nemesis studying microarchitectural timing leaks in
play

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU - PowerPoint PPT Presentation

Jan 17, 2023 •225 likes •709 views

Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018 Microarchitectural side-channels and where to find them CPU cache

  1. Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic Jo Van Bulck Frank Piessens Raoul Strackx imec-DistriNet, KU Leuven ACM CCS, October 2018

  3. Microarchitectural side-channels and where to find them CPU cache Branch prediction Address translation 1 / 14

  4. Microarchitectural side-channels and where to find them CPU cache Branch prediction Address translation 1 / 14

  5. Microarchitectural side-channels and where to find them Intel response [Int18] This is not a bug or a flaw . . . [side-channels] can’t be eliminated 1 / 14

  6. Microarchitectural side-channels and where to find them Intel response [Int18] This is not a bug or a flaw . . . [side-channels] can’t be eliminated ⇒ Systematically study microarchitectural leakage 1 / 14

  7. Nemesis: Studying rudimentary CPU interrupt logic Overview ⇒ Interrupts leak instruction execution times ⇒ Determine control flow in enclave programs 2 / 14

  8. Nemesis: Studying rudimentary CPU interrupt logic Overview ⇒ Interrupts leak instruction execution times ⇒ Determine control flow in enclave programs Research contributions ⇒ (First) remote µ -arch attack on embedded CPUs ⇒ Understanding CPU pipeline leakage (˜Meltdown) 2 / 14

  9. Back to basics: Fetch decode execute Fetch instruction Decode Execute 3 / 14

  10. Back to basics: Fetch decode execute Fetch instruction Decode Execute Interrupt 3 / 14

  11. Back to basics: Fetch decode execute Interrupts delayed till instruction retirement Fetch instruction Decode Execute Interrupt 3 / 14

  12. Wait a cycle: Interrupt latency as a side-channel CLK CMD NOP IRQ logic ISR IRQ CMD ADD IRQ logic ISR IRQ 4 / 14

  13. Wait a cycle: Interrupt latency as a side-channel CLK CMD NOP IRQ logic ISR IRQ CMD ADD IRQ logic ISR IRQ 4 / 14

  14. Enclaved execution adversary model App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Trusted Untrusted Intel SGX promise: hardware-level isolation and attestation 5 / 14

  15. Enclaved execution adversary model App App Enclave app OS kernel Hypervisor TPM CPU Mem HDD Trusted Untrusted Untrusted OS → new class of powerful side-channels 5 / 14

  16. Sancus: Open source trusted computing for the IoT Embedded enclaved execution: ISA extensions for isolation & attestation Save + clear CPU state on enclave interrupt Noorman et al. “Sancus 2.0: A Low-Cost Security Architecture for IoT devices”, TOPS 2017 [NVBM + 17] https://github.com/sancus-pma and https://distrinet.cs.kuleuven.be/software/sancus/ 6 / 14

  17. Sancus: Open source trusted computing for the IoT Embedded enclaved execution: ISA extensions for isolation & attestation Save + clear CPU state on enclave interrupt Extremely low-end processor (openMSP430): Area: ≤ 2 kLUTs Deterministic execution: no pipeline/cache/MMU/. . . No known microarchitectural side-channels (!) Noorman et al. “Sancus 2.0: A Low-Cost Security Architecture for IoT devices”, TOPS 2017 [NVBM + 17] https://github.com/sancus-pma and https://distrinet.cs.kuleuven.be/software/sancus/ 6 / 14

  18. Secure input-output with Sancus enclaves Driver enclave: Exclusive access to memory-mapped I/O device Van Bulck et al. “VulCAN: Vehicular component authentication and software isolation”, ACSAC 2017 [VBMP17] 7 / 14

  19. Secure input-output with Sancus enclaves Driver enclave: 16-bit vector indicates which keys are down PIN code enclave 0100000000000000 traverse bits 7 / 14

  20. Secure input-output with Sancus enclaves Attacker: Interrupt conditional control flow to infer secret PIN PIN code enclave 0100000000000000 traverse bits IRQ Key 'B' was pressed! 7 / 14

  21. Sancus IRQ timing attack: Inferring key strokes 4 IRQ latency 1 Instruction (interrupt number) Enclave x-ray: Start-to-end trace enclaved execution 8 / 14

  22. Sancus IRQ timing attack: Inferring key strokes 4 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IRQ latency 1 Instruction (interrupt number) Enclave x-ray: Keymap bit traversal (ground truth) 8 / 14

  23. Sancus IRQ timing attack: Inferring key strokes 4 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IRQ latency 1 4 0 (no press) 1 (key pressed) 0 (no press) IRQ latency (cycles) 3 2 1 Instruction (interrupt number) 8 / 14

