ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz, - - PowerPoint PPT Presentation
ZombieLoad Cross-Privilege-Boundary Data Sampling Michael Schwarz, Moritz Lipp, Daniel Moghimi , Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss whoami Daniel Moghimi (@danielmgmi) Computer Security since 2010 Reverse
Cross-Privilege-Boundary Data Sampling
Michael Schwarz, Moritz Lipp, Daniel Moghimi, Jo Van Bulck, Julian Stecklina, Thomas Prescher, Daniel Gruss
whoami
▪ Daniel Moghimi (@danielmgmi) ▪ Computer Security since 2010
▪ Reverse Engineering ▪ Binary Analysis ▪ Application Security
▪ PhD Student since 2017
▪ Microarchitectural Security ▪ Side Channels ▪ Breaking Cryptographic Implementations
Background: Cache Attacks – Cache Memory
CPU Register Cache DRAM
Cheaper, but Slower More expensive, but Faster
Background: Cache Attacks – Cache Miss
Cache 10100110
Background: Cache Attacks
Cache 10100110 10100110
Background: Cache Attacks
Cache 10100110 10100110 10100110
Background: Cache Attacks – Cache Hit
Cache 10100110 10100110
Background: Cache Attacks – Cache Hit
Cache 10100110 10100110 10100110
Background: Cache Attacks – Flush & Reload (Yarom et al.)
Cache 10100110 10100110 Attacker Victim
Background: Cache Attacks – Flush & Reload (Yarom et al.)
Cache 10100110 Attacker Victim
Background: Cache Attacks – Flush & Reload (Yarom et al.)
Cache 10100110 Attacker Victim 10100110
Background: Cache Attacks – Flush & Reload (Yarom et al.)
Cache 10100110 Attacker Victim 10100110
Background: Cache Attacks – Flush & Reload (Yarom et al.)
Cache 10100110 Attacker Victim 10100110 delta > threshold = cache hit delta < threshold = cache miss
2018: Meltdown Attack?
2018: Meltdown Attack?
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space 256 different CPU Cache Line CPU Registers
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
Fault
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
P
Fault
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
P
Fault
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers F+R
2018: Meltdown Attack?
0xf…81a0123 P A S S W O R D Virtual Address Space
User Space Kernel Space
Oracle
256 different CPU Cache Line CPU Registers
‘P’ = 0x50
Meltdown-style Attacks !!!
▪ Can we do Meltdown with other faults/microcode-assists? ▪ Which part of the CPU leak the data?! ▪ Can we still leak somebody’s data?
▪ KPTI ▪ Meltdown-resistant CPUs, .e.g. Coffee Lake
ZombieLoad – How does CPU Work these days?
234 0x000401
Virtual Address
ZombieLoad – How does CPU Work these days?
234 0x000401
Virtual Address TLB
PMH
ZombieLoad – How does CPU Work these days?
234 0x000401
Virtual Address TLB
PMH
ZombieLoad – How does CPU Work these days?
234 0x000401
Virtual Address TLB
P
RW US A …
Physical Page Number
… …
Page Walk
ZombieLoad – How does CPU Work these days?
L1D Cache
DRAM L3 L2
Core
ZombieLoad – How does CPU Work these days?
LFB
L1D Cache
DRAM L2 L3
Core
ZombieLoad – How does CPU Work these days?
LFB
L1D Cache
…
DRAM L3 L2
Core
DRAM
ZombieLoad – How does CPU Work these days?
LFB
L1D Cache
…
L3 L2
Core Cache Line
DRAM
ZombieLoad – How does CPU Work these days?
LFB
L1D Cache
…
L3
Cache Line
L2
Core
x x x x
DRAM
ZombieLoad – How does CPU Work these days?
LFB
L1D Cache
x x x …
L3
Cache Line
L2
Core
x x x x
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line
L2
Core De-allocate
x x x x
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
Cache Line
L2
Core
x x x x
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
L2
Core
x x x x
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
L2
Core
x x x x
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
x x x x
L2
Core
0 0 0 0
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A …
Physical Page Number
… …
x x x x Cache Line 0 0 0
L2
Core
0 0 0 0
DRAM
ZombieLoad Attack !?!
LFB (10 entries)
L1D Cache
x x x x x …
L3
Cache Line P
RW
US
A
…
Physical Page Number
… …
x x x x Cache Line 0 0 0
Variant 1 Variant 3
L2
Core
ZombieLoad – Microcode Assist on ‘A’ Bit
▪ Access Bit
▪ CPU tells → OS: A page has been accessed by setting the ‘A’ Bit ▪ OS tells → CPU: A page has not been accessed (just allocated) by clearing the bit
▪ ‘A’ Bit Microcode Assist
▪ Microcode Assists: The CPU executes an internal event handler to service complex instructions/operations ▪ The microcode assist flushes the pipeline. ▪ Intel CPUs set ‘A’ bit using a microcode assist P
RW
US
A
…
Physical Page Number
… …
Variant 3
ZombieLoad VS. other Meltdown-Style Attacks
What can we do with this data leakage?
▪ Architecturally
▪ Attack across Process Context Switches ▪ Attack across Simultaneous Multithreading (SMT) AKA. Intel Hyperthreading
▪ Scenarios:
▪ Cross-Process ▪ Cross-VM ▪ Intel SGX
Data Sampling - Domino Attack
▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction
T arget Secret
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
Data Sampling - Domino Attack
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f
▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction
Data Sampling - Domino Attack
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0
▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction
Data Sampling - Domino Attack
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0 0x7f 0x84
▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction
Data Sampling - Domino Attack
1 1 0 1 0 0 1 1 0 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
…
T arget Secret
0xd3 0x10 0x4f 0x37 0x0e 0xb0 0x7f 0x84 0xd3 0x37 0x7f
▪ We may leak bytes of data from other unimportant fill buffer entries ▪ Leak domino bytes to perform error correction
Recovering Intel SGX Sealing Key
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
sgx-step
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
sgx-step
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
sgx-step
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
sgx-step
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
z-step Mark Non- Executabl e
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
z-step Mark Non- Executabl e Try to Execute
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
z-step Mark Non- Executabl e Try to Execute Exception
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
z-step Mark Non- Executabl e Try to Execute Exception Handle Exception
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS
Recovering Intel SGX Sealing Key
▪ Intel SGX allow developers to have hardware support for TEE ▪ Malicious OS is part of the threat model ▪ We can read register values of a trusted enclave with help of a malicious OS ▪ Repeated Context Switch in the transient domain w/ the same register values
Is there any Mitigation?
▪ Short-term
▪ Intel suggested an instruction sequence to fill all the buffers across context switch ▪ Disable hyperthreading ▪ Intel SGX: Remote attestation to Verify hyperthreading is Disabled
▪ Long-term
▪ Microarchitectural hardware fixes (Buy new CPUs !! ☺)
https://zombieloadattack.com/