Daniel Gruss Slides PDF

SCIENCE PASSION TECHNOLOGY
Software-based Microarchitectural Attacks
Daniel Gruss
April 19, 2018
Graz University of Technology
1 Daniel Gruss — Graz University of Technology

Whoami www.tugraz.at
• Daniel Gruss
• Post-Doc @ Graz University of Technology
• Twitter: @lavados
• Email: daniel.gruss@iaik.tugraz.at

Timeline of Meltdown and Spectre www.tugraz.at
• Both vulnerabilities existed for many years


• No one discovered it before


• Suddenly, 4 independent teams discover it within 6 months


• Suddenly, 4 independent teams discover it within 6 months
• Let’s create an evidence board

Meltdown vs. Spectre www.tugraz.at
Why two names, two papers, etc?

• Two different problems


• They only have a very loose connection


• Two different teams had already quite matured drafts ready when
learning of each other


• Two different teams had already quite matured drafts ready when
learning of each other
• Initially we tried to merge, but all co-authors quickly agreed that it
would mix things that don’t belong together
→ More on that after we understand the attacks

The Fallout www.tugraz.at
You realize it is something big when...


• it is in the news, all over the world










• you get a Wikipedia article in multiple languages






• there are comics, including xkcd






• you get a lot of Twitter follower after Snowden mentioned you


• you get a lot of Twitter follower after Snowden mentioned you

The Wall www.tugraz.at

The Core of Meltdown/Spectre www.tugraz.at
• Kernel is isolated from user space Userspace Kernelspace
Operating
Applications System Memory

• This isolation is a combination of

hardware and software
Operating


• User applications cannot access
anything from the kernel
Operating


• User applications cannot access
anything from the kernel
• There is only a well-defined
Operating
interface → syscalls Applications System Memory

1337 4242
Revolutionary concept!
Store your food at home,

never go to the grocery store
during cooking.
Can store ALL kinds of food.
ONLY TODAY INSTEAD OF $1,300
ORDER VIA PHONE: +555 12345

CPU Cache www.tugraz.at
printf("%d", i);
printf("%d", i);

h e miss
Cac
printf("%d", i);
printf("%d", i);

h e miss Req
uest
Cac
printf("%d", i);
printf("%d", i);

h e miss Req
uest
Cac
printf("%d", i);
onse
printf("%d", i); Resp

h e miss Req
uest
Cac
printf("%d", i);
i onse

h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach

ess,
DRAM acc
slow
h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach

ess,
DRAM acc
slow
h e miss Req
uest
Cac
printf("%d", i);
i onse
e hit
Cach
acc ess,
No DRAM
er
much fast
Flush+Reload www.tugraz.at
Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM
flush ca
ch e d access
ed Shared Memory
ch
access ca

Shared Memory
ATTACKER VICTIM
flush Shared Memory access

access

Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM
flush access
access

Shared Memory
ATTACKER VICTIM

access

Shared Memory
ATTACKER VICTIM

access

Shared Memory
ATTACKER VICTIM

access
fast if victim accessed data,

slow otherwise
Memory Access Latency www.tugraz.at

Memory Access Latency www.tugraz.at

Cache Template Attack Demo
Cache Template www.tugraz.at
Key
g h i j k l m n o p q r s t u v w x y z
0x7c680
0x7c6c0
0x7c700
0x7c740
0x7c780
0x7c7c0
0x7c800
Address
0x7c840
0x7c880
0x7c8c0
0x7c900
0x7c940
0x7c980
0x7c9c0
0x7ca00
0x7cb80
0x7cc40
0x7cc80
0x7ccc0
0x7cd00

Wait for an hour

Wait for an hour
LATENCY

ency Parallelize
Depend

Out-of-order Execution www.tugraz.at
1 int width = 10 , height = 5;

2
3 float diagonal = sqrt ( width * width

4 + height * height ) ;
5 int area = width * height ;
6
7 printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

Out-of-order Execution www.tugraz.at
Parallelize
ency
int width = 10 , height = 5;

Depend
3 float diagonal = sqrt ( width * width

4 + height * height ) ;
5 int area = width * height ;
6
7 printf ( " Area % d x % d = % d \ n " , width , height , area ) ;

Building Meltdown www.tugraz.at
1 char data = *( char *) 0 xffffffff81a000e0 ;

2 printf ( " % c \ n " , data ) ;


2 printf ( " % c \ n " , data ) ;
1 segfault at ffffffff81a000e0 ip 0000000000400535

2 sp 00007 ffce4a80610 error 5 in reader


2 printf ( " % c \ n " , data ) ;

• Kernel addresses are not accessible


2 printf ( " % c \ n " , data ) ;

• Kernel addresses are not accessible

• Are privilege checks also done when executing instructions out of order?