  24. Interrupting and resuming Intel SGX enclaves Challenge: x86 execution time prediction (timer) � 9 / 14

  25. Interrupting and resuming Intel SGX enclaves SGX-Step: user space APIC timer + IRQ handling � SGX-Step user space Van Bulck et al. “SGX-Step: A practical attack framework for precise enclave execution control”, SysTEX 2017 [VBPS17] https://github.com/jovanbulck/sgx-step 9 / 14

  26. Microbenchmarks: Measuring x86 instruction latencies Latency distribution: 10,000 samples from benchmark enclave add lfence fscale rdrand Frequency nop IRQ latency (cycles) 10 / 14

  27. Microbenchmarks: Measuring x86 instruction latencies Timing leak: reconstruct instruction latency class add lfence fscale rdrand Frequency nop IRQ latency (cycles) 10 / 14

  28. Microbenchmarks: Measuring x86 cache misses Timing leak: reconstruct micro-architectural cache state load cache hit Frequency load cache miss IRQ latency (cycles) 11 / 14

  29. Microbenchmarks: Measuring x86 cache misses Timing leak: many more → see paper! load cache hit Frequency load cache miss IRQ latency (cycles) 11 / 14

  30. Single-stepping SGX enclaves in practice Enclave x-ray: Start-to-end trace enclaved execution IRQ latency (cycles) Instruction (interrupt number) 12 / 14

  31. Single-stepping SGX enclaves in practice Enclave x-ray: Spotting high-latency instructions rdrand (generate stack canary on enclave entry) IRQ latency (cycles) Instruction (interrupt number) 12 / 14

  32. Single-stepping SGX enclaves in practice Enclave x-ray: Zooming in on bsearch function IRQ latency (cycles) Instruction (interrupt number) 12 / 14

  33. De-anonymizing enclave lookups Binary search: Find 40 in { 20, 30, 40, 50, 80, 90, 100 } 13 / 14

  34. De-anonymizing enclave lookups Adversary: Infer secret lookup in known array left right hit 13 / 14

  35. De-anonymizing enclave lookups Goal: Infer lookup → reconstruct bsearch control flow 7950 IRQ latency (cycles) 7800 Interrupt (instruction number) 13 / 14

  36. De-anonymizing enclave lookups Goal: Infer lookup → reconstruct bsearch control flow Hit Left Right 7950 IRQ latency (cycles) 7800 Interrupt (instruction number) 13 / 14

  37. De-anonymizing enclave lookups ⇒ Sample instruction latencies in secret-dependent path HLLL LLHL HHHH 7950 IRQ latency (cycles) 7800 Interrupt (instruction number) 13 / 14

  38. Conclusions Nemesis contributions ⇒ Understanding CPU interrupt leakage ⇒ (First) embedded + high-end µ -arch channel 14 / 14

  39. Conclusions Nemesis contributions ⇒ Understanding CPU interrupt leakage ⇒ (First) embedded + high-end µ -arch channel https://github.com/jovanbulck/nemesis 14 / 14

  40. References I Intel Corporation. Resources and response to side channel variants 1, 2, 3. intel.com/content/www/us/en/architecture-and-technology/side-channel-variants-1-2-3.html , 2018. S. Lee, M.-W. Shih, P. Gera, T. Kim, H. Kim, and M. Peinado. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In Proceedings of the 26th USENIX Security Symposium . USENIX Association, 2017. J. Noorman, J. T. M¨ uhlberg, and F. Piessens. Authentic execution of distributed event-driven applications with a small TCB. In 13th International Workshop on Security and Trust Management (STM’17) , vol. 10547 of LNCS , pp. 55–71, Heidelberg, 2017. Springer. J. Noorman, J. Van Bulck, J. T. M¨ uhlberg, F. Piessens, P. Maene, B. Preneel, I. Verbauwhede, J. G¨ otzfried, T. M¨ uller, and F. Freiling. Sancus 2.0: A low-cost security architecture for IoT devices. ACM Transactions on Privacy and Security (TOPS) , 2017. J. Van Bulck, J. T. M¨ uhlberg, and F. Piessens. VulCAN: Efficient component authentication and software isolation for automotive control networks. In Proceedings of the 33th Annual Computer Security Applications Conference (ACSAC’17) . ACM, 2017. J. Van Bulck, J. Noorman, J. T. M¨ uhlberg, and F. Piessens. Towards availability and real-time guarantees for protected module architectures. In Companion Proceedings of the 15th International Conference on Modularity (MASS’16) , pp. 146–151. ACM, 2016. J. Van Bulck, F. Piessens, and R. Strackx. SGX-Step: A practical attack framework for precise enclave execution control. In Proceedings of the 2nd Workshop on System Software for Trusted Execution , SysTEX’17, pp. 4:1–4:6. ACM, 2017. 15 / 14

