william with many men

# Privileged Side-Channel Attacks

for Enclave Software Adversaries

Jo Van Bulck

University of Birmingham seminar, February 20, 2020

☆ imec-DistriNet, KU Leuven ⊠ jo.vanbulck@cs.kuleuven.be ¥ jovanbulck

- Trusted computing across the system stack: hardware, compiler, OS, apps
- Integrated attack-defense perspective and open-source prototypes







Transient execution [VBMW<sup>+</sup>18, SLM<sup>+</sup>19, CVBS<sup>+</sup>18] Side-channel attacks [VBPS17, VBWK<sup>+</sup>17, VBPS18] Sancus TEE processor [NVBM<sup>+</sup>17, VBMP17]

## ~40 years of computer security research in one picture



Secure program: convert all input to expected output



Buffer overflow vulnerabilities: trigger unexpected behavior



Safe languages & formal verification: preserve expected behavior



Side-channels: observe side-effects of the computation



Constant-time code: eliminate secret-dependent side-effects



## A vulnerable example program and its constant-time equivalent

```
1 void check_pwd(char *input)
2 {
3    for (int i=0; i < PWD_LEN; i++)
4         if (input[i] != pwd[i])
5             return 0;
6
7         return 1;
8 }</pre>
```



## Overall execution time reveals correctness of individual password bytes!

 $\rightarrow$  reduce brute-force attack from an exponential to a linear effort. . .

## A vulnerable example program and its constant-time equivalent

```
1void check_pwd(char *input)
2{
3    for (int i=0; i < PWD_LEN; i++)
4         if (input[i] != pwd[i])
5             return 0;
6
7         return 1;
8}</pre>
```

```
1 void check_pwd(char *input)
2 {
3     int rv = 0x0;
4     for (int i=0; i < PWD_LEN; i++)
5         rv |= input[i] ^ pwd[i];
6
7     return (result == 0);
8}</pre>
```

### Rewrite program such that execution time does not depend on secrets

 $\rightarrow$  manual, error-prone solution; side channels are likely here to stay...



# What's inside the black box?



https://informationisbeautiful.net/visualizations/million-lines-of-code/

## Enclaved execution: Reducing attack surface



Traditional layered designs: large trusted computing base

## Enclaved execution: Reducing attack surface



Intel SGX promise: hardware-level isolation and attestation



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!

Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", IEEE S&P 2015



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!

Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018



**Game-changer:** Untrusted OS  $\rightarrow$  new class of powerful side channels!

Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018



# KEEP CALM

## **Protection from Side-Channel Attacks**

Intel® SGX does not provide explicit protection from side-channel attacks. It is the enclave developer's responsibility to address side-channel attack concerns.

In general, enclave operations that require an OCall, such as thread synchronization, I/O, etc., are exposed to the untrusted domain. If using an OCall would allow an attacker to gain insight into enclave secrets, then there would be a security concern. This scenario would be classified as a side-channel attack, and it would be up to the ISV to design the enclave in a way that prevents the leaking of side-channel information.

An attacker with access to the platform can see what pages are being executed or accessed. This sidechannel vulnerability can be mitigated by aligning specific code and data blocks to exist entirely within a single page.

More important, the application enclave should use an appropriate crypto implementation that is side channel attack resistant inside the enclave if side-channel attacks are a concern.

## Why doesn't Intel eliminate side-channel analysis methods?

Simply put, a side-channel is some observable aspect of a computer system's physical operation, such as timing, power consumption or even sound. As such, they can't be eliminated. However, Intel is committed to rapidly addressing issues such as these as they arise, and providing recommendations through security advisories and security notices. The latest security information on Intel<sup>®</sup> products can be found here.



## Why doesn't Intel eliminate side-channel analysis methods?

Simply put, a side-channel is some observable aspect of a computer system's physical operation, such as timing, power consumption or even sound. As such, they can't be eliminated. However, Intel is committed to rapidly addressing issues such as these as they arise, and providing recommendations through security advisories and security notices. The latest security information on Intel® products can be found here.



## ⇒ Research agenda: systematic understanding of side-channel leakage in TEEs

## Evolution of "side-channel attack" occurrences in Google Scholar



## Side-channel attacks and trusted computing



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

## Side-channel attacks and trusted computing (focus of today)



Based on github.com/Pold87/academic-keyword-occurrence and xkcd.com/1938/

Privileged adversary idea #1



## Page tables as a side channel?

## The virtual memory abstraction



Costan et al. "Intel SGX explained", IACR 2016



• SGX machinery protects against direct address remapping attacks



- SGX machinery protects against direct address remapping attacks
- ... but untrusted address translation may fault during enclaved execution (!)

