Micro-architectural Attacks 2
1
Milan Patnaik
IIT Madras
Things we thought
gave us security!
• Cryptography
• Passwords
• Information Flow Policies
• Privileged Rings
• ASLR
• Virtual Machines and confinement
• Javascript and HTML5
(due to restricted access to system
resouces)
• Enclaves (SGX and Trustzone)
2
Micro-Architectural Attacks
(can break all of this)
3
Cache timing attackCache timing attack
Branch prediction attackBranch prediction attack
Speculation AttacksSpeculation Attacks
Row hammerRow hammer
Fault Injection AttacksFault Injection Attacks
….. and many more….. and many more
cold boot attackscold boot attacks
• Cryptography
• Passwords
• Information Flow Policies
• Privileged Rings
• ASLR
• Virtual Machines and confinement
• Javascript and HTML5
(due to restricted access to system
resouces)
• Enclaves (SGX and Trustzone)
DRAM Row buffer (DRAMA)DRAM Row buffer (DRAMA)
Causes
4
performance
security
Most micro-architectural attacks caused by
performance optimizations
Others due to inherent device properties
Third, due to stronger attackers
Instruction Level Parallelism
5
Out-of-order execution
6
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
How instructions are
fetched
sub r4, r5, r6
store r1, add2
mov r2, r1
add r2, r2, r3
load r0, addr1
How they may be
executed
r0
r2
r2
addr2
r4
How the results are
committed
inorder order restoredout-of-order
Out the processor core, execution looks in-order
Insider the processor core, execution is done out-of-order
Speculative Execution
7
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
r0
r2
r2
add2
r4
:
:
:
How results are
committed when
speculation is correct
Speculative execution
(transient instructions)
Speculative Execution
8
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
Speculative execution
(transient instructions)
Speculated results
discarded
Speculative Execution
9
cmp r0, r1
div r0, r1
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
cmp r0, r1
div r0, r1
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
(eg. If r1 = 0)
Speculative execution
Speculated results
discarded
Speculative Execution
and Micro-architectural State
10
Even though line 3 is not reached, the
micro-architectural state is modified due
to Line 3.
data=84
ILP Paradigms in Modern Processors
Speculation Attacks
Meltdown and Spectre
12
Meltdown
13
Slides motivated from Yuval Yarom’s talk on Meltdown and Spectre at the
Cyber security research bootcamp 2018
Meltdown
14
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Normal Circumstances
Meltdown
15
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
Meltdown
16
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
cache miss
Meltdown
17
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
cache miss
Meltdown
18
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
cache miss
Meltdown
19
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
cache hit
Speculative Execution
and Micro-architectural State
20
data=84
Spectre
21
Slides motivated from Yuval Yarom’s talk on Meltdown and Spectre at the
Cyber security research bootcamp 2018
Spectre (variant 1)
22
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
Spectre (variant 1)
23
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
<<
Spectre (variant 1)
24
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Normal Behavior
Spectre (variant 1)
25
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
Spectre (variant 1)
26
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
Spectre (variant 1)
27
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
Spectre (variant 1)
28
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
Spectre (variant 1)
29
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Misprediction!Misprediction!
<<
Spectre (variant 1)
30
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Misprediction!Misprediction!
<<
Spectre (variant 1)
31
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache hit found
only here
Cache hit found
only here
Spectre (variant 2)
Victim’s
address space
32
Some
gadget
Some
gadget
Jmp *ebxJmp *ebx
Spectre (variant 2)
Victim’s
address space
33
Attacker’s
address space
Some
gadget
Some
gadget
Jmp *ebxJmp *ebxJmp *eaxJmp *eax
retret
Spectre (variant 2)
Victim’s
address space
34
Attacker’s
address space
Some
gadget
Some
gadget
Jmp *ebxJmp *ebxJmp *eaxJmp *eax
retret
Spectre (variant 2)
Victim’s
address space
35
Attacker’s
address space
Some
gadget
Some
gadget
Jmp *eaxJmp *eax
retret
Jmp *ebxJmp *ebx
context
switch
Countermeasures
For meltdown: kpti (kernel page table isolation)
36
Countermeasures
37
For Spectre (variant 1): compiler patches
use barriers (LFENCE instruction) to prevent speculation
static analysis to identify locations where attackers can control
speculation
Countermeasures
• For Spectre (Variant 2): Separate BTBs for each process
– Prevent BTBs across SMT threads
– Prevent user code does not learn from lower security execution
38
Countermeasures
• For all: at hardware
– Every speculative load and store should bypass cache and stored in a
special buffer known as speculative buffer
39
That’s for the Day !!