Software-based Microarchitectural Attacks

Transcription

1 SCIENCE PASSION TECHNOLOGY Software-based Microarchitectural Attacks Daniel Gruss April 19, 2018 Graz University of Technology 1 Daniel Gruss Graz University of Technology

2 Whoami Daniel Gruss Graz University of Technology daniel.gruss@iaik.tugraz.at 2 Daniel Gruss Graz University of Technology

3 Timeline of Meltdown and Spectre Both vulnerabilities existed for many years 3 Daniel Gruss Graz University of Technology

4 Timeline of Meltdown and Spectre Both vulnerabilities existed for many years No one discovered it before 3 Daniel Gruss Graz University of Technology

5 Timeline of Meltdown and Spectre Both vulnerabilities existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months 3 Daniel Gruss Graz University of Technology

6 Timeline of Meltdown and Spectre Both vulnerabilities existed for many years No one discovered it before Suddenly, 4 independent teams discover it within 6 months Let s create an evidence board 3 Daniel Gruss Graz University of Technology

7 3 Daniel Gruss Graz University of Technology

8 3 Daniel Gruss Graz University of Technology

9 3 Daniel Gruss Graz University of Technology

10 3 Daniel Gruss Graz University of Technology

11 3 Daniel Gruss Graz University of Technology

12 3 Daniel Gruss Graz University of Technology

13 3 Daniel Gruss Graz University of Technology

14 3 Daniel Gruss Graz University of Technology

15 3 Daniel Gruss Graz University of Technology

16 3 Daniel Gruss Graz University of Technology

17 3 Daniel Gruss Graz University of Technology

18 3 Daniel Gruss Graz University of Technology

19 3 Daniel Gruss Graz University of Technology

20 3 Daniel Gruss Graz University of Technology

21 3 Daniel Gruss Graz University of Technology

22 3 Daniel Gruss Graz University of Technology

23 Meltdown vs. Spectre Why two names, two papers, etc? Two different problems 4 Daniel Gruss Graz University of Technology

24 Meltdown vs. Spectre Why two names, two papers, etc? Two different problems They only have a very loose connection 4 Daniel Gruss Graz University of Technology

25 Meltdown vs. Spectre Why two names, two papers, etc? Two different problems They only have a very loose connection Two different teams had already quite matured drafts ready when learning of each other 4 Daniel Gruss Graz University of Technology

26 Meltdown vs. Spectre Why two names, two papers, etc? Two different problems They only have a very loose connection Two different teams had already quite matured drafts ready when learning of each other Initially we tried to merge, but all co-authors quickly agreed that it would mix things that don t belong together More on that after we understand the attacks 4 Daniel Gruss Graz University of Technology

27 The Fallout You realize it is something big when... 5 Daniel Gruss Graz University of Technology

28 The Fallout You realize it is something big when... it is in the news, all over the world 5 Daniel Gruss Graz University of Technology

29 The Fallout You realize it is something big when... it is in the news, all over the world 5 Daniel Gruss Graz University of Technology

30 The Fallout You realize it is something big when... it is in the news, all over the world 5 Daniel Gruss Graz University of Technology

31 The Fallout You realize it is something big when... it is in the news, all over the world 5 Daniel Gruss Graz University of Technology

32 The Fallout You realize it is something big when... it is in the news, all over the world 5 Daniel Gruss Graz University of Technology

33 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 5 Daniel Gruss Graz University of Technology

34 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 5 Daniel Gruss Graz University of Technology

35 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages 5 Daniel Gruss Graz University of Technology

36 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 5 Daniel Gruss Graz University of Technology

37 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 5 Daniel Gruss Graz University of Technology

38 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd 5 Daniel Gruss Graz University of Technology

39 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 5 Daniel Gruss Graz University of Technology

40 The Fallout You realize it is something big when... it is in the news, all over the world you get a Wikipedia article in multiple languages there are comics, including xkcd you get a lot of Twitter follower after Snowden mentioned you 5 Daniel Gruss Graz University of Technology

41 The Wall 6 Daniel Gruss Graz University of Technology

42

43 The Core of Meltdown/Spectre Kernel is isolated from user space Userspace Kernelspace Applications Operating System Memory 8 Daniel Gruss Graz University of Technology

