public clouds and vulnerable cpus are we secure
play

Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 - PowerPoint PPT Presentation

Mar 02, 2024 •104 likes •498 views

Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 Vitaly Kuznetsov <vkuznets@redhat.com> About About myself Focusing (mostly) on Linux kernel My areas of interest include: Linux as guest on public clouds (AWS,

  1. Public clouds and vulnerable CPUs: are we secure? FOSDEM 2020 Vitaly Kuznetsov <vkuznets@redhat.com>

  2. About About myself Focusing (mostly) on Linux kernel ● My areas of interest include: ● Linux as guest on public clouds (AWS, Azure, Aliyun,...) ○ Linux as guest on Hyper-V ○ Hyper-V Enlightenments in KVM ○ Running nested KVM on Hyper-V ○ Running nested Hyper-V on KVM ○

  3. Speculative vulnerabilities Speculative vulnerabilities discovered in the past few years: Spectre v1 ● SWAPGS ○ Spectre v2 ● Meltdown (Spectre v3) ● SSB (Spectre v4/NG) ● L1TF (AKA Foreshadow/Spectre v5) ● MDS & TAA ●

  4. Speculative vulnerabilities Speculative Execution Side Channel Methods Intel: “The concept behind speculative execution is that instructions are executed ahead of knowing that they are required. [...] By executing instructions speculatively, performance can be increased by minimizing latency and extracting greater parallelism. …. While speculative operations do not affect the architectural state of the processor, they can affect the microarchitectural state, such as information stored in Translation Lookaside Buffers (TLBs) and caches. ... A side channel method works by gaining information through observing the system, such as by measuring microarchitectural properties about the system. Unlike buffer overflows and other vulnerability classes, side channels do not directly influence the execution of the program, nor do they allow data to be modified or deleted. ”

  5. Speculative vulnerabilities and public clouds When running on a public cloud … but my cloud provider tells me they’ve patched everything and I don’t need to worry, is this so?

  6. Speculative vulnerabilities and public clouds Types of attacks: VM to VM ● VM to Host (hypervisor)  ● in-VM: userspace to kernel ● in-VM: userspace to userspace ●

  7. Speculative vulnerabilities and public clouds Types of attacks: Of paramount VM to VM ● importance to cloud providers! VM to Host (hypervisor)  ● in-VM: userspace to kernel ● in-VM: userspace to userspace ●

  8. Speculative vulnerabilities and public clouds Types of attacks: Of paramount VM to VM ● importance to cloud providers! VM to Host (hypervisor)  ● Outside of cloud in-VM: userspace to kernel ● providers’ responsibility domain in-VM: userspace to userspace ● (but they need to provide the required tools for guests!)

  9. Speculative vulnerabilities Things to consider for in-VM attacks Are you running a multi-tenant environment? ● Are you running (even in containers) untrusted code? ● Is this a ‘multi-task’ or a ‘single task’ VM? ● Are you relying on language-based security (e.g. running JITed untrusted ● code) ? Is it acceptable to disable SMT (Hyperthreading)? ● .... ●

  10. CPU vulnerabilities caused by “speculative execution”

  11. Speculative vulnerabilities Spectre v1 (Bounds Check Bypass, CVE-2017-5753) Caller-controlled offset

  12. Speculative vulnerabilities Spectre v1 Hardware ● No microcode update needed ○ VM-to-VM and VM-to-hypervisor attacks: ● Cloud provider fixes the hypervisor on a case by case basis (all ○ potentially vulnerable places) In-VM attacks: ● $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v1 Mitigation: usercopy/swapgs barriers and __user pointer sanitization Fixed in the kernel on a case by case basis. Keep yours updated! ●

  13. Speculative vulnerabilities SWAPGS (Spectre v1 variant, CVE-2019-1125) Speculation related to GS segment switch (per-CPU data) ● Software mitigation is needed for (almost) all current CPUs ● Future CPUs may fix the bug in hardware (NO_SWAPGS) ●

