microarchitectural cryptanalysis
play

Microarchitectural Cryptanalysis Daniel Moghimi Worcester - PowerPoint PPT Presentation

Feb 04, 2023 •284 likes •1.68k views

Revisiting Isolated and Trusted Execution via Microarchitectural Cryptanalysis Daniel Moghimi Worcester Polytechnic Institute Committee Members: Prof. Donald R. Brown (Department Head) Prof. Thomas Eisenbarth (Co-advisor) Prof.

  1. MemJam – Attacking So-Called Constant Time AES • Scatter-gather implementation of AES • Intel SGX Software Development Kit (SDK) and IPP Cryptography Library • 256 S-Box – 4 Cache Line • Cache independent access pattern 64 Bytes A LINE 2 4 Cache Lines B LINE 2 C LINE 2 D LINE 2 A B D C B S-Box Lookup 35

  2. MemJam – Attacking So-Called Constant Time AES 64 Bytes LINE 2 4 Cache Lines 36

  3. AES Key Recovery 37

  4. US 7,603,527 B2 RESOLVING FALSE DEPENDENCIES OF SPECULATIVE LOAD INSTRUCTIONS “an operation X may determine whether the lower portion of the virtual address of a speculative load instruction matches the lower portion of virtual addresses of older store operations” Loosnet Check …. “in an embodiment, the load instruction may have its input data forwarded from the store operation from which the load instruction depends at operation” Store Forwarding SPOILER Attack “If there is a hit at operation X and a miss at operation Y , … the physical addresses of the load and the store may be compared at an operation Z” “In one embodiment, if there is a hit at operation X and the physical Dependency Resolution address of the load or the store operations is not valid, the physical address check at operation Z may be considered as a hit” “In some embodiments, the physical address check at operation Z may use a partial physical address , e.g., base on data stored in the SAB. This makes the checking at operation Z conservative. Accordingly, in some embodiments, a match may occur on a partial address and block …” Finenet Check 38

  5. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer DATA PFN [8:0] VFN Offset DTLB DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset Load Buffer DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset DATA PFN VFN Offset DATA PFN [8:0] VFN Offset … …. … … Offset DATA PFN [8:0] VFN Offset DATA PFN VFN 39

  6. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem 64 pages L1 Store Buffer 0 x 4 0 0 F E 1 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 2 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 0 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 40

  7. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 2 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 3 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 1 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 41

  8. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 3 0 C 0 DATA PFN [8:0] VFN 0C0 0 x 4 0 0 F E 4 0 C 0 Stores DTLB DATA PFN [8:0] VFN 0C0 … … … …. … … 0 x 4 0 1 0 2 2 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 Load DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 42

  9. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer 0 x 4 0 0 F E 4 0 C 0 DATA PFN [8:0] VFN 0C0 Physical Addresses 0 x 4 0 0 F E 5 0 C 0 DTLB DATA PFN [8:0] VFN 0C0 … … 0 x 6 5 F 3 2 X X 0 C 0 … …. … … 0 x 4 0 1 0 2 3 0 C 0 DATA PFN [8:0] VFN 0C0 Load Buffer 0 x 3 2 A C 2 X X 0 C 0 DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 0 x 4 F 1 2 3 4 0 C 0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 43

  10. Spoiler: Finding Undocumented Aliasing … Virtual Pages Memory Subsystem L1 Store Buffer DATA PFN [8:0] VFN 0C0 DTLB DATA PFN [8:0] VFN 0C0 … …. … … DATA PFN [8:0] VFN 0C0 Load Buffer DATA PFN [8:0] VFN 0C0 DATA PFN VFN Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 0C0 DATA PFN [8:0] VFN 0C0 … …. … … Offset DATA PFN [8:0] VFN 0C0 DATA PFN VFN 44

  11. Spoiler: Finding Undocumented Aliasing … Virtual Pages 45

  12. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) Rest of the bits (Virtual != Physical) MemJam L1 Cache Attacks L2/L3 Cache Attacks 46

  13. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks PFN MemJam 47 L2/L3 Cache Attacks

  14. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN MemJam 48 L2/L3 Cache Attacks

  15. Spoiler: Learning on Physical Address Bits Least 12 bits (Virtual Address = Physical Address) VFN MemJam L1 Cache Attacks Pime+Probe on Cache, Eviction Sets, Rowhammer PFN Spoiler MemJam 49 L2/L3 Cache Attacks

