Meltdown & Spectre Attacks - PowerPoint PPT Presentation

SLIDE 1

Meltdown & Spectre Attacks

SLIDE 2

Overview

  • An analogy
  • CPU cache and use it as side channel
  • Meltdown attack
  • Spectre attack

SLIDE 3

Microsoft Interview Question

SLIDE 4

Stealing A Secret

Secret: 7

Guard with Memory Eraser

Restricted Room

SLIDE 5

CPU Cache

SLIDE 6

From Lights to CPU Cache

Question

You just learned a secret number 7, and you want to keep it. However, your memory will be erased and whatever you do will be rolled back (except the CPU cache). How do you recall the secret after your memory about this secret number is erased?

SLIDE 7

Using CPU Cache to Remember Secret

SLIDE 8

The FLUSH+RELOAD Technique

  • FLUSH: Flush the CPU cache
  • RELOAD: Check which one is in the cache
  • Access memory location at S

Secret S

SLIDE 9

FLUSH+RELOAD: The FLUSH Step

Flush the CPU Cache

SLIDE 10

FLUSH+RELOAD: The RELOAD Step

SLIDE 11

The Meltdown Attack

SLIDE 12

The Security Room and Guard

SLIDE 13

Staying Alive: Exception Handling in C

SLIDE 14

Out-Of-Order Execution

SLIDE 15

Out-of-Order Execution

How do I prove that the out-of-order execution has happened?

SLIDE 16

Out-of-Order Execution Experiment

Evidence of out-of-order execution

SLIDE 17

Meltdown Attack: A Naïve Approach

SLIDE 18

Improvement: Get Secret Cached

Why does this help?

SLIDE 19

Improve the Attack Using Assembly Code

Execution Results

SLIDE 20

Improve the Attack Using a Statistical Approach

SLIDE 21

Countermeasures

  • Fundamental problem is in the CPU hardware
  • Expensive to fix
  • Develop workaround in operating system
  • KASLR (Kernel Address Space Layout Randomization)
  • Does not map any kernel memory in the user space, except for some parts required by the x86 architecture (e.g., interrupt handlers)
  • User-level programs cannot directly use kernel memory addresses, as such addresses cannot be resolved

SLIDE 22

The Spectre Attack

SLIDE 23

Will It Be Executed?

Will Line 3 be executed if x > size?

SLIDE 24

Out-Of-Order Execution

SLIDE 25

Let’s Find a Proof

  • FLUSH: Flush the CPU cache
  • RELOAD: Check which one is in the cache
  • Invoke victim(97)

size is 10

Not always working though

Training: Train CPU to go to the true branch

Evidence

SLIDE 26

Target of the Attack

This protection pattern is widely used in software sandboxes (such as those implemented inside browsers)
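
The bounds-check pattern this slide refers to, shown beside a variant that clamps the index without a branch. This is an added example, not code from the original slides; the names buffer, size, index_mask and victim_hardened are assumptions, and the masking follows the idea behind the Linux kernel's array_index_nospec helper, which is applied per call site.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data; the names buffer/size are assumptions. */
static uint8_t buffer[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
static size_t size = 10;               /* "size is 10" on slide 25 */

/* The plain bounds check. Architecturally the load never happens for an
 * out-of-range x, but a predictor trained toward the true branch can run
 * it speculatively before the comparison resolves. */
uint8_t victim(size_t x)
{
    if (x < size)
        return buffer[x];
    return 0;
}

/* All-ones when idx < sz, zero otherwise, computed without a branch.
 * Assumes sz <= SIZE_MAX / 2 and an arithmetic right shift of negative
 * values (true for GCC and Clang). */
static size_t index_mask(size_t idx, size_t sz)
{
    intptr_t v = ~(intptr_t)(idx | (sz - 1 - idx));
    return (size_t)(v >> (sizeof(intptr_t) * 8 - 1));
}

/* Hardened form: the index is clamped by data flow, not control flow, so
 * a mispredicted branch can only ever load buffer[0]. */
uint8_t victim_hardened(size_t x)
{
    if (x < size) {
        size_t mask = index_mask(x, size);
#if defined(__GNUC__)
        __asm__ volatile("" : "+r"(mask)); /* keep the optimizer from folding the mask into the branch */
#endif
        return buffer[x & mask];
    }
    return 0;
}

int main(void)
{
    printf("victim(7)=%u  victim(97)=%u\n", victim(7), victim(97));
    printf("hardened(7)=%u  hardened(97)=%u\n", victim_hardened(7), victim_hardened(97));
    printf("mask(7)=%zx  mask(97)=%zx\n", index_mask(7, size), index_mask(97, size));
    return 0;
}
```

Both functions return the same architectural results; the difference is only in which address a speculative load could touch.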

SLIDE 27

The Spectre Attack

spectreAttack(int larger_x)

SLIDE 28

Attack Result

Why is 0 in the cache?

Success

SLIDE 29

Spectre Variant and Mitigation

  • Since it was discovered in 2017, several Spectre variants have been found
  • Affecting Intel, AMD, and ARM
  • The problem is in hardware
  • Unlike Meltdown, there is no easy software workaround

SLIDE 30

Summary

  • Stealing secrets using side channels
  • Meltdown attack
  • Spectre attack
  • A form of race condition vulnerability
  • Vulnerabilities are inside hardware
  • AMD, Intel, and ARM are affected