microarchitectural attacks
play

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad - PowerPoint PPT Presentation

Jun 28, 2023 •420 likes •950 views

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

  1. Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad “Daniel” Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi

  2. OUTLINE ▪ Summary of Recent Contributions: ▪ Microarchiture → MemJam ▪ Intel SGX → CacheZoom ▪ Intel EPID → CacheQuote ▪ Speculation → Spoiler ▪ Mitigation → MicroWalk ▪ Shared FPGA-CPU Hardware Security ▪ Proposal ▪ Lab Equipment/Setup ▪ Ongoing Work 2

  3. Microarchitecture (Memory) 3

  4. μ Arch Attacks: Data Dependency add %ebx, %eax 1 sub %eax, %edx 2 xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 4

  5. μ Arch Attacks: Pipelined Memory Exec add %ebx, %eax 1 IF ID sub %eax, %edx 2 IF xor %ecx, %ecx 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 5

  6. μ Arch Attacks: Pipelined Memory Exec add %ebx, %eax 1 IF ID EX sub %eax, %edx 2 IF ID xor %ecx, %ecx IF 3 add %eax, %edi 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 6

  7. μ Arch Attacks: Pipelined Memory Exec add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX xor %ecx, %ecx IF ID 3 add %eax, %edi IF 4 sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 7

  8. μ Arch Attacks: Pipelined Memory Exec add %ebx, %eax 1 WB IF ID EX sub %eax, %edx 2 IF ID EX EX WB xor %ecx, %ecx IF ID 3 EX WB add %eax, %edi WB EX IF ID 4 EX WB IF ID sub %ecx, %edi 5 Instruction Fetch IF Instruction Decode ID Execute EX Write Back WB 8

  9. μ Arch Attacks: 4K Aliasing False Dependency Memory loads/stores are executed out of order and speculatively ▪ The dependency is verified after the execution! ▪ mov %eax, (%ebx) Execute Execute Store Load Store mov (%ecx), %edx Load Dependent? Yes 4K Aliasing: Addresses that are 4K apart are assumed dependent ▪ Re-execute the load and corresponding instructions due to false dependency ▪ Virtual-to-physical address translation → Memory disambiguation ▪ 9

  10. μ Arch Attacks – Hyperthreading 4K Aliasing Core HT – Thread A HT – Thread B Load 0xFECD1 Load 0xFECD2 Execute & Time Load 0xFECD3 Load 0xFECD4 Load 0xFECD5 Load 0xFECD6 Load 0xFECD7 Load 0xFECD8 10

  11. μ Arch Attacks – Hyperthreading 4K Aliasing Core HT – Thread A HT – Thread B Store 0x12ABCDEF Load 0xFECD1 Store 0x12ABCDEF Load 0xFECD2 Execute & Time Store 0x12ABCDEF Load 0xFECD3 Store 0x12ABCDEF Load 0xFECD4 Store 0x12ABCDEF Load 0xFECD5 Store 0x12ABCDEF Load 0xFECD6 Store 0x12ABCDEF Load 0xFECD7 Store 0x12ABCDEF Load 0xFECD8 Store 0x12ABCDEF Store 0x12ABCDEF 11

  12. μ Arch Attacks – Hyperthreading 4K Aliasing Core HT – Thread A HT – Thread B Store 0x12ABC200 Load 0xFECD1 Store 0x12ABC200 Load 0xFECD2 Execute & Time Store 0x12ABC200 Load 0xFECD3 Store 0x12ABC200 Load 0xFECD4 Store 0x12ABC200 Load 0xFECD5 Store 0x12ABC200 Load 0xFECD6 Store 0x12ABC200 Load 0xFECD7 Store 0x12ABC200 Load 0xFECD8 Store 0x12ABC200 Store 0x12ABC200 12

