Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
Spectre Attacks: Exploiting Speculative Execution
Paul Kocher1, Jann Horn2, Anders Fogh3, Daniel Genkin4, Daniel Gruss5, Werner Haas6, Mike Hamburg7, Mortiz Lipp5, Stefan Mangard5, Thomas Prescher6, Michael Schwartz5, Yuval Yarom8
1 Independent, 2 Google Project Zero, 3 G DATA Advanced Analytics, 4 University of Pennsylvania and University of Maryland, 5 Graz University of Technology, 6 Cyberus Technology, 7 Rambus, Cryptography Research Division, 8 University of Adelaide & Data61 Alltrademarksarethepropertyoftheirrespectiveowners.Thispresentationisprovidedwithoutanyguaranteeorwarrantywhatsoever.
IEEESecurity&Privacy(May20,2019)
2
Nomoreeasygainsfromlow-levelphysics,e.g.:ê Increaseclockrates Mostlymaxedout(3.8GHzPentium4in2004)ê Improvememoryspeeds DRAMlatencyhuge,notimprovingmuch
Industryfocusonpipelining+boostingaverage-caseperformance,e.g.:ê Reducingmemorydelays àCachesê Workingduringdelays àSpeculativeexecution
How to boost CPU performance?
PublicdomainimageofPentium4diebyRitzchensFritz
Computer architecture: n. The art and science of introducing new side channel vulnerabilities.
3
Programsareexpressedsequentially…butfastCPUsleverageHW’sparallelism(pipelining…)andspeculation
Speculation:Startlikelytasksearly,thencleanuperrors.
Speculative execution
if (x == 1) { abc…
} else { xyz…
}
Ifxisuncached,processorfacesalongdelay CPUcanguessexecutionpath&proceedspeculatively WhenxarrivesfromDRAM,checkifguesswascorrectê Correct:commitspeculativework=performancegainê Wrongguess:Discardfaultywork
Example:
4
Correctprogram
Fault attacks
ABCDE…
Induceerror(s)
ABC’DE…
SecureprogramsareunsafeifexecutederroneouslyExample:Induceanalogglitchesonclock,reset,power/ground…Almostanykindoferrorisexploitable
ßExecutedprogramisdifferent
5
Arethereanysecurityimplicationsfromspeculativeexecution? --MikeHamburg
CPUissecretlymakingerrorsonitsown
≈ faultattackhardwareisbuilt-in
Faultyresultsarediscarded,butCPUsareriddledwithside/covertchannels(…muchsimplerthancombinedfault+differentialpoweranalysis)
6
Conditional branch (Variant 1) attack
Attackscenario:ê Coderunsinatrustedcontextê Adversarywantstoreadmemoryandcontrolsunsignedintegerx
ê Branchpredictorwillexpectif()tobetrue(e.g.becausepriorcallshadx<array1_size)
ê array1_sizeandarray2[]arenotincache
if (x < array1_size) y = array2[array1[x]*512];
Contentsdon’tmatter
Memory&CacheStatus
array1_size = 00000008
Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)
array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]
Uncached Cached
���
onlycareaboutcachestatus
7
Conditional branch (Variant 1) attack
Attackercallsvictimcodewithx=N(whereN>8)ê Speculativeexecwhilewaitingforarray1_size
ê Predictthatif()istrueê Readaddress(array1base+x)w/out-of-boundsxê Readreturnssecretbyte=09(fast–incache)
if (x < array1_size) y = array2[array1[x]*512];
Memory&CacheStatus
array1_size = 00000008
Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)
array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]
Uncached Cached
���
Contentsdon’tmatteronlycareaboutcachestatus
8
Conditional branch (Variant 1) attack
