MicroScope: Enabling Microarchitectural Replay Attacks

MicroScope: Enabling Microarchitectural Replay Attacks

MicroScope: Enabling Microarchitectural Replay Attacks Dimitrios Skarlatos, Mengjia Yan, Bhargava Gopireddy, Read Sprabery, Josep Torrellas, and Christopher W. Fletcher University of Illinois at Urbana-Champaign Overview The Era of Side-Channels Processor Core Port 0 Spectre18 ROB LSQ 4K-Alliasing18 Scheduler Port 2 Port 3 Port 1 PortSmash18

TLBLeed18 Branch ALU TLB Branch Predictors16 D-L1 TLB I-L1 Contention13 Subnormal FPU FPU15 Non-Inclusive LLC19 L2 L2 L3 L2 SGX Prime+Probe[13] Main Memory

DRAMA16 How much can leak over side channels? Victim: Attacker: if (secret) use resource else dont use resource for .. t1 = time() use resource t2 = time() Need repeated measurements to be confident Denoise However, many applications run only once Attacker gets 1 measurement Can attackers really extract secrets?

Contribution: Microarchitectural Replay Attacks Attacker leverages speculative execution To repeatedly replay a snippet of victim code That runs only once } Primitive to denoise arbitrary side channels Victim: ld addr // replay handle Memory operation that will cause a squash and re-execute ld secret // secret the attacker tries to leak Contribution: Microarchitectural Replay Attacks Time

ld addr: Issue Replay Handle Long Latency Event Contribution: Microarchitectural Replay Attacks Time ld addr: Issue Replay Handle ld secret: Speculative Execution of Secret Long Latency Event

Contribution: Microarchitectural Replay Attacks Time ld addr: Issue Replay Handle ld secret: Long Latency Event Speculative Execution of Secret Squash Event Squash Clear State Contribution: Microarchitectural Replay Attacks

ld addr: Issue Replay Handle ld secret: Long Latency Event Speculative Execution of Secret Cause Shared Resource Contention & Monitor Squash Event Squash Clear State Replay!! Background

Page Tables Background Virtual Address Address A CR3 + 47 39 38 30 29 21 20 12 11 0 9-bits 9-bits

9-bits 9-bits Page Offset pgd_t PGD + pud_t PUD + pmd_t + PMD

pte_t PTE Page tables stored in memory On a TLB Miss page walk = memory accesses Each step of page walk = cache hit/miss. Page walk cache (PWC): hardware cache of translations If Present bit in pte_t is cleared Page Fault, invoke OS TLB Entry Trusted Computing with SGX Designed to run sensitive applications in the cloud Do not trust OS/Hypervisor OS/Hypervisor cannot introspect/tamper enclave

Unfortunately, OS/Hypervisor still manages demand paging Attack Surface With Enclaves App App App Operating System Hypervisor Hardware Attack Surface Threat Model Threat Model In SGX the OS is responsible Demand paging Attacker (OS) can: Evict TLB entries Evict page walk cache entries

Monitor side channels MicroScope: A framework to exploit microarchitectural replay attacks Attack Examples Victim Code Loop Victim Code: 1. //public address 2. handle(pub_addr); 3. ... 4. transmit(secret); 5. ... 1. for i in ... 2. handle(pub_addrA); 3. ...

4. transmit(secret[i]); 5. ... 6. memOp(pub_addrB); 7. ... Terminology Victim Code 1. 2. 3. 4. 5. //public address handle(pub_addr); ... transmit(secret);

... Replay handle: Load to a public address (known to OS) Transmitter: Any instruction(s) whose execution reveals secret through some side channel Occurs < ROB length from Replay Handle Timeline of a MicroScope Attack - Setup Attack Setup Attacker Time Victim Timeline of a MicroScope Attack - Setup Clear PTE Present Bit of Replay Handle

Attack Setup Attacker Time Victim Timeline of a MicroScope Attack - Setup Clear PTE Present Bit of Replay Handle Attack Setup Attacker Flush Replay Handle Page Table Entries Time Victim

Timeline of a MicroScope Attack - Setup Clear PTE Present Bit of Replay Handle Attack Setup Attacker Flush Replay Handle Page Table Entries Flush Replay Handle TLB Entry Time Victim Timeline of a MicroScope Attack Attack Setup handle(pub_addr):

Attacker Time Issue Replay Handle Victim Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Attacker Time Issue Replay L1 TLB Handle Miss Victim

Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB Handle Miss Miss transmit(secret): Attacker Speculative Execution of Transmitter Victim Timeline of a MicroScope Attack

Attack Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC Handle Miss Miss Miss transmit(secret): Attacker Victim Speculative Execution of Transmitter Timeline of a MicroScope Attack Attack

Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Timeline of a MicroScope Attack Tune speculative execution duration with: Cache Hit or Miss

Attack Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Timeline of a MicroScope Attack Attack Setup

handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Page Fault Timeline of a MicroScope Attack Attack

Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Page Fault Squash

Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Time Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Page Fault

Squash OS Invocation Timeline of a MicroScope Attack Page Fault Handler Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker

Victim Speculative Execution of Transmitter Page Fault Squash OS Invocation Timeline of a MicroScope Attack Page Fault Handler Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle

Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Flush Replay Handle Page Table Entries Page Fault Squash OS Invocation

Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim Speculative Execution of Transmitter Page Fault Squash

OS Invocation Replay!! Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret): Attacker Victim

Speculative Execution of Transmitter Page Fault Squash OS Invocation Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss Miss Walk Walk Walk Walk transmit(secret):

Attacker Victim Speculative Execution of Transmitter Page Fault Squash OS Invocation Timeline of a MicroScope Attack Attack Setup handle(pub_addr): Issue Replay L1 TLB L2 TLB PWC PGD PUD PMD PTE Handle Miss Miss

Miss Walk Walk Walk Walk transmit(secret): Speculative Execution of Transmitter Cause Shared Resource Contention & Monitor Attacker Victim Attacker Monitor/Contention thread Page Fault Squash OS Invocation Replay!! Loop Example

Loop Example Victim: 1. for i in ... 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. memOp(pub_addrB); 7. ... Goal: Leak secret in every iteration Challenge: Monitor window of a replay handle < ROB length

Loop Example Victim: 1. for i in ... 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); 7. ... Replay Handle Transmit Code Instruction used to pivot around transmit instructions Pivot Instruction In a Loop

Dynamic code Static Code 1. for i in ... Iteration i=0 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); Iteration i=1 7. ... Replay Handle Transmit Code 1. handle(pub_addrA); 2. ... 3. transmit(secret[0]); 4. ... 5. pivot(pub_addrB); 6. ...

7. handle(pub_addrA); 8. ... 9. transmit(secret[1]); 10.... 11.pivot(pub_addrB); Pivot Instruction Monitor window In a Loop Dynamic code Static Code 1. for i in ... 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); 7. ... Replay Handle

Transmit Code 1. handle(pub_addrA); 2. ... 3. transmit(secret[0]); 4. ... 5. pivot(pub_addrB); 6. ... 7. handle(pub_addrA); 8. ... 9. transmit(secret[1]); 10.... 11.pivot(pub_addrB); Pivot Instruction Pivot page fault In a Loop Dynamic code Static Code

1. for i in ... 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); 7. ... Replay Handle Transmit Code 1. handle(pub_addrA); Retired instructions 2. ... 3. transmit(secret[0]); 4. ... 5. pivot(pub_addrB); Cause page fault on pivot 6. ... 7. handle(pub_addrA); 8. ... 9. transmit(secret[1]);

10.... 11.pivot(pub_addrB); Pivot Instruction In a Loop Dynamic code Static Code 1. for i in ... 2. handle(pub_addrA); 3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); 7. ... Replay Handle Transmit Code 1. handle(pub_addrA); 2. ...

3. transmit(secret[0]); 4. ... 5. pivot(pub_addrB); 6. ... 7. handle(pub_addrA); 8. ... 9. transmit(secret[1]); 10.... 11.pivot(pub_addrB); Pivot Instruction Retired instructions Cause page fault in new replay handle In a Loop Dynamic code Static Code 1. for i in ... 2. handle(pub_addrA);

3. ... 4. transmit(secret[i]); 5. ... 6. pivot(pub_addrB); 7. ... 1. handle(pub_addrA); 2. ... 3. transmit(secret[0]); 4. ... 5. pivot(pub_addrB); 6. ... 7. handle(pub_addrA); 8. ... 9. transmit(secret[1]); 10.... 11.pivot(pub_addrB); Retired Instructions New Monitor Window

Use this idea to denoise side channels on AES (see paper) Replay Handle Transmit Code Pivot Instruction Port Contention Attack Port Contention Attack with MicroScope Victim: Attacker: 1. 2. 3. 4. 5. 1. Setup replay attack handle(pub_addrA); 2.

if3. (secret) for 4. victim_mul() t1 = time() else 5. attacker_div() 6. victim_div() t2 =time() 7. } Replay Handle Transmit Code No Loop! Attacker Code Port Contention Attack with MicroScope Victim Thread

Victim: 1. handle(pub_addrA); 2. if (secret) 3. victim_mul() 4. else 5. victim_div() Replay Handle Transmit Code Decode INT ALU Attacker Code FP DIV

Attacker Thread Attacker: 1. 2. 3. 4. 5. 6. 7. Setup replay attack for t1 = time() attacker_div() t2 =time() } Port Contention Attack with MicroScope Victim