  14. Speculative vulnerabilities Spectre v2 (Branch Target Injection, CVE-2017-5715) Indirect branch call (mis)trained branch predictor

  15. Speculative vulnerabilities Spectre v2 (Branch Target Injection, CVE-2017-5715) Hardware support (microcode update) in combination with software ● techniques required for mitigations Hardware: ● IBRS : don’t speculate in certain (privileged) contexts ○ Enhanced IBRS : tag branch target buffer (BTB) ○ STIBP : don’t share BTB across CPU threads (for existing CPUs: ○ just turn it off) BTB may be shared across hyperthreads! ■ IBPB : clear BTB when switching between tasks ○ Software: retpoline , RSB filling ●

  16. Speculative vulnerabilities Spectre v2: hypervisor protection VM-to-VM attacks: ● Not possible with fully dedicated cores (most instance types) ○ SMT: core scheduling for VMs ○ VM-to-hypervisor attacks: ● Hypervisor itself needs to be protected ( retpoline or IBRS ) ○ SMT: protect with hardware features ( IBRS / STIBP ) or parallel threads ○ should be blocked while in hypervisor context

  17. Speculative vulnerabilities Spectre v2: guest protection $ cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling Userspace-to-kernel attacks: ● Enhanced IBRS ( IBRS_ALL ) or retpoline ○ Userspace-to-userspace attacks: ● spectre_v2_user=on/off/prctl/prctl,ibpb/seccomp/seccomp,ibpb/auto ○ depending on your needs! Hardware features: STIBP and IBPB need to be exposed to the guest ○ (check your /proc/cpuinfo ) “ nosmt ” can be used instead of STIBP (may give a better performance ○ in some cases)

  18. Speculative vulnerabilities Meltdown (Rogue data cache load, CVE-2017-5754) Page table user Read from userspace user user kernel kernel

  19. Speculative vulnerabilities Meltdown Hardware ● No microcode update needed for mitigation ○ Future CPUs may get fixed ( RDCL_NO ) ○ VM-to-VM and VM-to-hypervisor attacks: ● Only Xen PV is (was) vulnerable ● In-VM attacks: ● $ cat /sys/devices/system/cpu/vulnerabilities/meltdown Mitigation: PTI

  20. Speculative vulnerabilities Speculative Store Bypass (SSB, CVE-2018-3639) “slow” write memory attacker address “fast” read

  21. Speculative vulnerabilities Speculative Store Bypass: hypervisor protection Hardware: ● Microcode update required for mitigations ( SSBD , VIRT_SSBD - AMD ○ only) SMT: SSB may be per-core! ○ Future CPUs may get fixed ( NO_SSB ) ○ VM-to-VM and VM-to-hypervisor attacks: ● Don’t seem to be possible ●

  22. Speculative vulnerabilities Speculative Store Bypass: guest protection In-VM-attacks: ● “ Language-based security environments” (e.g. JIT) are at highest risk, ● e.g. javaws executing untrusted code. ‘ssbd’ cpu feature required for mitigation ● $ cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp ssbd=force-on/force-off/kernel ●

  23. Speculative vulnerabilities L1 Terminal Fault (L1TF , Foreshadow, CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) Page table Data PTE Read Data PTE Data PTE !Present Data Reserved Data

  24. Speculative vulnerabilities L1 Terminal Fault: hypervisor protection Hardware ● Microcode update required for more effective mitigation on hypervisors ○ (“ flush_l1d ”) Future CPUs may get fixed ( RDCL_NO ) ○ VM-to-VM attacks: ● Not possible with dedicated cores (most instance types) ○ Core scheduling + L1D flush should be utilized when cores are shared ○ (L1D is per core) VM-to-hypervisor attacks: ● Core scheduling/simultaneous exit + L1D flush ○

