Meltdown & Spectre. Side-channels considered harmful. Qualcomm Mobile Security Summit May, San Diego, CA. Moritz Lipp

Transcription

1 Meltdown & Spectre Side-channels considered harmful Qualcomm Mobile Security Summit May, San Diego, CA Moritz Lipp (@mlqxyz) Michael Schwarz (@misc0110)

2 Flashback Qualcomm Mobile Security Summit Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

3 Flashback: Side-channel attacks Safe software infrastructure does not mean safe execution Information leaks because of the underlying hardware Side-channel attacks exploit unintentional information leakage by side-effects Power consumption Execution time CPU cache... Performance optimizations often induce side-channel leakage 3 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

4 Outline Last year Leaking keystroke timings via the cache Leaking AES keys from the cache Covertly sending data through the cache Rowhammer: flipping bits in DRAM 4 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

5 Outline Last year Leaking keystroke timings via the cache Leaking AES keys from the cache Covertly sending data through the cache Rowhammer: flipping bits in DRAM This year More leakage! Build upon the tools of last year Leaking arbitrary memory content Leaking privileged register content 4 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

6 Whoami Moritz Lipp PhD Graz University of mail@mlq.me 5 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

7 Whoami Michael Schwarz PhD Graz University of michael.schwarz91@gmail.com 6 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

8 Let s Read Kernel Memory from User Space!

9 Building the Code Find something human readable, e.g., the Linux version # sudo grep linux_banner /proc/kallsyms ffffffff81a000e0 R linux_banner 7 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

10 Building the Code char data = *(char*) 0xffffffff81a000e0; printf("%c\n", data); 8 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

11 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader 9 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

12 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible 9 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

13 Building the Code Compile and run segfault at ffffffff81a000e0 ip sp 00007ffce4a80610 error 5 in reader Kernel addresses are of course not accessible Any invalid access throws an exception segmentation fault 9 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

14 Building the Code Just catch the segmentation fault! 10 Moritz Lipp Michael Schwarz

15 Building the Code Just catch the segmentation fault! We can simply install a signal handler 10 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

16 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue 10 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

17 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value 10 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

18 Building the Code Just catch the segmentation fault! We can simply install a signal handler And if an exception occurs, just jump back and continue Then we can read the value Sounds like a good idea 10 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

19 Building the Code Still no kernel memory 11 Moritz Lipp Michael Schwarz

20 Building the Code Still no kernel memory Privilege checks seem to work 11 Moritz Lipp Michael Schwarz

21 Building the Code Still no kernel memory Privilege checks seem to work Maybe it is not that straight forward 11 Moritz Lipp Michael Schwarz

22 Building the Code Still no kernel memory Privilege checks seem to work Maybe it is not that straight forward Back to the drawing board 11 Moritz Lipp Michael Schwarz

23 Caches and Cache Attacks

24 CPU Cache printf("%d", i); printf("%d", i); 12 Moritz Lipp Michael Schwarz

25 CPU Cache printf("%d", i); printf("%d", i); Cache miss 12 Moritz Lipp Michael Schwarz

26 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request 12 Moritz Lipp Michael Schwarz

27 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request Response 12 Moritz Lipp Michael Schwarz

28 CPU Cache printf("%d", i); printf("%d", i); Cache miss i Request Response 12 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

29 CPU Cache printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 12 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

30 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 12 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

31 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i No DRAM access, much faster Request Response 12 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

32 Memory Access Latency 10 4 Number of accesses Cache hit Cache miss ,000 1,100 1,200 Measured access time (CPU cycles) 13 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

33 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 14 Moritz Lipp Michael Schwarz

34 Flush+Reload ATTACKER Shared Memory VICTIM flush access cached Shared Memory cached access 14 Moritz Lipp Michael Schwarz

35 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 14 Moritz Lipp Michael Schwarz

36 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 14 Moritz Lipp Michael Schwarz

37 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 14 Moritz Lipp Michael Schwarz

38 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 14 Moritz Lipp Michael Schwarz

39 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 14 Moritz Lipp Michael Schwarz

40 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access fast if victim accessed data, slow otherwise 14 Moritz Lipp Michael Schwarz

41 Operating Systems 101

42 Memory Isolation Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel There is only a well-defined interface called system calls Userspace Applications Kernelspace Operating System Memory 15 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