• Adapted code
1 *( volatile char *) 0;
2 array [84 * 4096] = 0; // unreachable

• Adapted code
1 *( volatile char *) 0;
2 array [84 * 4096] = 0; // unreachable
• Static code analyzer is not happy
1 warning : Dereference of n u l l p o i n t e r
2 ∗( v o l a t i l e char ∗) 0 ;

• Flush+Reload over all pages of the array

500
Access time
[cycles]
400
300
0 50 100 150 200 250

Page
• “Unreachable” code line was actually executed


500
Access time
[cycles]
400
300
0 50 100 150 200 250

Page
• “Unreachable” code line was actually executed

• Exception was only thrown afterwards

• Combine the two things

2 array [ data * 4096] = 0;


2 array [ data * 4096] = 0;
= sending end of a cache covert channel

• Then check whether any part of array is cached


2 array [ data * 4096] = 0;
= sending end of a cache covert channel

• Then check whether any part of array is cached
= receiving end of a cache covert channel


500
Access time
[cycles]
400
300
0 50 100 150 200 250

Page
• Index of cache hit reveals data


500
Access time
[cycles]
400
300
0 50 100 150 200 250

Page
• Index of cache hit reveals data

• Permission check is in some cases not fast enough

Leaking Passwords from your Password Manager www.tugraz.at

Not so fast. . .

Take the kernel addresses... www.tugraz.at
• Kernel addresses in user space are a problem

Take the kernel addresses... www.tugraz.at
• Kernel addresses in user space are a problem

• Why don’t we take the kernel addresses...

...and remove them www.tugraz.at
• ...and remove them if not needed?

...and remove them www.tugraz.at
• ...and remove them if not needed?

• User accessible check in hardware is not reliable

Idea www.tugraz.at
• Let’s just unmap the kernel in user space

Idea www.tugraz.at

• Kernel addresses are then no longer present

Idea www.tugraz.at

• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all

27
K ernel A ddress I solation to have S ide channels E fficiently R emoved
Daniel Gruss — Graz University of Technology
KAISER /ˈkʌɪzə/
1. [german] Emperor,
ruler of an empire
2. largest penguin,
emperor penguin
27
K ernel A ddress I solation to have S ide channels E fficiently R emoved
Daniel Gruss — Graz University of Technology
Userspace Kernelspace
Operating
Kernel View User View
Userspace Kernelspace Userspace Kernelspace
Operating
Applications System Memory Applications
context switch
Kernel Address Space Isolation www.tugraz.at
• We published KAISER in July 2017


• Intel and others improved and merged it into Linux as KPTI (Kernel
Page Table Isolation)


• Microsoft implemented similar concept in Windows 10


• Apple implemented it in macOS 10.13.2 and called it “Double Map”


• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch

Performance www.tugraz.at
• Depends on how often you need to switch between kernel and user space

• Can be slow, 40% or more on old hardware

• But modern CPUs have additional features

• But modern CPUs have additional features
• ⇒ Performance overhead on average below 2%

Meltdown and Spectre www.tugraz.at

Meltdown and Spectre www.tugraz.at

30
Prosciutto Daniel Gruss — Graz University of Technology
Funghi
30
Diavolo Daniel Gruss — Graz University of Technology
30
30
30
»A table for 6 please«

Speculative Cooking

»A table for 6 please«

What does Spectre do? www.tugraz.at
• Mistrains branch prediction


• CPU speculatively executes code which should not be executed


• Can also mistrain indirect calls


• Can also mistrain indirect calls
→ Spectre “convinces” program to execute code

Spectre (variant 1) www.tugraz.at
index = 0;
char* data = "textKEY";
if (index < 4)
el s
en e
th
Prediction
LUT[data[index] * 4096] 0

index = 0;
if (index < 4)
el s
en e
th
Prediction

index = 0;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 0;
if (index < 4)
Execute
el s
en e
th
Prediction

index = 1;
if (index < 4)
el s
en e
th
Prediction

index = 1;
if (index < 4)
el s
en e
th
Prediction

index = 1;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 1;
if (index < 4)
el s
en e
th
Prediction

index = 2;
if (index < 4)
el s
en e
th
Prediction

index = 2;
if (index < 4)
el s
en e
th
Prediction

index = 2;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 2;
if (index < 4)
el s
en e
th
Prediction

index = 3;
if (index < 4)
el s
en e
th
Prediction

index = 3;
if (index < 4)
el s
en e
th
Prediction

index = 3;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 3;
if (index < 4)
el s
en e
th
Prediction