  25. Speculative vulnerabilities L1 Terminal Fault: guest protection In-VM attacks: ● $ cat /sys/devices/system/cpu/vulnerabilities/l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable Software-based mitigation (PTE inversion) against userspace-to-kernel ○ attacks, always enabled l1tf=full/full,force/flush/flush,nosmt/flush,nowarn/off only applies if ○ you’re running VMs (on public clouds: likely nested)

  26. Speculative vulnerabilities Microarchitectural Data Sampling (MDS, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) and TSX Asynchronous Abort (CVE-2019-11135) Store buffer Fill buffer Uncacheable memory Load ports

  27. Speculative vulnerabilities MDS & TAA Hardware ● Future hardware is expected to get fixed: ○ MFBDS: RDCL_NO ■ MFBDS/MSBDS/MLPDS/MDSUM: MDS_NO ■ TAA: TAA_NO ■ Existing hardware: microcode update required for mitigating (check for ○ “ md_clear ”) VM-to-VM attacks: ● Not possible with dedicated cores (most instance types) ○ Core scheduling + MD_CLEAR should be utilized when cores are shared ○ VM-to-hypervisor attacks: ● Core scheduling/simultaneous exit + MD_CLEAR ○

  28. Speculative vulnerabilities MDS & TAA In-VM attacks: ● $ cat /sys/devices/system/cpu/vulnerabilities/mds Mitigation: Clear CPU buffers; SMT vulnerable $ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort Mitigation: Clear CPU buffers; SMT vulnerable ‘ md_clear ’ feature needed for effective mitigation ○ State is unknown if absent, Linux still tries ■ SMT: no protection ○ Manual CPU pinning or “core scheduler” (not yet upstream) may ■ help to certain extent ( userspace-to-userspace but not userspace-to-kernel ) Use “ nosmt ” for ultimate protection ■

  29. Other CPU vulnerabilities

  30. Other vulnerabilities ITLB_MULTIHIT (MCE on Page Size change, CVE-2018-12207) Instruction Linear fetch address Page tables iTLB 4k page 2M page 1G page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

When you look up into the sky, you will often see clouds. No two clouds are the same, and there

When you look up into the sky, you will often see clouds. No two clouds are the same, and there

When you look up into the sky, you will often see clouds. No two clouds are the same, and there are many different types of clouds. Different kinds of clouds lead to different types of weather. Cirrus clouds are the highest group of clouds that

271 views • 5 slides
A Model-driven Approach Towards Designing and Analysing Secure Systems for Multi-clouds Shaun

A Model-driven Approach Towards Designing and Analysing Secure Systems for Multi-clouds Shaun

A Model-driven Approach Towards Designing and Analysing Secure Systems for Multi-clouds Shaun Shei Secure and Dependable Software Systems (SenSe) Haralambos Mouratidis Stylianos Kapetanakis Aidan Delaney Overview What is Cloud Computing?

774 views • 56 slides
Toronto Public Library January 29, 2018 Defining Vulnerable Persons &quot;The City of Toronto

Toronto Public Library January 29, 2018 Defining Vulnerable Persons &quot;The City of Toronto

Services to Vulnerable Persons at Toronto Public Library January 29, 2018 Defining Vulnerable Persons &quot;The City of Toronto Working Group on Vulnerable Individuals defines vulnerability as the result of interaction between the

293 views • 15 slides
Mixing Public Mixing Public and private and private clouds clouds a Practical Perspective a

Mixing Public Mixing Public and private and private clouds clouds a Practical Perspective a

Mixing Public Mixing Public and private and private clouds clouds a Practical Perspective a Practical Perspective Maarten Koopmans Maarten Koopmans Nordunet Conference 2009 Nordunet Conference 2009 1 1 Who Who ING Group -2002

526 views • 27 slides
Leveraging Public Clouds for DOE Environmental Streaming Data Marty Humphrey Dept of Computer

Leveraging Public Clouds for DOE Environmental Streaming Data Marty Humphrey Dept of Computer

Leveraging Public Clouds for DOE Environmental Streaming Data Marty Humphrey Dept of Computer Science University of Virginia Jon Goodall Dept of Civil and Environmental Engineering University of Virginia Public Clouds should be utilized MORE