43 Out-of-order Execution

44 Out-of-order Execution int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; printf("area %d x %d = %d\n", width, height, area); 16 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

45 Out-of-order Execution Dependency int width = 10, height = 5; float diagonal = sqrt(width * width + height * height); int area = width * height; Parallelize printf("area %d x %d = %d\n", width, height, area); 16 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

46 Out-of-order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop MUX Allocation Queue CDB Execution Engine Reorder buffer µop µop µop µop µop µop µop µop Execution Units µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Instructions are fetched and decoded in the front-end Instructions are dispatched to the backend Instructions are processed by individual execution units Memory Subsystem Load Buffer Store Buffer DTLB L1 Data Cache STLB L2 Cache 17 Moritz Lipp Michael Schwarz

47 Out-of-order Execution L1 Instruction Cache ITLB Frontend Branch Predictor µop Cache µops Instruction Fetch & PreDecode Instruction Queue 4-Way Decode µop µop µop µop CDB Execution Engine Reorder buffer µop µop µop µop µop µop µop µop Execution Units MUX Allocation Queue µop µop µop µop Scheduler µop µop µop µop µop µop µop µop ALU, AES,... ALU, FMA,... ALU, Vect,... ALU, Branch Load data Load data Store data AGU Instructions are executed out-of-order Instructions wait until their dependencies are ready Later instructions might execute prior earlier instructions Instructions retire in-order State becomes architecturally visible Memory Subsystem Load Buffer Store Buffer DTLB L1 Data Cache STLB L2 Cache 18 Moritz Lipp Michael Schwarz

48 Reading memory If an application reads memory, permissions are checked... data is loaded If an application tries to read inaccessible memory, an error occurs... application is stopped But what happens if the checks are reordered? Would we know? 19 Moritz Lipp Michael Schwarz

49 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; 20 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

50 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; 20 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

51 Building the Code Adapted code *(volatile char*)0; array[84 * 4096] = 0; volatile because compiler was not happy warning : s t a t e m e n t with no e f f e c t [ Wunused v a l u e ] ( char ) 0 ; Static code analyzer is still not happy warning : D e r e f e r e n c e o f n u l l p o i n t e r ( v o l a t i l e char ) 0 ; 20 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

52 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed 21 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

53 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed Exception was only thrown afterwards 21 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

54 Building the Code Out-of-order instructions leave microarchitectural traces 22 Moritz Lipp Michael Schwarz

55 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache 22 Moritz Lipp Michael Schwarz

56 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions 22 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

57 Building the Code Out-of-order instructions leave microarchitectural traces We can see them for example in the cache Give such instructions a name: transient instructions We can indirectly observe the execution of transient instructions 22 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

58 Building the Code Maybe there is no permission check in transient instructions Moritz Lipp Michael Schwarz

59 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them 23 Moritz Lipp Michael Schwarz

60 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*) 0xffffffff81a000e0; array[data * 4096] = 0; 23 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

61 Building the Code Maybe there is no permission check in transient instructions......or it is only done when commiting them Add another layer of indirection to test char data = *(char*) 0xffffffff81a000e0; array[data * 4096] = 0; Then check whether any part of array is cached 23 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

62 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data 24 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

63 Building the Code Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data Permission check is in some cases not fast enough 24 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

64 Meltdown Using out-of-order execution, we can read data at any address 25 Moritz Lipp Michael Schwarz

65 Meltdown Using out-of-order execution, we can read data at any address Privilege checks are sometimes too slow 25 Moritz Lipp Michael Schwarz

66 Meltdown Using out-of-order execution, we can read data at any address Privilege checks are sometimes too slow Allows to leak kernel memory 25 Moritz Lipp Michael Schwarz

67 Meltdown Using out-of-order execution, we can read data at any address Privilege checks are sometimes too slow Allows to leak kernel memory Entire physical memory is typically also accessible in kernel address space 25 Moritz Lipp Michael Schwarz

68 Meltdown Using out-of-order execution, we can read data at any address Privilege checks are sometimes too slow Allows to leak kernel memory Entire physical memory is typically also accessible in kernel address space Works on Intel CPUs and ARM Cortex-A75 25 Moritz Lipp Michael Schwarz

