ZombieLoad: Cross-Privilege-Boundary Data Sampling, Michael Schwarz et al. (PowerPoint PPT Presentation)



SLIDE 1

ZombieLoad

Cross-Privilege-Boundary Data Sampling

Michael Schwarz (1), Moritz Lipp (1), Daniel Moghimi (2), Jo Van Bulck (3), Julian Stecklina (4), Thomas Prescher (4), Daniel Gruss (1)
November 11, 2019

(1) Graz University of Technology, (2) Worcester Polytechnic Institute, (3) imec-DistriNet, KU Leuven, (4) Cyberus Technology

SLIDES 2-4

ZombieLoad

  • A new Meltdown-type transient-execution attack
  • Leaks data on Intel CPUs
  • Really new? Published in May 2019...

1 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDE 5

Intel Zombieload bug fix to slow data centre computers

ZombieLoad attack lets hackers steal data from Intel chips

'Zombieload' Flaw Lets Hackers Crack Almost Every Intel Chip Back to 2011. Why's It Being Downplayed?

Only New CPUs Can Truly Fix ZombieLoad and Spectre

SLIDES 6-9

Microarchitectural Data Sampling (MDS)

ZombieLoad: CVE-2018-12130, CVE-2019-11091, CVE-2019-11135

RIDL: CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

Fallout: CVE-2018-12126

2 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 10-11

ZombieLoad

Variant 1: Kernel Mapping
Variant 2: Transactional Asynchronous Abort
Variant 3: Microcode-Assisted Page-Table Walk

3 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 12-14

Embargo

  • Variant 2 embargoed until November 12, 2019
  • Only variant without hardware mitigations

→ Works on MDS-resistant Cascade Lake CPUs

4 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 15-23

Timeline

March 28, 2018: We report Meltdown on fill buffer (CVE-2019-11091)
September 12, 2018: VUSec reports fill-buffer leakage (RIDL)
April 12, 2019: We report ZombieLoad Variant 1 (CVE-2018-12130)
→ All embargoed until May 14, 2019 (MDS)
April 24, 2019: We report ZombieLoad Variant 2 (CVE-2019-11135)
May 10, 2019: We report Variant 2 on Cascade Lake
May 11, 2019: Call with Intel
May 12, 2019: Not allowed to publish Variant 2
→ Additional embargo until November 12, 2019 (TAA)

5 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDE 24

Comparison

                                   | ZombieLoad                 | RIDL                    | Fallout
Leakage source                     | Fill Buffer, Load Ports, ? | Fill Buffer, Load Ports | Store Buffer
Leaked data                        | All loads & stores         | Uncached loads & stores | Stores
Works despite software mitigations | ✓                          | ✗                       | ✗
Works on MDS-resistant CPUs        | ✓                          | ✗ (before Cascade Lake) | ✗ (before Cascade Lake)

ZombieLoad works despite software mitigations and even on MDS-resistant CPUs (e.g., Cascade Lake)

6 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 25-28

ZombieLoad Cache-line Conflicts

[Figure, built up over four slides: a Page with two mappings (Mapping v1, Mapping v2) to the same cache line; then a flush of that cache line; then a faulting load]

7 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 29-31

Data Encoding

[Figure, built up over three slides: a User Memory array with one entry per character A ... Z. The faulting load `char value = faulting[0]` transiently yields the leaked byte (K) out of order; the dependent access `mem[value]` touches the array entry for K, and K is what is recovered]

8 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 32-33

There is no noise. Noise is just someone else's data

SLIDES 34-43

Complex Load Situations

[Figure, built up over ten slides: the Execution Engine with a Reorder buffer of µOPs (containing ... mov al, byte [rcx] ...), the Scheduler, the Execution Units (ALU, AES, ...; ALU, FMA, ...; ALU, Vect, ...; ALU, Branch; Load data; Load data; Store data; AGU) and the CDB; on the Core Memory side the Load Buffer, Store Buffer, L1 Data Cache, DTLB and LFB. Load-buffer entry #n (between #n-1 and #n+1) holds ppn, vpn, offset and reg.no.; in the final step, data can go to register]

9 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 44-50

Microcode Assists

  • Complex situations handled in microcode
  • Setting accessed/dirty bit
  • TSX abort + rollback
  • ...
  • Load needs to be re-issued
  • Meltdown effects due to “microarchitectural fault”
  • No architectural fault handling required

10 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 51-56

Attack Targets

  • Leak data on same and sibling hyperthread

Applications, Operating System, SGX Enclave, Virtual Machine, Hypervisor

11 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDE 57

Control

[Figure: which address bits the attacker controls, drawn on the Physical and Virtual address layout (Page Number vs Page Offset, bit boundaries 51, 47, 12, 11, 6 and 5) for ZombieLoad/RIDL, Fallout, Foreshadow and Meltdown]

12 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 58-60

Control

[Figure, built up over three slides: domino bytes. key_n = 0xD2 and key_{n+1} = 0x1C are shown bit by bit; the (4,4)-domino_{n,n+1} = 0x21 joins the low nibble of key_n (0x2) with the high nibble of key_{n+1} (0x1)]

13 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 61-66

Results

  • AES-NI key
  • SGX sealing key
  • Cross-VM covert channel
  • Keyword matching
  • URL recovery
  • Targeted leakage

14 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 67-69

Performance

Variant 1 (Kernel Mapping): 5.30 kB/s
Variant 2 (Transactional Asynchronous Abort): 39.66 kB/s
Variant 3 (Microcode-Assisted Page-Table Walk): 7.73 kB/s

15 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 70-74

ZombieLoad Insights

[Figure, built up over four slides: the axes Instruction Pointer, Address and Data, with Memory-based Side-Channel Attacks, Meltdown, and Data Sampling (this paper) placed according to what each leaks]

17 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 75-80

Intel Mitigations

  • Disable hyperthreading or group scheduling
  • Overwrite microarchitectural buffers
  • VERW instruction (microcode update)
  • Software sequences
  • New CPUs which are not affected

[Table: vulnerability status of 8th/9th gen. Intel Core (Coffee Lake) and Intel Xeon Cascade Lake against Meltdown, Foreshadow, RIDL, Fallout, MLPDS, MDSUM and ZombieLoad]

18 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 81-85

Circumventing Mitigations

  • Variant 2 works on all CPUs

→ Embargoed until November 12, 2019

  • Microcode and software sequences do not prevent ZombieLoad

→ Reported on May 16, 2019

  • ZombieLoad might not only leak from fill buffer

19 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 86-90

ZombieLoad Mitigations

  • Disable hyperthreading
  • Flush all buffers on privilege-level change
  • Fill buffer, store buffer, load ports → VERW
  • Flush L1 cache → MSR IA32_FLUSH_CMD
  • Disable Intel TSX (MSR TSX_FORCE_ABORT)

20 Michael Schwarz (@misc0110) et al. — Graz University of Technology
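A defender-side check for the mitigations listed on slides 86-90, added here as an example that is not part of the ZombieLoad slides or the IAIK proof-of-concept: it reads the Linux kernel's sysfs reports for MDS and TSX Asynchronous Abort plus the SMT control knob (or constructed sample strings when run offline) and flags which of the deck's mitigations (VERW buffer clearing, disabling TSX, disabling hyperthreading) are still missing. The sysfs paths are the kernel's own; the SAMPLES and all finding texts are mine.

```python
"""Map Linux MDS / TAA reports onto the mitigations the deck lists.
Added example, not from the ZombieLoad slides or the IAIK proof of concept;
sysfs paths are the kernel's, the SAMPLES below are constructed strings in
the kernel's report format for running offline."""
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")

# Constructed samples: (mds, tsx_async_abort, smt/control).
SAMPLES = {
    "cascade_lake_tsx_on": ("Not affected", "Vulnerable", "on"),
    "fully_mitigated": ("Mitigation: Clear CPU buffers; SMT disabled",
                        "Mitigation: TSX disabled", "off"),
    "stale_microcode": ("Vulnerable: Clear CPU buffers attempted, no microcode",
                        "Vulnerable: Clear CPU buffers attempted, no microcode",
                        "on"),
}

@dataclass
class Assessment:
    mds_affected: bool
    taa_affected: bool
    buffers_cleared: bool  # VERW overwrites fill/store buffers and load ports
    tsx_disabled: bool     # Variant 2 needs TSX; TSX_FORCE_ABORT removes it
    smt_disabled: bool     # a sibling hyperthread shares the leaking buffers
    findings: List[str] = field(default_factory=list)

    @property
    def residual_risk(self) -> bool:
        return bool(self.findings)

def clears_buffers(report: str) -> bool:
    """True only if VERW really flushes: 'attempted, no microcode' means the
    kernel issues VERW but the CPU lacks the update giving it that effect."""
    return "Clear CPU buffers" in report and "no microcode" not in report

def assess(mds: str, taa: str, smt_control: str) -> Assessment:
    mds_affected = not mds.startswith("Not affected")
    taa_affected = not taa.startswith("Not affected")
    tsx_off = "TSX disabled" in taa
    # SMT counts as off when the knob says so or either report records it.
    smt_off = (smt_control.strip() in ("off", "forceoff", "notsupported")
               or "SMT disabled" in mds or "SMT disabled" in taa)
    mds_ok = (not mds_affected) or clears_buffers(mds)
    taa_ok = (not taa_affected) or tsx_off or clears_buffers(taa)
    a = Assessment(mds_affected, taa_affected,
                   buffers_cleared=clears_buffers(mds) or clears_buffers(taa),
                   tsx_disabled=tsx_off, smt_disabled=smt_off)
    if not mds_ok:
        a.findings.append("MDS: CPU buffers are not cleared on privilege-level "
                          "change (fill-buffer leakage, Variants 1 and 3)")
    if not taa_ok:
        a.findings.append("TAA: Variant 2 unmitigated; it works even on "
                          "MDS-resistant CPUs, so disable TSX or clear buffers")
    if (mds_affected or taa_affected) and not smt_off:
        a.findings.append("SMT on: the sibling hyperthread can still sample "
                          "this core's buffers; disable SMT or group-schedule")
    return a

def read_host() -> Optional[Tuple[str, str, str]]:
    """Live sysfs values, or None when these files do not exist here."""
    try:
        return ((VULN_DIR / "mds").read_text().strip(),
                (VULN_DIR / "tsx_async_abort").read_text().strip(),
                SMT_CONTROL.read_text().strip())
    except OSError:
        return None

def main() -> None:
    host = read_host()
    cases = {"this host": host} if host else SAMPLES
    for name, (mds, taa, smt) in cases.items():
        a = assess(mds, taa, smt)
        print(f"[{name}] mds={mds!r} taa={taa!r} smt={smt!r}")
        for f in a.findings or ["no residual ZombieLoad exposure found"]:
            print("  -", f)

if __name__ == "__main__":
    main()
```

The first sample is the slide-14 situation: an MDS-resistant CPU that still exposes Variant 2 while TSX is enabled.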

SLIDES 91-94

Transient Execution Attack Tree

Transient cause
    Meltdown-type
        Meltdown-PF
            Meltdown-US
                Meltdown-US-LFB (Variant 1)
        Meltdown-MCA
            Meltdown-AD
                Meltdown-AD-LFB (Variant 3)
            Meltdown-TAA (Variant 2)

21 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 95-96

GitHub

You can find our proof-of-concept implementation on:

  • https://github.com/IAIK/ZombieLoad

22 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 97-99

Conclusion

  • Transient-execution attacks: the gift that keeps on giving
  • Class of Meltdown attacks is larger than expected
  • CPUs are deterministic - there is no noise

23 Michael Schwarz (@misc0110) et al. — Graz University of Technology

SLIDES 100-101

ZombieLoad

Cross-Privilege-Boundary Data Sampling

Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss
November 11, 2019

Graz University of Technology

SLIDE 102

Acknowledgements

We thank Werner Haas (Cyberus Technology), Claudio Canella (Graz University of Technology), Jon Masters (Red Hat), Alex Ionescu (CrowdStrike), and Martin Schwarzl (Graz University of Technology). We would like to thank our anonymous reviewers and especially our shepherd, Yinqian Zhang, for their comments and suggestions that helped improve the paper. The research presented in this paper was partially supported by the Research Fund KU Leuven. Jo Van Bulck is supported by a grant of the Research Foundation – Flanders (FWO). Daniel Moghimi is supported by the National Science Foundation, under grant CNS-1814406. The project was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 681402). It was also supported by the Austrian Research Promotion Agency (FFG) via the K-project DeSSnet, which is funded in the context of COMET - Competence Centers for Excellent Technologies by BMVIT, BMWFW, Styria and Carinthia. Additional funding was provided by a generous gift from Intel. Any opinions, findings, and conclusions or recommendations expressed in this paper are those of the authors and do not necessarily reflect the views of the funding parties.