Microarchitectural Attacks in the Cloud Thomas Eisenbarth - - PowerPoint PPT Presentation

Microarchitectural Attacks in the Cloud

Thomas Eisenbarth 07.11.2017

Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universität Bochum

Outline

• Cloud and Cryptography
• Co-Location in the Cloud
• Cache Attacks in the Cloud
• Extracting Information across VM Boundaries
• Stopping Microarchitectural Attacks

2 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Cloud Computing

• Computation outsourced to cloud servers
• CSPs: many users on shared, homogeneous platforms
• Users rent VMs, share same computer
• What can go wrong?

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 3

Crypto in the Cloud

• Crypto Libraries designed for Server-World

– Attacks only via intended interfaces – Side Channels are minor concern – Fine-grain timing over network is difficult – If attacker monitors your CPU, bad crypto implementation is not your main problem

• CSP: your VM shares hardware with 10 others

– No worries, your data is secure

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 4

Microarchitectural Attacks?

Modern CPUs microarchitecture: “Make the common case fast”

• Branch Prediction
• Speculative & Out of

Order Execution

• Multicore + Multi-

processor System & Support

• Several layers of Caches

5 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Threats in IaaS clouds

• IaaS clouds imply hardware sharing across co-

located VMs  cost savings

• Hypervisor/VMM ensures logic isolation between

VMs.

• Software designed for single-user server world

➢Hardware leakages are still poorly protected, malicious VMs can still cause lots of damage.

Hardware VMM

Guest OS #1 Guest OS #2

VM VM

Spy Victim

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 6

Microarchitectural Attacks: Threat in IaaS clouds?

• Cache contention can reveal information about

the victims process (Cross core & cross CPU)

• DRAM accesses can be blocked & timed
• Row hammer adjacent lines in DRAM can cause

bit flips that can break isolation across VMs

• Attackers have shown to recover cryptographic

keys, passwords..

Guest OS #1 Guest OS #2

VM VM

Spy Victim

Shared L3 CACHE

Guest OS #1 Guest OS #2

VM VM

Spy Victim

DRAM

1 0 1 0 1 1 1 1 0 0 1 0 0 1 1 1 1 1 0 1 0 1 0 1 1 1 1 0 0 1 0 1 1 1 1 1 1 0 Microachitectural Attacks in the Cloud - Thomas Eisenbarth 7

Co-location in the Cloud

First Step: Co-Location

First success in 2009 on AWS [RTS09]:

• 1. Launch many instances on cloud
• 2. Check if any are co-located
• How to detect Co-location?

– Logical Side Channels: Ping time, IP address of instance or hypervisor? – Arch. Side Channels: Disk Load?

9

* In Sept 2008

[RTSS09] Ristenpart, T., Tromer, E., Shacham, H., and Savage, S. Hey, You, Get off of My Cloud: Exploring Information Leakage in Third- party Compute Clouds. ACM CCS '09

Co-Location Now?

AWS EC2:

– Ping is constant time – HDDs replaced with SSDs – Dom0 IPs hidden – Logical side channels are closed

➢New Co-location detection needed

– Cache Covert Channel – Software Profiling in LLC – Memory Bus Locking

10

Architectural Side Channels difficult to prevent

[XWW15] XU, Z., WANG, H., AND WU, Z. A measurement study on co-residence threat inside the cloud. USENIX Security 15 [VZRS15] VARADARAJAN, ZHANG, RISTENPART, AND SWIFT: A placement vulnerability study in multi-tenant public clouds. USENIX Security 15 [IGES16] Inci, Gulmezoglu, Eisenbarth, Sunar: Co-location Detection on the Cloud COSADE 16

Line n Line n+1

Memory Bus Locking

• Atomic Instructions: ensure memory

coherency and synchronization

– CMPXCHG, FADDL, XADDL etc.

• Atomic instruction on a cache line

– The cache line is locked

• For data spanning multiple cache lines,

locking single cache line not sufficient

• Latest Intel CPUs flush the memory
• perations

– From pipelines of all cores and CPUs – Works in multi-socket systems

• Results in a significant performance

penalty to other applications

11

data data

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Investigating Logical Channels in Azure

Azure IaaS: 2nd largest IaaS, fastest growing Cloud?