44 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software Userspace Kernelspace Applications Operating System Memory 8 Daniel Gruss Graz University of Technology

45 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel Userspace Kernelspace Applications Operating System Memory 8 Daniel Gruss Graz University of Technology

46 The Core of Meltdown/Spectre Kernel is isolated from user space This isolation is a combination of hardware and software User applications cannot access anything from the kernel There is only a well-defined interface syscalls Userspace Applications Kernelspace Operating System Memory 8 Daniel Gruss Graz University of Technology

47 8 Daniel Gruss Graz University of Technology

48 8 Daniel Gruss Graz University of Technology

49 8 Daniel Gruss Graz University of Technology

50 8 Daniel Gruss Graz University of Technology

51 Revolutionary concept! Store your food at home, never go to the grocery store during cooking. Can store ALL kinds of food. ONLY TODAY INSTEAD OF $1,300 ORDER VIA PHONE: Daniel Gruss Graz University of Technology

52 CPU Cache printf("%d", i); printf("%d", i); 9 Daniel Gruss Graz University of Technology

53 CPU Cache printf("%d", i); printf("%d", i); Cache miss 9 Daniel Gruss Graz University of Technology

54 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request 9 Daniel Gruss Graz University of Technology

55 CPU Cache printf("%d", i); printf("%d", i); Cache miss Request Response 9 Daniel Gruss Graz University of Technology

56 CPU Cache printf("%d", i); printf("%d", i); Cache miss i Request Response 9 Daniel Gruss Graz University of Technology

57 CPU Cache printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 9 Daniel Gruss Graz University of Technology

58 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i Request Response 9 Daniel Gruss Graz University of Technology

59 CPU Cache DRAM access, slow printf("%d", i); printf("%d", i); Cache miss Cache hit i No DRAM access, much faster Request Response 9 Daniel Gruss Graz University of Technology

60 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 10 Daniel Gruss Graz University of Technology

61 Flush+Reload ATTACKER Shared Memory VICTIM flush access cached Shared Memory cached access 10 Daniel Gruss Graz University of Technology

62 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 10 Daniel Gruss Graz University of Technology

63 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 10 Daniel Gruss Graz University of Technology

64 Flush+Reload ATTACKER Shared Memory VICTIM flush access access 10 Daniel Gruss Graz University of Technology

65 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 10 Daniel Gruss Graz University of Technology

66 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access 10 Daniel Gruss Graz University of Technology

67 Flush+Reload ATTACKER Shared Memory VICTIM flush access Shared Memory access fast if victim accessed data, slow otherwise 10 Daniel Gruss Graz University of Technology

68 Memory Access Latency 11 Daniel Gruss Graz University of Technology

69 Memory Access Latency 11 Daniel Gruss Graz University of Technology

70 Cache Template Attack Demo

71 Cache Template Address 0x7c680 0x7c6c0 0x7c700 0x7c740 0x7c780 0x7c7c0 0x7c800 0x7c840 0x7c880 0x7c8c0 0x7c900 0x7c940 0x7c980 0x7c9c0 0x7ca00 0x7cb80 0x7cc40 0x7cc80 0x7ccc0 0x7cd00 Key g h i j k l m n o p q r s t u v w x y z 13 Daniel Gruss Graz University of Technology

72 13 Daniel Gruss Graz University of Technology

73 13 Daniel Gruss Graz University of Technology

74 13 Daniel Gruss Graz University of Technology

75 Wait for an hour 13 Daniel Gruss Graz University of Technology

76 Wait for an hour LATENCY 13 Daniel Gruss Graz University of Technology

77 13 Daniel Gruss Graz University of Technology

78 Dependency Parallelize 13 Daniel Gruss Graz University of Technology

79 Out-of-order Execution 1 int width = 10, height = 5; 2 3 float diagonal = sqrt(width * width 4 + height * height); 5 int area = width * height; 6 7 printf("area %d x %d = %d\n", width, height, area); 14 Daniel Gruss Graz University of Technology

80 Out-of-order Execution Dependency 1 int width = 10, height = 5; 2 3 float diagonal = sqrt(width * width 4 + height * height); 5 int area = width * height; 6 7 printf("area %d x %d = %d\n", width, height, area); Parallelize 14 Daniel Gruss Graz University of Technology