Attackercallsvictimcodewithx=N(whereN>8)ê Speculativeexecwhilewaitingforarray1_size
ê Predictthatif()istrueê Readaddress(array1base+x)w/out-of-boundsxê Readreturnssecretbyte=09(fast–incache)ê Requestmemoryat(array2base+09*512)ê Bringsarray2[09*512]intothecacheê Realizeif()isfalse:discardspeculativework
ê Finishoperation&returntocaller
Attackertimesreadsfromarray2[i*512]ê Readfori=09isfast(cached),revealingsecretbyte
if (x < array1_size) y = array2[array1[x]*512];
Memory&CacheStatus
array1_size = 00000008
Memoryatarray1baseaddress: 8bytesofdata(valuedoesn’tmatter) […lotsofmemoryuptoarray1base+N…] 09 F1 98 CC 90...(somethingsecret)
array2[ 0*512] array2[ 1*512] array2[ 2*512] array2[ 3*512] array2[ 4*512] array2[ 5*512] array2[ 6*512] array2[ 7*512] array2[ 8*512] array2[ 9*512] array2[10*512] array2[11*512]
Uncached Cached
���
Contentsdon’tmatteronlycareaboutcachestatus
9
Spectre is a messy class of vulnerabilities
Manyrelatedresults• SpeculativeStoreBypass/Variant4• NetSpectre• Foreshadow• Spectre1.1• Spectre-NG• RogueSystemRegisterRead• SpeculativeStoreBypass(SSB)• LazyFP(LazyFPUstateleak)• ret2spec• SpectreRSB
+moretocome
Speculationscenario(=computationerror)
“Safe”computationthatspeculationturnsunsafe Sidechannel
Detect&analyzeleakeddata
+
Manypossiblevariations
Inducecomputationwithdesirederror
+
10
Is Spectre a bug?
Everythingcomplieswiththearchitecturespecsê Branchpredictorislearningfromhistory,asexpected
ê Speculativeexecutionunwindsarchitecturalstatecorrectlyê Readsarefetchingdatathevictimisallowedtoread
ê Cachesareallowedtoholdstateê Covertchannels&sidechannelsarewellknown
?!
11
Spectre is a symptom
Symptomofexcessivearchitecturalambiguityê Typicalarchitectures’guaranteesareinsufficientforsecurity
E.g.nopromisetokeepanythingsecretfromotherprocesses?Acrossintra-processdomains?
ê Consequence:softwaredeveloperstorelyonguessesHopelessfordeveloper:eveniftestedonallchipstoday,futurechipsmaybedifferent
ê Keyresearchtopic:Whatshouldarchitecturesguarantee?Minimumrequirement:Sufficientforsecuresoftware
Metric:likelihoodfinalsystem(HW+SW)willbesecure…givenrealisticassumptionsaboutSW+HWdevelopmentpractices
Challenges:performance,power,legacycompatibility,diearea…
Step 1: Tell programmers to add LFENCE instructions wherever something could go wrong (and nowhere else because LFENCE is really slow) …
Step n: Blame programmer
12
Spectre is a symptom
Historyofprioritizingperformance,legacycompatibility,…oversecurityê Scalingissue:Ascomplexitygrows,securityrisksincreasefasterthanbenefits
ê Balancehasshiftedformanyapplications:valueofperformancegains<<insecuritycosts
ê Latencyinchangingmindsets:Dominantpeopleandbusinessesgrewupwhenperformance>security
Needtospecializedesignsforperformancevs.securityê Canco-existonthesamechip(analogoustoARM’sbig.LITTLEforpower)
ê Security=muchlesscomplexTCB(HW+SW),notjustadifferentmode(likeTrustZone/SGX)
RacecarimagepublicdomainbyRK47(https://commons.wikimedia.org/wiki/File:Formula_RUS_2007-1-112.jpg),VolvoimagepublicdomainbyIFCAR(https://commons.wikimedia.org/wiki/File:Volvo-850-wagon-front.jpg)
vs
13
Q&A
Ifthesurgeryprovesunnecessary,we’llrevertyourarchitecturalstateatnocharge.