## Page faults as a side channel



- SGX machinery protects against direct address remapping attacks
- ... but untrusted address translation may fault during enclaved execution (!)
- $\Rightarrow$  Page fault traces leak private control/data flow



1. Revoke access rights on *unprotected* enclave page table entry



- 1. Revoke access rights on *unprotected* enclave page table entry
- 2. Enter victim enclave



- 1. Revoke access rights on *unprotected* enclave page table entry
- 2. Enter victim enclave
- 3. Secret-dependent data memory access
  - $\rightsquigarrow\,$  Processor reads page table setup by untrusted OS



- 1. Revoke access rights on *unprotected* enclave page table entry
- 2. Enter victim enclave
- 3. Secret-dependent data memory access
  - $\rightsquigarrow\,$  Processor reads page table setup by untrusted OS
- 4. Virtual address not present  $\rightarrow$  raise page fault
  - → Processor exits enclave and vectors to untrusted OS



- 1. Revoke access rights on *unprotected* enclave page table entry
- 2. Enter victim enclave
- 3. Secret-dependent data memory access
  - $\rightsquigarrow$  Processor reads page table setup by untrusted OS
- 4. Virtual address not present  $\rightarrow$  raise page fault
  - $\rightsquigarrow$  Processor exits enclave and <u>vectors to untrusted OS</u>
- 5. Restore access rights and resume victim enclave



### Page table-based attacks in practice



Xu et al.: "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", Oakland 2015

#### $\Rightarrow$ Low-noise, single-run exploitation of legacy applications

#### Page table-based attacks in practice



Xu et al.: "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", Oakland 2015

... but at a relative coarse-grained 4 KiB granularity



Shih et al. "T-SGX: Eradicating controlled-channel attacks against enclave programs", NDSS 2017

Shinde et al. "Preventing page faults from telling your secrets", AsiaCCS 2016



... But stealthy attacker can still learn page accesses without triggering faults!

#### 4.8 ACCESSED AND DIRTY FLAGS

For any paging-structure entry that is used during linear-address translation, bit 5 is the **accessed** flag.<sup>2</sup> For paging-structure entries that map a page (as opposed to referencing another paging structure), bit 6 is the **dirty** flag. These flags are provided for use by memory-management software to manage the transfer of pages and paging structures into and out of physical memory.

Whenever the processor uses a paging-structure entry as part of linear-address translation, it sets the accessed flag in that entry (if it is not already set).

Whenever there is a write to a linear address, the processor sets the dirty flag (if it is not already set) in the pagingstructure entry that identifies the final physical address for the linear address (either a PTE or a paging-structure entry in which the PS flag is 1).

## **CAN'T SEE PAGE FAULTS THEY SAID**

# BUT WE CAN SPY ON PAGE TABLE MEMORY

imgflip.com

#### Telling your secrets without page faults

- 1. Attack vector: PTE status flags:
  - A(ccessed) bit
  - D(irty) bit
  - → Also updated in <u>enclave mode</u>!



## Telling your secrets without page faults

- 1. Attack vector: PTE status flags:
  - A(ccessed) bit
  - D(irty) bit
  - → Also updated in <u>enclave mode</u>!
- 2. Attack vector: Unprotected page table memory:
  - Cached as regular data
  - Accessed during address translation
  - → Flush+Reload cache timing attack!













Privileged adversary idea #2



## Interrupts as a side channel?

#### Elementary CPU behavior: stored program computer



#### Back to basics: Fetch-decode-execute

Interrupts: asynchronous real-world events, handled on instruction retirement



#### Back to basics: Fetch-decode-execute

公 Timing leak: IRQ response time depends on current instruction(!)



#### Wait a cycle: Interrupt latency as a side channel



## Attacking a Sancus application with interrupt latency



#### Attacking a Sancus application with interrupt latency





#### Attacking a Sancus application with interrupt latency





#### Sancus IRQ timing attack: Inferring key strokes



## Enclave x-ray: Start-to-end trace enclaved execution

#### Sancus IRQ timing attack: Inferring key strokes



## **Enclave x-ray:** Keymap bit traversal (ground truth)

Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018

#### Sancus IRQ timing attack: Inferring key strokes



Van Bulck et al. "Nemesis: Studying Microarchitectural Timing Leaks in Rudimentary CPU Interrupt Logic", CCS 2018

#### Does this also work for Intel SGX enclaves?





Copyright, 1878, by MUYBRIDGE.

THE HORSE IN MOTION.