81 Building Meltdown 1 char data = *(char*)0xffffffff81a000e0; 2 printf("%c\n", data); 15 Daniel Gruss Graz University of Technology

82 Building Meltdown 1 char data = *(char*)0xffffffff81a000e0; 2 printf("%c\n", data); 1 segfault at ffffffff81a000e0 ip sp ffce4a80610 error 5 in reader 15 Daniel Gruss Graz University of Technology

83 Building Meltdown 1 char data = *(char*)0xffffffff81a000e0; 2 printf("%c\n", data); 1 segfault at ffffffff81a000e0 ip sp ffce4a80610 error 5 in reader Kernel addresses are not accessible 15 Daniel Gruss Graz University of Technology

84 Building Meltdown 1 char data = *(char*)0xffffffff81a000e0; 2 printf("%c\n", data); 1 segfault at ffffffff81a000e0 ip sp ffce4a80610 error 5 in reader Kernel addresses are not accessible Are privilege checks also done when executing instructions out of order? 15 Daniel Gruss Graz University of Technology

85 Building Meltdown Adapted code 1 *(volatile char*)0; 2 array[84 * 4096] = 0; // unreachable 16 Daniel Gruss Graz University of Technology

86 Building Meltdown Adapted code 1 *(volatile char*)0; 2 array[84 * 4096] = 0; // unreachable Static code analyzer is not happy 1 warning : Dereference of null pointer 2 ( volatile char ) 0; 16 Daniel Gruss Graz University of Technology

87 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed 17 Daniel Gruss Graz University of Technology

88 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Unreachable code line was actually executed Exception was only thrown afterwards 17 Daniel Gruss Graz University of Technology

89 Building Meltdown Combine the two things 1 char data = *(char*)0xffffffff81a000e0; 2 array[data * 4096] = 0; 18 Daniel Gruss Graz University of Technology

90 Building Meltdown Combine the two things 1 char data = *(char*)0xffffffff81a000e0; 2 array[data * 4096] = 0; = sending end of a cache covert channel Then check whether any part of array is cached 18 Daniel Gruss Graz University of Technology

91 Building Meltdown Combine the two things 1 char data = *(char*)0xffffffff81a000e0; 2 array[data * 4096] = 0; = sending end of a cache covert channel Then check whether any part of array is cached = receiving end of a cache covert channel 18 Daniel Gruss Graz University of Technology

92 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data 19 Daniel Gruss Graz University of Technology

93 Building Meltdown Flush+Reload over all pages of the array Access time [cycles] Page Index of cache hit reveals data Permission check is in some cases not fast enough 19 Daniel Gruss Graz University of Technology

94

95

96

97 Leaking Passwords from your Password Manager 23 Daniel Gruss Graz University of Technology

98

99 Not so fast Daniel Gruss Graz University of Technology

100 Take the kernel addresses... Kernel addresses in user space are a problem 25 Daniel Gruss Graz University of Technology

101 Take the kernel addresses... Kernel addresses in user space are a problem Why don t we take the kernel addresses Daniel Gruss Graz University of Technology

102 ...and remove them...and remove them if not needed? 26 Daniel Gruss Graz University of Technology

103 ...and remove them...and remove them if not needed? User accessible check in hardware is not reliable 26 Daniel Gruss Graz University of Technology

104 Idea Let s just unmap the kernel in user space 27 Daniel Gruss Graz University of Technology

105 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present 27 Daniel Gruss Graz University of Technology

106 Idea Let s just unmap the kernel in user space Kernel addresses are then no longer present Memory which is not mapped cannot be accessed at all 27 Daniel Gruss Graz University of Technology

107 27 Daniel Gruss Graz University of Technology

108 Kernel Address Isolation to have Side channels Efficiently Removed 27 Daniel Gruss Graz University of Technology

109 KAISER /ˈkʌɪzə/ 1. [german] Emperor, ruler of an empire 2. largest penguin, emperor penguin Kernel Address Isolation to have Side channels Efficiently Removed 27 Daniel Gruss Graz University of Technology

110 Userspace Kernelspace Applications Operating System Memory 27 Daniel Gruss Graz University of Technology

111 Kernel View User View Userspace Kernelspace Userspace Kernelspace Applications Operating System Memory Applications context switch 27 Daniel Gruss Graz University of Technology