  16. 2. Data Leakage via Automated Synthesis 50

  17. Transient Execution Attacks • Date leakage as oppose to access pattern leakage • Spectre • Due to the CPU’s branch Predictor. • Meltdown • Due the speculative behavior of the CPU’s memory subsystem • Data leakage wo/ any assumption about the victim software 51

  18. Meltdown 52

  19. Meltdown Attack Steps Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 53

  20. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever APP APP OS Hypervisor 54

  21. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever • Threat Model: Local adversary • Exploiting other threads (simultaneous multithreading) APP APP OS SMT Hypervisor • Exploiting previous process context Context Context Context Victim Attacker Victim Attacker Switch Switch Switch Process Process Process Process 55

  22. CPU Memory Subsystem – Leaky Buffers Memory Subsystem MSBDS Store Buffer DATA PFN [8:0] VFN Offset (Fallout) DATA PFN [8:0] VFN Offset … …. … … DATA PFN [8:0] VFN Offset L1 Fill Buffer MLPDS Load Buffer DATA PFN VFN Offset DATA PFN VFN Offset DTLB … …. … … VFN Offset DATA PFN MFBDS (ZombieLoad) L2 L3 DRAM L1TF 56

  23. Microarchitecture Data Sampling (MDS) • Meltdown is fixed but we could steal leak data on the fixed CPU. whatever • Threat Model: Local adversary • Exploiting other threads (simultaneous multithreading) APP APP SMT OS • Exploiting previous process context Hypervisor Context Context Context Victim Attacker Victim Attacker Switch Switch Switch Process Process Process Process • Which part of the CPU leak the data?! • Store Buffer (Fallout) • Line Fill Buffer (ZombieLoad) 57

  24. Challenges with MDS Testing? • Reproducing attacks is not reliable. • No public tool to find new variants or to verify hardware patches. • Impossible to quantify the impact of leakage. Y Y Y Y Memory TL Perm Presen Canonical Accessed Access B . t Set A PMH Y #GP #PF Bit Y Y Y Y TSX False Cache Aligned Cached Failure Store Dep. Aligned Vector Split #RTM Hazard Cache Miss #GP Virtual Address Recovery Handler Cache VFN Offset PTE R Physical Page Number P US … A … … W 58

  25. Transynther (Fuzzing-based Random MDS Testing) Step 1: Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 59

  26. Transynther (Fuzzing-based Random MDS Testing) TLB Canonical Cache Aligned Cached Aligned Vector Perm. Step 1: False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 60

  27. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 61

  28. Transynther (Fuzzing-based Random MDS Testing) Step 0: Stores Hyper Stores Same Loads Same Thread: Loads Hyper thread Thread: Thread: 0x61626364 Buffer Thread: 0x41424344 0x51525354 0x71727374 Grooming TLB Canonical Cache Aligned Cached Aligned Vector Step 1: Perm. False Store Dep. Present Accessed TSX Failure Step 2: ‘ P ’ = 0x50 Step 3: 256 different CPU Cache Line 62

  29. Transynther (Fuzzing-based MDS Testing) 63

  30. Transynther (Fuzzing-based MDS Testing) 64

  31. Transynther (Fuzzing-based MDS Testing) 65

  32. 66

  33. Medusa Attack • Medusa only leaks the write combining data. • Implicit WC, i.e., ‘rep mov’, ‘rep sto ’, can be leaked. • Memory Copy Routines • File IO • Served by a Write Combining Buffer (or just the Fill Buffer). • Three variants • Based on different ways of massaging the microarchitecture 67

  34. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDmTvQjjtGtnIqMwmmaLW+YjbYTsNR8PGKXr78iYwrMV5Ye4VGy BwS6qLD4s/EzCzGIDwkWCVx+gVHvh2wGW15Ddof0gVAtAMkR6gRABy4TkK+6YFSK AyjmHvKCfFHvc9loeFGDyjmwFFkfdwzppXnH1Wwt0OlnyCU1GbQ1w7AHuwIDAQAB AoGBAMyDri7pQ29NBIfMmGQuFtw8c0R3EamlIdQbX7qUguFEoe2YHqjdrKho5oZj nDu8o+Zzm5jzBSzdf7oZ4qaeekv0fO+ZSz6CKYLbuzG2IXUB8nHJ7NuH3lacfivD V4Cfg0yFnTK+MDG/xTVqywrCTsslkTCYC/XZOXU5Xt5z32FZAkEA/nLWQhMC4YPM 0LqMtgKzfgQdJ7vbr43WVVNpC/dN/ibUASI/3YwY0uUtqSjilIghIY7pRohrPJ6W ntSJw0UAhQJBAOe2b9cfiOTFKXxyU4j315VkulFfTyL6GwXi/7mvpcDCixDLNRyk uRigmdKjtIUrAX0pwjgXa6niqJ691jExez8CQQCcMZZAvTbZhHSn9LwHxqS0SIY1 K+ZxX5ogirFDPS5NQzyE7adSsntSioh6/LQKBX6BAR9FwtxBPACtwz5F9geZAkA8 a3z0SlvG04aC1cjkgUPsx6wxxbl79F2RhmSKRbvh7JiYk3RQ+L7vJgmWPGu5AcLM oVPsjmbbkKfJZNTyVOW/AkABepEi++ZQQW0FXJWZ3nM+2CNcXYCtTgi4bGkvnZPp /1pAy9rjeVJYhb8acTRnt+dU+uZ74CTtfuzUTZLOIuVe -----END RSA PRIVATE KEY----- 68