  41. Appendix: Interrupting and resuming SGX enclaves 16 / 14

  42. Appendix: Sancus keypad application scenario MSP430 core while (poll_keypad()) INTERRUPT Timer_A SM_secure function poll_keypad : key_state = read_key_state() for i=0 to 15 do if key_state & (0x1<<i) then SM_driver MMIO secret_pin.add(keymap[i]) (asm) end if end for 17 / 14

  43. Appendix: Measuring x86 data dependencies Division: execution time ≈ dividend significant bits 18 / 14

  44. Appendix: Measuring x86 page table walks TLB miss: flush unprotected page table entries 19 / 14

  45. Appendix: Measuring x86 cache misses 20 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University

Plugging Side-Channel Leaks with Timing Information Flow Control Bryan Ford Yale University http://dedis.cs.yale.edu/ USENIX HotCloud, June 13, 2012 The Long History of Timing Attacks Cooperative attacks apply to: Mandatory Access

359 views • 21 slides
IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

IC OFF THE RECORD: Direct access to leaked information related to the surveillance activities of

NSA PRISM Slides - IC OFF THE RECORD 11.06.18 14:18 2013 LEAKS 2014 LEAKS 2015 LEAKS 2016 LEAKS 2017 LEAKS 2018 LEAKS IC OFF THE RECORD: Direct access to leaked information related to the

480 views • 18 slides
Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World

Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World

Intro to Microarchitectural Atacks Thomas Eisenbarth 12.06.2018 Summer School on Real-World Crypto &amp; Privacy ibenik, Croata Outline Timing Attcks Ctche Attcks Cloud Ctche Attcks Speculttve Executon Attcks Preventng

434 views • 39 slides
Project Feasibility Status Future

Project Feasibility Status Future

The Nemesis The Nemesis Project Feasibility Status Future http://assets.bwbx.io/images/users/iqjWHBFdfxIU/ih42EzFSRhXo/v2/-1x-1.jpg

273 views • 16 slides
Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi

Remote Timing Attacks on TPMs, AKA TPM-Fail Daniel Moghimi About Me Daniel Moghimi @danielmgmi https://moghimi.org Security Researcher PhD Candidate @ WPI Microarchitectural Attacks Side Channels Breaking Crypto

1.2k views • 71 slides
Tagging Boosted Objects with Timing Detectors Matthew Klimek Cornell University Korea

Tagging Boosted Objects with Timing Detectors Matthew Klimek Cornell University Korea

Tagging Boosted Objects with Timing Detectors Matthew Klimek Cornell University Korea University HL/HE-LHC Workshop, 05 April 2018, FNAL Physics Opportunities Timing Detectors @ HL-LHC Both LHC Experiments are studying new timing detectors for

679 views • 10 slides
In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user

In the news Data Leaks Mar 19 Apr 19 Mar 18 shutdown after data leaks exposed user data passwords stored in readable format 1B 600M 0.5M Data Breaches Cost of a Data Breach Study www.ibm.com/security/data-breach

677 views • 35 slides
High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and

High Performance Design and Implementation of Nemesis Communication Layer for Two-sided and One-Sided MPI Semantics in MVAPICH2 Miao Luo, Sreeram Potluri, Ping Lai, Emilio P. Mancini, Hari Subramoni, Krishna Kandalla, Sayantan Sur, D. K. Panda

596 views • 34 slides
Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton ,

Nemesis: Preventing Web Authentication &amp; Access Control Vulnerabilities Michael Dalton , Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview User: webdb User: httpd

446 views • 22 slides
Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety

Detecting Pipeline Leaks Whats the Right Approach? October 20, 2016 | Pipeline Safety Trust Conference New Orleans, LA Leak Detection Best Defense is Preventing Leaks from Occurring in First Place Proactive pipeline integrity

258 views • 7 slides
Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD

Microarchitectural Attacks: Protecting Cloud Accelerators By Ahmad Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi OUTLINE Summary of Recent Contributions: Microarchiture MemJam Intel SGX

950 views • 52 slides
Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate

Microarchitectural Attacks and Heterogenous Cloud Computing By Daniel Moghimi PhD Candidate Worcester Polytechnic Institute (WPI) @danielmgmi Outline Data Dependency SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks

663 views • 28 slides
Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent

Microarchitectural Analysis and Optimization Techniques Gunther Huebler Collaborators: Vincent Larson, John Dennis All the Work Presented Has Been Implemented in CLUBB (Cloud Layers Unified By Binormals) CLUBB is a model that solves a set of

