Micro-architectural Attacks 2
Milan Patnaik
Indian Institute of Technology Madras
Credits: Prof Chester Rebeiro and my colleagues of RISE Lab, IIT Madras

Things we thought gave us security!
• Cryptography
• Passwords
• Information Flow Policies
• Privileged Rings
• ASLR
• Virtual Machines and confinement
• Javascript and HTML5 (due to restricted access to system resources)
• Enclaves (SGX and Trustzone)

Micro-Architectural Attacks (can break all of this)
• Cache timing attack
• Speculation attacks (Meltdown, Spectre)
• Branch prediction attack
• Row hammer
• Fault injection attacks
• Cold boot attacks
• DRAM row buffer (DRAMA)
• ..... and many more

Causes: performance vs security
• Most micro-architectural attacks are caused by performance optimizations
• Others are due to inherent device properties
• Third, due to stronger attackers

Instruction Level Parallelism: Out-of-order execution
How instructions are fetched (program order):
  load r0, addr1
  mov r2, r1
  add r2, r2, r3
  store r1, addr2
  sub r4, r5, r6
How they may be executed (out-of-order, as their dependences allow):
  sub r4, r5, r6
  store r1, addr2
  mov r2, r1
  add r2, r2, r3
  load r0, addr1
How the results are committed (in order, i.e. program order restored): r0, r2, r2, addr2, r4
• Out of the processor core, execution looks in-order
• Inside the processor core, execution is done out-of-order

Speculative Execution: Case 1 (conditional branch)
  cmp r0, r1
  jnz label
  load r0, addr1
  mov r2, r1
  add r2, r2, r3
  store r1, addr2
  sub r4, r5, r6
  :
label: more instructions
• How instructions are fetched: the instructions after jnz are fetched before the branch outcome is known
• How instructions are executed: they are executed speculatively and out-of-order (transient instructions)
• How results are committed, when speculation is correct: r0, r2, r2, addr2, r4 are committed in order
• When speculation is incorrect: the speculated results are discarded

Speculative Execution: Case 2 (exception)
  cmp r0, r1
  div r0, r1
  load r0, addr1
  mov r2, r1
  add r2, r2, r3
  store r1, addr2
  sub r4, r5, r6
  :
label: more instructions
• The instructions after div are fetched and executed speculatively before it is known whether div raises an exception
• When speculation is incorrect (e.g. if r1 = 0): the speculated results are discarded

ILP Paradigms in Modern Processors

Speculation Attacks: Meltdown and Spectre

Meltdown
Slides motivated from Yuval Yarom's talk on Meltdown and Spectre at the Cyber security research bootcamp 2018

Speculative Execution and Micro-architectural State
• Even though line 3 is not reached, the micro-architectural state is modified due to line 3.
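As an added illustration that is not part of the lecture, the C program below models the three stages of the out-of-order slide for exactly the five instructions above: in-order fetch, dataflow (out-of-order) execution, and in-order commit. The latencies (load 3 cycles, everything else 1) and the unbounded issue width are assumptions made for the illustration.

```c
#include <stdio.h>

#define NREG 8

/* One instruction of the lecture's five-instruction sequence. dst < 0 means no
 * register result (the store writes memory); src entries of -1 are unused.
 * Latencies are an assumption for illustration: load 3 cycles, all others 1. */
typedef struct { const char *text; int dst, src[2], latency; } Insn;

/* Program order, exactly as fetched on the slide. */
static const Insn prog[] = {
    {"load r0, addr1",   0, {-1, -1}, 3},
    {"mov r2, r1",       2, { 1, -1}, 1},
    {"add r2, r2, r3",   2, { 2,  3}, 1},
    {"store r1, addr2", -1, { 1, -1}, 1},
    {"sub r4, r5, r6",   4, { 5,  6}, 1},
};
#define NINS ((int)(sizeof prog / sizeof prog[0]))

/* Out-of-order execution: each instruction issues as soon as the registers it
 * reads are available (true RAW dependences only; renaming removes the others)
 * and completes `latency` cycles later. done[i] = completion cycle of i. */
void execute_ooo(const Insn *p, int n, int done[]) {
    int ready[NREG] = {0};                 /* cycle at which each register is valid */
    for (int i = 0; i < n; i++) {
        int issue = 0;
        for (int k = 0; k < 2; k++)
            if (p[i].src[k] >= 0 && ready[p[i].src[k]] > issue)
                issue = ready[p[i].src[k]];
        done[i] = issue + p[i].latency;
        if (p[i].dst >= 0) ready[p[i].dst] = done[i];
    }
}

/* In-order commit: instruction i retires only after it has completed AND every
 * earlier instruction has retired, so the architectural state changes in program
 * order even though execution finished in a different order. */
void commit_inorder(const int done[], int n, int commit[]) {
    for (int i = 0; i < n; i++)
        commit[i] = (i > 0 && commit[i - 1] > done[i]) ? commit[i - 1] : done[i];
}

int main(void) {
    int done[NINS], commit[NINS];
    execute_ooo(prog, NINS, done);
    commit_inorder(done, NINS, commit);
    for (int i = 0; i < NINS; i++)
        printf("%-16s completes at cycle %d, commits at cycle %d\n",
               prog[i].text, done[i], commit[i]);
    return 0;
}
```

The load finishes last even though it was fetched first, while the four instructions behind it finish early; every one of them nevertheless commits at the cycle the load commits, which is what "out of the core, execution looks in-order" means.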
Meltdown Concept
Virtual address space of the process: userspace | kernelspace
  i = *pointer          (pointer refers to kernelspace)
  y = array[i * 256]    (array is in userspace)
Cache memory: Set 0 .. Set 3, way 0 .. way 3
• Normal circumstances: the user-mode access to *pointer is not permitted, so array[i * 256] is never loaded.
• Not normal circumstances: array[i * 256] is loaded into the cache transiently, before the fault on *pointer takes effect. Probing array line by line: cache miss, cache miss, cache miss, cache hit. The line that hits depends on i.

Meltdown: The Attack
* Executing transient instructions
  - Exception handling
  - Exception suppression
* Building a covert channel
Credits: Moritz Lipp et al.

Meltdown: The Attack
Step 1: Content of attacker-chosen memory location is loaded into a register.
Step 2: A transient instruction accesses a cache line based on the secret content of the register.
Step 3: The attacker uses Flush+Reload to determine the accessed cache line, and hence the secret stored at the chosen memory location.
Credits: Moritz Lipp et al.

Speculative Execution and Micro-architectural State (example with data = 84)
Credits: Moritz Lipp et al.

Spectre
Slides motivated from Yuval Yarom's talk on Meltdown and Spectre at the Cyber security research bootcamp 2018

Speculative Execution: Case 1 (recap)
  cmp r0, r1
  jnz label
  load r0, addr1
  mov r2, r1
  add r2, r2, r3
  store r1, addr2
  sub r4, r5, r6
  :
label: more instructions
• The instructions after jnz are fetched and executed speculatively (transient instructions)
• When speculation is incorrect, the speculated results are discarded

Branch Prediction
  (same code as above)
• The predictor learns from the branch history: r0 = r1, r0 = r1, ... and then mispredicts when r0 != r1

Spectre (Variant 1)
  if (x < array_len) {
      i = array[x];
      y = array2[i * 256];
  }
User space of the process holds array2, x, array, secret (beyond the end of array) and array_len; cache memory alongside.

Normal Behavior
• x and array_len are loaded into registers and compared
• i = array[x] is loaded into a register
• the register is multiplied by 256 and array2[i * 256] is loaded; its line enters the cache

Speculative Execution and Micro-architectural State
• Even though line 3 is not reached, the micro-architectural state is modified due to line 3.

Spectre (Variant 1): training
• Multiple TAKEN loops: the branch predictor learns "branch TAKEN = TRUE if condition"

Spectre (Variant 1): Under Attack
• x > array_len
• array_len not in cache (cache MISS: the compare has to wait for memory)
• secret in cache memory
• Misprediction! The predictor takes the branch; array[x] reads the secret into a register, the register is multiplied by 256, and array2[secret * 256] is loaded transiently
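The bounds-check pattern from the slide, placed beside two hardened forms, as an added example that is not from the lecture: index masking (the branch-free mask construction that Linux's array_index_mask_nospec() uses) and the LFENCE barrier named on the countermeasures slide. The arrays, their sizes and the secret bytes are constructed sample data; the test below can only check architectural results, since whether a transient load happened is not visible to a C program.

```c
#include <stddef.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory") /* no fence elsewhere (assumption) */
#endif
/* Stops the compiler from "knowing" x is in bounds and deleting the mask. */
#define HIDE_FROM_OPTIMIZER(v) __asm__ __volatile__("" : "+r"(v))

/* Constructed sample layout mirroring the slide: array, a secret reachable by an
 * out-of-bounds x, and array2 whose cache lines act as the side channel. */
static uint8_t array[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
static size_t  array_len = 16;
uint8_t secret[8] = "S3CRET!";
static uint8_t array2[256 * 256];
static volatile uint8_t y;

/* Vulnerable pattern from the slide: if `x < array_len` is mispredicted, the two
 * dependent loads run transiently with an out-of-bounds x, and the array2 line
 * they touch stays cached after the results are squashed. */
uint8_t victim_vulnerable(size_t x) {
    if (x < array_len) { uint8_t i = array[x]; y = array2[i * 256]; return i; }
    return 0;
}

/* Branch-free mask: all ones when index < size, zero otherwise. Same construction
 * as Linux's array_index_mask_nospec(); valid for index, size < LONG_MAX. */
size_t index_mask_nospec(size_t index, size_t size) {
    long m = ~(long)(index | (size - 1UL - index));
    return (size_t)(m >> (sizeof(long) * 8 - 1)); /* arithmetic shift copies the sign bit */
}

/* Hardened form 1: index masking. Even under misprediction the load index is
 * forced to 0, so no secret byte can select an array2 line. */
uint8_t victim_masked(size_t x) {
    if (x < array_len) {
        HIDE_FROM_OPTIMIZER(x);
        x &= index_mask_nospec(x, array_len);
        uint8_t i = array[x]; y = array2[i * 256]; return i;
    }
    return 0;
}

/* Hardened form 2: the LFENCE barrier from the countermeasures slide. The loads
 * after it cannot issue until the bounds compare has actually resolved. */
uint8_t victim_fenced(size_t x) {
    if (x < array_len) { SPECULATION_BARRIER(); uint8_t i = array[x]; y = array2[i * 256]; return i; }
    return 0;
}
```

The masking form costs a few ALU operations and no serialization; the fence form is simpler to audit but stalls every execution of the check, which is why compilers and kernels prefer masking on hot paths.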
Spectre (Variant 1)
• Cache hit found here by the FLUSH+RELOAD attack: probing array2 afterwards, the line array2[secret * 256] is the one that hits

Spectre (Variant 2)
• Victim's address space: some gadget, and an indirect branch (jmp *ebx)
• Attacker's address space: an indirect jump (jmp *eax) at the matching address, followed by ret, trains the branch target buffer
• After a context switch, the victim's jmp *ebx is predicted to the attacker-chosen gadget

Countermeasures
• For Meltdown: KPTI (kernel page table isolation)
• For Spectre (Variant 1):
  - compiler patches use barriers (LFENCE instruction) to prevent speculation
  - static analysis to identify locations where attackers can control speculation
• For Spectre (Variant 2):
  - Separate BTBs for each process
  - Prevent BTB sharing across SMT threads
  - Ensure user code does not learn from lower-security execution
• For all: at hardware
  - Every speculative load and store should bypass the cache and be stored in a special buffer known as the speculative buffer

DRAM
- DRAM stores charge in a capacitor
- Capacitor must be large for reliable sensing

DRAM Refresh Cycles
- Stored data gets lost due to leakage
- Need for capacitor refresh
- Refresh cycles are in the order of milliseconds, still consuming some memory bandwidth

DRAM Cells
- Scaling beyond 35-40 nm is challenging
- DRAM cells become smaller with reduction in transistor size
- Space between cells also reduces
- The closer two charged bodies are, the higher the electromagnetic interference

Rowhammer
- Access during a refresh cycle causes neighbouring cells to lose charge faster
- Electromagnetic decoupling
- Toggling a row increases the adjacent row voltage
- Opens adjacent row: charge leakage
- Data corrupted, read and written back

Rowhammer Example

Countermeasures

That's it for the Lectures !!
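For the Rowhammer countermeasures slide, an added example (not from the lecture) of the activation-counting idea behind target-row-refresh style mitigations: count how often each row is opened within one refresh window and, when a row is toggled too often, refresh its physically adjacent rows early, before their charge has leaked. The 64 ms window, the 32-row bank, the threshold of 1000 activations and the access trace are all constructed for the illustration; real thresholds are vendor-specific and far larger.

```c
#include <stdio.h>
#include <string.h>

#define NROWS 32
#define REFRESH_WINDOW_US 64000u /* refresh interval in the order of milliseconds: 64 ms assumed */
#define ACT_THRESHOLD 1000       /* illustrative placeholder; real thresholds are vendor-specific */

typedef struct { unsigned t_us; int row; } Activation;   /* one row open, time in microseconds */

/* Counter-based detection: count activations per row within one refresh window.
 * A row that reaches the threshold is an aggressor; its physically adjacent rows
 * (the ones losing charge per the slide) are marked for an early extra refresh.
 * The trace must be sorted by time. Returns the number of marked victim rows;
 * victims[r] is set to 1 for each of them. */
int detect_hammering(const Activation *trace, int n, int victims[NROWS]) {
    int count[NROWS] = {0};
    unsigned window_start = n > 0 ? trace[0].t_us : 0;
    memset(victims, 0, NROWS * sizeof victims[0]);
    for (int i = 0; i < n; i++) {
        if (trace[i].t_us - window_start >= REFRESH_WINDOW_US) {
            memset(count, 0, sizeof count); /* the regular refresh restored all charge */
            window_start = trace[i].t_us;
        }
        int r = trace[i].row;
        if (r < 0 || r >= NROWS) continue;
        if (++count[r] == ACT_THRESHOLD) {  /* fires once per row per window */
            if (r > 0)         victims[r - 1] = 1;
            if (r < NROWS - 1) victims[r + 1] = 1;
        }
    }
    int marked = 0;
    for (int r = 0; r < NROWS; r++) marked += victims[r];
    return marked;
}

/* Constructed trace: row 7 toggled 1200 times within 1.2 ms (well inside one
 * refresh window), then row 20 touched 50 times at a benign rate. */
int build_sample_trace(Activation *out, int cap) {
    int n = 0;
    for (int i = 0; i < 1200 && n < cap; i++) out[n++] = (Activation){ (unsigned)i, 7 };
    for (int i = 0; i < 50 && n < cap; i++)   out[n++] = (Activation){ 2000u + 10u * i, 20 };
    return n;
}

int main(void) {
    Activation trace[2000];
    int victims[NROWS];
    int n = build_sample_trace(trace, 2000);
    int marked = detect_hammering(trace, n, victims);
    printf("%d row(s) need early refresh:", marked);
    for (int r = 0; r < NROWS; r++) if (victims[r]) printf(" %d", r);
    printf("\n");
    return 0;
}
```

The same 1200 activations spread over two refresh windows never trip the counter, which is the point: the regular refresh has already restored the neighbours' charge, so only toggling that is dense within one window is dangerous.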