• Strategy:

Use bus locking (µArch channel) as ground truth to identify logical channelscheaper, faster, stealthy

• Experiment setup:

– 4 different accounts: East US2 region – 20 single/dual VMs per account – 0.75GB RAM; Ubuntu 14.04 – Azure command line interface

➢ 120 co-located pairs

➢Private IPs: 60 machines per subnet ➢All co-located machines in same /16 subnet

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 12

NetCold: deriving the identity

• f co-resident VMs [IIES16]

Co-resident VMs reside in same subnets + share MAC vID

• NetCold: retrieve identities of co-resident servers
• 1. Checking the internal IP address and the MAC ID

Co-residency

• 2. Connect Internal IP to Identity

– If internal port open: retrieve service (e.g. HTTP) directly – If internal port closed: scan external IP specifying the MAC address If the VM is co-resident and MAC address matches  response; else no response

13

[IIES16] Inci, Irazoqui, Eisenbarth, Sunar: Efficient, Adversarial Neighbor Discovery using Logical Channels on Microsoft Azure ACSAC 2016

Co-location is Feasible

• Co-residence inherent to resource sharing
• CSPs cannot prevent it, but can hinder

detection

• Logical Side Channels:

– cheap, fast, stealthy, but preventable by ISP

• Arch. Side Channels:

– difficult to prevent  remain open – harder to exploit

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 14

Cache Attacks

Cache as Cross-VM Side Channel

• Adversary and victim share full access to cache
• Cross Core: Last Level Cache (L3 Cache) accesses
• Cache Access cannot be virtualized

(70x slowdown)

16 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

• Keeps only one copy of duplicate data in RAM

– Kernel Same page Merging in Linux and KVM – Transparent Page Sharing in VMware VMM – Solutions for Xen available as well  Is now an opt-in feature for VMMs! (Default for OSs)

• When Target VM accesses page

– page copied to cache: copy in shared LLC – Subsequent Spy VM access also faster!  Spy can detect Target VMs accesses to known pages

How to track victim’s data? Deduplication

17

Source:

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

18

Private L1/L2 CACHE Shared L3 CACHE Memory Victim Spy

Fast reload time Slow reload time

Clean detection if monitored memory line was accessed

Flush+Reload Attack: Concept

Steps:

• 1. Flush desired memory lines
• 2. Wait for some time
• 3. Reload memory lines and measure reload time.

How to get crypto keys?

Detect key-dependent cache accesses:

• RSA/ElGamal:

– Sliding window exponentiation – Occurrence of multiplicands in cache reveals key bits

• AES:

– T-table implementation: Xors and table lookups – Detect t-table access in last round (table entry corresponding to 𝑑𝑗is always in LLC)

19 [YF14] Y Yarom, KE Falkner Flush+ Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack, USENIX Security 2014 [IIES14] Irazoqui, G., Inci, M. S., Eisenbarth, T., & Sunar, B. Wait a minute! A fast, Cross-VM attack on AES. RAID 2014 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Are Cross-VM Cache Attacks Realistic?

Cross-VM Flush+Reload Attacks work if

• Server has a shared level of cache
• Attacker and the victim are physically co-

located

• VMM implements memory deduplication
• Memory Deduplication can enable Cross-VM

cache attacks

– http://kb.vmware.com/kb/2080735

20 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Cross-VM Cache Attacks

Cache Attacks?

• Cache Attacks are old [Hu92]
• Popular Method: Prime+Probe [OST06]:

1. Flush Prime memory lines

fill monitored cache set with dummy data: eviction set

• 2. Wait for some time

3. Reload Probe memory lines

read eviction set data and time read

• Problems:

– Usually only applied on L1-cache (64kb)  not cross-core – L3-Cache is too large(25MB!) and not controllable? Solution: Huge Pages give control of L3$ to spy

22 [Hu92] Hu, W.-M. (Digital Equipment Corp., Littleton, MA, USA) Lattice scheduling and covert channels. IEEE Oakland 92 [OST06] DA Osvik, A Shamir, E Tromer Cache attacks and countermeasures: the case of AES. CT-RSA 2006 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Are Cross-VM Cache Attacks Realistic?

Cross-VM Cache Attacks on crypto such as El Gamal [LY+15] or AES [IES15] work if

• Server has a shared level of cache
• Attacker and the victim are physically co-

located

• VMM implements memory deduplication

23 [LY+15] Liu, F., Yarom, Y., Ge, Q., Heiser, G., & Lee, R. B. (2015). Last-Level Cache Side-Channel Attacks are Practical. (S&P 2015). [IES15] Irazoqui, G., Eisenbarth, T., & Sunar, B. S$A: A shared cache attack that works across cores and defies VM sandboxing—and Its application to AES. 36th IEEE Symposium on Security and Privacy (S&P 2015) Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Test Setup

• AWS EC2 m2.medium instances:

