Anders Fogh and Daniel Gruss_Microarchitecture Vulnerabilities: Past, Present and Future.pdf

PDF, 66 pages, 9.69 MB

Microarchitecture Vulnerabilities: Past, Present and Future
Daniel Gruss (Graz University of Technology)
Anders Fogh (Intel Corporation)

Introduction
- Daniel Gruss, Graz University of Technology
- Anders Fogh, Intel
- Daniel and Anders do not always agree!

Past

Past: earliest days
- Side Channels always existed
- First scientific observations in 1943
- Concept of “covert channels” in 1973
- 1974-1980: Provable secure operating systems with exceptions for side channels
- 1985: Orange book. Covert channels with low bandwidth not a problem
- 1996: Paul Kocher's seminal work on timing attacks

Past: cryptographic attacks
- 1996-2015: Mainly side channels on cryptography (threat model!)
- Colin Percival (2005): “Cache Missing for fun and profit”

Past: Moving beyond crypto
- ISCA 2014 + BlackHat US 2015: Rowhammer
- USENIX Security 2015: Cache Template Attacks
- CCS + BlackHat US 2016: Breaking KASLR
- BlackHat EU 2017: Security through distrusting
- 2017: Many academic works on attacking TEEs with side channels
- USENIX + BlackHat US 2018, S&P 2019: Spectre & Meltdown

Past: Meltdown
1. Window gadget starts executing
2. Mov rbx,KernelAddress starts executing
3. Mov rbx,KernelAddress finishes execution and delivers data
4. Store in Side Channel (SC): starts execution with data from 3.
5. Store in Side Channel (SC): data is used to touch the cache, allowing the attacker to recover the data
6. Window gadget finishes
7. Fault is raised by “Mov rbx,KernelAddress”. All registers are cleared, but the data remains persistent in the cache.

Meltdown: Details
[Diagram of the load path]
- Out-of-Order unit: out of order execution (track speculation & faults), mov rbx,kerneladdress
- AGU: Calculate Virtual Address (VA)
- L1 “front end”: Provide all data from ways
- L1 “back end”: Select relevant data and return data to OoO
- DTLB: Get Physical Address (PA) & Raise faults
- Diagram labels: Row VA6.13, VA, All data for VA, PA (way select), Kernel address, Faults, Data
Steps:
1. OoO triggers load to AGU
2. AGU sends index to L1 & VA to DTLB
3. L1 identifies all cache lines for index
4. DTLB sends PA & faults to L1/OoO
5. L1 sends right data to OoO
6. OoO executes dependent instructions

The First Meltdown Mitigations
[Same diagram, with these changes]
- L1 “back end”: Select relevant data and return data to OoO. If Fault return 0
- Diagram labels: Row VA6.13, VA, All data for VA, PA (way select) + Faults, Kernel address, Faults, Data or 0

Meltdown defense in depth (LASS)
[Same diagram, with this further change]
- AGU: Calculate Virtual Address (VA). If CPL=3 & VA & bit63, raise fault and stop
- Diagram labels: Row VA6.13, VA, All data for VA, PA (way select) + Faults, KA, Faults, Data or 0, Fault

Spectre and LVI
[Diagram: Out-of-Order unit, out of order execution (track speculation & faults), mov rbx,kerneladdress]

Present

Present: Trends
Table columns: Attack type; Activity level; (Point) Mitigation; Notable
- Crypto side channels. Mitigation: Guidance & DOIT. Notable: Data dependent features, for example data dependent prefetchers
- Transient execution vulnerabilities. Mitigation: Hardware + Software + on/off switches, Workarounds. Notable: Predictive store forwarding
- Stale data vulnerabilities. Mitigation: Microcode Patches or SW Mitigation (if possible). Notable: Not any recent attacks
- Logical bugs. Mitigation: Microcode Patches (if possible). Notable: Reptar, CacheWarp
- Physical properties. Notable: Hertzbleed, Collide+Power
- Exploitation methods. Notable: Spectre & Power

Logic Issues

Reptar - What's supposed to happen
- REPNZ is a prefix that will repeat an operation until the Z-flag becomes zero.
- MOVSB will copy a single byte from DS:RSI to ES:RDI and increment both registers and decrement RCX & update flags.
- REPNZ MOVSB is thus a simple memcpy.
- The REX-prefix (REX.PF) changes the meaning of how explicit operands of an instruction are interpreted.
- MOVSB doesn't have any explicit operands.
- If you use the REX-prefix with REPNZ MOVSB the CPU should ignore the prefix entirely.

Reptar - The bug
- When the REX-prefix is parsed instead of ignored a single bit is overwritten.
- This causes an invalid input to be used to generate uOps.
- Under certain conditions this leads to a machine check.
- Careful analysis found that a condition could potentially lead to privilege escalation.
- A microcode change that mitigates the issue has been made public.

