Spectre Attacks: Exploiting Speculative Execution

Paul Kocher1, Jann Horn2, Anders Fogh3, Daniel Genkin4, Daniel Gruss5, Werner Haas6, Mike Hamburg7, Mortiz Lipp5, Stefan Mangard5, Thomas Prescher6, Michael Schwartz5, Yuval Yarom8

1 Independent, 2 Google Project Zero, 3 G DATA Advanced Analytics, 4 University of Pennsylvania and University of Maryland, 5 Graz University of Technology, 6 Cyberus Technology, 7 Rambus, Cryptography Research Division, 8 University of Adelaide & Data61 Alltrademarksarethepropertyoftheirrespectiveowners.Thispresentationisprovidedwithoutanyguaranteeorwarrantywhatsoever.

IEEESecurity&Privacy(May20,2019)

2

Nomoreeasygainsfromlow-levelphysics,e.g.:ê  Increaseclockrates Mostlymaxedout(3.8GHzPentium4in2004)ê  Improvememoryspeeds DRAMlatencyhuge,notimprovingmuch

Industryfocusonpipelining+boostingaverage-caseperformance,e.g.:ê  Reducingmemorydelays àCachesê  Workingduringdelays àSpeculativeexecution

How to boost CPU performance?

PublicdomainimageofPentium4diebyRitzchensFritz

Computer architecture: n. The art and science of introducing new side channel vulnerabilities.

3

Programsareexpressedsequentially…butfastCPUsleverageHW’sparallelism(pipelining…)andspeculation

Speculation:Startlikelytasksearly,thencleanuperrors.

Speculative execution

if (x == 1) { abc…

} else { xyz…

}

 Ifxisuncached,processorfacesalongdelay CPUcanguessexecutionpath&proceedspeculatively WhenxarrivesfromDRAM,checkifguesswascorrectê  Correct:commitspeculativework=performancegainê Wrongguess:Discardfaultywork

Example:

4

Correctprogram

Fault attacks

ABCDE…

Induceerror(s)

ABC’DE…

SecureprogramsareunsafeifexecutederroneouslyExample:Induceanalogglitchesonclock,reset,power/ground…Almostanykindoferrorisexploitable

ßExecutedprogramisdifferent

5

Arethereanysecurityimplicationsfromspeculativeexecution? --MikeHamburg

CPUissecretlymakingerrorsonitsown

≈  faultattackhardwareisbuilt-in

Faultyresultsarediscarded,butCPUsareriddledwithside/covertchannels(…muchsimplerthancombinedfault+differentialpoweranalysis)

6

Conditional branch (Variant 1) attack

 Attackscenario:ê  Coderunsinatrustedcontextê  Adversarywantstoreadmemoryandcontrolsunsignedintegerx

ê  Branchpredictorwillexpectif()tobetrue(e.g.becausepriorcallshadx<array1_size)

ê  array1_sizeandarray2[]arenotincache

if (x < array1_size) y = array2[array1[x]*512];

Contentsdon’tmatter

Memory&CacheStatus

array1_size = 00000008

Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)

array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]

Uncached Cached

���

onlycareaboutcachestatus

7

Conditional branch (Variant 1) attack

Attackercallsvictimcodewithx=N(whereN>8)ê  Speculativeexecwhilewaitingforarray1_size

ê  Predictthatif()istrueê  Readaddress(array1base+x)w/out-of-boundsxê  Readreturnssecretbyte=09(fast–incache)

if (x < array1_size) y = array2[array1[x]*512];

Memory&CacheStatus

array1_size = 00000008

Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)

array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]

Uncached Cached

���

Contentsdon’tmatteronlycareaboutcachestatus

8

Conditional branch (Variant 1) attack

Attackercallsvictimcodewithx=N(whereN>8)ê  Speculativeexecwhilewaitingforarray1_size

ê  Predictthatif()istrueê  Readaddress(array1base+x)w/out-of-boundsxê  Readreturnssecretbyte=09(fast–incache)ê  Requestmemoryat(array2base+09*512)ê  Bringsarray2[09*512]intothecacheê  Realizeif()isfalse:discardspeculativework

ê  Finishoperation&returntocaller

Attackertimesreadsfromarray2[i*512]ê  Readfori=09isfast(cached),revealingsecretbyte

if (x < array1_size) y = array2[array1[x]*512];

Memory&CacheStatus

array1_size = 00000008

Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)

array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]

Uncached Cached

���

Contentsdon’tmatteronlycareaboutcachestatus

9

Spectre is a messy class of vulnerabilities

Manyrelatedresults•  SpeculativeStoreBypass/Variant4•  NetSpectre•  Foreshadow•  Spectre1.1•  Spectre-NG•  RogueSystemRegisterRead•  SpeculativeStoreBypass(SSB)•  LazyFP(LazyFPUstateleak)•  ret2spec•  SpectreRSB

+moretocome

Speculationscenario(=computationerror)

“Safe”computationthatspeculationturnsunsafe Sidechannel

Detect&analyzeleakeddata

+

Manypossiblevariations

Inducecomputationwithdesirederror

+

10

Is Spectre a bug?

 Everythingcomplieswiththearchitecturespecsê  Branchpredictorislearningfromhistory,asexpected

ê  Speculativeexecutionunwindsarchitecturalstatecorrectlyê  Readsarefetchingdatathevictimisallowedtoread

ê  Cachesareallowedtoholdstateê  Covertchannels&sidechannelsarewellknown

?!

11

Spectre is a symptom

 Symptomofexcessivearchitecturalambiguityê  Typicalarchitectures’guaranteesareinsufficientforsecurity

E.g.nopromisetokeepanythingsecretfromotherprocesses?Acrossintra-processdomains?

ê  Consequence:softwaredeveloperstorelyonguessesHopelessfordeveloper:eveniftestedonallchipstoday,futurechipsmaybedifferent

ê  Keyresearchtopic:Whatshouldarchitecturesguarantee?Minimumrequirement:Sufficientforsecuresoftware

Metric:likelihoodfinalsystem(HW+SW)willbesecure…givenrealisticassumptionsaboutSW+HWdevelopmentpractices

Challenges:performance,power,legacycompatibility,diearea…

Step 1: Tell programmers to add LFENCE instructions wherever something could go wrong (and nowhere else because LFENCE is really slow) …

Step n: Blame programmer

12

Spectre is a symptom

 Historyofprioritizingperformance,legacycompatibility,…oversecurityê  Scalingissue:Ascomplexitygrows,securityrisksincreasefasterthanbenefits

ê  Balancehasshiftedformanyapplications:valueofperformancegains<<insecuritycosts

ê  Latencyinchangingmindsets:Dominantpeopleandbusinessesgrewupwhenperformance>security

Needtospecializedesignsforperformancevs.securityê  Canco-existonthesamechip(analogoustoARM’sbig.LITTLEforpower)

ê  Security=muchlesscomplexTCB(HW+SW),notjustadifferentmode(likeTrustZone/SGX)

RacecarimagepublicdomainbyRK47(https://commons.wikimedia.org/wiki/File:Formula_RUS_2007-1-112.jpg),VolvoimagepublicdomainbyIFCAR(https://commons.wikimedia.org/wiki/File:Volvo-850-wagon-front.jpg)

vs

13

Q&A

Ifthesurgeryprovesunnecessary,we’llrevertyourarchitecturalstateatnocharge.