69 Demo

70 Can we fix that?

71 Take the kernel addresses... Kernel addresses in user space are a problem 26 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

72 Take the kernel addresses... Kernel addresses in user space are a problem Why don t we take the kernel addresses Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

73 ...and remove them...and remove them if not needed? 27 Moritz Lipp Michael Schwarz

74 ...and remove them...and remove them if not needed? User accessible check in hardware is not reliable 27 Moritz Lipp Michael Schwarz

75 Idea Let s just unmap the kernel in user space 28 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

76 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present 28 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

77 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present Memory which is not mapped cannot be accessed at all 28 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

78 Userspace Kernelspace Applications Operating System Memory

79 Kernel View User View Userspace Kernelspace Userspace Kernelspace Applications Operating System Memory Applications context switch

80 Kernel Address Space Isolation We published KAISER in July Moritz Lipp Michael Schwarz

81 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) 29 Moritz Lipp Michael Schwarz

82 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Kernel patches available for arm64 29 Moritz Lipp Michael Schwarz

83 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Kernel patches available for arm64 Microsoft and Apple implemented similar concepts, for x86 and ARM 29 Moritz Lipp Michael Schwarz

84 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Kernel patches available for arm64 Microsoft and Apple implemented similar concepts, for x86 and ARM All share the same idea: switching address spaces on context switch 29 Moritz Lipp Michael Schwarz

85 But wait, what about privileged registers?

86 Meltdown for Registers (Variant 3a) ARM found a closely related Meltdown variant 30 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

87 Meltdown for Registers (Variant 3a) ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level 30 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

88 Meltdown for Registers (Variant 3a) ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable 30 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

89 Meltdown for Registers (Variant 3a) ARM found a closely related Meltdown variant Read of system registers that are not accessible from current exception level ARM Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable Impact: breaking KASLR and pointer authentication 30 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

90 Demo

91 Meltdown for Registers (Variant 3a) Solution? Substitute registers with dummy values on context switch 31 Moritz Lipp Michael Schwarz

92 Meltdown for Registers (Variant 3a) Solution? Substitute registers with dummy values on context switch Only necessary for virtual addresses and secrets 31 Moritz Lipp Michael Schwarz

93 Meltdown for Registers (Variant 3a) Solution? Substitute registers with dummy values on context switch Only necessary for virtual addresses and secrets only a few registers affected 31 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

94 Meltdown for Registers (Variant 3a) Solution? Substitute registers with dummy values on context switch Only necessary for virtual addresses and secrets only a few registers affected Performance overhead should be minimal 31 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

95 Where are Variant 1 and 2?

96 Speculative Execution CPU tries to predict the future (branch predictor), based on events learned in the past Speculative execution of instructions If the prediction was correct, very fast otherwise: Discard results Measurable side-effects? 32 Moritz Lipp Michael Schwarz

97 Spectre if <access in bounds> predicted 33 Moritz Lipp Michael Schwarz

98 Spectre if <access in bounds> true predicted 33 Moritz Lipp Michael Schwarz

99 Spectre if <access in bounds> true predicted true 33 Moritz Lipp Michael Schwarz

100 Spectre if <access in bounds> true predicted true 33 Moritz Lipp Michael Schwarz

101 Spectre if <access in bounds> true predicted true false 33 Moritz Lipp Michael Schwarz

102 Spectre if <access in bounds> true predicted true false 33 Moritz Lipp Michael Schwarz

103 Spectre if <access in bounds> true false predicted true false 33 Moritz Lipp Michael Schwarz

104 Spectre if <access in bounds> true false false predicted true false 33 Moritz Lipp Michael Schwarz

105 Spectre if <access in bounds> true false false predicted true false 33 Moritz Lipp Michael Schwarz

106 Spectre if <access in bounds> true predicted true false false false true 33 Moritz Lipp Michael Schwarz

107 Spectre if <access in bounds> true predicted true false false false true 33 Moritz Lipp Michael Schwarz

108 Spectre (Variant 1: Bounds-check bypass) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

109 Spectre (Variant 1: Bounds-check bypass) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

110 Spectre (Variant 1: Bounds-check bypass) index = 0; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

111 Spectre (Variant 1: Bounds-check bypass) index = 0; char* data = "textkey"; if (index < 4) Execute th els en e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