Illustrated by

SGX-Step goal: executing enclaves one instruction at a time

Challenge: we need a very precise timer interrupt:

- ③ x86 hardware *debug features* disabled in enclave mode
- ☺ ... but we have *root access!*

SGX-Step goal: executing enclaves one instruction at a time

Challenge: we need a very precise timer interrupt:

- © x86 hardware *debug features* disabled in enclave mode
- ☺ ... but we have root access!

 $\Rightarrow$  Setup user-space virtual **memory mappings** for x86 APIC

```
jo@sgx-laptop:~$ cat /proc/iomem | grep "Local APIC"
fee00000-fee00fff : Local APIC
jo@sgx-laptop:~$ sudo devmem2 0xFEE00030 h
/dev/mem opened.
Memory mapped at address 0x7f37dc187000.
Value at address 0xFEE00030 (0x7f37dc187030): 0x15
jo@sgx-laptop:~$ []
```

User-space attack primitives: APIC timer + interrupt handling 🙂



#### SGX-Step: Executing enclaves one instruction at a time



#### Microbenchmarks: Measuring Intel x86 instruction latencies

Latency distribution: 10,000 samples from benchmark enclave



#### Microbenchmarks: Measuring Intel x86 instruction latencies

Timing leak: reconstruct instruction latency class





Instruction (interrupt number)



Instruction (interrupt number)



Instruction (interrupt number)

#### De-anonymizing enclave lookups with interrupt latency

#### **Binary search:** Find 40 in {20, 30, 40, 50, 80, 90, 100}



27

Adversary: Infer secret lookup in known array







Interrupt (instruction number)

**Goal:** Infer lookup  $\rightarrow$  reconstruct bsearch control flow



Interrupt (instruction number)





Interrupt (instruction number)

Privileged adversary idea #3



## Page tables revisited: transient execution?



Untrusted OS  $\rightarrow$  new class of powerful side channels

Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018

### **Enclaved execution: Transient-execution attacks**



#### Trusted CPU $\rightarrow$ exploit microarchitectural bugs/design flaws

Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018

E PHANTOM TROLLEY ISN'T PPOSED TO TOUCH ANYONE. IT TURNS OUT YOU CAN ILL USE IT TO DO STUFF. ND IT CAN DRIVE IROUGH WALLS.







#### **Unauthorized access**

|   | Listing 1: x86 assembly |   | Listing 2: C code.                  |
|---|-------------------------|---|-------------------------------------|
| 1 | meltdown :              | 1 | void meltdown(                      |
| 2 | // %rdi: oracle         | 2 | uint8_t *oracle,                    |
| 3 | // %rsi: secret_ptr     | 3 | uint8_t *secret_ptr)                |
| 4 |                         | 4 | {                                   |
| 5 | movb (%rsi), %al        | 5 | <pre>uint8_t v = *secret_ptr;</pre> |
| 6 | shl \$0×c, %rax         | 6 | $v = v * 0 \times 1000;$            |
| 7 | movq (%rdi, %rax), %rdi | 7 | uint64_t o = oracle[v];             |
| 8 | retq                    | 8 | }                                   |



Unauthorized access

#### **Transient out-of-order window**









Unauthorized access

Transient out-of-order window

Exception (discard architectural state)

|                  | Listing 1: x86 assembly.                            |        | Listing 2: C code.                                         |
|------------------|-----------------------------------------------------|--------|------------------------------------------------------------|
| 3                | meltdown:<br>// %rdi: oracle<br>// %rsi: secret_ptr | 2<br>3 | void meltdown(<br>uint8_t *oracle,<br>uint8_t *secret_ptr) |
| 4                | movb (%rsi), %al                                    | 4      | {<br>uint8_t v = *secret_ptr;                              |
| 5<br>6<br>7<br>8 | shl \$0xc, %rax<br>movq (%rdi, %rax), %rdi<br>retq  | 6<br>7 |                                                            |







Unauthorized access

Transient out-of-order window

#### **Exception handler**





# Meltdown melted down everything, except for one thing

"[enclaves] remain protected and completely secure"

— International Business Times, February 2018

### ANJUNA'S SECURE-RUNTIME CAN PROTECT CRITICAL APPLICATIONS AGAINST THE MELTDOWN ATTACK USING ENCLAVES

"[enclave memory accesses] redirected to an abort page, which has no value"

— Anjuna Security, Inc., March 2018

#### Rumors: Meltdown immunity for SGX enclaves?



LILY HAY NEWMAN SECURITY 08.14.18 01:00 PM

## SPECTRE-LIKE FLAW UNDERMINES INTEL PROCESSORS' MOST SECURE ELEMENT

# Intel's SGX blown wide open by, you guessed it, a speculative execution attack

Speculative execution attacks truly are the gift that keeps on giving.

https://wired.com and https://arstechnica.com





Note: SGX MMU sanitizes untrusted address translation



#### Abort page semantics:

An attempt to read from a non-existent or disallowed resource returns all ones for data (abort page). An attempt to write to a non-existent or disallowed physical resource is dropped. This behavior is unrelated to exception type abort (the others being Fault and Trap).