index = 4;
if (index < 4)
el s
en e
th
Prediction

index = 4;
if (index < 4)
el s
en e
th
Prediction

index = 4;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 4;
if (index < 4)
Execute
el s
en e
th
Prediction

index = 5;
if (index < 4)
el s
en e
th
Prediction

index = 5;
if (index < 4)
el s
en e
th
Prediction

index = 5;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 5;
if (index < 4)
Execute
el s
en e
th
Prediction

index = 6;
if (index < 4)
el s
en e
th
Prediction

index = 6;
if (index < 4)
el s
en e
th
Prediction

index = 6;
if (index < 4)
Speculate
el s
en e
th
Prediction

index = 6;
if (index < 4)
Execute
el s
en e
th
Prediction

Animal* a = bird;
a->move()
sw
( ) swim() im
fly ()
Prediction

Animal* a = bird;
a->move()
Speculate
sw
() swim() im
fly ()
Prediction

Animal* a = bird;
a->move()
sw
( ) swim() im
fly ()
Prediction

Animal* a = bird;
a->move()
Execute
sw
( ) swim() im
fly ()
Prediction

Animal* a = bird;
a->move()
sw
( ) fly() im
fly ()
Prediction

Animal* a = bird;
a->move()
Speculate
sw
( ) fly() im
fly ()
Prediction

Animal* a = bird;
a->move()
sw
( ) fly() im
fly ()
Prediction

Animal* a = fish;
a->move()
sw
( ) fly() im
fly ()
Prediction

Animal* a = fish;
a->move()
Speculate
sw
( ) fly() im
fly ()
Prediction

Animal* a = fish;
a->move()
sw
( ) fly() im
fly ()
Prediction

Animal* a = fish;
a->move()
Execute
sw
() fly() im
fly ()
Prediction

Animal* a = fish;
a->move()
sw
( ) swim() im
fly ()
Prediction

Mitigating Spectre www.tugraz.at
• Trivial approach: disable speculative execution


• No wrong speculation if there is no speculation


• Problem: massive performance hit!


• Also: How to disable it?


• Also: How to disable it?
• Speculative execution is deeply integrated into CPU

Spectre Variant 1 Mitigations www.tugraz.at

• Workaround: insert instructions stopping speculation


→ insert after every bounds check


• x86: LFENCE, ARM: CSDB


• x86: LFENCE, ARM: CSDB
• Available on all Intel CPUs, retrofitted to existing
ARMv7 and ARMv8


• Speculation barrier requires compiler supported


• Already implemented in GCC, LLVM, and MSVC


• Can be automated (MSVC) → not really reliable


• Can be automated (MSVC) → not really reliable
• Explicit use by programmer: builtin load no speculate




• Speculation barrier works if affected code constructs are

known


known
• Programmer has to fully understand vulnerability


known
• Automatic detection is not reliable


known
• Automatic detection is not reliable
• Non-negligible performance overhead of barriers

Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at
Intel released microcode updates

• Indirect Branch Restricted Speculation (IBRS):


• Do not speculate based on anything before entering IBRS mode


→ lesser privileged code cannot influence predictions


• Indirect Branch Predictor Barrier (IBPB):


• Flush branch-target buffer


• Single Thread Indirect Branch Predictors (STIBP):


• Single Thread Indirect Branch Predictors (STIBP):
• Isolates branch prediction state between two hyperthreads

Spectre Variant 2 Mitigations (Software) www.tugraz.at
Retpoline (compiler extension)


1 push < call_target >
2 call 1 f
3 2: ; s p e c u l a t i o n will continue here
4 lfence ; s p e c u l a t i o n barrier
5 jmp 2 b ; endless loop
6 1:
7 lea 8(% rsp ) , % rsp ; restore stack pointer
8 ret ; the actual call to < call_target >
→ always predict to enter an endless loop


2 call 1 f
6 1:

• instead of the correct (or wrong) target function


2 call 1 f
6 1:

• instead of the correct (or wrong) target function → performance?


2 call 1 f
6 1:

• On Broadwell or newer:


2 call 1 f
6 1:

• ret may fall-back to the BTB for prediction


2 call 1 f
6 1:

• ret may fall-back to the BTB for prediction
→ microcode patches to prevent that

• ARM provides hardened Linux kernel


• Clears branch-predictor state on context switch


• Either via instruction (BPIALL)...