  13. μ Arch Attacks – Hyperthreading 4K Aliasing Core HT – Thread A HT – Thread B Store 0x12ABC Load 0xFECD1 Store 0x12ABC Load 0xFECD2 Execute & Time Store 0x12ABC Load 0xFECD3 Store 0x12ABC Load 0xFECD4 Store 0x12ABC Load 0xFECD5 Store 0x12ABC Load 0xFECD6 Store 0x12ABC Load 0xFECD7 Store 0x12ABC Load 0xFECD8 Store 0x12ABC Store 0x12ABC 13

  14. MemJam 14

  15. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) 15

  16. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks 16

  17. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/LLC Cache Attacks 17

  18. MemJam – Intra Cache Line Resolution Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) L1 Cache Attacks L2/LLC Cache Attacks Conflicted intra-cache line Leakage (4-byte granularity) ▪ Higher time correlates → Memory accesses with the same bit 3 to 12 ▪ 4 bits of intra-cache level leakage ▪ 18

  19. MemJam Attack CPU Core Core HT HT HT HT Execute load compute load Execute Again load compute load Higher time if there compute are more number of load 4K conflicts load Encryption 19 Service

  20. Constant time AES – Safe2Encrypt_RIJ128 Scatter-gather implementation of AES ▪ 256 S-Box – 4 Cache Line ▪ Cache independent access pattern ▪ Implemented and distributed as part of Intel products ▪ Intel SGX Linux Software Development Kit (SDK) ▪ Intel IPP Cryptography Library ▪ 64 Bytes A LINE 2 4 Cache Lines B LINE 2 C LINE 2 D LINE 2 B D A C B S-Box Lookup 20 Local Buffer

  21. MemJam Attack on Safe2Encrypt_RIJ128 64 Bytes LINE 2 4 Cache Lines 21 Local Buffer

  22. MemJam Attack on Safe2Encrypt_RIJ128 64 Bytes LINE 2 4 Cache Lines 22 Local Buffer

  23. Intel SGX 23

  24. INTEL SOFTWARE GUARD EXTENSION (SGX) ▪ Trusted Execution Environment (TEE) ▪ Enclave: Hardware protected user-level software module ▪ Loaded by the user program ▪ Mapped by the Operating System ▪ Authenticated and Encrypted by CPU ▪ Memory accesses are protected by the hardware 24

  25. MemJam Attack on SGX 25

  26. CacheZoom: Controlled Cache Attack ON SGX 1. Isolation of the target & victim cache 2. Stabilize the processor frequency 3. Perform the attack on small exec steps by interrupting the victim 4. Measure and filter the remaining noise 26

  27. CacheZoom: Interrupted Cache Attack PC L1D Cache 0 1 2 3 4 Step 1: Attacker prime all the L1D sets 5 6 7 8 … 56 57 58 59 60 61 62 63 27

  28. CacheZoom: Interrupted Cache Attack PC L1D Cache 0 1 2 3 4 Step 1: Attacker prime all the L1D sets 5 Step 2: Victim executes some codes 6 7 8 … 56 57 58 59 60 61 62 63 28

  29. CacheZoom: Interrupted Cache Attack L1D Cache 0 PC 1 2 3 4 Step 1: Attacker prime all the L1D sets 5 Step 2: Victim executes some codes 6 7 8 … 56 57 58 59 60 61 62 63 29

  30. CacheZoom: Interrupted Cache Attack L1D Cache 0 PC 1 2 3 4 Step 1: Attacker prime all the L1D sets 5 Step 2: Victim executes some codes 6 7 8 … Step 3: Attacker interrupts the execution pipeline 56 57 58 59 60 61 62 63 30

  31. CacheZoom: Interrupted Cache Attack L1D Cache 0 PC 1 2 3 4 Step 1: Attacker prime all the L1D sets 5 Step 2: Victim executes some codes 6 7 8 … Step 3: Attacker interrupts the execution pipeline 56 Step 4: Attacker probes the access times 57 58 → Go to step 1 59 60 61 62 63 31