112 Kernel Address Space Isolation We published KAISER in July Daniel Gruss Graz University of Technology

113 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) 28 Daniel Gruss Graz University of Technology

114 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows Daniel Gruss Graz University of Technology

115 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map 28 Daniel Gruss Graz University of Technology

116 Kernel Address Space Isolation We published KAISER in July 2017 Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation) Microsoft implemented similar concept in Windows 10 Apple implemented it in macos and called it Double Map All share the same idea: switching address spaces on context switch 28 Daniel Gruss Graz University of Technology

117 28 Daniel Gruss Graz University of Technology

118 Performance Depends on how often you need to switch between kernel and user space 29 Daniel Gruss Graz University of Technology

119 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware 29 Daniel Gruss Graz University of Technology

120 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features 29 Daniel Gruss Graz University of Technology

121 Performance Depends on how often you need to switch between kernel and user space Can be slow, 40% or more on old hardware But modern CPUs have additional features Performance overhead on average below 2% 29 Daniel Gruss Graz University of Technology

122 Meltdown and Spectre 30 Daniel Gruss Graz University of Technology

123 Meltdown and Spectre 30 Daniel Gruss Graz University of Technology

124 30 Daniel Gruss Graz University of Technology

125 Prosciutto 30 Daniel Gruss Graz University of Technology

126 Funghi 30 Daniel Gruss Graz University of Technology

127 Diavolo 30 Daniel Gruss Graz University of Technology

128 Diavolo 30 Daniel Gruss Graz University of Technology

129 Diavolo 30 Daniel Gruss Graz University of Technology

130 Diavolo 30 Daniel Gruss Graz University of Technology

131 »A table for 6 please«30 Daniel Gruss Graz University of Technology

132 30 Daniel Gruss Graz University of Technology

133 Speculative Cooking 30 Daniel Gruss Graz University of Technology

134 »A table for 6 please«30 Daniel Gruss Graz University of Technology

135 30 Daniel Gruss Graz University of Technology

136 30 Daniel Gruss Graz University of Technology

137 30 Daniel Gruss Graz University of Technology

138 30 Daniel Gruss Graz University of Technology

139 What does Spectre do? Mistrains branch prediction 31 Daniel Gruss Graz University of Technology

140 What does Spectre do? Mistrains branch prediction CPU speculatively executes code which should not be executed 31 Daniel Gruss Graz University of Technology

141 What does Spectre do? Mistrains branch prediction CPU speculatively executes code which should not be executed Can also mistrain indirect calls 31 Daniel Gruss Graz University of Technology

142 What does Spectre do? Mistrains branch prediction CPU speculatively executes code which should not be executed Can also mistrain indirect calls Spectre convinces program to execute code 31 Daniel Gruss Graz University of Technology

143 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

144 Spectre (variant 1) index = 0; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

145 Spectre (variant 1) index = 0; char* data = "textkey"; then if (index < 4) Prediction else Speculate LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

146 Spectre (variant 1) index = 0; char* data = "textkey"; Execute then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

147 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

148 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

149 Spectre (variant 1) index = 1; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

150 Spectre (variant 1) index = 1; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

151 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

152 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

153 Spectre (variant 1) index = 2; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

154 Spectre (variant 1) index = 2; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

155 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

156 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

157 Spectre (variant 1) index = 3; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

158 Spectre (variant 1) index = 3; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

159 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

160 Spectre (variant 1) index = 4; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

161 Spectre (variant 1) index = 4; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

162 Spectre (variant 1) index = 4; char* data = "textkey"; then if (index < 4) Prediction else Execute LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

163 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

164 Spectre (variant 1) index = 5; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

165 Spectre (variant 1) index = 5; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

166 Spectre (variant 1) index = 5; char* data = "textkey"; then if (index < 4) Prediction else Execute LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

167 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

168 Spectre (variant 1) index = 6; char* data = "textkey"; if (index < 4) then Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

169 Spectre (variant 1) index = 6; char* data = "textkey"; Speculate then if (index < 4) Prediction else LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

170 Spectre (variant 1) index = 6; char* data = "textkey"; then if (index < 4) Prediction else Execute LUT[data[index] * 4096] 0 32 Daniel Gruss Graz University of Technology

171 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

172 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Speculate Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

