SLIDE 1

Transient Execution Attacks: Lessons from Spectre, Meltdown, and Foreshadow

Jo Van Bulck

imec-DistriNet, KU Leuven • jo.vanbulck@cs.kuleuven.be • jovanbulck

ISSE Brussels, November 6, 2018

SLIDE 2

A primer on software security

  • Secure program: convert all input to expected output
  • Buffer overflow vulnerabilities: trigger unexpected behavior
  • Safe languages & formal verification: preserve expected behavior
  • Side-channels: observe side-effects of the computation

[Figure labels: INPUT, OUTPUT]

SLIDE 8

Evolution of “side-channel attack” occurrences in Google Scholar

[Figure: plot of occurrences per year; x-axis 1990 to 2018, y-axis 1000 to 4000]

DO WE JUST SUCK AT... COMPUTERS?

  • YUP. ESPECIALLY SHARED ONES.

Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

SLIDE 9

CPU cache timing side-channel

    while true do
        maccess(&a);
    endwh

  • Cache principle: CPU speed ≫ DRAM latency → cache code/data
  • Cache miss: Request data from (slow) DRAM upon first use
  • Cache hit: No DRAM access required for subsequent uses

[Figure labels: CPU + cache, DRAM memory, a, cache miss, cache hit]

SLIDE 12

Cache timing attacks in practice: Flush+Reload

Victim code:

    if secret do
        maccess(&a);
    else
        maccess(&b);
    endif

Attacker code:

    flush(&a);
    start_timer
    maccess(&a);
    end_timer

[Figure labels: CPU + cache, DRAM memory, a, b]

  • Victim runs: cache miss, secret=1, load 'a' into cache
  • Attacker times maccess(&a): cache hit, fast access(&a) → secret=1
  • Attacker times maccess(&b): cache miss, slow access(&b) → secret=1

SLIDE 16

A primer on software security (revisited)

  • Side-channels: observe side-effects of the computation
  • Constant-time code: eliminate secret-dependent side-effects
  • Transient execution: HW optimizations do not respect SW abstractions (!)

[Figure labels: INPUT, OUTPUT]

SLIDE 20

Out-of-order and speculative execution

Key discrepancy:

  • Programmers write sequential instructions
  • Modern CPUs are inherently parallel
    ⇒ Speculatively execute instructions ahead of time

Best-effort: What if triangle fails?

  → Commit in-order, roll-back square
  ... But side-channels may leave traces (!)

[Figure labels: Overflow exception, Roll-back]

SLIDE 23

Transient execution attacks: Welcome to the world of fun!

  • CPU executes ahead of time in transient world
      – Success → commit results to normal world
      – Fail → discard results, compute again in normal world
  • Transient world (microarchitecture) may temporarily bypass architectural software intentions:
      – Delayed permission checks
      – Mispredict control flow

Key finding of 2018 ⇒ transmit secrets from transient to normal world

SLIDE 27

Meltdown: Transiently encoding unauthorized memory

  • Unauthorized access
  • Transient out-of-order window (figure labels: oracle array, secret idx)
  • Exception (discard architectural state)
  • Exception handler (figure labels: oracle array, cache hit)

SLIDE 31

Mitigating Meltdown: Unmap kernel addresses from user space

  • OS software fix for faulty hardware (↔ future CPUs)
  • Unmap kernel from user virtual address space
    → Unauthorized physical addresses out-of-reach (∼ cookie jar)

SLIDE 33

Rumors: Meltdown immunity for SGX enclaves?

“[enclaves] remain protected and completely secure” — International Business Times, February 2018

“[enclave memory accesses] redirected to an abort page, which has no value” — Anjuna Security, Inc., March 2018

https://wired.com and https://arstechnica.com

SLIDE 35

Building Foreshadow

Foreshadow can read unmapped physical addresses from the cache (!)

SLIDE 37

Foreshadow: Breaking the virtual memory abstraction

[Figure labels: SGX?, EPT walk?, PT walk?, L1D, vadrs, guest padrs, host padrs, Tag?, Pass to out-of-order CPU micro-architecture, EPCM fail; step markers 1, 2, 3, 3a]

Arbitrary L1 cache read → bypass OS/hypervisor/enclave protection

SLIDE 38

Mitigating Foreshadow

  • Future CPUs (silicon-based changes)
    https://newsroom.intel.com/editorials/advancing-security-silicon-level/
  • OS kernel updates (sanitize page frame bits)
    https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF
  • Intel microcode updates
    ⇒ Flush L1 cache on enclave/VMM exit + disable HyperThreading
    https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

SLIDE 42

Mitigating Foreshadow/L1TF: Hardware-software cooperation
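
A check for the three Foreshadow/L1TF mitigations listed above on a Linux host, as an added example that is not part of the original slides. It parses the status line Linux exposes under /sys/devices/system/cpu/vulnerabilities/l1tf; the function names, the flag names and the sample line in the comment are constructed for this example.

```c
/* Added example: read the Linux L1TF status line and list missing mitigations. */
#include <stdio.h>
#include <string.h>

#define L1TF_SYSFS "/sys/devices/system/cpu/vulnerabilities/l1tf"

enum {
    L1TF_NOT_AFFECTED  = 1 << 0,
    L1TF_PTE_INVERSION = 1 << 1,   /* OS kernel: sanitize page frame bits */
    L1TF_L1D_FLUSH     = 1 << 2,   /* L1 cache flushes around guest execution */
    L1TF_SMT_DISABLED  = 1 << 3    /* HyperThreading off */
};

/* Parse one status line. Constructed sample in the kernel's format:
 * "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" */
unsigned l1tf_parse(const char *line)
{
    unsigned flags = 0;
    if (strncmp(line, "Not affected", 12) == 0) return L1TF_NOT_AFFECTED;
    if (strstr(line, "PTE Inversion")) flags |= L1TF_PTE_INVERSION;
    if (strstr(line, "cache flushes")) flags |= L1TF_L1D_FLUSH;  /* also "conditional ..." */
    if (strstr(line, "SMT disabled"))  flags |= L1TF_SMT_DISABLED;
    return flags;
}

/* Bitmask of the three mitigations from the slides that the line does not report. */
unsigned l1tf_missing(unsigned flags)
{
    const unsigned want = L1TF_PTE_INVERSION | L1TF_L1D_FLUSH | L1TF_SMT_DISABLED;
    return (flags & L1TF_NOT_AFFECTED) ? 0u : (want & ~flags);
}

int main(void)
{
    char line[256] = "";
    FILE *f = fopen(L1TF_SYSFS, "r");
    if (f) {
        if (!fgets(line, sizeof line, f)) line[0] = '\0';
        fclose(f);
    }
    if (line[0] == '\0') { puts("l1tf status not available"); return 0; }
    unsigned missing = l1tf_missing(l1tf_parse(line));
    printf("%s", line);
    if (missing & L1TF_PTE_INVERSION) puts("missing: PTE inversion (kernel update)");
    if (missing & L1TF_L1D_FLUSH)     puts("missing: L1D cache flushes for guests");
    if (missing & L1TF_SMT_DISABLED)  puts("missing: SMT is not disabled");
    return 0;
}
```

The L1D flush and SMT flags matter on hosts that run untrusted guests; on a machine without virtualization the kernel reports only the PTE inversion part, and any other VMX state the kernel reports is treated as missing by this simplified check.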

SLIDE 44

Spectre v1: Speculative buffer over-read

  • Programmer intention: never access out-of-bounds memory
  • Branch can be mistrained to speculatively (i.e., ahead of time) execute with idx ≥ LEN in the transient world
  • Side-channels leak out-of-bounds secrets to the real world

[Figure labels: user buffer, secret]

SLIDE 47

Mitigating Spectre v1: Inserting speculation barriers

[Figure labels: user buffer, secret]

  • Programmer intention: never access out-of-bounds memory
  • Insert speculation barrier to tell the CPU to halt the transient world until idx has been evaluated ↔ performance
  • Huge error-prone manual effort, no reliable automated compiler approaches yet...
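
The bounds check from these slides with a speculation barrier, as an added example that is not code from the original slides. It also goes one step beyond the slide by showing branchless index masking, a common cheaper alternative to a barrier; `read_with_barrier`, `index_mask` and `read_with_mask` are hypothetical names, and the non-x86 fallback is only a compiler barrier.

```c
/* Added example: two ways to harden the bounds check from the Spectre v1 slides. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LEN 16
static uint8_t user_buffer[LEN];     /* "user buffer", idx and LEN follow the slides */

#if defined(__x86_64__) || defined(__i386__)
#define SPEC_BARRIER() __asm__ volatile("lfence" ::: "memory")
#else  /* assumption: other targets need their own barrier; this only stops the compiler */
#define SPEC_BARRIER() __asm__ volatile("" ::: "memory")
#endif

/* Variant 1: speculation barrier between the check and the load. */
int read_with_barrier(size_t idx, uint8_t *out)
{
    if (idx >= LEN)
        return -1;
    SPEC_BARRIER();                  /* later loads do not start until the check completes */
    *out = user_buffer[idx];
    return 0;
}

/* All-ones when idx < len, zero otherwise, computed without a branch.
 * Relies on arithmetic right shift of negative values (true for GCC and Clang). */
size_t index_mask(size_t idx, size_t len)
{
    __asm__ volatile("" : "+r"(idx));   /* hide idx so the compiler cannot fold the mask away */
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* Variant 2: clamp the index so a mispredicted branch can only reach slot 0. */
int read_with_mask(size_t idx, uint8_t *out)
{
    if (idx >= LEN)
        return -1;
    idx &= index_mask(idx, LEN);
    *out = user_buffer[idx];
    return 0;
}

int main(void)
{
    uint8_t v = 0;
    user_buffer[3] = 42;
    printf("in bounds: %d, out of bounds: %d\n",
           read_with_mask(3, &v), read_with_mask(LEN, &v));
    return 0;
}
```

Without the empty `asm` statement in `index_mask`, an optimizing compiler may prove that the mask is all-ones on the in-bounds path and delete the clamp, which is the kind of error-prone detail the slide refers to.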

SLIDE 51

Conclusions and take-away

https://foreshadowattack.eu/

Hardware + software patches
Update your systems! (+ disable HyperThreading)

  ⇒ New class of transient execution attacks
  ⇒ Security cross-cuts the system stack: hardware, hypervisor, kernel, compiler, application
  ⇒ Importance of fundamental side-channel research

SLIDE 54

Appendix: Intel SGX promise: Hardware-level isolation and attestation

[Figure labels: Mem, HDD, OS kernel, Trusted, Untrusted, CPU, App, App, TPM, Hypervisor, Enclave app]

SLIDE 56

Appendix: Challenge #1: Intel SGX abort page semantics

  • Untrusted world view
      – Enclaved memory reads 0xFF
      – Meltdown “bounces back” (∼ mirror)
  • Intra-enclave view
      – Access enclaved + unprotected memory
      – SGXpectre in-enclave code abuse