Embed Size (px)
Citation preview
Cache Storage Channels Alias-drivenAttacks
Roberto GuancialeMads DamHamed NematiChristoph Baumann
Formally Verified Platforms
Formally Verified Platforms
Formally Verified Platforms
Caches Excluded from the analysis
Formally Verified Platforms
Caches Excluded from the analysis
Formally Verified Platforms
Caches Excluded from the analysis
Formally Verified Platforms
Caches Excluded from the analysis
Formally Verified Platforms
Caches Excluded from the analysis
Models should be Sound
Formally Verified Platforms
Caches Excluded from the analysis
Models should be Sound
Storage Channels caninvalidate results
VirtualAddress
MMU
Cacheable(std-memory)
Non-cacheable(devices)
Incoherent Cache Behaviors
Page Tables
Mismatched cacheability attributes
do not do this
Mismatched cacheability attributes
do not do thisPlease,
Mismatched cacheability attributes
do not do thisPlease,
Mismatched cacheability attributes
Incoherent Cache Behaviors
ARM-terminology: unexpected cache hit
if the data cache reports a hit on a memory location that is marked as non-cacheable, the cache might access the memory disregarding such hit.
do not do thisPlease,
Mismatched cacheability attributes
Incoherent Cache Behaviors
Hypervisor
OS OS
Scenarios
Hypervisor
OS OS OSARM
TrustZoneService
Scenarios
Hypervisor
OS OS OSARM
TrustZoneService
Kernel
DeviceDriver
UserProcess
Scenarios
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
Attacker
Victim
VA_nc
PA
VA_c line dirtycache
memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
Attacker
Victim
VA_nc
PA
VA_c line dirtycache
memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
Attacker
Victim
VA_nc
PA
VA_c line dirtycache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
0memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
D == 0
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
D == 0
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c0 F
line dirty
Attacker
Victimcache
1memory
eviction
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
1memory
eviction
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
1memory
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c1 F
line dirty
Attacker
Victimcache
1memory
write(VA_nc, 0)…write(VA_nc, 1)free(VA_nc)
D = access(VA_c)…D = access(VA_c)if not policy(D) Reject()…use(VA_c)
VA_nc
PA
VA_c1 F
line dirty
Attacker
Victimcache
1memory
Integrity threat
● Transfer of memory ownership
● Time Of Check To Time Of Use attacks
● No need of● simultaneous double mapping● concurrency
Natural preys: reference monitors
Storage channels
cache
VA_nc
VA_c PA1
VA3
VA2 PA2
PA3
invalidate(VA_c)write(VA_nc, 0)D = read(VA_c)write(VA_nc, 1)call victimD = read(VA_c)
if secret access(VA2)else access(VA3)
Attacker
Victim
cache
VA_nc
VA_c PA1
VA3
VA2 PA2
PA3Accessedcache line is
secret-dependent
invalidate(VA_c)write(VA_nc, 0)D = read(VA_c)write(VA_nc, 1)call victimD = read(VA_c)
if secret access(VA2)else access(VA3)
Attacker
Victim
cache
VA_nc
VA_c PA1
VA3
VA2 PA2
PA3
invalidate(VA_c)write(VA_nc, 0)D = read(VA_c)write(VA_nc, 1)call victimD = read(VA_c)
if secret access(VA2)else access(VA3)
Attacker
Victim
Cache is ashared resource
cache
VA_nc
VA_c PA1
VA3
VA2 PA2
PA3
invalidate(VA_c)write(VA_nc, 0)D = read(VA_c)write(VA_nc, 1)call victimD = read(VA_c)
if secret access(VA2)else access(VA3)
Attacker
Victim
Mismatchedcacheabilityattributes
Confidentiality threat
● Access driven attacks
● No external measure needed
● Difficult to counter-measure at probing time
Natural preys: look-up tablesNatural preys: reference monitors
Storage channels
Integrity threat
● Transfer of memory ownership
● Time Of Check To Time Of Use
● No need of● simultaneous double mapping● concurrency
Hypervisor
▸ Beagleboard
ParavirtualizingHypervisor
PT PT
Linux
Linux prepares a PT
Linux
Hypervisor makesregion read-only
▸ Beagleboard
ParavirtualizingHypervisor
Hypervisor
PT PT
Hypervisor
PT PT
Linux
Hypervisor validatescontent
▸ Beagleboard
ParavirtualizingHypervisor
Hypervisor
PT PT
Linux
Hypervisor activatesPT
▸ Beagleboard
ParavirtualizingHypervisor
Hypervisor
PT PT
Linux
Hypervisor activatesPT
▸ Beagleboard
ParavirtualizingHypervisor
Hypervisor
PT PT
Linux
Hypervisor activatesPT
▸ Beagleboard▸ Linux takes
complete control
ParavirtualizingHypervisor
OSTrustZone
Service
Vulnerability:
c[j]=Kn[j] xor T4[s[j]]
▸ Raspberry PI 2▸ 128-bit key extracted after
850 encryptions
AESCryptoservice
Integrity threatguarantee memory coherency
● cache flushes(8x overhead)
● selective eviction(0.2x overhead)
Countermeasures
Integrity threatguarantee memory coherency
● cache flushes(8x overhead)
● selective eviction(0.2x overhead)
CountermeasuresConfidentiality threatstandard timing approaches
● secret-independent accesses(5x overhead)
● no cache for secret accesses(6x overhead)
Integrity threatguarantee memory coherency
● cache flushes(8x overhead)
● selective eviction(0.2x overhead)
CountermeasuresConfidentiality threatstandard timing approaches
● secret-independent accesses(5x overhead)
● no cache for secret accesses(6x overhead)
Vector specific
● avoid uncacheable aliases(0.15x overhead)
Integrity threatguarantee memory coherency
● cache flushes(8x overhead)
● selective eviction(0.2x overhead)
CountermeasuresConfidentiality threatstandard timing approaches
● secret-independent accesses(5x overhead)
● no cache for secret accesses(6x overhead)
Vector specific
● avoid uncacheable aliases(0.15x overhead)
HW Countermeasures
● do not disregardunexpected cache hit
Confidentiality threat using self-modifying code
Concluding remarks
Ongoing work
● Repair formal verification
● TLBs / Branch prediction / …
● Experimentation in multi-core
● Evaluating HW countermeasures