369 views • 9 slides
Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get CCA security, we used a MAC Bob would accept only messages from Alice But in PKE, Bob wants to receive messages from Eve as well! But only if it is

336 views • 14 slides
Social Clouds Creating a research agenda Andrew Lippman MIT Media Lab October, 2010 Clouds and

Social Clouds Creating a research agenda Andrew Lippman MIT Media Lab October, 2010 Clouds and

Social Clouds Creating a research agenda Andrew Lippman MIT Media Lab October, 2010 Clouds and Mists: 1 st Cloud Defined by access Familiar as the internet Result of a nexus: PC, backbone, ISPs Web Opened vast doors to creativity Clouds and

592 views • 24 slides
SERVERLESS COMPUTING FOR DATA-PROCESSING ACROSS PUBLIC AND FEDERATED CLOUDS Sebastin Risco,

SERVERLESS COMPUTING FOR DATA-PROCESSING ACROSS PUBLIC AND FEDERATED CLOUDS Sebastin Risco,

Instituto de Instrumentacin para Imagen Molecular Universitat Politcnica de Valncia Spain SERVERLESS COMPUTING FOR DATA-PROCESSING ACROSS PUBLIC AND FEDERATED CLOUDS Sebastin Risco, Alfonso Prez, Miguel Caballer, Germn Molt

218 views • 21 slides
Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM

Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM

Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Session 3: Hydrology &amp; Clouds 3:00- 5:30 PM Theme: Basically a continuation of climate talks

453 views • 19 slides
Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background

Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background

Public FPGA based DM Public FPGA based DMA Atta A Attacking king UlfFrisk Agenda Background and Previous work Transmit and Receive PCIe TLPs DUMP memory FPGA Design Attack vulnerable vanilla Linux system Attack vulnerable UEFI Windows

359 views • 19 slides
The Vulnerable Worker Notes from the Field Robert Harrison MD, MPH Public Health Medical

The Vulnerable Worker Notes from the Field Robert Harrison MD, MPH Public Health Medical

The Vulnerable Worker Notes from the Field Robert Harrison MD, MPH Public Health Medical Officer California Department of Public Health Clinical Professor of Medicine University of California, San Francisco TEL: 415 885 7580 Email:

746 views • 27 slides
RESOURCE MANAGEMENT RESOURCE MANAGEMENT STRATEGIES FOR SDR CLOUDS STRATEGIES FOR SDR CLOUDS Vuk

RESOURCE MANAGEMENT RESOURCE MANAGEMENT STRATEGIES FOR SDR CLOUDS STRATEGIES FOR SDR CLOUDS Vuk

Department of Signal Theory and Communications UNIVERSITAT POLITCNICA DE CATALUNYA RESOURCE MANAGEMENT RESOURCE MANAGEMENT STRATEGIES FOR SDR CLOUDS STRATEGIES FOR SDR CLOUDS Vuk Marojevic Ismael Gomez Pere Gilabert Gabriel Montoro

399 views • 27 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Health Care for Vulnerable Travis County Residents: A Public-Private Partnership

Health Care for Vulnerable Travis County Residents: A Public-Private Partnership

Health Care for Vulnerable Travis County Residents: A Public-Private Partnership Presentation #3 May 22, 2013 Remarks by Central Health Board of Managers Chairperson Rosie Mendoza Agenda 1. Opening

427 views • 39 slides
Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management Many programs I would like to run What I want : a Thread Each program has full control of one or more CPUs 1 Abstraction Address Space is our

280 views • 7 slides
Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management

Abstraction is our Business What I have A single (or a finite number) of CPUs Memory Management Many programs I would like to run What I want : a Thread Each program has full control of one or more CPUs 1 2 Abstraction Address Space is our

368 views • 11 slides
Hypercolumns for Object Segmentation and Fine-grained Localization Bharath Hariharan, Pablo