  35. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: -----BEGIN RSA PRIVATE KEY----- MIICXQIBAAKBgQDmTvQjjtGtnIqMwmmaLW+YjbYTsNR8PGKXr78iYwrMV5Ye4VGy BwS6qLD4s/EzCzGIDwkWCVx+gVHvh2wGW15Ddof0gVAtAMkR6gRABy4TkK+6YFSK AyjmHvKCfFHvc9loeFGDyjmwFFkfdwzppXnH1Wwt0OlnyCU1GbQ1w7AHuwIDAQAB AoGBAMyDri7pQ29NBIfMmGQuFtw8c0R3EamlIdQbX7qUguFEoe2YHqjdrKho5oZj nDu8o+Zzm5jzBSzdf7oZ4qaeekv0fO+ZSz6CKYLbuzG2IXUB8nHJ7NuH3lacfivD V4Cfg0yFnTK+MDG/xTVqywrCTsslkTCYC/XZOXU5Xt5z32FZAkEA/nLWQhMC4YPM 0LqMtgKzfgQdJ7vbr43WVVNpC/dN/ibUASI/3YwY0uUtqSjilIghIY7pRohrPJ6W ntSJw0UAhQJBAOe2b9cfiOTFKXxyU4j315VkulFfTyL6GwXi/7mvpcDCixDLNRyk uRigmdKjtIUrAX0pwjgXa6niqJ691jExez8CQQCcMZZAvTbZhHSn9LwHxqS0SIY1 K+ZxX5ogirFDPS5NQzyE7adSsntSioh6/LQKBX6BAR9FwtxBPACtwz5F9geZAkA8 a3z0SlvG04aC1cjkgUPsx6wxxbl79F2RhmSKRbvh7JiYk3RQ+L7vJgmWPGu5AcLM oVPsjmbbkKfJZNTyVOW/AkABepEi++ZQQW0FXJWZ3nM+2CNcXYCtTgi4bGkvnZPp /1pAy9rjeVJYhb8acTRnt+dU+uZ74CTtfuzUTZLOIuVe -----END RSA PRIVATE KEY----- 69

  36. OpenSSL RSA Key Recovery • OpenSSL Base64 Decoder uses inline Memcpy(-oS) • Triggered during the RSA Key Decoding from the PEM format: N (Modulus) d (Private Key) P Q d mod (p-1) d mod (q-1) Q^(-1) mod p 70

  37. OpenSSL RSA Key Recovery - Coppersmith • Knowledge of at least Τ 1 3 of P+Q • Create a 𝑜 dimensional hidden number problem where 𝑜 is relative to the number of recovered chunks • Feed it to the lattice-based algorithm to find the short vector P Q 71

  38. OpenSSL RSA Key Recovery – Coppersmith Attack • Knowledge of at least Τ 1 3 of P+Q. • Creating a 𝑜 dimensional hidden number problem where 𝑜 is relative to the number of recovered chunks. • Feeding it to the lattice-based algorithm to find the short vector. P Q Coppersmith P 72

  39. Store Buffer Leakage on Ice Lake • MSBDS (Fallout) on Ice Lake • November 2019: Intel sent us an Ice Lake Machine • March 2019: Tested Transyther on the Ice Lake CPU • Mar 27, 2020: Reported MSBDS Leakage on Ice Lake • May 5, 2020: Intel Completed triage • MDS mitigations are not deployed properly • Chicken bits were not enabled for all mitigations. • OEMs shipped with old/wrong microcode. • Embargoed till July • July 13, 2020: MDS advisory and list of affected CPUs were updated. 73