173 Spectre (variant 2) Animal* a = bird; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

174 Spectre (variant 2) Animal* a = bird; a->move() Execute fly() swim() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

175 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

176 Spectre (variant 2) Animal* a = bird; a->move() Speculate fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

177 Spectre (variant 2) Animal* a = bird; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

178 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

179 Spectre (variant 2) Animal* a = fish; a->move() Speculate fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

180 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

181 Spectre (variant 2) Animal* a = fish; a->move() fly() fly() swim() Execute Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

182 Spectre (variant 2) Animal* a = fish; a->move() fly() swim() swim() Prediction LUT[data[index] * 4096] 0 33 Daniel Gruss Graz University of Technology

183 Mitigating Spectre Trivial approach: disable speculative execution 34 Daniel Gruss Graz University of Technology

184 Mitigating Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation 34 Daniel Gruss Graz University of Technology

185 Mitigating Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! 34 Daniel Gruss Graz University of Technology

186 Mitigating Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? 34 Daniel Gruss Graz University of Technology

187 Mitigating Spectre Trivial approach: disable speculative execution No wrong speculation if there is no speculation Problem: massive performance hit! Also: How to disable it? Speculative execution is deeply integrated into CPU 34 Daniel Gruss Graz University of Technology

188 Spectre Variant 1 Mitigations 35 Daniel Gruss Graz University of Technology

189 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation 35 Daniel Gruss Graz University of Technology

190 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check 35 Daniel Gruss Graz University of Technology

191 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check x86: LFENCE, ARM: CSDB 35 Daniel Gruss Graz University of Technology

192 Spectre Variant 1 Mitigations Workaround: insert instructions stopping speculation insert after every bounds check x86: LFENCE, ARM: CSDB Available on all Intel CPUs, retrofitted to existing ARMv7 and ARMv8 35 Daniel Gruss Graz University of Technology

193 Spectre Variant 1 Mitigations 36 Daniel Gruss Graz University of Technology

194 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported 36 Daniel Gruss Graz University of Technology

195 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC 36 Daniel Gruss Graz University of Technology

196 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable 36 Daniel Gruss Graz University of Technology

197 Spectre Variant 1 Mitigations Speculation barrier requires compiler supported Already implemented in GCC, LLVM, and MSVC Can be automated (MSVC) not really reliable Explicit use by programmer: builtin load no speculate 36 Daniel Gruss Graz University of Technology

198 Spectre Variant 1 Mitigations 37 Daniel Gruss Graz University of Technology

199 Spectre Variant 1 Mitigations 37 Daniel Gruss Graz University of Technology

200 Spectre Variant 1 Mitigations 38 Daniel Gruss Graz University of Technology

201 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known 38 Daniel Gruss Graz University of Technology

202 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability 38 Daniel Gruss Graz University of Technology

203 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable 38 Daniel Gruss Graz University of Technology

204 Spectre Variant 1 Mitigations Speculation barrier works if affected code constructs are known Programmer has to fully understand vulnerability Automatic detection is not reliable Non-negligible performance overhead of barriers 38 Daniel Gruss Graz University of Technology

205 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): 39 Daniel Gruss Graz University of Technology

206 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode 39 Daniel Gruss Graz University of Technology

207 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions 39 Daniel Gruss Graz University of Technology

208 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): 39 Daniel Gruss Graz University of Technology

209 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer 39 Daniel Gruss Graz University of Technology

210 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer Single Thread Indirect Branch Predictors (STIBP): 39 Daniel Gruss Graz University of Technology

211 Spectre Variant 2 Mitigations (Microcode/MSRs) Intel released microcode updates Indirect Branch Restricted Speculation (IBRS): Do not speculate based on anything before entering IBRS mode lesser privileged code cannot influence predictions Indirect Branch Predictor Barrier (IBPB): Flush branch-target buffer Single Thread Indirect Branch Predictors (STIBP): Isolates branch prediction state between two hyperthreads 39 Daniel Gruss Graz University of Technology

212 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 40 Daniel Gruss Graz University of Technology

213 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop 40 Daniel Gruss Graz University of Technology

214 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function 40 Daniel Gruss Graz University of Technology

215 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? 40 Daniel Gruss Graz University of Technology

216 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: 40 Daniel Gruss Graz University of Technology