Hypercolumns for Object Segmentation and Fine-grained Localization Bharath Hariharan, Pablo

Hypercolumns for Object Segmentation and Fine-grained Localization Bharath Hariharan, Pablo Arbelaez, RossGirshick, Jitendra Malik Gksu Erdoan Image Classification horse, person, building Slide credit:Bharath Hariharan Object Detection

1.28k views • 49 slides
Hyper-local sustainable assortment planning Nupur Aggarwal, Abhishek Bansal, Kushagra Manglik,

Hyper-local sustainable assortment planning Nupur Aggarwal, Abhishek Bansal, Kushagra Manglik,

Hyper-local sustainable assortment planning Nupur Aggarwal, Abhishek Bansal, Kushagra Manglik, Kedar Kulkarni, Vikas Raykar IBM Research Sustainability The fashion industry is considered to be the worlds second largest polluter, after oil

393 views • 18 slides
Recurrent Pixel Embedding for Grouping Shu Kong CS, ICS, UCI Outline 1. Problem Statement --

Recurrent Pixel Embedding for Grouping Shu Kong CS, ICS, UCI Outline 1. Problem Statement --

Recurrent Pixel Embedding for Grouping Shu Kong CS, ICS, UCI Outline 1. Problem Statement -- Pixel Grouping 2. Pixel-Pair Spherical Max-Margin Embedding 3. Recurrent Mean Shift Grouping 4. Experiment 5. Conclusion and Extension Note: the

1.07k views • 82 slides
3.2 Hypergeometric Distribution 3.5, 3.9 Mean and Variance Prof. Tesler Math 186 Winter 2017

3.2 Hypergeometric Distribution 3.5, 3.9 Mean and Variance Prof. Tesler Math 186 Winter 2017

3.2 Hypergeometric Distribution 3.5, 3.9 Mean and Variance Prof. Tesler Math 186 Winter 2017 Prof. Tesler 3.2 Hypergeometric Distribution Math 186 / Winter 2017 1 / 15 Sampling from an urn

977 views • 15 slides
Learning From Data Lecture 23 SVMs: Maximizing the Margin A Better Hyperplane Maximizing the

Learning From Data Lecture 23 SVMs: Maximizing the Margin A Better Hyperplane Maximizing the

Learning From Data Lecture 23 SVMs: Maximizing the Margin A Better Hyperplane Maximizing the Margin Link to Regularization M. Magdon-Ismail CSCI 4100/6100 recap: Linear Models, RBFs, Neural Networks Linear Model with Nonlinear Transform

349 views • 19 slides
Machine learning with mlr Dr. Shirin Elsinghorst Data Scientist DataCamp Hyperparameter Tuning

Machine learning with mlr Dr. Shirin Elsinghorst Data Scientist DataCamp Hyperparameter Tuning

DataCamp Hyperparameter Tuning in R HYPERPARAMETER TUNING IN R Machine learning with mlr Dr. Shirin Elsinghorst Data Scientist DataCamp Hyperparameter Tuning in R The mlr package mlr is another framework for machine learning in R. Model

454 views • 28 slides
Move to High Availability with Hyper-v What is it and Why do you need it? Refers to a systems

Move to High Availability with Hyper-v What is it and Why do you need it? Refers to a systems

Move to High Availability with Hyper-v What is it and Why do you need it? Refers to a systems continuous uptime Reduces risk of data loss Handles failures of many components Minimises business impact One bad customer

446 views • 15 slides
A Sequence-based Selection Hyper-heuristic Utilising a Hidden Markov Model Ahmed Kheiri Ed

A Sequence-based Selection Hyper-heuristic Utilising a Hidden Markov Model Ahmed Kheiri Ed

Introduction Proposed Method Case Studies Summary A Sequence-based Selection Hyper-heuristic Utilising a Hidden Markov Model Ahmed Kheiri Ed Keedwell College of Engineering, Mathematics and Physical Sciences The 43rd CREST Open Workshop -

616 views • 36 slides

More recommend