  40. 74

  41. 3. Hardware- based Trusted Computing 75

  42. What are other threat models? • We can not trust: • cloud providers. • software developers. • OEMs and computer manufacturers. Multiuser, multitask, several security domains • Trusted Computing • Others can compute on the data without giving them the data. • Example Applications: • Privacy-Preserving machine learning • Digital right management (DRM) • Anonymous blockchain transactions 76

  43. Trusted Execution Environment (TEE) – Intel SGX • Intel Software Guard eXtensions (SGX) App App App App App App OS OS Trusted Hypervisor Hypervisor Hardware Hardware Traditional Security Model 77

  44. System-level Threat to Trusted Execution Environments (T2) • Intel Software Guard eXtensions (SGX) • Enclave: A hardware protected user- level software module • Mapped by the operating system • Loaded by the user program App App App App • Authenticated and encrypted by CPU OS • It must protect secrets against blocked system-level adversary Hypervisor blocked Hardware Hardware New Attacker Model: Attacker gets full control over the OS 78

  45. CacheZoom and CacheQuote 79

  46. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning Foreshadow [1] Plundervolt [2] ZombieLoad [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. 80

  47. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning • µarch Side Channel Foreshadow [1] µarch Side • Constant-time Coding Channel Plundervolt [2] • Flushing and Isolating buffers ZombieLoad Cache [3][4][5] • Probabilistic Branch Predictors [6][7] Interrupt Latency [8] [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018. 81 [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017.

  48. Intel SGX Attack Taxonomy • Intel’s Responsibility SGX Attacks • Microcode Patches / Hardware mitigation • TCB Recovery Intel Software Dev • Hyperthreading is out Hardware Responsibility • Remote Attestation Warning • µarch Side Channel Foreshadow [1] Deterministic µarch Side • Constant-time Coding Channel – Ctrl Channel Plundervolt [2] • Flushing and Isolating buffers ZombieLoad Cache [3][4][5] Page Fault [9] • Probabilistic Branch Predictors A/D Bit [10] [6][7] • Deterministic Attacks Interrupt Latency [8] • Page Fault, A/D Bit, etc. (4kB Granularity) [1] Van Bulck et al. "Foreshadow: Extracting the keys to the intel SGX kingdom with transient out-of-order execution." USENIX Security 2018. [6] Evtyushkin, Dmitry, et al. "Branchscope: A new side-channel attack on directional branch predictor." ACM SIGPLAN 2018. [2] Murdock et al. "Plundervolt: Software-based fault injection attacks against Intel SGX." IEEE S&P 2020. [7] Lee, Sangho, et al. "Inferring fine-grained control flow inside {SGX} enclaves with branch shadowing." USENIX Security 2017. [3] Moghimi et al. "Cachezoom: How SGX amplifies the power of cache attacks." CHES 2017. [8] Van Bulck et al. "Nemesis: Studying microarchitectural timing leaks in rudimentary CPU interrupt logic." ACM CCS 2018. 82 [4] Brasser et al. "Software grand exposure:{SGX} cache attacks are practical." USENIX WOOT 2017. [9] Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems." IEEE S&P 2015. [5] Schwarz et al. "Malware guard extension: Using SGX to conceal cache attacks." DIMVA 2017. [10] Wang, Wenhao, et al. "Leaky cauldron on the dark land: Understanding memory side-channel hazards in SGX." ACM CCS 2017.

  49. Can deterministic attacks do better? 83

  50. CopyCat Attack • Malicious OS controls the interrupt handler NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP Enclave Time Execution Thread Starts 84

  51. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 85

  52. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 86

  53. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 87

  54. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions IRQ Range 0 1 NOP ADD X XOR OR MUL DIV ADD MUL NOP NOP 𝑢 1 𝑢 2 Time 88

  55. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions I got 15 IRQs. How many zeros? 89

  56. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after I got 15 IRQs. How many Code Page Virtual Address zeros? 0x000401 Page PMH Walk DTLB Physical Page R U P … A … … W S Number Physical Page R U A P … … … W S Number Physical Page R U P … A … … W S Number The A Bit is only set when an instruction is retired 90

  57. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting 91

  58. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Target Code Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 92

  59. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Stack Target 4 Steps Page Code Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 93

  60. CopyCat Attack • Malicious OS controls the interrupt handler • A threshold to execute 1 or 0 instructions • Filtering Zeros out: Clear the A bit before, Check the A bit after • Deterministic Instruction Counting • Counting from start to end is not useful. • A Secondary oracle • Page table attack as a deterministic secondary oracle Stack Target Data 4 Steps 3 Steps Page Code Page Page CALL ADD D X XOR R MUL PUS USH H ADD MUL MOV OV NOP Time 94