112 Spectre (Variant 1: Bounds-check bypass) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

113 Spectre (Variant 1: Bounds-check bypass) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

114 Spectre (Variant 1: Bounds-check bypass) index = 1; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

115 Spectre (Variant 1: Bounds-check bypass) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

116 Spectre (Variant 1: Bounds-check bypass) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

117 Spectre (Variant 1: Bounds-check bypass) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

118 Spectre (Variant 1: Bounds-check bypass) index = 2; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

119 Spectre (Variant 1: Bounds-check bypass) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

120 Spectre (Variant 1: Bounds-check bypass) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

121 Spectre (Variant 1: Bounds-check bypass) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

122 Spectre (Variant 1: Bounds-check bypass) index = 3; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

123 Spectre (Variant 1: Bounds-check bypass) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

124 Spectre (Variant 1: Bounds-check bypass) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

125 Spectre (Variant 1: Bounds-check bypass) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

126 Spectre (Variant 1: Bounds-check bypass) index = 4; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

127 Spectre (Variant 1: Bounds-check bypass) index = 4; char* data = "textkey"; if (index < 4) Execute els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

128 Spectre (Variant 1: Bounds-check bypass) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

129 Spectre (Variant 1: Bounds-check bypass) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

130 Spectre (Variant 1: Bounds-check bypass) index = 5; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

131 Spectre (Variant 1: Bounds-check bypass) index = 5; char* data = "textkey"; if (index < 4) Execute els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

132 Spectre (Variant 1: Bounds-check bypass) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

133 Spectre (Variant 1: Bounds-check bypass) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 34 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

134 Spectre (Variant 1: Bounds-check bypass) index = 6; char* data = "textkey"; if (index < 4) Speculate els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

135 Spectre (Variant 1: Bounds-check bypass) index = 6; char* data = "textkey"; if (index < 4) Execute els en th e Prediction LUT[data[index] * 4096] 34 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

136 Demo

137 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

138 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() () swim() fly sw Speculate im () Prediction LUT[data[index] * 4096] 35 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

139 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

140 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() Execute () fly swim() sw im () Prediction LUT[data[index] * 4096] 35 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

141 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

142 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() Speculate () fly fly() sw im () Prediction LUT[data[index] * 4096] 35 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

143 Spectre (Variant 2: Branch target injection) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

144 Spectre (Variant 2: Branch target injection) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

145 Spectre (Variant 2: Branch target injection) Animal* a = fish; a->move() Speculate ) ( fly fly() sw im () Prediction LUT[data[index] * 4096] 35 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

146 Spectre (Variant 2: Branch target injection) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

147 Spectre (Variant 2: Branch target injection) Animal* a = fish; a->move() () fly() fly Execute sw im () Prediction LUT[data[index] * 4096] 35 0 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

148 Spectre (Variant 2: Branch target injection) Animal* a = fish; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 35 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

149 Demo

150 Spectre We can influence the CPU to mispredict the future 36 Moritz Lipp Michael Schwarz

151 Spectre We can influence the CPU to mispredict the future Convince other programs to reveal their secrets 36 Moritz Lipp Michael Schwarz

152 Spectre We can influence the CPU to mispredict the future Convince other programs to reveal their secrets Can even be triggered from the browser 36 Moritz Lipp Michael Schwarz

153 Spectre We can influence the CPU to mispredict the future Convince other programs to reveal their secrets Can even be triggered from the browser Untrusted code can convince trusted code to reveal secrets 36 Moritz Lipp Michael Schwarz

154 Spectre Demonstrated on Intel, AMD and ARM CPUs 37 Moritz Lipp Michael Schwarz

155 Spectre Demonstrated on Intel, AMD and ARM CPUs Affects processor with branch target speculation 37 Moritz Lipp Michael Schwarz

156 Spectre Demonstrated on Intel, AMD and ARM CPUs Affects processor with branch target speculation Much harder to fix, KAISER does not help 37 Moritz Lipp Michael Schwarz

157 Can we fix that?

158 Spectre Trivial approach: disable speculative execution 38 Moritz Lipp Michael Schwarz

159 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation 38 Moritz Lipp Michael Schwarz

160 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! 38 Moritz Lipp Michael Schwarz