  32. CacheZoom: Interrupted Cache Attack L1D Cache 0 1 2 3 4 Step 1: Attacker prime all the L1D sets PC 5 Step 2: Victim executes some codes 6 7 8 … Step 3: Attacker interrupts the execution pipeline 56 Step 4: Attacker probes the access times 57 58 → Go to step 1 59 60 61 62 63 32

  33. CacheZoom: Interrupted Cache Attack L1D Cache 0 1 2 3 4 Step 1: Attacker prime all the L1D sets PC 5 Step 2: Victim executes some codes 6 7 8 … Step 3: Attacker interrupts the execution pipeline 56 Step 4: Attacker probes the access times 57 58 → Go to step 1 59 60 61 62 63 33

  34. CacheZoom: Interrupted Cache Attack 34

  35. CacheQuote 35

  36. CacheQuote Attack Quoting Enclave: ▪ EPID Signature scheme built-in enclave by Intel ▪ Attest the integrity of user-provided enclave ▪ ▪ EPID Implementation (is)was not constant-time 36

  37. CacheQuote Attack Loop iteration leaks Leading Zero Bits ▪ CacheZoom to accurately measure ▪ Feed the short vectors to a lattice and ▪ 37

  38. Memory Speculation 38

  39. Speculative Memory Accesses 39

  40. Spoiler on Spoiler Attack 40

  41. MicroWalk : Finding μ Arch Sources in Binaries Detecting Leakages based on Binary Instrumentation ▪ and Mutual Information Analysis 41

  42. Accelerators in the Cloud 42

  43. Side-channel Threats Shared FPGA-CPU Platforms FPGAs on the cloud can boost applications ▪ Optimized Application-specific Hardware Configuration ▪ e.g Real-time Artificial Intelligence ▪ New Attack Surface: ▪ Accelerator Function Units (AFUs) placed on the FPGA can be used to interact with the CPU ▪ or other AFUs for malicious purpose. AFU to AFU Attack ▪ AFU to HPS Attack ▪ AFU to CPU Attack ▪ CPU to AFU Attack ▪ Across VMS ? ▪ 43

  44. Shared FPGA-CPU Platforms 44

  45. Attack Vectors Rowhammer DMA/IOMMU Cache Attacks ▪ ▪ ▪ Trojan Bitstreams FPGA-centric Attacks Cold Boot ▪ ▪ ▪ 45

  46. What is interesting about FPGA-CPU in the Cloud? Infancy, Attack/Defense Playground (Intel SGX in 2015) ▪ Customizable Hardware → More Devastating Attacks ▪ E.g. Design your own timers, Direct access to memory interface, etc. ▪ Complex Threat Model ▪ 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography

Microarchitectural Attacks in the Cloud Thomas Eisenbarth 07.11.2017 Workshop on Cryptography for the Internet of Things and Cloud Ruhr-Universitt Bochum Outline Cloud and Cryptography Co-Location in the Cloud Cache Attacks in the

2.23k views • 37 slides
MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher Presented by Mengjia Yan MIT 6.888 Fall 2020 Why this paper? We have read

965 views • 42 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural Attacks Using Protean Code Jeremy Erickson Akshitha Sriraman Sai Gouravajhala jericks@umich.edu akshitha@umich.edu sairohit@umich.edu EECS 583:

331 views • 12 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

431 views • 21 slides
Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim, Christopher Torng, Shreesha Srinath, Derek Lockhart, and Christopher Batten Cornell University Cornell University IEEE/ACM International Symposium on

633 views • 31 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.

