2020. 6. 30. 11:07ㆍComputer Architecture/Cache security
Author: Moritz Lipp1 , Michael Schwarz1 , Daniel Gruss1 , Thomas Prescher2 , Werner Haas2 , Anders Fogh3 , Jann Horn4 , Stefan Mangard1 , Paul Kocher5 , Daniel Genkin6,9 , Yuval Yarom7 , Mike Hamburg8 1Graz University of Technology, 2Cyberus Technology GmbH, 3G-Data Advanced Analytics, 4Google Project Zero, 5 Independent (www.paulkocher.com), 6University of Michigan, 7University of Adelaide & Data61, 8Rambus, Cryptography Research Division
This paper is included in the Preceedings of the 27th USENIX Security Symposium. (August 15–17, 2018, Baltimore, MD, USA)
Total number of pages: 18
Writer: Yu-gyoung Yun
(DGIST, undergraduate student. searchien@dgist.ac.kr)
[3. A Toy Example]
OoO execution can cahnge the microarchitectural state in a way that leakks information.
Image from this thesis paper.
: Data accesses to probe_array are scattered over the array with a distance of 4KB (assuming an 1B data type for probe_array).
CPU might have already executed the “access(probe_array[data*4096]);”.
(Normally never be executed)
But) Due to the exception, the instructions executed OoO are not retired and, thus, never have architectural effects. → can’t effect on registers or memory.
→ microarchitectural side effects.
During the OoO execution, the referenced memory is fetched into a register and also stored in the cache.
If the OoO execution has to be discarded, the register and memory contents are never committed.
But) Cached memory contents are kept in the chache.
- We can leverage a microarchitectural side-channel attack such as Flush+Reload, Prime+Probes, Evict+Reload, Flush+Flush. → Flush+Reload is the most accurate known cache side channel and is simple to implement, they do not consider any other side channel for this example.
Image from this thesis paper.
if a cache line of a page is cached, we know the value of data.
Figure 4 shows the result of a Flush+Reload measurement iterating over all pages.
Although the array access should not have happened due to the exception, we can clearly see that the index which would have been accessed is cached.
→ → Even instructions which are never actually executed, change the microarchitectural state of the CPU.
→ → not to read a value but to leak an inaccessible secret.
Again) “Side-effects of OoO execution can modify the microarchitectural state to leak information.”
[4. Building Blocks of the Attack]
“pursue an orthogonal approach, called Spectre Attacks, which trick speculatively executed instructions into leaking information that the victim process is authorized to access. As a result, Spectre Attacks lack the privilege escalation aspect of Meltdown and require tailoring to the victim process’s software environment, but apply more broadly to CPUs that support speculative execution and are not prevented by KAISER.”
Image from this thesis paper.
The full Meltdown attack consists of two building blocks.
[4.1 Executing Transient Instructions]
The first building block of Meltdown is to make the CPU execute one or more instructions that would never occur in the executed path. (ex. toy example, this is an access to an array, which would normally never be executed.)
The first building block of meltdown is the execution of transient instructions.
Transient instructions introduce an exploitable side channel if their operation depends on a secret value.
we focus on addresses that are mapped within the attacker’s process, i.e., the user-accessible user space addresses as well as the user-inaccessible kernel space addresses.
“Note that attacks targeting code that is executed within the context (i.e., address space) of another process are possible [40], but out of scope in this work, since all physical memory (including the memory of other processes) can be read through the kernel address space regardless.”
- attacker targets a secret at a user-inaccessible address.
- Accessing user-inaccessible pages(Kernel pages) triggers an exception.
prevent exception: 1. exception handling, 2. exception supppression.
1. Exception handling:
Just fork.
- The CPU executes the transient instruction sequence in the child process before crashing. The parent process can then recover the secret by observing the microarchitectural state, e.g., through a side-channel.
- Or, install a signal handler that is executed when a certain exception occurs, e.g., a segmentation fault.
This allows the attacker to issue the instruction sequence and prevent the application from crashing.
2. Exception suppression:
Prevent them from being raised in the first place.
roll-back to a previous state if an error occurs.
If an exception occurs within the transaction, the architectural state is rest, and the program execution continues without disruption.
[4.2 Building a Covert Channel]
The second building block of Meltdown is the transfer of the microarchitectural state, which was changed by the transient instruction sequence, into an architectural state.