161 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? 38 Moritz Lipp Michael Schwarz

162 Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? Speculative execution is deeply integrated into CPU 38 Moritz Lipp Michael Schwarz

163 Drilling template Drilling template nrw) 39 Moritz Lipp Michael Schwarz

164 More things which do not work Prevent access to high-resolution timer 40 Moritz Lipp Michael Schwarz

165 More things which do not work Prevent access to high-resolution timer Own timer using timing thread (last year) 40 Moritz Lipp Michael Schwarz

166 More things which do not work Prevent access to high-resolution timer Own timer using timing thread (last year) Flush instruction only privileged 40 Moritz Lipp Michael Schwarz

167 More things which do not work Prevent access to high-resolution timer Own timer using timing thread (last year) Flush instruction only privileged Cache eviction through memory accesses (last year) 40 Moritz Lipp Michael Schwarz

168 More things which do not work Prevent access to high-resolution timer Own timer using timing thread (last year) Flush instruction only privileged Cache eviction through memory accesses (last year) Just move secrets into secure world 40 Moritz Lipp Michael Schwarz

169 More things which do not work Prevent access to high-resolution timer Own timer using timing thread (last year) Flush instruction only privileged Cache eviction through memory accesses (last year) Just move secrets into secure world Spectre works on secure enclaves 40 Moritz Lipp Michael Schwarz

170 Spectre Variant 1 Mitigations 41 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

171 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation 41 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

172 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check 41 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

173 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check ARM: Conditional select or conditional move and new barrier CSDB 41 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

174 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check ARM: Conditional select or conditional move and new barrier CSDB Alternative: DSB SYS + ISB greater performance hit Retrofitted to existing ARMv7 and ARMv8 41 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

175 Spectre Variant 1 Mitigations 42 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

176 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported 42 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

177 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC 42 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

178 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable 42 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

179 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable Explicit use by programmer: builtin load no speculate 42 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

180 Spectre Variant 1 Mitigations 43 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

181 Spectre Variant 1 Mitigations 43 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

182 Spectre Variant 1 Mitigations 44 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

183 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known 44 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

184 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability 44 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

185 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable 44 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

186 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable Non-negligible performance overhead of barriers 44 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

187 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel and ARM Trusted Firmware patches 45 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

188 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel and ARM Trusted Firmware patches Clears branch-predictor state on context switch 45 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

189 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel and ARM Trusted Firmware patches Clears branch-predictor state on context switch Either via instruction (BPIALL) Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

190 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel and ARM Trusted Firmware patches Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) 45 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

191 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel and ARM Trusted Firmware patches Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) Google s Retpoline does not work on ARM 45 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

192 Learn from it We have ignored software side-channels for many many years: 46 Moritz Lipp Michael Schwarz

193 Learn from it We have ignored software side-channels for many many years: attacks on crypto 46 Moritz Lipp Michael Schwarz

194 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed 46 Moritz Lipp Michael Schwarz

195 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR 46 Moritz Lipp Michael Schwarz

196 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway 46 Moritz Lipp Michael Schwarz

197 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone 46 Moritz Lipp Michael Schwarz

198 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model 46 Moritz Lipp Michael Schwarz

199 Learn from it We have ignored software side-channels for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model for years we solely optimized for performance 46 Moritz Lipp Michael Schwarz

200 When you read the manuals... After learning about a side channel you realize: 47 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

201 When you read the manuals... After learning about a side channel you realize: the side channels were documented in the processor manual 47 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

202 When you read the manuals... After learning about a side channel you realize: the side channels were documented in the processor manual only now we understand the implications 47 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

203 What do we learn from it? Motor Vehicle Deaths in U.S. by Year 48 Moritz Lipp Michael Schwarz

204 A unique chance A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) find good trade-offs between security and performance 49 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

205 Conclusion Underestimated microarchitectural attacks for a long time Meltdown and Spectre exploit performance optimizations Allow to leak arbitrary memory Countermeasures come with a performance impact Find trade-offs between security and performance 50 Moritz Lipp (@mlqxyz), Michael Schwarz (@misc0110)

206 Meltdown & Spectre Side-channels considered harmful Qualcomm Mobile Security Summit May, San Diego, CA Moritz Lipp (@mlqxyz) Michael Schwarz (@misc0110)