1.68k views • 138 slides
TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan Beckmann, Anurag Mukkara, Po-An Tsai MIT CSAIL MICRO-48 Tutorial December 5, 2015 Welcome! Agenda 4 8:30 9:10 Intro and Overview 9:10

1.53k views • 124 slides
Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth

Prevention of Microarchitectural Covert Channels on an Open-Source 64-bit RISC-V Core Fourth Workshop on Computer Architecture Research with RISC-V (CARRV 2020) May 29 th , 2020 Nils Wistoff Moritz Schneider Frank K. Grkaynak Luca Benini

750 views • 58 slides
Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi,

Exploiting Microarchitectural Flaws in the Heart of the Memory Subsystem Daniel Moghimi, Worcester Polytechnic University Feb 20, 2020 Columbia University Spoiler!! 2 CPU Memory Subsystem Allocation Queue Front End CPU Memory Subsystem

1.59k views • 127 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi

Medusa: Microarchitectural Data Leakage via Automated Attack Synthesis Daniel Moghimi Moritz Lipp Berk Sunar Michael Schwarz 2018: Meltdown Attack? 2 2018: Meltdown Attack? Virtual Address Space User Space CPU Registers

1.14k views • 63 slides
Retirement in a Life Cycle Model With Home Production Richard Rogerson Johanna Wallenius

Retirement in a Life Cycle Model With Home Production Richard Rogerson Johanna Wallenius

Retirement in a Life Cycle Model With Home Production Richard Rogerson Johanna Wallenius November 2009 1 Background / Motivation This paper constitutes a first step toward understanding retirement in the context of optimal life cycle labor

740 views • 27 slides
A Coactive Learning View of Online Structured Prediction in SMT Artem Sokolov , Stefan Riezler

A Coactive Learning View of Online Structured Prediction in SMT Artem Sokolov , Stefan Riezler

A Coactive Learning View of Online Structured Prediction in SMT Artem Sokolov , Stefan Riezler , Shay B. Cohen Heidelberg University, University of Edinburgh Motivation Online learning protocol 1 observe input structure x t 2

439 views • 17 slides
Training-Time Optimization of a Budgeted Booster Yi Huang *Brian Powers Lev Reyzin University

Training-Time Optimization of a Budgeted Booster Yi Huang *Brian Powers Lev Reyzin University

Training-Time Optimization of a Budgeted Booster Yi Huang *Brian Powers Lev Reyzin University of Illinois at Chicago { yhuang,bpower6,lreyzin } @math.uic.edu July 30, 2015 Motivation: Making Predictions with a Budget We must classify a test

418 views • 19 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
On the Generalization Ability of Online Learning Algorithms for Pairwise Loss Functions

On the Generalization Ability of Online Learning Algorithms for Pairwise Loss Functions

On the Generalization Ability of Online Learning Algorithms for Pairwise Loss Functions Purushottam Kar , Bharath Sriperumbudur , Prateek Jain and Harish Karnick Indian Institute of Technology Kanpur Center for Mathematical

885 views • 46 slides
Meta-transfer Learning for Few-shot Learning Yaoyao Liu Tianjin University and NUS School of

Meta-transfer Learning for Few-shot Learning Yaoyao Liu Tianjin University and NUS School of

NUS-Tsinghua-Southampton Centre for Extreme Search Meta-transfer Learning for Few-shot Learning Yaoyao Liu Tianjin University and NUS School of Computing OUTLINE Research Background Methods Meta-transfer Learning Hard-task

455 views • 33 slides
A Unified Framework for Delay-Sensitive Communications Fangwen Fu fwfu@ee.ucla.edu Advisor:

A Unified Framework for Delay-Sensitive Communications Fangwen Fu fwfu@ee.ucla.edu Advisor:

A Unified Framework for Delay-Sensitive Communications Fangwen Fu fwfu@ee.ucla.edu Advisor: Prof. Mihaela van der Schaar Motivation C C o o n n

602 views • 45 slides
Robust Predictions in Dynamic Screening Daniel Garrett, Alessandro Pavan, Juuso Toikka March 2018

Robust Predictions in Dynamic Screening Daniel Garrett, Alessandro Pavan, Juuso Toikka March 2018

Introduction Model Wedges Allocations Continuum Simple Mechanisms Conclusions Robust Predictions in Dynamic Screening Daniel Garrett, Alessandro Pavan, Juuso Toikka March 2018 Introduction Model Wedges Allocations Continuum Simple

810 views • 76 slides

More recommend