Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universität Bochum
Outline • Cloud and Cryptography • Co-Location in the Cloud • Cache Attacks in the Cloud • Extracting Information across VM Boundaries • Stopping Microarchitectural Attacks Microachitectural Attacks in the Cloud - 2 Thomas Eisenbarth
Cloud Computing • Computation outsourced to cloud servers • CSPs: many users on shared, homogeneous platforms • Users rent VMs, share same computer • What can go wrong? Microachitectural Attacks in the Cloud - 3 Thomas Eisenbarth
Crypto in the Cloud • Crypto Libraries designed for Server-World – Attacks only via intended interfaces – Side Channels are minor concern – Fine-grain timing over network is difficult – If attacker monitors your CPU, bad crypto implementation is not your main problem • CSP: your VM shares hardware with 10 others – No worries, your data is secure Microachitectural Attacks in the Cloud - 4 Thomas Eisenbarth
Microarchitectural Attacks? Modern CPUs microarchitecture: “Make the common case fast” • Branch Prediction • Speculative & Out of Order Execution • Multicore + Multi- processor System & Support • Several layers of Caches Microachitectural Attacks in the Cloud - 5 Thomas Eisenbarth
Threats in IaaS clouds • IaaS clouds imply hardware sharing across co- located VMs cost savings • Hypervisor/VMM ensures logic isolation between VMs. • Software designed for single-user server world ➢ Hardware leakages are still poorly protected, malicious VMs can still cause lots of damage. Guest OS #2 Spy Guest OS #1 Victim VM VM VMM Hardware Microachitectural Attacks in the Cloud - 6 Thomas Eisenbarth
Microarchitectural Attacks: Threat in IaaS clouds? • Cache contention can reveal information about the victims process (Cross core & cross CPU) • DRAM accesses can be blocked & timed • Row hammer adjacent lines in DRAM can cause bit flips that can break isolation across VMs • Attackers have shown to recover cryptographic keys, passwords.. Guest OS #2 Spy Victim Guest OS #2 Guest OS #1 Spy Guest OS #1 Victim VM VM VM VM 1 0 1 0 1 1 1 1 0 0 1 0 0 1 1 1 1 1 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 1 1 1 1 0 DRAM Shared L3 CACHE Microachitectural Attacks in the Cloud - 7 Thomas Eisenbarth
Co-location in the Cloud
First Step: Co-Location First success in 2009 on AWS [RTS09]: 1. Launch many instances on cloud * In Sept 2008 2. Check if any are co-located • How to detect Co-location? – Logical Side Channels: Ping time, IP address of instance or hypervisor? – Arch. Side Channels: Disk Load? [RTSS09] Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third- 9 party Compute Clouds. ACM CCS '09
Co-Location Now? AWS EC2: – Ping is constant time – HDDs replaced with SSDs – Dom0 IPs hidden – Logical side channels are closed ➢ New Co-location detection needed – Cache Covert Channel Architectural Side Channels – Software Profiling in LLC difficult to prevent – Memory Bus Locking [XWW15] XU, Z., WANG, H., AND WU, Z. A measurement study on co-residence threat inside the cloud . USENIX Security 15 [VZRS15] VARADARAJAN, ZHANG, RISTENPART, AND SWIFT: A placement vulnerability study in multi-tenant public clouds . USENIX Security 15 10 [IGES16] Inci, Gulmezoglu, Eisenbarth, Sunar: Co-location Detection on the Cloud COSADE 16
Memory Bus Locking • Atomic Instructions: ensure memory Line n data coherency and synchronization – CMPXCHG, FADDL, XADDL etc. data Line n+1 • Atomic instruction on a cache line – The cache line is locked • For data spanning multiple cache lines, locking single cache line not sufficient • Latest Intel CPUs flush the memory operations – From pipelines of all cores and CPUs – Works in multi-socket systems • Results in a significant performance penalty to other applications Microachitectural Attacks in the Cloud - 11 Thomas Eisenbarth
Investigating Logical Channels in Azure Azure IaaS: 2nd largest IaaS, fastest growing Cloud? • Strategy: Use bus locking (µArch channel) as ground truth to identify logical channels cheaper, faster, stealthy • Experiment setup: – 4 different accounts: East US2 region – 20 single/dual VMs per account – 0.75GB RAM; Ubuntu 14.04 – Azure command line interface ➢ 120 co-located pairs ➢ Private IPs: 60 machines per subnet ➢ All co-located machines in same /16 subnet Microachitectural Attacks in the Cloud - 12 Thomas Eisenbarth