– Intel Xeon E5 2670 v2 CPU @2.5 GHz – 10 cores share 25 MB of L3 cache – Modified (Hardened) Xen VMM – Up to 10 co-located instances (VMs)

24

• 4 accounts w/ 20 instances

(no within-acc colocation)

• Up to 6 co-located pairs
• Cache access patterns can be used to identify

relevant targets

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

First successful Cache-Attack in Amazon IaaS Cloud

• Full RSA key recovery on EC2:

– Co-location via LLC channel

• Other possible attacks:

– AES key extraction with ciphertext – Code-Detection: e.g. crypto libraries

• Major Crypto Libraries

(openSSL/Libgcrypt) are widely patched

• Most users in cloud use outdated libraries

– Targets of opportunity instead of targeted attacks?

• How to protect non-cryptographic Code?

25 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Targeted Co-Location Necessary?

Case study: EC2 South America East region

• About 340.000 responding hosts
• About 10% listening on TLS port 443
• 55% use outdated TLS crypto libraries!

Alternate Approach: Bulk Key Recovery

• Launch many instances and monitor for keys
• Cause additional traffic to vulnerable hosts

Recover many keys at once

26 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Non-Crypto Attacks

Non-Crypto Attacks: Application Detection

• Can applications be detected through Cache?
• Complex leakage: Use Machine Learning

Scenario:

• Applications: 40 test apps from Phoronics Test

Suite

• Asynchronous Leakage: 10.000 samples,

combined with FFT

• Extraction using Support Vector Machines (SVM)
• Native L1 vs. Native LLC vs. EC2 Cloud LLC

29

[GES17] B. Gulmezoglu and T. Eisenbarth and B. Sunar: Cache-Based Application Detection in the Cloud Using Machine Learning AsiaCCS 2017

Application Detection: Results

Native L1

• 10.000 points

➢Up to 97.95% SR

30

LLC: Native vs. AWS

• Single set monitored

➢77.65% SR in Native ➢60.22% in EC2 Cloud

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Web Site Detection

• Can spy processes monitor your browsing behavior in

private browsing?

• Monitors performance counters in Linux

– 10k to 50k events on 3 counters – Convolutional Neural Networks and SVMs perform best

• Alexa to 30 web sites:

31

Up to 86% on Google Chrome (private mode) Up to 71% on Tor Browser

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Detecting Whistleblowing Sites

• Alexa top 30 + Ten whistleblowing sites on Tor browser
• Classification rate still 68% average
• Can be pushed by successive guesses

[GZES17] B.Gulmezoglu and A. Zankl and T. Eisenbarth. and B. Sunar PerfWeb: How to Violate Web Privacy with Hardware Performance Events ESORICS 2017

32

Preventing Cache Attacks

Cache Attack Prevention

Requirements:

• Access to Shared Resource
• High resolution timer

Simple Mitigations:

• Disable Caches
• Disable Deduplication
• Dedicated Core
• Dedicated Machine
• Disable high-res timers, flush instruction etc.

34

 up to 70x execution time prevents many attacks  protects L1 & L2 caches  for security-critical apps Attacker can build replacements

Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Cache Attack Prevention

Idea: Don’t share cache

• Partition cache for VMs or critical processes
• VM gets small private subset of cache

➢Performance degradation from small cache Examples:

• STEALTHMEM [KPM12]:

– software-only approach

• CATalyst [LGY+16]:

– uses Intel’s Cache Allocation Technology (CAT)

35 [KPM12] KIM, PEINADO, MAINAR-RUIZ: STEALTHMEM: system-level protection against cache-based side channel attacks in the cloud. USENIX Security 12 [LGY+16] LIU, GE, YAROM, et al.: Catalyst: Defeating last-level cache side channel attacks in cloud computing IEEE HPCA 2016 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Cache Attack Prevention

Write unexploitable Code

• Constant execution time
• Secret-independent execution flow
• Secret-independent memory accesses

36 Microachitectural Attacks in the Cloud - Thomas Eisenbarth

Conclusions

• Microarchitectural attacks on Cloud remain

possible

– SGX is not going to change that

• Co-location detection cannot be prevented

– CSPs can hinder – Dedicated server for security-critical tasks

• Use constant-time crypto libraries

– Design philosophy better than patchwork of fixes

Microachitectural Attacks in the Cloud - Thomas Eisenbarth 37

38

Thank You!

vernam.wpi.edu its.uni-luebeck.de thomas.eisenbarth@uni-luebeck.de

Microachitectural Attacks in the Cloud - Thomas Eisenbarth