CacheWarp
- Confidential VM (encrypted but basically no data integrity)
- invd instruction can invalidate a single cache line
- Attack in three steps:
  1. let confidential VM modify a target cache line
  2. use invd to drop the modification
  3. confidential VM continues with an outdated value

Zenbleed
- Register names are just for the user, CPU uses register file
- XMM Register Merge Optimization: merge registers (e.g. zero registers)
- also: for zero just set a zero-bit
- Zenbleed:
  1. misspeculation
  2. vzeroupper sets zero-bit
  3. merge storage in register file released
  4. victim stores data in this register
  5. unroll misspeculation
  6. architectural access to victim data

Exploitation Techniques

Exploitation techniques - example
- GhostRace: Exploiting and Mitigating Speculative Race Conditions - Hany Ragab et al.
- Spectre v1 variant that speculatively bypasses synchronization primitives.
- Existing methods of mitigating Spectre v1 remain effective.
- Quote from the paper's abstract: “There's security, and then there's just being ridiculous” - Linus Torvalds, on Speculative Race Conditions

Physical Domain in Software

Software-based Power Analysis
- before 2020: mainly fingerprinting
- 2020: Platypus, full recovery of cryptographic keys
- 2023: Hertzbleed, DVFS makes timing a proxy for energy consumption, remote attacks
- 2023: Collide+Power, Generic Attacks (not just crypto)

Software-based Fault Attacks
- since 2015: Rowhammer, still not solved!
- 2017: CLKScrew, overclock and attack Arm TrustZone
- 2020: Plundervolt (VoltJockey, V0ltpwn, VoltPillager), undervolt and attack Intel SGX

Mitigation efforts

Limitations of mitigations
- Physical hardware cannot be changed in the field
- Vendors build in “Survivability features”
- Microcode is the most commonly used tool for mitigations. Other firmware is also used
- [Diagram layers: Instructions, Microcode/Firmware, Hardware]
- “Chicken bits” to disable/change behavior
- Some issues are best mitigated in software
- Mitigations are not always possible/reasonable and almost always difficult and time-consuming to engineer

Prevention: Pre-silicon
Prevention starts before the product exists: pre-silicon. Pre-silicon is slow and cumbersome as the chips are emulated or simulated. This makes security validation & research significantly different from software validation.
- 01 Architecture reviews: Gives great ROI. There are formal and informal reviews on arch
- 02 Taint tracking: Taint tracking has proven useful for some issues. Techniques such as CellIFT used in production
- 03 Validation: Security properties to standard validation. Finds bugs during development
- 04 Formal validation: Formal works well with hardware IP. Formal definition of security properties can be done, but not easy
- 05 Defense in depth & hardening: Bug analysis should lead to lessons learned

Post-silicon
Prevention in silicon happens before product ship, from A0 to shipping systems. Some issues are best found in post-silicon. Post-silicon issues are particularly difficult. Learning from issues on last generation hardware is critically important.
- 01 Manual research: Manual research is effective. Enabled by expertise, documentation, access to devs, debug, etc. Early silicon helps prevent escapes
- 02 Variant analysis: Variant analysis on every issue. Occasionally finds issues, but lots of learning for systematic efforts
- 03 Validation: Especially useful on early silicon. Regression issues. Issues not easily found in pre-si
- 04 Fuzzing: Problematic: Large state space, slow with good feedback. There are exceptions

Future

Future of uArch security is future of uArch
- Silicon performance is the main underlying driver for growth in compute ecosystem
- Performance comes from 3 sources:
  - New process technology
  - uArch improvements
  - Adaptation to changed workloads
- uArch improvements & changed workloads will lead to new security challenges

uArch security future
Offense
- New kinds of prediction & data dependent behaviors (memory latency!). Memory is order of magnitude slower than compute. Some examples:
  - New kinds of caches and bigger caches
  - Workload specific prefetchers
  - Different kinds of value prediction
  - Cache & memory compression
  - Growth in reorder buffer sizes
- New exploitation techniques
Defense
- Increased maturity
- Better tooling
- More defense in depth
- New microarchitecture security features
- More configurability of security. Ex. PSF switch on AMD
- Improved support for software influence. Ex. Local configuration switches

New kinds of compute
more heterogeneous - but all have uArch:
- GPU (new use cases)
  - Remote accessible
  - Increased complexity and new workloads
  - Example: “LeftoverLocals” by Trail of Bits
- Neural Processing Units
  - New model of compute
  - New threats: Integrity of models
  - Attack vector against system
- AI training accelerators in the cloud
  - Soon: shared resources + multi tenant
- More generally: More kinds of compute, more accelerators

Defensive side of things
Huge gap between academia and industry:
- Academia
  - provable Rowhammer mitigations available
  - provable secure cache available
- Industry
  - probabilistic Rowhammer mitigations
  - secure caches not adopted (but non-inclusive LLCs)

uArch in uArch
- Embedded processors everywhere - already with speculation: Speculation vs confidentiality?
- Threat models rarely contain arbitrary execution, constrains attackers
- Embedded processors often provide low-level access, new and different kinds of assets

Take Aways
- Side channels are here to stay - Side channels can be managed
- more aspects of microarchitecture and different kinds of issues - Hard work for both offensive research and defense - Defense is maturing
- Microarchitecture is a growth area, so is microarchitecture security
- Microarchitecture matters, so does microarchitecture security