217 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction 40 Daniel Gruss Graz University of Technology

218 Spectre Variant 2 Mitigations (Software) Retpoline (compiler extension) 1 push < call_target > 2 call 1f 3 2: ; speculation will continue here 4 lfence ; speculation barrier 5 jmp 2b ; endless loop 6 1: 7 lea 8(%rsp), %rsp ; restore stack pointer 8 ret ; the actual call to <call_target> always predict to enter an endless loop instead of the correct (or wrong) target function performance? On Broadwell or newer: ret may fall-back to the BTB for prediction microcode patches to prevent that 40 Daniel Gruss Graz University of Technology

219 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel 41 Daniel Gruss Graz University of Technology

220 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch 41 Daniel Gruss Graz University of Technology

221 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL) Daniel Gruss Graz University of Technology

222 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) 41 Daniel Gruss Graz University of Technology

223 Spectre Variant 2 Mitigations (Software) ARM provides hardened Linux kernel Clears branch-predictor state on context switch Either via instruction (BPIALL)......or workaround (disable/enable MMU) Non-negligible performance overhead ( ns) 41 Daniel Gruss Graz University of Technology

224 What does not work Prevent access to high-resolution timer 42 Daniel Gruss Graz University of Technology

225 What does not work Prevent access to high-resolution timer Own timer using timing thread 42 Daniel Gruss Graz University of Technology

226 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged 42 Daniel Gruss Graz University of Technology

227 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses 42 Daniel Gruss Graz University of Technology

228 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses Just move secrets into secure world 42 Daniel Gruss Graz University of Technology

229 What does not work Prevent access to high-resolution timer Own timer using timing thread Flush instruction only privileged Cache eviction through memory accesses Just move secrets into secure world Spectre works on secure enclaves 42 Daniel Gruss Graz University of Technology

230 Meltdown vs. Spectre Meltdown Spectre 43 Daniel Gruss Graz University of Technology

231 Meltdown vs. Spectre Meltdown Out-of-Order Execution Spectre Speculative Execution (subset of Out-of-Order Execution) 43 Daniel Gruss Graz University of Technology

232 Meltdown vs. Spectre Meltdown Out-of-Order Execution has nothing to do with branch prediction Spectre Speculative Execution (subset of Out-of-Order Execution) fundamentally builds on branch (mis)prediction 43 Daniel Gruss Graz University of Technology

233 Meltdown vs. Spectre Meltdown Out-of-Order Execution has nothing to do with branch prediction turning off speculative execution entirely has no effect on Meltdown Spectre Speculative Execution (subset of Out-of-Order Execution) fundamentally builds on branch (mis)prediction turning off speculative execution entirely would work 43 Daniel Gruss Graz University of Technology

234 Meltdown vs. Spectre Meltdown Out-of-Order Execution has nothing to do with branch prediction turning off speculative execution entirely has no effect on Meltdown melts down the isolation provided by the user accessible-bit Spectre Speculative Execution (subset of Out-of-Order Execution) fundamentally builds on branch (mis)prediction turning off speculative execution entirely would work has nothing to do with the user accessible-bit 43 Daniel Gruss Graz University of Technology

235 Meltdown vs. Spectre Meltdown Out-of-Order Execution has nothing to do with branch prediction turning off speculative execution entirely has no effect on Meltdown melts down the isolation provided by the user accessible-bit in theory: OoO not required, pipelining can be sufficient Spectre Speculative Execution (subset of Out-of-Order Execution) fundamentally builds on branch (mis)prediction turning off speculative execution entirely would work has nothing to do with the user accessible-bit KAISER has no effect on Spectre at all 43 Daniel Gruss Graz University of Technology

236 Meltdown vs. Spectre Meltdown Out-of-Order Execution has nothing to do with branch prediction turning off speculative execution entirely has no effect on Meltdown melts down the isolation provided by the user accessible-bit in theory: OoO not required, pipelining can be sufficient mitigated by KAISER Spectre Speculative Execution (subset of Out-of-Order Execution) fundamentally builds on branch (mis)prediction turning off speculative execution entirely would work has nothing to do with the user accessible-bit KAISER has no effect on Spectre at all 43 Daniel Gruss Graz University of Technology

