@MilanPatnaik
Microarchitectural Attack
Transient State Attacks
Dr Milan Patnaik
Indian Institute of Technology Madras, India
Rashtriya Raksha University, India
@ Thanks to Prof Chester Rebiero, IIT Madras for some of his slides
@MilanPatnaik
Outline

Cache Timing Attacks.

Cache Covert Channel.

Flush + Reload Attack

Cache Collision Attacks.

Prime + Probe Attack

Time Driven Attacks

Transient Micro-architectural Attacks.

Meltdown

Spectre
@MilanPatnaik
Security

Cryptography

Passwords

Information Flow Policies

Privileged Rings

ASLR

Virtual Machines and confinement

Javascript and HTML5
(due to restricted access to system resouces)

Enclaves (SGX and Trustzone)
@MilanPatnaik
Security

Cryptography

Passwords

Information Flow Policies

Privileged Rings

ASLR

Virtual Machines and confinement

Javascript and HTML5
(due to restricted access to system resouces)

Enclaves (SGX and Trustzone)
Cache timing attackCache timing attack
Branch prediction attackBranch prediction attack
Speculation AttacksSpeculation Attacks
Row hammerRow hammer
Fault Injection AttacksFault Injection Attacks
….. and many more….. and many more
cold boot attackscold boot attacks
DRAM Row buffer (DRAMA)DRAM Row buffer (DRAMA)
@MilanPatnaik
Instruction Level Parallelism
@MilanPatnaik
Out of Order Execution
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
How instructions are
fetched
sub r4, r5, r6
store r1, add2
mov r2, r1
add r2, r2, r3
load r0, addr1
How they may be
executed
r0
r2
r2
addr2
r4
How the results are
committed
inorder order restoredout-of-order
Out of the processor core, execution looks in-order
Inside the processor core, execution is done out-of-order
@MilanPatnaik
Speculative Execution : Case 1
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more
instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
r0
r2
r2
add2
r4
:
:
:
How results are
committed when
speculation is correct
Speculative execution
(transient instructions)
@MilanPatnaik
Speculative Execution : Case 1
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more
instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
Speculative execution
(transient instructions)
Speculated results
discarded
@MilanPatnaik
Speculative Execution : Case 2
cmp r0, r1
div r0, r1
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more
instructions
cmp r0, r1
div r0, r1
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
(eg. If r1 = 0)
Speculative execution
Speculated results
discarded
@MilanPatnaik
ILP Processors in Modern Processors
@MilanPatnaik
Speculation Attacks
Meltdown and Spectre
@MilanPatnaik
Speculation Attacks : Meltdown
Yuval Yarom’s talk on Meltdown and Spectre at the Cyber security research bootcamp 2018
@MilanPatnaik
Speculative Execution : Case 1
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more
instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
Speculative execution
(transient instructions)
Speculated results
discarded
@MilanPatnaik
Speculative Execution
And Micro-architectural State
Even though line 3 is not reached, the
micro-architectural state is modified due
to Line 3.
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Virtual address
space of process
Normal Circumstances
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Virtual address
space of process
Normal Circumstances
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Normal Circumstances
Virtual address
space of process
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
array
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
array
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
cache miss
Not normal Circumstances
array
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
cache miss
Not normal Circumstances
array
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
cache miss
Not normal Circumstances
array
@MilanPatnaik
Meltdown Concept
UserspaceKernelspace
Virtual address
space of process
i = *pointer
y = array[i * 256]
*pointer
way 0 way 1 way 2 way 3
Set 0
Set 1
Set 2
Set 3
Cache Memory
Not normal Circumstances
cache hit
array
@MilanPatnaik
Meltdown : The Attack
* Executing Transient Instructions
- Exception Handling
- Exception Supression
* Building a Covert Channel
Credits : Moritz Lipp et al
@MilanPatnaik
Meltdown : The Attack
Credits : Moritz Lipp et al
Step 1
Content of attacker-chosen memory
location loaded into register.
Step 2
Transient instruction accesses cache
line based on secret content of register.
Step 3
Attacker uses Flush+Reload to
determine accessed cache line and
secret stored at chosen
memory location.
@MilanPatnaik
Speculative Execution
And Micro-architectural State
data=84
@MilanPatnaik
Speculation Attacks : Spectre
Yuval Yarom’s talk on Meltdown and Spectre at the Cyber security research bootcamp 2018
@MilanPatnaik
Speculative Execution : Case 1
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more
instructions
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions
How instructions are
fetched
How instructions are
executed
:
:
:
How results are
committed when
speculation is incorrect
Speculative execution
(transient instructions)
Speculated results
discarded
@MilanPatnaik
Branch Prediction
cmp r0, r1
jnz label
load r0, addr1
mov r2, r1
add r2, r2, r3
store r1, add2
sub r4, r5, r6
:
:
:
label:
more instructions r0 = r1
r0 = r1
r0 != r1
Spectre (Variant 1)
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
<<
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
Normal Behavior
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
Normal Behavior
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
Normal Behavior
RegisterRegister
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
RegisterRegister
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
RegisterRegister
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
RegisterRegister
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
RegisterRegister
RegisterRegister
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory
x 256
Normal Behavior
RegisterRegister
Multiple NOT TAKEN Loops
RegisterRegister
Branch NOT TAKEN = TRUE if Condition
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
Cache MISS
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
Cache MISS
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
Cache MISS
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
Cache MISS
Spectre (Variant 1)
RegisterRegister
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
RegisterRegister
RegisterRegister
Cache MISS
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
 x > array_len
 array_len not in cache
 secret in cache memory
RegisterRegister
RegisterRegister
Cache MISS
Spectre (Variant 1)
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
RegisterRegister
RegisterRegister
Cache MISS
Spectre (Variant 1)
Misprediction!Misprediction!
<<
@MilanPatnaik
if (x < array_len){
i = array[x];
y = array2[i * 256];
}
user space of
a process
array2
x
array
secret
array_len
Cache memory Under Attack
RegisterRegister
RegisterRegister
Cache MISS
Spectre (Variant 1)
<<
Cache hit found
here by
FLUSH_RELOAD
attack
Cache hit found
here by
FLUSH_RELOAD
attack
@MilanPatnaik
Victim’s
address space
Some gadgetSome gadget
Jmp *ebxJmp *ebx
Spectre (Variant 2)
@MilanPatnaik
Victim’s
address space
Attacker’s
address space
Some gadgetSome gadget
Jmp *ebxJmp *ebxJmp *eaxJmp *eax
retret
Spectre (Variant 2)
@MilanPatnaik
Victim’s
address space
Attacker’s
address space
Some gadgetSome gadget
Jmp *ebxJmp *ebxJmp *eaxJmp *eax
retret
Spectre (Variant 2)
@MilanPatnaik
Victim’s
address space
Attacker’s
address space
Some gadgetSome gadget
Jmp *eaxJmp *eax
retret
Jmp *ebxJmp *ebx
context
switch
Spectre (Variant 2)
@MilanPatnaik
@MilanPatnaik
Questions
Cache Attacks