NetCold: deriving the identity of co-resident VMs [IIES16] Co-resident VMs reside in same subnets + share MAC vID • NetCold : retrieve identities of co-resident servers 1. Checking the internal IP address and the MAC ID Co-residency 2. Connect Internal IP to Identity – If internal port open: retrieve service (e.g. HTTP) directly – If internal port closed: scan external IP specifying the MAC address If the VM is co-resident and MAC address matches response; else no response [IIES16] Inci, Irazoqui, Eisenbarth, Sunar: Efficient, Adversarial Neighbor Discovery using Logical 13 Channels on Microsoft Azure ACSAC 2016
Co-location is Feasible • Co-residence inherent to resource sharing • CSPs cannot prevent it, but can hinder detection • Logical Side Channels: – cheap, fast, stealthy, but preventable by ISP • Arch. Side Channels: – difficult to prevent remain open – harder to exploit Microachitectural Attacks in the Cloud - 14 Thomas Eisenbarth
Cache Attacks
Cache as Cross-VM Side Channel • Adversary and victim share full access to cache • Cross Core: Last Level Cache (L3 Cache) accesses • Cache Access cannot be virtualized (70x slowdown) Microachitectural Attacks in the Cloud - 16 Thomas Eisenbarth
How to track victim’s data? Deduplication • Keeps only one copy of duplicate data in RAM – K ernel S ame page M erging in Linux and KVM – T ransparent P age S haring in VMware VMM – Solutions for Xen available as well Is now an opt-in feature for VMMs! (Default for OSs) Source: • When Target VM accesses page – page copied to cache: copy in shared LLC – Subsequent Spy VM access also faster! Spy can detect Target VMs accesses to known pages Microachitectural Attacks in the Cloud - 17 Thomas Eisenbarth
Flush+Reload Attack: Concept Steps: 1. Flush desired memory lines 2. Wait for some time 3. Reload memory lines and measure reload time. Victim Spy Private L1/L2 CACHE Slow reload time Fast reload time Shared L3 CACHE Clean detection if monitored memory line was accessed Memory 18
How to get crypto keys? Detect key-dependent cache accesses: • RSA/ElGamal: 250 Decryption First Secret Second Secret Exponent (dp) Start Exponent (dq) 200 – Sliding window exponentiation 150 Reload time 100 – Occurrence of multiplicands in 50 0 cache reveals key bits 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 11000 timeslot • AES: – T-table implementation: Xors and table lookups – Detect t-table access in last round (table entry corresponding to 𝑑 𝑗 is always in LLC) [YF14] Y Yarom, KE Falkner Flush+ Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack, USENIX Security 2014 Microachitectural Attacks in the Cloud - 19 Thomas Eisenbarth [IIES14] Irazoqui, G., Inci, M. S., Eisenbarth, T., & Sunar, B. Wait a minute! A fast, Cross-VM attack on AES . RAID 2014
Are Cross-VM Cache Attacks Realistic? Cross-VM Flush+Reload Attacks work if • Server has a shared level of cache • Attacker and the victim are physically co- located • VMM implements memory deduplication • Memory Deduplication can enable Cross-VM cache attacks – http://kb.vmware.com/kb/2080735 Microachitectural Attacks in the Cloud - 20 Thomas Eisenbarth
Cross-VM Cache Attacks
Cache Attacks? • Cache Attacks are old [Hu92] • Popular Method: Prime+Probe [OST06]: 1. Flush Prime memory lines fill monitored cache set with dummy data: eviction set 2. Wait for some time 3. Reload Probe memory lines read eviction set data and time read • Problems: – Usually only applied on L1-cache (64kb) not cross-core – L3-Cache is too large(25MB!) and not controllable? Solution : Huge Pages give control of L3$ to spy Microachitectural Attacks in the Cloud - [Hu92] Hu, W.-M. (Digital Equipment Corp., Littleton, MA, USA) Lattice scheduling and covert channels. IEEE Oakland 92 22 Thomas Eisenbarth [OST06] DA Osvik, A Shamir, E Tromer Cache attacks and countermeasures: the case of AES . CT-RSA 2006
Are Cross-VM Cache Attacks Realistic? Cross-VM Cache Attacks on crypto such as El Gamal [LY+15] or AES [IES15] work if • Server has a shared level of cache • Attacker and the victim are physically co- located • VMM implements memory deduplication [LY+15] Liu, F., Yarom, Y., Ge, Q., Heiser, G., & Lee, R. B. (2015). Last-Level Cache Side-Channel Attacks are Practical . (S&P 2015). Microachitectural Attacks in the Cloud - [IES15] Irazoqui, G., Eisenbarth, T., & Sunar, B. S$A: A shared cache attack that works across cores and defies VM sandboxing — and 23 Thomas Eisenbarth Its application to AES . 36th IEEE Symposium on Security and Privacy (S&P 2015)
Recommend
More recommend