237 Meltdown vs. Spectre Meltdown Spectre 44 Daniel Gruss Graz University of Technology

238 Meltdown vs. Spectre Meltdown performs illegal memory accesses we need to take care of processor exceptions Spectre performs only legal memory accesses 44 Daniel Gruss Graz University of Technology

239 Meltdown vs. Spectre Meltdown performs illegal memory accesses we need to take care of processor exceptions exception handling Spectre performs only legal memory accesses has nothing to do with exception handling 44 Daniel Gruss Graz University of Technology

240 Meltdown vs. Spectre Meltdown performs illegal memory accesses we need to take care of processor exceptions exception handling exception suppression with TSX Spectre performs only legal memory accesses has nothing to do with exception handling or suppression 44 Daniel Gruss Graz University of Technology

241 Meltdown vs. Spectre Meltdown performs illegal memory accesses we need to take care of processor exceptions exception handling exception suppression with TSX exception suppression with branch misprediction Spectre performs only legal memory accesses has nothing to do with exception handling or suppression 44 Daniel Gruss Graz University of Technology

242 Meltdown vs. Spectre Meltdown performs illegal memory accesses we need to take care of processor exceptions exception handling exception suppression with TSX exception suppression with branch misprediction Spectre performs only legal memory accesses has nothing to do with exception handling or suppression two papers, two names, etc. 44 Daniel Gruss Graz University of Technology

243 But Daniel Gruss Graz University of Technology

244 But Daniel Gruss Graz University of Technology

245 But why were they named variant 1, 2 and 3 by Google? 45 Daniel Gruss Graz University of Technology

246 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? 45 Daniel Gruss Graz University of Technology

247 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? Intel had much interest in not fancy-naming them ;) 45 Daniel Gruss Graz University of Technology

248 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? Intel had much interest in not fancy-naming them ;) 45 Daniel Gruss Graz University of Technology

249 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? Intel had much interest in not fancy-naming them ;)... why were they presented on the same date and on the same website? 45 Daniel Gruss Graz University of Technology

250 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? Intel had much interest in not fancy-naming them ;)... why were they presented on the same date and on the same website? We did not choose the date 45 Daniel Gruss Graz University of Technology

251 But why were they named variant 1, 2 and 3 by Google? How can you use speculative execution maliciously? Intel had much interest in not fancy-naming them ;)... why were they presented on the same date and on the same website? We did not choose the date We did not want to have one of them overshadow the other immediately 45 Daniel Gruss Graz University of Technology

252 What do we learn from it? We have ignored microarchitectural attacks for many many years: 46 Daniel Gruss Graz University of Technology

253 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto 46 Daniel Gruss Graz University of Technology

254 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed 46 Daniel Gruss Graz University of Technology

255 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed attacks on ASLR 46 Daniel Gruss Graz University of Technology

256 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway 46 Daniel Gruss Graz University of Technology

257 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone 46 Daniel Gruss Graz University of Technology

258 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model 46 Daniel Gruss Graz University of Technology

259 What do we learn from it? We have ignored microarchitectural attacks for many many years: attacks on crypto software should be fixed attacks on ASLR ASLR is broken anyway attacks on SGX and TrustZone not part of the threat model for years we solely optimized for performance 46 Daniel Gruss Graz University of Technology

260 When you read the manuals... After learning about a side channel you realize: 47 Daniel Gruss Graz University of Technology

261 When you read the manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual 47 Daniel Gruss Graz University of Technology

262 When you read the manuals... After learning about a side channel you realize: the side channels were documented in the Intel manual only now we understand the implications 47 Daniel Gruss Graz University of Technology

263 What do we learn from it? Motor Vehicle Deaths in U.S. by Year 48 Daniel Gruss Graz University of Technology

264 Conclusions A unique chance to rethink processor design 49 Daniel Gruss Graz University of Technology

265 Conclusions A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) 49 Daniel Gruss Graz University of Technology

266 Conclusions A unique chance to rethink processor design grow up, like other fields (car industry, construction industry) dedicate more time into identifying problems and not solely in mitigating known problems 49 Daniel Gruss Graz University of Technology

267 SCIENCE PASSION TECHNOLOGY Software-based Microarchitectural Attacks Daniel Gruss April 19, 2018 Graz University of Technology 50 Daniel Gruss Graz University of Technology