431 views • 21 slides
AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This

AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This

SUITE FOR LEAKS IN GLEE MAJOR! AQUAPHONIE TOXIQUE TROTTOIR ABOUT THE SHOW AQUAPHONIE SUITE FOR LEAKS IN GLEE MAJOR! This aquatic celebration for all ages wont leave Acrobatic diving, fishing, swimming, sailboat anyone high and dry! Dive

407 views • 7 slides
The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of

The Hidden Nemesis: Backdooring Embedded Controllers Ralf-Philipp Weinmann University of Luxembourg ralf-philipp.weinmann@uni.lu Targets. Targets. You can be one, too. Assume I briefly have physical access your laptop. #FAIL for you, I

327 views • 30 slides
Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM

Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM

Debugging Memory Leaks in .NET CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020 DEBUGGING MEMORY LEAKS IN .NET - ADAM FURMANEK About me Experienced with backend, frontend, mobile, desktop, ML, databases.

779 views • 40 slides
1 Interrupts in Ada95 and the lab assignment Dahlberg/Johansson Interrupts in Ada95 and the lab

1 Interrupts in Ada95 and the lab assignment Dahlberg/Johansson Interrupts in Ada95 and the lab

Interrupts in Ada95 and the lab assignment Dahlberg/Johansson Interrupts in Ada95 and the lab assignment Dahlberg/Johansson Interrupts in Ada95 Interrupts in Ada95 and the lab assignment An Interrupt represents a class of events that are

320 views • 8 slides
Week 3 - Monday What did we talk about last time? Graphics rendering pipeline

Week 3 - Monday What did we talk about last time? Graphics rendering pipeline

Week 3 - Monday What did we talk about last time? Graphics rendering pipeline Rasterizer Stage The final screen data containing the colors for each pixel is stored in the color buffer The merging stage is responsible for merging

631 views • 27 slides
MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive

MIT 6.875 &amp; Berkeley CS276 Foundations of Cryptography Lecture 16 Today: Non-Interactive Zero-Knowledge (NIZK) In Two Days: An Application of NIZK NP Proofs For the NP-complete problem of graph 3-coloring Proof = Verifier V checks:

538 views • 37 slides
DialogueMaps: Creating Interactive Visualisations in learning and meeting contexts In many

DialogueMaps: Creating Interactive Visualisations in learning and meeting contexts In many

Arno Sagawe Janis Bullert sagawe@informatik.uni-hamburg.de 9bullert@informatik.uni-hamburg.de URL: https://dialoguemaps.informatik.uni-hamburg.de/dev User: LGM14 Password: lgm14 DialogueMaps: Creating Interactive Visualisations in learning

299 views • 28 slides
ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer

ECE 697J Advanced Topics Advanced Topics ECE 697J in Computer Networks in Computer Networks Software-Based Router Architectures 9/25/03 Tilman Wolf 1 TCP Connection Recognition TCP Connection Recognition Track currently

700 views • 13 slides
Interrogation Policy &amp; the Global War on Terrorism Office of Detainee Affairs Presentation

Interrogation Policy &amp; the Global War on Terrorism Office of Detainee Affairs Presentation

Interrogation Policy &amp; the Global War on Terrorism Office of Detainee Affairs Presentation for the University of California, Berkeley Goldman School of Public Policy November 30, 2005 Christina Filarowski Sheaks Special Assistant Office

553 views • 13 slides
10-Step Interrogation Perioperative Electrophysiology: 1. Get the Cardiac Anesthesia Programmer

10-Step Interrogation Perioperative Electrophysiology: 1. Get the Cardiac Anesthesia Programmer

11/25/2019 10-Step Interrogation Perioperative Electrophysiology: 1. Get the Cardiac Anesthesia Programmer Cart Perioperative Device Interrogation: How does an 2. Initiate interrogation with appropriate programmer Anesthesiologist do it 3.

418 views • 3 slides
Interactive Proofs Lecture 19 And Beyond 1 So far 2 So far IP = PSPACE = AM[poly] 2 So far

Interactive Proofs Lecture 19 And Beyond 1 So far 2 So far IP = PSPACE = AM[poly] 2 So far

Interactive Proofs Lecture 19 And Beyond 1 So far 2 So far IP = PSPACE = AM[poly] 2 So far IP = PSPACE = AM[poly] PSPACE enough to calculate max Pr[yes] 2 So far IP = PSPACE = AM[poly] PSPACE enough to calculate max Pr[yes] AM[poly]

1.33k views • 115 slides

More recommend