Thread Victim: 1. handle(pub_addrA); 2. if (secret) 3. victim_mul() 4. else 5. victim_div() Replay Handle Transmit Code Decode INT ALU Attacker Code FP DIV

Attacker Thread Attacker: 1. 2. 3. 4. 5. 6. 7. Setup replay attack for t1 = time() attacker_div() t2 =time() } Port Contention Attack with MicroScope

Victim Thread Victim: 1. handle(pub_addrA); 2. if (secret) 3. victim_mul() 4. else 5. victim_div() Decode INT ALU FP DIV 10,000 1 Replay Handle Transmit Code

Attacker Code Attacker Thread Attacker: 1. 2. 3. 4. 5. 6. 7. Setup replay attack for t1 = time() attacker_div() t2 =time() }

Port Contention Results Victim and attacker run on adjacent SMT contexts of same core Attacker performs divisions in a loop and measures time Victim performs two multiplications without a loop Victim performs two divisions without a loop Generalizing Microarchitectural Replay Attacks Microarchitectural Replay Attacks Attacker Trigger Replay? Strategy Secret 3 2

3 4 Replay Handle 2 Measure 1 1 Side Channels? ed y la e p Re Cod Window

4 Victim This work: Replay Handle Page fault-inducing load Replayed Code Leaky instruction Changing each can result in Side Channel uarch structures different attacks!! Attacker strategy Page fault until denoise More On the Paper Other attack examples MicroScope framework implementation Attacks on AES Countermeasures discussion Open source! MicroScope Framework Denoise nearly arbitrary microarchitectural side channels using page faults

Only a single run of the victim Demonstrate attacks on notoriously noisy side channels Detect the presence or absence of two divide instructions Single-step and denoise cache-based attacks on AES https://github.com/dskarlatos/MicroScope Takeaways Microarchitectural Replay Attacks New class of attacks Opens large new attack surface (noisy side channels) Implications for integrity, TSX, physical side channels Exploits core microarchitectural feature Dynamic instructions can be replayed through controlled squashes! We need new security properties to mitigate these attacks!

Recently Viewed Presentations

  • Title Slide Option 1 Presentation Title Here Keep Left Justified

    Title Slide Option 1 Presentation Title Here Keep Left Justified

    A commitment from all agencies to work toward meeting the timelines from the 2008 mitigation rule. An agreement for IRT agencies to coordinate prior to providing potentially conflicting direction to bankers or ILF program sponsors
  • :jfutd&#92; - Staff college

    :jfutd\ - Staff college

    Title:jfutd\ Author: user Last modified by: LAPTOP Created Date: 8/9/2009 11:21:22 PM Document presentation format: On-screen Show (4:3) Company
  • Update on the American Seed Trade Association &

    Update on the American Seed Trade Association &

    Breeding Methods: DNA markers, established heterotic pools, faster cycle time. Breeding Selection Criteria: Performance (yield, agronomics, disease) DUS Criteria: Morphology (non-performance visual observation) Standard morphological descriptors often fail to establish distinctness. PVP Office asks for additional evidence.
  • mining an unexpected source of innovation: lessons from

    mining an unexpected source of innovation: lessons from

    Where the brand name isn't what's important—it's the functionality and features of the device itself. And I'll talk more about this in a bit. * Shanzhai manufacturing has also come to include the idea of indigenous innovation. So this is...
  • Πληροφοριακά Συστήματα

    Πληροφοριακά Συστήματα

    Πανεπιστήμιο Αιγαίου Τμήμα Μηχανικών Σχεδίασης Προϊόντων & Συστημάτων Ε΄ εξάμηνο
  • Chapter 9 Materiality and Risk

    Chapter 9 Materiality and Risk

    Chapter 9 Materiality and Risk Audit Risk CPA Presentation Outline Steps in Applying Materiality Risk in Auditing Planning Model Relationships Evaluating Results Step 1 in Applying Materiality Set preliminary judgment about materiality.
  • Design and Development-Major. New Product to design variation.

    Design and Development-Major. New Product to design variation.

    Verify: In house- Mechanical endurance, Contact resistance, Time Interval,H.V, Megger, Shunt Coil, Charging Motor Resistance Value & Mechanical overall check. Validate: Type testing at IIT Chennai.
  • Curriculum development is a plan or blueprint for structuring ...

    Curriculum development is a plan or blueprint for structuring ...

    Curriculum development is a plan or blueprint for structuring the learning environments and coordinating the elements of personnel, materials, and equipment. ... Behavioral-Rational ApproachBy the Taba and Tyler Models, 1969. Most Recognized Technical . Scientific Models. The Ralph Tyler Model...