  61. CopyCat Attack • Previous controlled-channel attacks leak page access patterns. • CopyCat additionally leaks number of executed instructions per each page. Page A Page A Page D Page D 4 4 Page B Page B 6 Additional Data Page C Page C 8 CopyCat Traditional Attack Page-table Attacks 95

  62. CopyCat – Leaking Branches Stack S if(c == 0) { test %eax, %eax Code P1 r = add(r, d); je label Code P2 } mov %edx, %esi Compile Stack S else { label: Code P1 r = add(r, s); call add Code P2 } mov %eax, -0xc(%rbp) C Code 96

  63. Binary Extended Euclidean Algorithm (BEEA) • Previous attacks only leak some of the branches w/ some noise. 97

  64. Binary Extended Euclidean Algorithm (BEEA) • Previous attacks only leak some of the branches w/ some noise. • CopyCat synchronously leaks all the branches wo/ any noise. 98

  65. CopyCat on WolfSSL - Cryptanalysis • Single-trace attack during RSA key generation: 𝑟 𝑗𝑜𝑤 = 𝑟 −1 𝑛𝑝𝑒 𝑞 • We know that p. q = N , and N is public 99

  66. CopyCat on WolfSSL - Cryptanalysis • Single-trace attack during RSA key generation: 𝑟 𝑗𝑜𝑤 = 𝑟 −1 𝑛𝑝𝑒 𝑞 • We know that p. q = N , and N is public • Branch and prune algorithm with the help of the recovered trace p = . . . X q = . . . X p = . . . 0 p = . . . 0 p = . . . 1 p = . . . 1 q = . . . 0 q = . . . 1 q = . . . 0 q = . . . 1 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

709 views • 47 slides
Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey

Block Cipher Cryptanalysis II: Block Cipher Cryptanalysis II: Linear Cryptanalysis yp y Andrey Bogdanov Andrey Bogdanov K.U.Leuven, ESAT/COSIC Outline Outline Distribution of Correlation Data Complexity Linear Hulls Zero

659 views • 30 slides
Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May,

Statistics in Cryptanalysis Subhabrata Samajder Indian Statistical Institute, Kolkata 24 th May, 2017 0/35 Cryptanalysis of Affine Cipher Outline Cryptanalysis of Affine Cipher 1 Hypothesis Testing 2 Linear Cryptanalysis 3 0/35

1.52k views • 110 slides
Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and

Differential cryptanalysis Linear cryptanalysis Differential and Linear Cryptanalysis Lars R. Knudsen June 2014 L.R. Knudsen Differential and Linear Cryptanalysis Differential cryptanalysis Linear cryptanalysis Iterated block ciphers (DES,

910 views • 53 slides
The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas

Introduction Previous cryptanalysis techniques The Super-Sbox cryptanalysis Results The Super-Sbox Cryptanalysis Improved Attacks for AES-like Permutations Henri Gilbert and Thomas Peyrin Orange Labs and Ingenico FSE 2010 - Seoul - Korea

1.38k views • 19 slides
Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship

Differential Cryptanalysis - quite similar to linear cryptanalysis - exploits the relationship between the difference of two inputs and the difference of the corresponding two outputs. - the difference M Z of two strings of bits Z and Z

556 views • 10 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

431 views • 21 slides
Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU

Rotational Cryptanalysis in the Presence of Constants Tomer Ashur Yunwen Liu ESAT/COSIC, KU Leuven, and imec, Belgium FSE, March 2017 1 Table of Contents ARX & Rotational Cryptanalysis Rotational cryptanalysis with constants Experiment

1.12k views • 72 slides
Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below

Differential Cryptanalysis The first method which reduced the complexity of attacking DES below (half of) exhaustive search. Differential Cryptanalysis Note : In all the following discussion we ignore the existence of the initial and the final

330 views • 8 slides
Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim,

Microarchitectural Mechanisms to Exploit Value Structure in SIMT Architectures Ji Kim, Christopher Torng, Shreesha Srinath, Derek Lockhart, and Christopher Batten Cornell University Cornell University IEEE/ACM International Symposium on

633 views • 31 slides
Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . .

Description of LAC Differentials and Characteristics Forgery attack Cryptanalysis of LAC G. Leurent (Inria) Cryptanalysis of LAC DIAC 2014 1 / 9 . . . . . . . . Gatan Leurent Inria, France DIAC 2014 2 / 9 Description of LAC DIAC

1.04k views • 36 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan

TUNING SLIDE Fast and Accurate Microarchitectural Simulation with ZSim Daniel Sanchez, Nathan Beckmann, Anurag Mukkara, Po-An Tsai MIT CSAIL MICRO-48 Tutorial December 5, 2015 Welcome! Agenda 4 8:30 9:10 Intro and Overview 9:10

1.53k views • 124 slides
EE-559 Deep learning 1b. PyTorch Tensors Fran cois Fleuret https://fleuret.org/dlc/

EE-559 Deep learning 1b. PyTorch Tensors Fran cois Fleuret https://fleuret.org/dlc/

EE-559 Deep learning 1b. PyTorch Tensors Fran cois Fleuret https://fleuret.org/dlc/ [version of: June 14, 2018] COLE POLYTECHNIQUE FDRALE DE LAUSANNE PyTorchs tensors Fran cois Fleuret EE-559 Deep learning / 1b.

1.33k views • 98 slides
CSC444: Midterm Review Carlos Scheidegger D3: DATA-DRIVEN DOCUMENTS The essential idea D3

CSC444: Midterm Review Carlos Scheidegger D3: DATA-DRIVEN DOCUMENTS The essential idea D3

CSC444: Midterm Review Carlos Scheidegger D3: DATA-DRIVEN DOCUMENTS The essential idea D3 creates a two-way association between elements of your dataset and entries in the DOM D3 operates on selections methods apply to all elements

1.05k views • 73 slides
Early searches for supersymmetry at the LHC in the all-hadronic channel Tom Whyntie Imperial

Early searches for supersymmetry at the LHC in the all-hadronic channel Tom Whyntie Imperial

Early searches for supersymmetry at the LHC in the all-hadronic channel Tom Whyntie Imperial College London / CMS experiment Introduction How do we look for supersymmetry at the LHC? What are the challenges of the all-hadronic channel? How

569 views • 12 slides
BGV MC Digitization Progress since BGV #27 Plamen Hopchev CERN BE-BI-BL BGV meeting #29 12 Mar

BGV MC Digitization Progress since BGV #27 Plamen Hopchev CERN BE-BI-BL BGV meeting #29 12 Mar

BGV MC Digitization Progress since BGV #27 Plamen Hopchev CERN BE-BI-BL BGV meeting #29 12 Mar 2014 1 / 8 Summary Event Model Classes The needed classes are ready: SciFiChannelID SciFiLiteCluster SciFiCluster Exact same bit assignment

924 views • 8 slides
Phylogenetics: Parsimony and Likelihood COMP 571 - Spring 2015 Luay Nakhleh, Rice University

Phylogenetics: Parsimony and Likelihood COMP 571 - Spring 2015 Luay Nakhleh, Rice University

Phylogenetics: Parsimony and Likelihood COMP 571 - Spring 2015 Luay Nakhleh, Rice University The Problem Input: Multiple alignment of a set S of sequences Output: Tree T leaf-labeled with S Assumptions Characters are mutually

1.49k views • 84 slides
Compiling Techniques Lecture 4: Automatic Lexer Generation (EaC 2.4) Christophe Dubach 27

Compiling Techniques Lecture 4: Automatic Lexer Generation (EaC 2.4) Christophe Dubach 27

Finite State Automata for Regular Expression From Regular Expression to Generated Lexer Final Remarks Compiling Techniques Lecture 4: Automatic Lexer Generation (EaC 2.4) Christophe Dubach 27 September 2016 Christophe Dubach Compiling

530 views • 21 slides
Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling

Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling

Reconstructing ancestral sequences through a combined bioinformatics and molecular modelling approach Subha Kalyaanamoorthy | OCE Post-Doctoral Fellow 07 November 2013 CSIRO ECOSYSTEM SCIENCES Ancestral Sequence Reconstruction A rearward

617 views • 17 slides
Design Patterns & Refactoring Flyweight Oliver Haase HTWG Konstanz Oliver Haase (HTWG

Design Patterns & Refactoring Flyweight Oliver Haase HTWG Konstanz Oliver Haase (HTWG

Design Patterns & Refactoring Flyweight Oliver Haase HTWG Konstanz Oliver Haase (HTWG Konstanz) Design Patterns & Refactoring 1 / 12 Description Classification : Object-based structural pattern Purpose : Use small-grained objects

488 views • 12 slides

More recommend