Straw man: (Transient) accesses in non-enclave mode are dropped



#### Abort page semantics:

An attempt to read from a non-existent or disallowed resource returns all ones for data (abort page). An attempt to write to a non-existent or disallowed physical resource is dropped. This behavior is unrelated to exception type abort (the others being Fault and Trap).

https://software.intel.com/en-us/sgx-sdk-dev-reference-enclave-development-basics

Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018

Stone man: Bypass abort page via *untrusted* page table



Xu et al. "Controlled-channel attacks: Deterministic side channels for untrusted operating systems", IEEE S&P 2015

Van Bulck et al. "Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution", USENIX 2017

35

Van Bulck et al. "Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution", USENIX 2018

**Stone man:** Bypass abort page via *untrusted* page table





#### L1 cache design: Virtually-indexed, physically-tagged



Page fault: Early-out address translation



L1-Terminal Fault: match unmapped physical address (!)



Foreshadow-SGX: bypass enclave isolation



Foreshadow-VMM: bypass virtual machine isolation

#### Research challenges: Universal classification and understanding

#### https://transient.fail



- ⇒ **Trusted execution** environments are not perfect(!)
- $\Rightarrow$  New emerging and powerful class of transient-execution attacks
- ⇒ Importance of fundamental **side-channel research**; no silver-bullet defenses



## Appendix

 C. Canella, J. Van Bulck, M. Schwarz, M. Lipp, B. von Berg, P. Ortner, F. Piessens, D. Evtyushkin, and D. Gruss.
 A systematic evaluation of transient execution attacks and defenses. arXiv preprint arXiv:1811.05441, 2018.

 J. Noorman, J. Van Bulck, J. T. Mühlberg, F. Piessens, P. Maene, B. Preneel, I. Verbauwhede, J. Götzfried, T. Müller, and F. Freiling.
 Sancus 2.0: A low-cost security architecture for IoT devices. ACM Transactions on Privacy and Security (TOPS), 20(3):7:1–7:33, 2017. M. Schwarz, M. Lipp, D. Moghimi, J. Van Bulck, J. Stecklina, T. Prescher, and D. Gruss.

ZombieLoad: Cross-privilege-boundary data sampling.

In CCS, 2019.

J. Van Bulck, J. T. Mühlberg, and F. Piessens.

VulCAN: Efficient component authentication and software isolation for automotive control networks.

In Annual Computer Security Applications Conference (ACSAC), 2017.

 J. Van Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx.
 Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution.

In Proceedings of the 27th USENIX Security Symposium, 2018.

J. Van Bulck, F. Piessens, and R. Strackx. **SGX-Step: A practical attack framework for precise enclave execution control.** 

In SysTEX, pp. 4:1-4:6, 2017.

🔋 J. Van Bulck, F. Piessens, and R. Strackx.

Nemesis: Studying microarchitectural timing leaks in rudimentary cpu interrupt logic.

In ACM CCS 2018, 2018.

J. Van Bulck, N. Weichbrodt, R. Kapitza, F. Piessens, and R. Strackx. Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution.

In Proceedings of the 26th USENIX Security Symposium, pp. 1041–1056, 2017.







1. Cache secrets in L1

2. Unmap page table entry

3. Execute Meltdown





1. Cache secrets in L1

2. Unmap page table entry



Future CPUs (silicon-based changes)



1. Cache secrets in L1





3. Execute Meltdown

OS kernel updates (sanitize page frame bits)



#### $\Rightarrow$ Flush L1 cache on enclave/VMM exit + disable HyperThreading

https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault



• Programmer *intention:* never access out-of-bounds memory



- Programmer *intention:* never access out-of-bounds memory
- Branch can be mistrained to speculatively (i.e., ahead of time) execute with *idx* ≥ *LEN* in the transient world



- Programmer *intention:* never access out-of-bounds memory
- Branch can be mistrained to speculatively (i.e., ahead of time) execute with *idx* ≥ *LEN* in the transient world
- Insert explicit **speculation barriers** to tell the CPU to halt the transient world...



- Programmer *intention:* never access out-of-bounds memory
- Branch can be mistrained to speculatively (i.e., ahead of time) execute with *idx* ≥ *LEN* in the **transient world**
- Insert explicit **speculation barriers** to tell the CPU to halt the transient world...
- Huge manual, error-prone effort...