• ...or workaround (disable/enable MMU)


• ...or workaround (disable/enable MMU)
• Non-negligible performance overhead (≈ 200-300 ns)

What does not work www.tugraz.at
• Prevent access to high-resolution timer


→ Own timer using timing thread


• Flush instruction only privileged


→ Cache eviction through memory accesses


• Just move secrets into secure world


• Just move secrets into secure world
→ Spectre works on secure enclaves

Meltdown Spectre

Meltdown Spectre
• Out-of-Order Execution • Speculative Execution (subset of
Out-of-Order Execution)

Meltdown Spectre
• has nothing to do with branch prediction Out-of-Order Execution)
• fundamentally builds on branch
(mis)prediction

Meltdown Spectre
• turning off speculative execution entirely • fundamentally builds on branch
has no effect on Meltdown (mis)prediction
• turning off speculative execution entirely
would work

Meltdown Spectre
→ melts down the isolation provided by the • turning off speculative execution entirely
user accessible-bit would work
• has nothing to do with the
user accessible-bit

Meltdown Spectre
• in theory: OoO not required, pipelining • has nothing to do with the
can be sufficient user accessible-bit
• KAISER has no effect on Spectre at all

Meltdown Spectre
• in theory: OoO not required, pipelining • has nothing to do with the
can be sufficient user accessible-bit
• mitigated by KAISER • KAISER has no effect on Spectre at all

Meltdown
Spectre

Meltdown
Spectre
• performs illegal memory accesses → we
• performs only legal memory accesses
need to take care of processor exceptions

Meltdown
Spectre
• has nothing to do with exception
• exception handling
handling

Meltdown
Spectre
handling or suppression
• exception suppression with TSX

Meltdown
Spectre
• exception suppression with branch
misprediction

Meltdown
Spectre
• exception suppression with branch
misprediction
→ two papers, two names, etc.

But ... www.tugraz.at


... why were they named variant 1, 2 and 3 by Google?


• “How can you use speculative execution maliciously?”


• Intel had much interest in not fancy-naming them ;)




... why were they presented on the same date and on the same website?


• We did not choose the date


• We did not choose the date
• We did not want to have one of them overshadow the other
immediately

What do we learn from it? www.tugraz.at
We have ignored microarchitectural attacks for many many years:


• attacks on crypto


• attacks on crypto → “software should be fixed”


• attacks on ASLR


• attacks on ASLR → “ASLR is broken anyway”


• attacks on SGX and TrustZone


• attacks on SGX and TrustZone → “not part of the threat model”


• attacks on SGX and TrustZone → “not part of the threat model”
→ for years we solely optimized for performance

When you read the manuals... www.tugraz.at
After learning about a side channel you realize:


• the side channels were documented in the Intel manual


• the side channels were documented in the Intel manual
• only now we understand the implications

Motor Vehicle Deaths in U.S. by Year

Conclusions www.tugraz.at
A unique chance to
• rethink processor design

A unique chance to
• grow up, like other fields (car industry, construction industry)

A unique chance to
• grow up, like other fields (car industry, construction industry)
• dedicate more time into identifying problems and not solely in
mitigating known problems

SCIENCE PASSION TECHNOLOGY
Software-based Microarchitectural Attacks
Daniel Gruss
April 19, 2018
Graz University of Technology

Daniel Gruss Slides PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Daniel Gruss Slides PDF

Hochgeladen von

Copyright:

Verfügbare Formate

SCIENCE PASSION TECHNOLOGY

Software-based Microarchitectural Attacks

1 Daniel Gruss — Graz University of Technology

2 Daniel Gruss — Graz University of Technology

• Both vulnerabilities existed for many years

3 Daniel Gruss — Graz University of Technology

• Both vulnerabilities existed for many years

3 Daniel Gruss — Graz University of Technology

• Both vulnerabilities existed for many years

3 Daniel Gruss — Graz University of Technology

• Both vulnerabilities existed for many years

3 Daniel Gruss — Graz University of Technology

Why two names, two papers, etc?

4 Daniel Gruss — Graz University of Technology

Why two names, two papers, etc?

4 Daniel Gruss — Graz University of Technology

Why two names, two papers, etc?

4 Daniel Gruss — Graz University of Technology

Why two names, two papers, etc?

4 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

You realize it is something big when...

5 Daniel Gruss — Graz University of Technology

6 Daniel Gruss — Graz University of Technology

• Kernel is isolated from user space Userspace Kernelspace

8 Daniel Gruss — Graz University of Technology

• Kernel is isolated from user space Userspace Kernelspace

• This isolation is a combination of

8 Daniel Gruss — Graz University of Technology

• Kernel is isolated from user space Userspace Kernelspace

• This isolation is a combination of

8 Daniel Gruss — Graz University of Technology

• Kernel is isolated from user space Userspace Kernelspace

• This isolation is a combination of

8 Daniel Gruss — Graz University of Technology

Store your food at home,

Can store ALL kinds of food.

ONLY TODAY INSTEAD OF $1,300

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;

1 char data = ( char ) 0 xffffffff81a000e0 ;