37
Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 38
Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte An invalid (Non-canon) address: Faulty 0x5550000000000008-20 Load 39
Medusa Attack – V1 Cache Indexing Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Common Data Bus?! 40
Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load 41
Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QRSTUVWX YZ… 42
Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QRSTUVWX YZ… 43
Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP Q RSTUVWX YZ… 44
Medusa Attack – V2 Unaligned S2L Forwarding Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Store Cache Line Index 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte 8-byte Faulty Load YMMx REPMOV on the Hyper thread: ABCDEFGH IJKLMNOP QR STUVWX YZ… 45
Medusa Attack – V3 Shadow REP MOV • A REP MOV that fault on the load leaks: • the data from the legitimate store address • but also the data from the REP MOV running on the hyper thread HT 1: REP MOV HT 1: REP MOV Valid Store, Faulty Load Valid Store, Faulty Load AAAAAAAAAAAAAAAA ABCDEFGHIJKLMNOP AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA 46
Recommend
More recommend